Geeks to Go

TRO/ROOT KIT?

#16 RKinner (Malware Expert, MVP, 24,623 posts)
The error is something we get sometimes. Windows just needs to reboot one more time.

I'm not sure what these strange drivers were for, nor what the odd stuff in C:\ was.

I missed one strange driver last time (dropped the z off the front of it), plus I don't know why the IE toolbars are locked, so let's run it again:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

Driver::
zlnimc

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.

Normally a CFScript is going to be different for each PC. Could you run Combofix on one of your other 17 systems and let me see what it looks like?

Ron

#17 DAV2 (Member, Topic Starter, 140 posts)
Ron, thanks and will do. Here is the latest "Avast" rescue disk scan. Progress?

;******
;Scan header
;VPS file version: May 31, 2011 - [110531-0]
;Params: C:\ D:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
D:\## aswSnx private storage\webStorage\image\DOWN\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\DOWN\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.60.0.1800.exe\{embedded}\setup.exe ERROR: Unknown packer version.
;--------------------------
;Files: 238701
;Folders: 21813
;Files size: 30478524298
;Infected files: 3
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******


;******
;Command header
;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2
;******
d:\users\pagefile.sys MOVE OK d:\users\pagefile.sys

;******
;Command footer
;******

#18 DAV2 (Member, Topic Starter, 140 posts)
COMBOFIX FIX2
ComboFix 12-01-15.01 - 975 01/15/2012 18:53:38.3.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6135.4857 [GMT -6:00]
Running from: c:\users\975\Downloads\ComboFix.exe
Command switches used :: c:\users\975\Documents\CFScript.txt
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Enabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ZLNIMC
-------\Service_zlnimc
.
.
((((((((((((((((((((((((( Files Created from 2011-12-16 to 2012-01-16 )))))))))))))))))))))))))))))))
.
.
2012-01-15 18:39 . 2012-01-15 23:15 31457280 --sha-w- c:\users\pagefile.sys
2012-01-13 13:55 . 2011-11-30 08:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{61CCC005-1B47-4E4A-8BEC-9C297D5DB101}\mpengine.dll
2012-01-11 15:15 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 15:15 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-11 15:15 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 15:15 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 15:15 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 15:15 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-11 15:15 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 15:15 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 00:51 . 2012-01-11 00:51 -------- d-----w- c:\program files (x86)\Citrix
2012-01-11 00:45 . 2012-01-11 00:44 525544 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-11 00:44 . 2012-01-11 00:44 -------- d-----w- c:\program files\Java
2012-01-09 16:28 . 2012-01-15 19:21 -------- d-----w- C:\Quarantine
2012-01-08 00:12 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-01-08 00:12 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-01-08 00:12 . 2011-11-28 17:54 140120 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-01-08 00:12 . 2011-11-28 17:53 258392 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-01-08 00:12 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-01-08 00:12 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-01-08 00:12 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-08 00:12 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-01-08 00:11 . 2011-11-28 17:26 12368 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-01-08 00:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-01-08 00:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-01-01 16:01 . 2012-01-01 16:01 -------- d-----w- c:\program files (x86)\iSpy
2011-12-29 21:29 . 2008-01-04 19:34 11832 ----a-w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
2011-12-29 21:29 . 2008-01-04 19:34 10216 ----a-w- c:\windows\SysWow64\drivers\AsInsHelp32.sys
2011-12-29 21:24 . 2011-12-29 21:24 -------- d-----w- c:\windows\system32\appmgmt
2011-12-29 20:22 . 2011-12-29 20:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
2011-12-29 19:40 . 2011-12-29 19:44 -------- d-----w- c:\programdata\Nero
2011-12-29 19:40 . 2011-12-29 19:41 -------- d-----w- c:\program files (x86)\Common Files\Nero
2011-12-29 19:39 . 2011-12-29 19:44 -------- d-----w- c:\program files (x86)\Nero
2011-12-29 19:36 . 2008-10-15 12:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2011-12-29 19:35 . 2007-07-20 00:14 3727720 ----a-w- c:\windows\SysWow64\d3dx9_35.dll
2011-12-29 19:35 . 2007-05-16 22:45 3497832 ----a-w- c:\windows\SysWow64\d3dx9_34.dll
2011-12-29 17:18 . 2011-12-29 17:18 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-29 17:18 . 2011-12-29 17:18 -------- d-----w- c:\windows\SysWow64\Macromed
2011-12-29 17:18 . 2011-12-29 17:18 -------- d-----w- c:\windows\system32\Macromed
2011-12-29 14:06 . 2011-12-29 14:06 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2011-12-29 14:05 . 2011-12-29 14:05 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-12-27 19:34 . 2011-12-27 19:34 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-27 19:33 . 2011-12-27 19:33 -------- d-----w- c:\programdata\Ask
2011-12-27 19:32 . 2011-12-27 19:32 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-12-27 19:32 . 2011-12-27 19:32 -------- d-----w- c:\program files (x86)\Java
2011-12-25 21:09 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2011-12-25 21:09 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-12-25 21:09 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
2011-12-25 21:09 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-12-25 21:09 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-12-25 18:09 . 2011-12-25 18:09 -------- d-----w- c:\programdata\Malwarebytes
2011-12-25 18:09 . 2012-01-15 22:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-25 18:09 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-21 13:40 . 2011-12-21 13:40 -------- d-----w- c:\program files (x86)\Microsoft ActiveSync
2011-12-21 12:11 . 2011-12-21 12:11 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-12-21 02:49 . 2011-11-15 20:29 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-12-21 02:45 . 2010-12-23 10:42 961024 ----a-w- c:\windows\system32\CPFilters.dll
2011-12-21 02:44 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 02:43 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-12-21 02:43 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-21 02:42 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-12-21 02:41 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-21 02:41 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-21 01:41 . 2011-12-20 23:59 -------- d-----w- c:\windows\Panther
2011-12-21 01:27 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
2011-12-21 01:27 . 2012-01-08 00:11 -------- d-----w- c:\programdata\AVAST Software
2011-12-21 01:27 . 2011-12-21 01:27 -------- d-----w- c:\program files\AVAST Software
2011-12-21 00:53 . 2011-12-21 00:53 -------- d-----w- c:\windows\system32\SPReview
2011-12-21 00:35 . 2010-11-20 11:01 2560 ----a-w- c:\windows\system32\drivers\en-US\rdpwd.sys.mui
2011-12-21 00:35 . 2010-11-20 10:57 3072 ----a-w- c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2011-12-21 00:34 . 2010-11-20 11:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2011-12-21 00:34 . 2010-11-20 11:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2011-12-21 00:20 . 2010-11-20 11:25 26112 ----a-w- c:\windows\system32\WerFaultSecure.exe
2011-12-21 00:19 . 2010-11-20 11:27 65536 ----a-w- c:\windows\system32\RpcRtRemote.dll
2011-12-21 00:14 . 2011-12-21 00:14 -------- d-----w- c:\windows\system32\EventProviders
2011-12-21 00:10 . 2009-09-30 03:33 24576 ----a-r- c:\windows\SysWow64\AsIO.dll
2011-12-21 00:10 . 2009-08-04 02:28 13440 ----a-r- c:\windows\SysWow64\drivers\AsIO.sys
2011-12-21 00:09 . 2011-12-21 00:09 -------- d-----w- c:\program files (x86)\NEC Electronics
2011-12-21 00:09 . 2012-01-11 21:54 -------- d-sh--w- c:\windows\Installer
2011-12-21 00:08 . 2011-12-21 00:08 -------- d-----w- c:\program files (x86)\Marvell
2011-12-21 00:06 . 2011-12-21 00:06 -------- d-----w- c:\program files (x86)\Intel
2011-12-21 00:05 . 2011-12-29 21:29 -------- d-----w- c:\program files (x86)\ASUS
2011-12-21 00:05 . 2011-12-29 21:29 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
2011-12-21 00:05 . 2011-12-21 00:09 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2011-12-20 23:59 . 2011-12-20 23:59 -------- d-----w- c:\users\975
2011-12-19 15:05 . 2012-01-15 20:38 -------- d-----w- C:\DOWN
2011-12-19 00:33 . 2011-12-19 00:33 -------- d-----w- C:\Intel
2011-12-19 00:24 . 2011-12-20 23:59 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-21 00:45 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-12-21 00:45 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-12-08 19:30 . 2011-12-08 19:30 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll
2011-12-08 19:30 . 2011-12-08 19:30 768848 ----a-w- c:\windows\SysWow64\msvcr100.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-15_21.12.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-01-15 21:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-16 00:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-15 21:06 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-16 00:40 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-15 21:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-16 00:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-21 01:01 . 2012-01-16 00:41 42624 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-16 00:41 35204 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-12-21 00:13 . 2012-01-16 00:41 5470 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-184688549-2744717166-2477723591-1000_UserData.bin
- 2012-01-15 21:12 . 2012-01-15 21:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-16 00:57 . 2012-01-16 00:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-16 00:57 . 2012-01-16 00:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-15 21:12 . 2012-01-15 21:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-01-15 21:10 623940 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-16 00:44 623940 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-01-15 21:10 106316 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-01-16 00:44 106316 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-01-16 00:55 305952 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-01-15 21:11 305952 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-12-21 22:31 . 2012-01-16 00:55 13682161 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-184688549-2744717166-2477723591-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-01-22 106496]
"TurboV"="c:\program files (x86)\ASUS\TurboV\TurboV.exe" [2009-11-19 5665280]
"QFan Help"="c:\program files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe" [2010-06-03 611968]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
R3 aswArKrn;aswArKrn;c:\users\975\AppData\Local\Temp\aswArKrn.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [x]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [x]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2009-08-19 90112]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2011-11-28 127192]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-01-29 10038304]
"combofix"="c:\combofix\CF7355.3XE" [2010-11-20 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,0b,36,e0,1d,33,5e,4f,88,5f,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,0b,36,e0,1d,33,5e,4f,88,5f,7b,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
.
**************************************************************************
.
Completion time: 2012-01-15 18:59:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-16 00:59
ComboFix2.txt 2012-01-15 23:10
ComboFix3.txt 2012-01-15 21:13
.
Pre-Run: 40,571,260,928 bytes free
Post-Run: 40,354,828,288 bytes free
.
- - End Of File - - E081F3193A3EA7860C7599DF02017BE1

#19 DAV2 (Member, Topic Starter, 140 posts)
Ron, I noticed that OTL lists pagefile.sys as 6.02 GB; however, it is only a 32 MB file on Windows and on the disk, because I made it smaller to upload to VirusTotal. Unfortunately, on one computer it simply would not upload, even though I reset security on it so that it would upload, and on the other computer it was positive on 2 of those scanned, and 1 of them was Avast.

#20 RKinner (Malware Expert, MVP, 24,623 posts)
Let's delete the MBAM setup folders in

D:\ProgramData\Malwarebytes
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe
D:\Users\975\Downloads\mbam-setup-1.60.0.1800.exe

and uninstall MBAM, to make things simpler. Then set it up to delete the pagefile.sys file on shutdown:

http://support.microsoft.com/kb/314834

Delete any pagefile.sys files that are not in use.

Then reboot and run the Avast scan again.

#21 DAV2 (Member, Topic Starter, 140 posts)
OK, here is another Avast rescue scan, and I will do the deletion next.

;******
;Scan header
;VPS file version: May 31, 2011 - [110531-0]
;Params: C:\ D:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
D:\## aswSnx private storage\webStorage\image\DOWN\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\$RECYCLE.BIN\S-1-5-21-184688549-2744717166-2477723591-1000\$R0IUHUX.sys INFECTED: Win32:Small-HUF [Trj]
D:\DOWN\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.60.0.1800.exe\{embedded}\setup.exe ERROR: Unknown packer version.
;--------------------------
;Files: 238721
;Folders: 21817
;Files size: 30513023717
;Infected files: 3
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******

#22 RKinner (Malware Expert, MVP, 24,623 posts)
Looks like it finally found something interesting:

D:\$RECYCLE.BIN\S-1-5-21-184688549-2744717166-2477723591-1000\$R0IUHUX.sys

I'd say this is what it is finding in the pagefile.sys. See if you can empty the recycle bin.
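The comparison Ron made by eye above (a detection that is present in the second rescue-disk scan but not the first) can be scripted. This is an added example, not code from the thread or from avast: a small parser for the ';'-commented log format posted in #17 and #21 that checks the footer's "Infected files" count against the rows actually listed and reports which INFECTED paths are new or gone between two scans. The two embedded sample logs are the result rows quoted from those two posts.

```python
"""Parse avast! rescue-disk scan logs in the ';'-commented format posted in this
thread and diff two of them to find detections that appear only in the later
scan (added example; not code from the thread or from avast)."""
import re
from dataclasses import dataclass, field

# One result row: "<path> TAB <STATUS>[: <detail>]". The forum software collapsed
# the tab to spaces, so any whitespace run before the status keyword is accepted.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>OK|INFECTED|ERROR)(?::\s*(?P<detail>.*))?$"
)
# Header/footer counters such as ";Infected files: 3".
SUMMARY_RE = re.compile(r"^;(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")


@dataclass
class ScanReport:
    entries: list = field(default_factory=list)  # (path, status, detail) rows
    summary: dict = field(default_factory=dict)  # ';key: value' lines

    def infected(self):
        """INFECTED rows keyed by lower-cased path -> (path as logged, detail)."""
        return {p.lower(): (p, d) for p, s, d in self.entries if s == "INFECTED"}

    def errors(self):
        """Rows the scanner could not inspect (here: unknown packer in installers)."""
        return [(p, d) for p, s, d in self.entries if s == "ERROR"]

    def count_matches_footer(self):
        """True when ';Infected files: N' agrees with the INFECTED rows listed."""
        declared = self.summary.get("Infected files")
        return declared is not None and int(declared) == len(self.infected())


def parse_scan(text):
    """Build a ScanReport from raw log text; lines fitting neither pattern are skipped."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            m = SUMMARY_RE.match(line)
            if m:
                report.summary[m.group("key").strip()] = m.group("value").strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            report.entries.append(
                (m.group("path"), m.group("status"), m.group("detail") or "")
            )
    return report


def diff_scans(earlier, later):
    """Return (new, gone): INFECTED paths only in the later / only in the earlier scan."""
    a, b = earlier.infected(), later.infected()
    new = sorted(b[k][0] for k in b.keys() - a.keys())
    gone = sorted(a[k][0] for k in a.keys() - b.keys())
    return new, gone


# Sample logs: the result rows quoted from posts #17 and #21 of this thread.
SCAN_1 = r"""
;Scan header
;VPS file version: May 31, 2011 - [110531-0]
;Columns: File name TAB Status [OK,INFECTED,ERROR]
D:\## aswSnx private storage\webStorage\image\DOWN\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\DOWN\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.60.0.1800.exe\{embedded}\setup.exe ERROR: Unknown packer version.
;Infected files: 3
;Scan completed with return code: 0
"""

SCAN_2 = r"""
;Scan header
;Columns: File name TAB Status [OK,INFECTED,ERROR]
D:\## aswSnx private storage\webStorage\image\DOWN\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\$RECYCLE.BIN\S-1-5-21-184688549-2744717166-2477723591-1000\$R0IUHUX.sys INFECTED: Win32:Small-HUF [Trj]
D:\DOWN\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe ERROR: Unknown packer version.
;Infected files: 3
;Scan completed with return code: 0
"""

if __name__ == "__main__":
    first, second = parse_scan(SCAN_1), parse_scan(SCAN_2)
    for name, rep in (("scan 1", first), ("scan 2", second)):
        print(name, "footer consistent:", rep.count_matches_footer())
    new, gone = diff_scans(first, second)
    print("new in later scan:", new)
    print("no longer listed:", gone)
```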

#23 DAV2 (Member, Topic Starter, 140 posts)
Ron, here is another 64-bit, i7, Win7.1 machine that shows identical Avast results.
ComboFix 12-01-16.02 - 930 01/16/2012 6:25.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6135.4860 [GMT -6:00]
Running from: c:\users\930\Downloads\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Enabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\ydi.log
.
.
((((((((((((((((((((((((( Files Created from 2011-12-16 to 2012-01-16 )))))))))))))))))))))))))))))))
.
.
2012-01-16 12:28 . 2012-01-16 12:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-16 03:42 . 2012-01-16 03:42 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-16 03:42 . 2012-01-16 03:42 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 01:36 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-16 01:36 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-16 01:36 . 2011-11-30 08:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8E68F4B4-E6CA-4904-BAAD-A1ED7D52EEA4}\mpengine.dll
2012-01-16 01:35 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-16 01:35 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-16 01:35 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-16 01:35 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-16 01:35 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-16 01:35 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-15 20:29 . 2012-01-15 20:29 -------- d-----w- C:\DOWN
2012-01-15 19:08 . 2012-01-15 19:08 -------- d-----w- c:\programdata\Malwarebytes
2012-01-15 19:08 . 2012-01-16 02:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-15 19:08 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-15 18:53 . 2012-01-15 18:58 -------- d-----w- C:\Quarantine
2012-01-08 11:42 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-01-08 11:42 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-01-08 11:42 . 2011-11-28 17:54 140120 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-01-08 11:42 . 2011-11-28 17:53 258392 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-01-08 11:42 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-01-08 11:42 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-01-08 11:42 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-08 11:42 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-01-08 11:42 . 2011-11-28 17:26 12368 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-01-08 11:41 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-01-08 11:41 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-01-07 01:23 . 2012-01-07 01:23 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-01-07 01:14 . 2012-01-07 01:14 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-07 01:14 . 2012-01-07 01:14 -------- d-----w- c:\windows\SysWow64\Macromed
2012-01-07 01:14 . 2012-01-07 01:14 -------- d-----w- c:\windows\system32\Macromed
2012-01-07 00:50 . 2012-01-07 00:50 -------- d-----w- c:\program files\Microsoft IntelliPoint
2012-01-07 00:49 . 2012-01-07 00:49 -------- d-----w- c:\windows\PCHEALTH
2012-01-07 00:48 . 2012-01-07 00:48 -------- d-----w- c:\users\UpdatusUser
2012-01-07 00:48 . 2012-01-07 00:48 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-01-07 00:48 . 2012-01-07 00:48 -------- d-----w- c:\programdata\NVIDIA
2012-01-07 00:48 . 2011-05-21 12:01 739432 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2012-01-07 00:48 . 2011-05-21 12:01 6300776 ----a-w- c:\windows\system32\nvcpl.dll
2012-01-07 00:48 . 2011-05-21 12:01 61544 ----a-w- c:\windows\system32\nvshext.dll
2012-01-07 00:48 . 2011-05-21 12:01 3040872 ----a-w- c:\windows\system32\nvsvc64.dll
2012-01-07 00:48 . 2011-05-21 12:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
2012-01-07 00:48 . 2011-05-21 12:01 117864 ----a-w- c:\windows\system32\nvmctray.dll
2012-01-07 00:48 . 2011-05-21 12:01 1016936 ----a-w- c:\windows\system32\nvvsvc.exe
2012-01-07 00:47 . 2012-01-07 00:47 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-01-07 00:47 . 2012-01-07 00:48 -------- d-----w- c:\program files\NVIDIA Corporation
2012-01-07 00:40 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-01-07 00:40 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-01-07 00:40 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-01-07 00:40 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-01-07 00:40 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-01-07 00:13 . 2012-01-07 00:13 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-01-06 23:58 . 2012-01-06 23:58 995328 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2012-01-06 23:51 . 2011-11-15 20:29 270720 ------w- c:\windows\system32\MpSigStub.exe
2012-01-06 23:49 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2012-01-06 23:48 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2012-01-06 23:48 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-01-06 23:48 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2012-01-06 23:48 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2012-01-06 23:48 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2012-01-06 23:48 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2012-01-06 23:46 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2012-01-06 23:46 . 2011-05-24 10:40 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2012-01-06 23:46 . 2011-05-24 10:40 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2012-01-06 23:46 . 2011-05-24 10:39 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2012-01-06 23:46 . 2011-05-24 10:37 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2012-01-06 23:46 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2012-01-05 16:03 . 2012-01-05 16:03 -------- d-----w- c:\programdata\McAfee
2012-01-04 22:42 . 2009-09-30 17:33 24576 ----a-w- c:\windows\SysWow64\AsIO.dll
2012-01-04 22:42 . 2009-08-04 16:28 13440 ----a-w- c:\windows\SysWow64\drivers\AsIO.sys
2012-01-04 22:41 . 2012-01-04 22:42 -------- d-----w- c:\program files (x86)\ASUS
2012-01-04 22:41 . 2008-01-04 19:34 11832 ----a-w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
2012-01-04 19:42 . 2009-04-22 15:53 62464 ----a-w- c:\windows\SysWow64\SFFXComm.dll
2012-01-04 19:40 . 2012-01-04 19:40 -------- d-----w- c:\program files (x86)\Marvell
2012-01-04 19:40 . 2012-01-04 19:40 -------- d-----w- c:\program files (x86)\Intel
2012-01-04 19:40 . 2009-12-04 23:30 53248 ----a-r- c:\windows\SysWow64\CSVer.dll
2012-01-04 02:54 . 2012-01-04 01:28 -------- d-----w- c:\windows\Panther
2012-01-04 01:58 . 2012-01-04 01:58 -------- d-----w- c:\windows\system32\SPReview
2012-01-04 01:45 . 2010-11-20 11:01 2560 ----a-w- c:\windows\system32\drivers\en-US\rdpwd.sys.mui
2012-01-04 01:45 . 2010-11-20 10:57 3072 ----a-w- c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2012-01-04 01:45 . 2010-11-20 11:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2012-01-04 01:45 . 2010-11-20 11:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2012-01-04 01:38 . 2010-11-20 11:33 299392 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2012-01-04 01:36 . 2012-01-04 01:36 -------- d-----w- c:\windows\system32\EventProviders
2012-01-04 01:28 . 2012-01-04 01:28 -------- d-----w- c:\users\930
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-04 01:56 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-01-04 01:56 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-12-04 1310720]
"Ai Nap"="c:\program files (x86)\ASUS\AI Suite\AiNap\AiNap.exe" [2010-03-10 1439360]
"QFan Help"="c:\program files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe" [2010-01-14 611968]
"Cpu Level Up help"="c:\program files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe" [2009-12-29 887936]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R0 mjvhhu;mjvhhu; [x]
R0 tcoifh;tcoifh; [x]
R0 vqdtrh;vqdtrh; [x]
R0 wayuia;wayuia; [x]
R0 zedltn;zedltn; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [x]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2011-11-28 127192]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="c:\program files (x86)\Analog Devices\SoundMAX\soundmax.exe" [2009-05-18 3866624]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
.
**************************************************************************
.
Completion time: 2012-01-16 06:33:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-16 12:33
.
Pre-Run: 120,600,227,840 bytes free
Post-Run: 120,210,829,312 bytes free
.
- - End Of File - - E8B6556A7130FAA01CD1448BE71C65FB
  • 0

#24
DAV2

    Member

  • Topic Starter
  • Member
  • 140 posts
Ron, we may be making some progress. I hope there are fixes for the other computers that have identical Avast Trojans. I noticed that the Avast rescue disk will not update its database to any directory that had previously been used for an update, and that is after it has been deleted, removed from trash and rebooted. It just gives a memory error until I select a never-used directory. I am running out of never-used directories. How can Avast know that its deleted and removed-from-trash update used to reside in those directories, giving a memory error even after a reboot?
I am still getting a lot of "unknown" programs that are not digitally signed that want to take complete control of the computers. I have enabled "UAC", "EDP" and "max IS security options" that by default are disabled in Win. I think this is the only thing that is preventing all these "unknown" and "unsigned" programs from automatically taking complete control of the computers right through "Avast IS".
Are there "ANY" real internet security programs out there? Comodo crashes at a rate of 2 times a week with the error message "Unknown Bug". I have reported it to "Comodo" repeatedly and they have released updates that only do the "EXACT" same thing on all test computers. Avast simply crashes without any warning and you only know it when you are looking at the real-time scanner protection stop working.
McAfee simply stops working, refuses to go to its own support site and the support people simply blame Microsoft. Microsoft blames NVIDIA. No one takes responsibility nor fixes the problems. Norton and ZoneAlarm only let in more Trojans/viruses that slow the test computers to a crawl.
Any hope?
The only real (permanent) fix I have found so far is to "TRASH" Win, kill-disk the drive and reload Win without connection to the net. It works, but what a waste of time, and it only works for a few weeks before you are right back where you started no matter which "SECURITY" protection is used.
The router's logs continue to fill with constant attacks from primarily the Chinese military, but there are others, so I think I still need to be looking for a solution. These attacks are only getting more frequent as the attackers get more supercomputers to do the attacking. Any suggestions?

Edited by DAV2, 16 January 2012 - 01:14 PM.

  • 0

#25
RKinner

    Malware Expert

  • Expert
  • 24,623 posts
  • MVP
How did the scan go on the first one after deleting the MBAM stuff and clearing the Recycle Bin?

On this last Combofix log we see:

R0 mjvhhu;mjvhhu; [x]
R0 tcoifh;tcoifh; [x]
R0 vqdtrh;vqdtrh; [x]
R0 wayuia;wayuia; [x]
R0 zedltn;zedltn; [x]


These are randomly named drivers that start at boot. Last time we had:

R0 nckkof;nckkof; [x]
R0 pvkvlw;pvkvlw; [x]
R0 qhpbzs;qhpbzs; [x]
R0 qozysh;qozysh; [x]
R0 sjzgxw;sjzgxw; [x]
R0 vqdtrh;vqdtrh; [x]
R0 wayuia;wayuia; [x]
R0 wjtvys;wjtvys; [x]
R0 xtoxpl;xtoxpl; [x]
R0 zlnimc;zlnimc; [x]

Two of them are the same, so they may not be totally random, but we will still need to write a different Combofix script for each one, assuming these random drivers are part of the problem and not something left from some scan you ran.

Combofix has a problem on 64-bit systems and doesn't always find the driver files. Let's try a different tool on this one:


Please download Random's System Information Tool by random/random from
http://images.malwar...random/RSIT.exe
and save it to your desktop.

Make sure that RSIT.exe is on your Desktop before running the application!

Right-click on RSIT.exe and select Run as Administrator to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

Note: Both logs can also be located within the folder rsit at the root of your installed hard drive, e.g. C:\rsit

Also on this second one let's try this:

Right-click on (My) Computer and select Manage (Continue), then the Event Viewer. Next select Windows Logs. Right-click on System and Clear Log, Clear. Repeat for Application. Reboot.

Start, All Programs, Accessories, then right-click on Command Prompt and Run as Administrator. Then type (with an Enter after each line):

sfc /scannow

(SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)

sigverif

Press Start in the new window. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

On the first one let's try ESET and Bitdefender
Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a report option. Click on it and copy and paste the report (even if it says nothing found).

Have you tried creating a Hiren's boot disk? Preferably on a system which is not infected.
http://www.hirensbootcd.org/download/
This is a BIG! Zip File so save it. Then right-click on it and Extract all. Put a blank CD in the drive and then double-click on BurnToCD.cmd. When it finishes you boot off it and run the MiniXP program. This will give you a fake XP desktop. Under All Programs should be a program called

MBRFIX 1.3

See
http://www.sysint.no...ting/mbrfix.htm
for instructions.
but
MbrFix /drive 0 listpartitions

Should show you the partitions. Do they look any different from what you saw in aswMBR?
Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 60955 MB offset 206848

There is also an Avira scan on Hiren's that you can try and see if it sees anything.

Ron
  • 0
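The point Ron makes about randomly named boot-start drivers that ComboFix lists with no image path can be checked mechanically across two logs. The Python script below is an added example, not code from the thread, from ComboFix or from any tool named in this post: it parses service/driver lines in ComboFix's `R0 name;display;path [x]` layout, flags boot-start entries that have no image file, no descriptive display name and a short all-lowercase name, and reports which flagged names recur between two runs (as `vqdtrh` and `wayuia` do in the two logs quoted above). The two log excerpts embedded in it are constructed from the entries quoted in this post; the heuristic thresholds are my own assumptions, not ComboFix's rules.

```python
"""Triage ComboFix service/driver entries for randomly named boot-start drivers.

Added example, not part of the thread or of ComboFix. The heuristic
(boot-start, no image path, no descriptive display name, short lowercase
name) is an assumption chosen to match the entries quoted in the post.
"""
import re

# One ComboFix service/driver line looks like:
#   <start> <service name>;<display name>;<image path> [<date size> | x]
# "[x]" means ComboFix could not locate or size the image file.
_ENTRY = re.compile(
    r"^(?P<start>[RS][0-4])\s+"   # R = running, S = stopped; 0 = boot start
    r"(?P<name>[^;]+);"
    r"(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*"
    r"\[(?P<tail>[^\]]*)\]\s*$"
)

# Shape of the names the post calls "randomly named": 5-8 lowercase letters,
# no vendor prefix, digits or capitals (assumed threshold).
_RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")

# Constructed excerpts built from the entries quoted in the post above.
OLD_LOG = "\n".join([
    "R0 nckkof;nckkof; [x]",
    "R0 pvkvlw;pvkvlw; [x]",
    "R0 qhpbzs;qhpbzs; [x]",
    "R0 qozysh;qozysh; [x]",
    "R0 sjzgxw;sjzgxw; [x]",
    "R0 vqdtrh;vqdtrh; [x]",
    "R0 wayuia;wayuia; [x]",
    "R0 wjtvys;wjtvys; [x]",
    "R0 xtoxpl;xtoxpl; [x]",
    "R0 zlnimc;zlnimc; [x]",
])
NEW_LOG = "\n".join([
    "R0 mjvhhu;mjvhhu; [x]",
    "R0 tcoifh;tcoifh; [x]",
    "R0 vqdtrh;vqdtrh; [x]",
    "R0 wayuia;wayuia; [x]",
    "R0 zedltn;zedltn; [x]",
    "S0 aswNdis2;avast! Firewall Core Firewall Service; [x]",
    "S1 aswSnx;aswSnx; [x]",
    r"S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]",
    r"S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2011-11-28 127192]",
])


def parse_entries(log_text):
    """Return one dict per service/driver line; lines in any other format are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if m:
            entries.append({k: v.strip() for k, v in m.groupdict().items()})
    return entries


def is_suspicious(entry):
    """Boot-start, no image file found, display name is just the service
    name repeated, and the name looks machine-generated."""
    boot_start = entry["start"] in ("R0", "S0")
    no_image = entry["path"] == "" and entry["tail"] == "x"
    no_description = entry["display"] == entry["name"]
    random_name = _RANDOM_NAME.match(entry["name"]) is not None
    return boot_start and no_image and no_description and random_name


def suspicious_names(log_text):
    """Sorted list of flagged service names in one log."""
    return sorted({e["name"] for e in parse_entries(log_text) if is_suspicious(e)})


def recurring_names(old_log, new_log):
    """Flagged names present in both logs. Truly random names should not
    repeat between runs, so a repeat deserves a closer look."""
    return sorted(set(suspicious_names(old_log)) & set(suspicious_names(new_log)))


if __name__ == "__main__":
    print("flagged in old log:", suspicious_names(OLD_LOG))
    print("flagged in new log:", suspicious_names(NEW_LOG))
    print("recurring:", recurring_names(OLD_LOG, NEW_LOG))
```

The heuristic is a triage aid, not a verdict: a flagged entry still needs its driver file located and checked, which is exactly what the post notes ComboFix does not always manage on 64-bit systems. Legitimate entries that also show `[x]`, such as the avast! drivers above, are left alone because they carry a vendor prefix, capitals or a descriptive display name.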

#26
DAV2

    Member

  • Topic Starter
  • Member
  • 140 posts
Logfile of random's system information tool 1.09 (written by random/random)
Run by 930 at 2012-01-16 11:45:17
Microsoft Windows 7 Professional Service Pack 1
System drive C: has 114 GB (75%) free of 153 GB
Total RAM: 6135 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:45:24 AM, on 1/16/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Users\930\Desktop\RSIT.exe
C:\Program Files (x86)\trend micro\930.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files (x86)\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKUS\S-1-5-21-2861902998-1298274927-726295685-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2861902998-1298274927-726295685-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - C:\Program Files\AVAST Software\Avast\afwServ.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5473 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}]
avast! WebRep - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2011-11-28 809040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - avast! WebRep - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2011-11-28 809040]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [2009-12-04 1310720]
"Ai Nap"=C:\Program Files (x86)\ASUS\AI Suite\AiNap\AiNap.exe [2010-03-10 1439360]
"QFan Help"=C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe [2010-01-13 611968]
"Cpu Level Up help"=C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe [2009-12-28 887936]
"avast"=C:\Program Files\AVAST Software\Avast\avastUI.exe [2011-11-28 3744552]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\SysWow64\webcheck.dll [2012-01-06 203776]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvyu"=msyuv.dll
"vidc.iyuv"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"vidc.yvu9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\SysWOW64\l3codeca.acm
"vidc.cvid"=iccvid.dll
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 1 month======

2012-01-16 11:45:17 ----D---- C:\rsit
2012-01-16 11:45:17 ----D---- C:\Program Files (x86)\trend micro
2012-01-16 07:40:03 ----A---- C:\Windows\SysWOW64\webio.dll
2012-01-16 07:40:03 ----A---- C:\Windows\SysWOW64\sspicli.dll
2012-01-16 07:40:03 ----A---- C:\Windows\SysWOW64\secur32.dll
2012-01-16 07:40:03 ----A---- C:\Windows\SysWOW64\schannel.dll
2012-01-16 07:38:02 ----A---- C:\Windows\ODBC.INI
2012-01-16 07:37:51 ----D---- C:\Program Files (x86)\Microsoft ActiveSync
2012-01-16 07:37:37 ----D---- C:\Program Files (x86)\Common Files\Designer
2012-01-16 07:37:03 ----D---- C:\Program Files (x86)\Microsoft Office
2012-01-16 06:39:06 ----SHD---- C:\$RECYCLE.BIN
2012-01-16 06:33:20 ----A---- C:\ComboFix.txt
2012-01-16 06:24:19 ----A---- C:\Windows\zip.exe
2012-01-16 06:24:19 ----A---- C:\Windows\SWSC.exe
2012-01-16 06:24:19 ----A---- C:\Windows\SWREG.exe
2012-01-16 06:24:19 ----A---- C:\Windows\sed.exe
2012-01-16 06:24:19 ----A---- C:\Windows\PEV.exe
2012-01-16 06:24:19 ----A---- C:\Windows\NIRCMD.exe
2012-01-16 06:24:19 ----A---- C:\Windows\MBR.exe
2012-01-16 06:24:19 ----A---- C:\Windows\grep.exe
2012-01-16 06:24:16 ----D---- C:\Windows\ERDNT
2012-01-16 06:24:14 ----D---- C:\Qoobox
2012-01-15 21:42:43 ----D---- C:\Windows\Microsoft Antimalware
2012-01-15 21:42:16 ----D---- C:\Windows\Windows Defender Offline
2012-01-15 19:36:04 ----A---- C:\Windows\SysWOW64\packager.dll
2012-01-15 19:35:58 ----A---- C:\Windows\SysWOW64\quartz.dll
2012-01-15 19:35:58 ----A---- C:\Windows\SysWOW64\qdvd.dll
2012-01-15 19:35:45 ----A---- C:\Windows\SysWOW64\ntdll.dll
2012-01-15 14:29:33 ----D---- C:\DOWN
2012-01-15 13:08:18 ----D---- C:\Users\930\AppData\Roaming\Malwarebytes
2012-01-15 13:08:10 ----D---- C:\ProgramData\Malwarebytes
2012-01-15 13:08:07 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-15 12:53:08 ----D---- C:\Quarantine
2012-01-15 11:46:41 ----ASH---- C:\pagefile.sys
2012-01-08 05:41:55 ----A---- C:\Windows\SysWOW64\aswBoot.exe
2012-01-08 05:41:55 ----A---- C:\Windows\avastSS.scr
2012-01-06 19:23:32 ----D---- C:\Program Files (x86)\Microsoft Silverlight
2012-01-06 19:14:45 ----D---- C:\Users\930\AppData\Roaming\Macromedia
2012-01-06 19:14:45 ----D---- C:\Users\930\AppData\Roaming\Adobe
2012-01-06 19:14:40 ----D---- C:\Windows\SysWOW64\Macromed
2012-01-06 18:49:51 ----D---- C:\Windows\PCHEALTH
2012-01-06 18:48:16 ----D---- C:\Program Files (x86)\NVIDIA Corporation
2012-01-06 18:48:15 ----D---- C:\ProgramData\NVIDIA
2012-01-06 18:47:30 ----D---- C:\ProgramData\NVIDIA Corporation
2012-01-06 18:40:28 ----A---- C:\Windows\SysWOW64\DWrite.dll
2012-01-06 18:40:28 ----A---- C:\Windows\SysWOW64\d2d1.dll
2012-01-06 18:13:03 ----D---- C:\Program Files (x86)\Microsoft.NET
2012-01-06 18:12:05 ----A---- C:\Windows\SysWOW64\esent.dll
2012-01-06 18:12:04 ----A---- C:\Windows\SysWOW64\fsutil.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\wininet.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\wextract.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\webcheck.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\vbscript.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\urlmon.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\url.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\SetIEInstalledDate.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\pngfilt.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\occache.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\msrating.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\msls31.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\mshtmler.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\mshtmled.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\mshtml.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\mshta.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\msfeedssync.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\msfeedsbs.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\msfeeds.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\licmgr10.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\jsproxy.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\jscript9.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\jscript.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\inseng.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\imgutil.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\iexpress.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ieUnatt.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ieui.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\iesysprep.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\iesetup.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\iertutil.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\iernonce.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\iepeers.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ieframe.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\iedkcs32.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ieapfltr.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ieapfltr.dat
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ieakui.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ieaksie.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ieakeng.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\IEAdvpack.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\ie4uinit.exe
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\icardie.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\dxtrans.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\dxtmsft.dll
2012-01-06 17:58:49 ----A---- C:\Windows\SysWOW64\admparse.dll
2012-01-06 17:50:14 ----A---- C:\Windows\SysWOW64\tquery.dll
2012-01-06 17:50:14 ----A---- C:\Windows\SysWOW64\mssrch.dll
2012-01-06 17:50:13 ----A---- C:\Windows\SysWOW64\SearchProtocolHost.exe
2012-01-06 17:50:13 ----A---- C:\Windows\SysWOW64\SearchIndexer.exe
2012-01-06 17:50:13 ----A---- C:\Windows\SysWOW64\SearchFilterHost.exe
2012-01-06 17:50:13 ----A---- C:\Windows\SysWOW64\mssvp.dll
2012-01-06 17:50:13 ----A---- C:\Windows\SysWOW64\mssph.dll
2012-01-06 17:50:12 ----A---- C:\Windows\SysWOW64\mssphtb.dll
2012-01-06 17:50:12 ----A---- C:\Windows\SysWOW64\msscntrs.dll
2012-01-06 17:50:07 ----A---- C:\Windows\SysWOW64\CPFilters.dll
2012-01-06 17:50:06 ----A---- C:\Windows\SysWOW64\sbe.dll
2012-01-06 17:50:04 ----A---- C:\Windows\SysWOW64\odbctrac.dll
2012-01-06 17:50:04 ----A---- C:\Windows\SysWOW64\odbcjt32.dll
2012-01-06 17:50:04 ----A---- C:\Windows\SysWOW64\odbccu32.dll
2012-01-06 17:50:04 ----A---- C:\Windows\SysWOW64\odbccr32.dll
2012-01-06 17:50:04 ----A---- C:\Windows\SysWOW64\odbccp32.dll
2012-01-06 17:49:56 ----A---- C:\Windows\SysWOW64\poqexec.exe
2012-01-06 17:49:50 ----A---- C:\Windows\SysWOW64\mfc42u.dll
2012-01-06 17:49:50 ----A---- C:\Windows\SysWOW64\mfc42.dll
2012-01-06 17:49:48 ----A---- C:\Windows\SysWOW64\explorer.exe
2012-01-06 17:49:48 ----A---- C:\Windows\explorer.exe
2012-01-06 17:49:46 ----A---- C:\Windows\SysWOW64\XpsGdiConverter.dll
2012-01-06 17:49:44 ----A---- C:\Windows\SysWOW64\xmllite.dll
2012-01-06 17:49:42 ----A---- C:\Windows\SysWOW64\kerberos.dll
2012-01-06 17:49:36 ----A---- C:\Windows\SysWOW64\XpsPrint.dll
2012-01-06 17:49:34 ----A---- C:\Windows\SysWOW64\fontsub.dll
2012-01-06 17:49:34 ----A---- C:\Windows\SysWOW64\dnscacheugc.exe
2012-01-06 17:49:34 ----A---- C:\Windows\SysWOW64\dnsapi.dll
2012-01-06 17:49:34 ----A---- C:\Windows\SysWOW64\atmlib.dll
2012-01-06 17:49:34 ----A---- C:\Windows\SysWOW64\atmfd.dll
2012-01-06 17:49:28 ----A---- C:\Windows\SysWOW64\d3d10_1.dll
2012-01-06 17:49:26 ----A---- C:\Windows\SysWOW64\prevhost.exe
2012-01-06 17:48:48 ----A---- C:\Windows\SysWOW64\tzres.dll
2012-01-06 17:48:36 ----A---- C:\Windows\SysWOW64\psisdecd.dll
2012-01-06 17:47:30 ----A---- C:\Windows\SysWOW64\KernelBase.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-01-06 17:47:29 ----AH---- C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-01-06 17:47:29 ----A---- C:\Windows\SysWOW64\wow32.dll
2012-01-06 17:47:29 ----A---- C:\Windows\SysWOW64\user.exe
2012-01-06 17:47:29 ----A---- C:\Windows\SysWOW64\setup16.exe
2012-01-06 17:47:29 ----A---- C:\Windows\SysWOW64\ntvdm64.dll
2012-01-06 17:47:29 ----A---- C:\Windows\SysWOW64\kernel32.dll
2012-01-06 17:47:29 ----A---- C:\Windows\SysWOW64\instnm.exe
2012-01-06 17:46:14 ----A---- C:\Windows\SysWOW64\drvinst.exe
2012-01-06 17:46:14 ----A---- C:\Windows\SysWOW64\devrtl.dll
2012-01-06 17:46:14 ----A---- C:\Windows\SysWOW64\devobj.dll
2012-01-06 17:46:14 ----A---- C:\Windows\SysWOW64\cfgmgr32.dll
2012-01-06 17:45:58 ----A---- C:\Windows\SysWOW64\inetcomm.dll
2012-01-06 17:45:49 ----A---- C:\Windows\SysWOW64\ntoskrnl.exe
2012-01-06 17:45:48 ----A---- C:\Windows\SysWOW64\ntkrnlpa.exe
2012-01-06 17:45:46 ----A---- C:\Windows\SysWOW64\EncDec.dll
2012-01-06 17:45:43 ----A---- C:\Windows\SysWOW64\oleaut32.dll
2012-01-06 17:45:43 ----A---- C:\Windows\SysWOW64\oleacc.dll
2012-01-05 10:03:17 ----D---- C:\ProgramData\McAfee
2012-01-04 16:42:01 ----A---- C:\Windows\SysWOW64\drivers\AsIO.sys
2012-01-04 16:42:01 ----A---- C:\Windows\SysWOW64\AsIO.dll
2012-01-04 16:41:57 ----D---- C:\Program Files (x86)\ASUS
2012-01-04 16:41:57 ----A---- C:\Windows\SysWOW64\drivers\AsInsHelp64.sys
2012-01-04 16:41:57 ----A---- C:\Windows\SysWOW64\drivers\AsInsHelp32.sys
2012-01-04 16:37:00 ----SHD---- C:\Windows\Installer
2012-01-04 16:36:48 ----D---- C:\ProgramData\AVAST Software
2012-01-04 13:42:23 ----D---- C:\Program Files (x86)\Creative
2012-01-04 13:42:22 ----N---- C:\Windows\SysWOW64\adi_oal.dll
2012-01-04 13:42:22 ----A---- C:\Windows\SysWOW64\wrap_oal.dll
2012-01-04 13:42:22 ----A---- C:\Windows\SysWOW64\OpenAL32.dll
2012-01-04 13:42:09 ----D---- C:\Program Files (x86)\Common Files\InstallShield
2012-01-04 13:42:04 ----A---- C:\Windows\SysWOW64\SFFXComm.dll
2012-01-04 13:41:55 ----D---- C:\ProgramData\SonicFocus
2012-01-04 13:41:46 ----D---- C:\Program Files (x86)\Analog Devices
2012-01-04 13:41:45 ----HD---- C:\Program Files (x86)\InstallShield Installation Information
2012-01-04 13:41:26 ----D---- C:\Users\930\AppData\Roaming\InstallShield
2012-01-04 13:40:38 ----D---- C:\Program Files (x86)\Marvell
2012-01-04 13:40:09 ----RA---- C:\Windows\SysWOW64\CSVer.dll
2012-01-04 13:40:09 ----D---- C:\Program Files (x86)\Intel
2012-01-04 13:39:59 ----A---- C:\Windows\Language_trs.ini
2012-01-03 20:58:45 ----D---- C:\Windows\SoftwareDistribution
2012-01-03 20:56:26 ----D---- C:\Windows\Prefetch
2012-01-03 20:54:21 ----D---- C:\Windows\Panther
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\raschap.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\RacEngn.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\qedit.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\provsvc.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\mstask.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\mscories.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\MSAC3ENC.DLL
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\mobsync.exe
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\MMDevAPI.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\MediaMetadataHandler.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\lsmproxy.dll
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\logagent.exe
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\KBDLT1.DLL
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\KBDINTEL.DLL
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\KBDCZ1.DLL
2012-01-03 19:39:44 ----A---- C:\Windows\SysWOW64\iTVData.dll
2012-01-03 19:39:43 ----A---- C:\Windows\SysWOW64\samcli.dll
2012-01-03 19:39:43 ----A---- C:\Windows\SysWOW64\Robocopy.exe
2012-01-03 19:39:43 ----A---- C:\Windows\SysWOW64\RMActivate.exe
2012-01-03 19:39:43 ----A---- C:\Windows\SysWOW64\propsys.dll
2012-01-03 19:39:42 ----A---- C:\Windows\SysWOW64\schtasks.exe
2012-01-03 19:39:41 ----A---- C:\Windows\SysWOW64\ReAgent.dll
2012-01-03 19:39:41 ----A---- C:\Windows\SysWOW64\rdprefdrvapi.dll
2012-01-03 19:39:41 ----A---- C:\Windows\SysWOW64\olepro32.dll
2012-01-03 19:39:41 ----A---- C:\Windows\SysWOW64\nlsbres.dll
2012-01-03 19:39:41 ----A---- C:\Windows\SysWOW64\netiougc.exe
2012-01-03 19:39:41 ----A---- C:\Windows\SysWOW64\netiohlp.dll
2012-01-03 19:39:41 ----A---- C:\Windows\SysWOW64\netcfgx.dll
2012-01-03 19:39:41 ----A---- C:\Windows\SysWOW64\ncryptui.dll
2012-01-03 19:39:40 ----A---- C:\Windows\SysWOW64\perfmon.exe
2012-01-03 19:39:40 ----A---- C:\Windows\SysWOW64\pdhui.dll
2012-01-03 19:39:40 ----A---- C:\Windows\SysWOW64\ntlanman.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\imapi2.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\evr.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\dxgi.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\d3d10level9.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\cryptui.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\cryptsvc.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\cmd.exe
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\cdosys.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\C_ISCII.DLL
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\authui.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\AudioSes.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\asycfilt.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\advapi32.dll
2012-01-03 19:39:39 ----A---- C:\Windows\SysWOW64\activeds.dll
2012-01-03 19:39:38 ----A---- C:\Windows\SysWOW64\systemcpl.dll
2012-01-03 19:39:38 ----A---- C:\Windows\SysWOW64\ExplorerFrame.dll
2012-01-03 19:39:38 ----A---- C:\Windows\SysWOW64\dskquoui.dll
2012-01-03 19:39:38 ----A---- C:\Windows\SysWOW64\diskpart.exe
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\wmpsrcwp.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\wmpmde.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\themecpl.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\tcpipcfg.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\StructuredQuery.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\srvcli.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\sppinst.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\spp.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\spbcd.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\shsetup.dll
2012-01-03 19:39:37 ----A---- C:\Windows\SysWOW64\shlwapi.dll
2012-01-03 19:39:36 ----A---- C:\Windows\SysWOW64\XpsRasterService.dll
2012-01-03 19:39:36 ----A---- C:\Windows\SysWOW64\wvc.dll
2012-01-03 19:39:36 ----A---- C:\Windows\SysWOW64\wuwebv.dll
2012-01-03 19:39:36 ----A---- C:\Windows\SysWOW64\wuapp.exe
2012-01-03 19:39:36 ----A---- C:\Windows\SysWOW64\wtsapi32.dll
2012-01-03 19:39:36 ----A---- C:\Windows\SysWOW64\WPDSp.dll
2012-01-03 19:39:36 ----A---- C:\Windows\SysWOW64\tzutil.exe
2012-01-03 19:39:35 ----A---- C:\Windows\twain_32.dll
2012-01-03 19:39:34 ----A---- C:\Windows\SysWOW64\wiadefui.dll
2012-01-03 19:39:34 ----A---- C:\Windows\SysWOW64\wdc.dll
2012-01-03 19:39:34 ----A---- C:\Windows\SysWOW64\wavemsp.dll
2012-01-03 19:39:34 ----A---- C:\Windows\SysWOW64\untfs.dll
2012-01-03 19:39:34 ----A---- C:\Windows\SysWOW64\unlodctr.exe
2012-01-03 19:39:34 ----A---- C:\Windows\SysWOW64\shacct.dll
2012-01-03 19:39:33 ----A---- C:\Windows\SysWOW64\setupugc.exe
2012-01-03 19:39:33 ----A---- C:\Windows\SysWOW64\setupapi.dll
2012-01-03 19:39:33 ----A---- C:\Windows\SysWOW64\secproc.dll
2012-01-03 19:39:33 ----A---- C:\Windows\SysWOW64\mfc40u.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\OnLineIDCpl.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\ocsetup.exe
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\ocsetapi.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\ntshrui.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\nshipsec.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\NAPCRYPT.DLL
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\MuiUnattend.exe
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\msxml6.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\mstsc.exe
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\msinfo32.exe
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\msihnd.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\mscorier.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\mprapi.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\logoncli.dll
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\logman.exe
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\KBDSF.DLL
2012-01-03 19:39:32 ----A---- C:\Windows\SysWOW64\itircl.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\imm32.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\gpprefcl.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\fde.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\elsTrans.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\efscore.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\eapphost.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\eappgnui.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\eapp3hst.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\DxpTaskSync.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\dxdiagn.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\drvstore.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\dot3ui.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\dot3cfg.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\d3d10_1core.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\crypt32.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\credui.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\comctl32.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\CertEnroll.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\cabview.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\Bubbles.scr
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\browcli.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\autochk.exe
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\AdmTmpl.dll
2012-01-03 19:39:31 ----A---- C:\Windows\SysWOW64\accessibilitycpl.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\WMVDECOD.DLL
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\WMVCORE.DLL
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\WMSPDMOD.DLL
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\WMPEncEn.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\wlanui.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\winmm.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\UIRibbonRes.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\UIRibbon.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\TRAPI.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\themeui.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\taskschd.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\taskeng.exe
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\t2embed.dll
2012-01-03 19:39:30 ----A---- C:\Windows\SysWOW64\SyncCenter.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\zipfldr.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\win32spl.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\wdscore.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\wbemcomn.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\usercpl.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\user32.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\upnp.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\sppcomapi.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\schedcli.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\Ribbons.scr
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\relog.exe
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\rastls.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\rastapi.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\qcap.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\powercpl.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\PortableDeviceSyncProvider.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\pla.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\PerfCenterCPL.dll
2012-01-03 19:39:29 ----A---- C:\Windows\SysWOW64\pdh.dll
2012-01-03 19:39:28 ----A---- C:\Windows\SysWOW64\sud.dll
2012-01-03 19:39:28 ----A---- C:\Windows\SysWOW64\slwga.dll
2012-01-03 19:39:28 ----A---- C:\Windows\SysWOW64\setupcln.dll
2012-01-03 19:39:28 ----A---- C:\Windows\SysWOW64\SessEnv.dll
2012-01-03 19:39:28 ----A---- C:\Windows\SysWOW64\KBDUGHR1.DLL
2012-01-03 19:39:28 ----A---- C:\Windows\SysWOW64\KBDTUF.DLL
2012-01-03 19:39:28 ----A---- C:\Windows\SysWOW64\KBDSG.DLL
2012-01-03 19:39:28 ----A---- C:\Windows\splwow64.exe
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\pnidui.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\olethk32.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\ole32.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\odbcconf.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\nshwfp.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\networkmap.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\networkexplorer.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\netshell.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\netbtugc.exe
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\migisol.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\KBDPO.DLL
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\KBDMAORI.DLL
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\KBDINORI.DLL
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\KBDINKAN.DLL
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\KBDBLR.DLL
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\isoburn.exe
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\iscsium.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\iscsicli.exe
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\ipsmsnap.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\iprtrmgr.dll
2012-01-03 19:39:27 ----A---- C:\Windows\SysWOW64\imapi2fs.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\nci.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\napdsnap.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\muifontsetup.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\mswsock.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\msv1_0.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\msorcl32.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\msieftp.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\msdrm.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\DevicePairingFolder.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\credssp.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\CertPolEng.dll
2012-01-03 19:39:26 ----A---- C:\Windows\SysWOW64\calc.exe
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\TSpkg.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\hgcpl.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\FWPUCLNT.DLL
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\ftp.exe
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\FirewallControlPanel.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\findstr.exe
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\fdeploy.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\eudcedit.exe
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\DXPTaskRingtone.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\dsauth.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\dpx.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\dpnaddr.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\dnscmmc.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\batmeter.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\appmgr.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\apphelp.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\ActionCenterCPL.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\ActionCenter.dll
2012-01-03 19:39:25 ----A---- C:\Windows\SysWOW64\acppage.dll
2012-01-03 19:39:25 ----A---- C:\Windows\bfsvc.exe
2012-01-03 19:39:24 ----A---- C:\Windows\SysWOW64\unimdmat.dll
2012-01-03 19:39:24 ----A---- C:\Windows\SysWOW64\twext.dll
2012-01-03 19:39:24 ----A---- C:\Windows\SysWOW64\tcpmonui.dll
2012-01-03 19:39:24 ----A---- C:\Windows\SysWOW64\takeown.exe
2012-01-03 19:39:24 ----A---- C:\Windows\SysWOW64\stobject.dll
2012-01-03 19:39:23 ----A---- C:\Windows\SysWOW64\wlanmsm.dll
2012-01-03 19:39:23 ----A---- C:\Windows\SysWOW64\WinSCard.dll
2012-01-03 19:39:22 ----A---- C:\Windows\SysWOW64\wusa.exe
2012-01-03 19:39:22 ----A---- C:\Windows\SysWOW64\wsnmp32.dll
2012-01-03 19:39:22 ----A---- C:\Windows\SysWOW64\WsmSvc.dll
2012-01-03 19:39:22 ----A---- C:\Windows\SysWOW64\WPDShServiceObj.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\wpdshext.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\WMVSDECD.DLL
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\wimserv.exe
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\wimgapi.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\wiavideo.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\wer.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\webservices.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\WebClnt.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\w32tm.exe
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\Vault.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\userinit.exe
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\userenv.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\secproc_isv.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\scecli.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\RpcRtRemote.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\rpcrt4.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\rpchttp.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\RMActivate_isv.exe
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\remotepg.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\ReAgentc.exe
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\rdpd3d.dll
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\QAGENT.DLL
2012-01-03 19:39:21 ----A---- C:\Windows\SysWOW64\prntvpt.dll
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\SndVolSSO.dll
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\SndVol.exe
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\QUTIL.DLL
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\QCLIPROV.DLL
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\mprddm.dll
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\mmcndmgr.dll
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\mfds.dll
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\mf.dll
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\mciavi32.dll
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\mcbuilder.exe
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\mapistub.dll
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\KBDNEPR.DLL
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\KBDGR1.DLL
2012-01-03 19:39:20 ----A---- C:\Windows\SysWOW64\KBDGEO.DLL
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\PortableDeviceStatus.dll
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\pifmgr.dll
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\onexui.dll
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\onex.dll
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\odbc32.dll
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\nslookup.exe
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\netid.dll
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\msrle32.dll
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\mapi32.dll
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\KBDTURME.DLL
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\KBDTUQ.DLL
2012-01-03 19:39:19 ----A---- C:\Windows\SysWOW64\IPHLPAPI.DLL
2012-01-03 19:39:18 ----A---- C:\Windows\SysWOW64\mscoree.dll
2012-01-03 19:39:18 ----A---- C:\Windows\SysWOW64\msasn1.dll
2012-01-03 19:39:17 ----A---- C:\Windows\SysWOW64\netapi32.dll
2012-01-03 19:39:17 ----A---- C:\Windows\SysWOW64\Mystify.scr
2012-01-03 19:39:17 ----A---- C:\Windows\SysWOW64\msvidc32.dll
2012-01-03 19:39:17 ----A---- C:\Windows\SysWOW64\msvfw32.dll
2012-01-03 19:39:17 ----A---- C:\Windows\SysWOW64\comdlg32.dll
2012-01-03 19:39:16 ----A---- C:\Windows\SysWOW64\dhcpcore.dll
2012-01-03 19:39:16 ----A---- C:\Windows\SysWOW64\dfshim.dll
2012-01-03 19:39:16 ----A---- C:\Windows\SysWOW64\davclnt.dll
2012-01-03 19:39:16 ----A---- C:\Windows\SysWOW64\d3d9.dll
2012-01-03 19:39:16 ----A---- C:\Windows\SysWOW64\certcli.dll
2012-01-03 19:39:13 ----A---- C:\Windows\SysWOW64\iasrad.dll
2012-01-03 19:39:13 ----A---- C:\Windows\SysWOW64\iasacct.dll
2012-01-03 19:39:13 ----A---- C:\Windows\SysWOW64\httpapi.dll
2012-01-03 19:39:13 ----A---- C:\Windows\SysWOW64\d3d11.dll
2012-01-03 19:39:13 ----A---- C:\Windows\SysWOW64\basecsp.dll
2012-01-03 19:39:13 ----A---- C:\Windows\SysWOW64\avifil32.dll
2012-01-03 19:39:13 ----A---- C:\Windows\SysWOW64\AuthFWSnapin.dll
2012-01-03 19:39:13 ----A---- C:\Windows\SysWOW64\adsldp.dll
2012-01-03 19:39:12 ----A---- C:\Windows\SysWOW64\tapisrv.dll
2012-01-03 19:39:12 ----A---- C:\Windows\SysWOW64\PresentationHost.exe
2012-01-03 19:39:12 ----A---- C:\Windows\SysWOW64\imagehlp.dll
2012-01-03 19:39:12 ----A---- C:\Windows\SysWOW64\framedynos.dll
2012-01-03 19:39:12 ----A---- C:\Windows\SysWOW64\framedyn.dll
2012-01-03 19:39:12 ----A---- C:\Windows\SysWOW64\fontext.dll
2012-01-03 19:39:12 ----A---- C:\Windows\SysWOW64\Display.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\wscapi.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\ws2_32.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\wmpps.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\WMPhoto.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\wmpdxm.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\wmdrmnet.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\wmdrmdev.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\WMADMOD.DLL
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\uxlib.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\utildll.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\usp10.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\ssText3d.scr
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\srchadmin.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\sqlsrv32.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\sqlcese30.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\spwizres.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\spwizeng.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\sppc.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\shsvcs.dll
2012-01-03 19:39:11 ----A---- C:\Windows\SysWOW64\SearchFolder.dll
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\shimgvw.dll
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\riched32.dll
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\riched20.dll
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\rdpcore.dll
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\QSVRMGMT.DLL
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\QSHVHOST.DLL
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\qdv.dll
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\qasf.dll
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\proquota.exe
2012-01-03 19:39:10 ----A---- C:\Windows\SysWOW64\prnfldr.dll
2012-01-03 19:39:09 ----A---- C:\Windows\SysWOW64\mimefilt.dll
2012-01-03 19:39:09 ----A---- C:\Windows\SysWOW64\mfc40.dll
2012-01-03 19:39:09 ----A---- C:\Windows\SysWOW64\mciqtz32.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\ntprint.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\nlaapi.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\netutils.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\netplwiz.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\netjoin.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\netfxperf.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\ncsi.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\NAPHLPR.DLL
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\mydocs.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\mtxclu.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\msxml3.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\mstscax.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\msscp.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\msnetobj.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\msiexec.exe
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\msi.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\localsec.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\kbdlk41a.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\KBDINBEN.DLL
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\KBDGKL.DLL
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\KBDBULG.DLL
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\KBDBASH.DLL
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\input.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\dbghelp.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\dbgeng.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\d3d10warp.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\cscobj.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\cmstp.exe
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\clusapi.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\certmgr.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\blackbox.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\bitsadmin.exe
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\AzSqlExt.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\autofmt.exe
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\audiodev.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\amstream.dll
2012-01-03 19:39:08 ----A---- C:\Windows\SysWOW64\aaclient.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\TSWorkspace.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\tsmf.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\tsgqec.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\tlscsp.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\syssetup.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\syncui.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\sxs.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\sscore.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\spopk.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\fphc.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\Faultrep.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\dsuiext.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\DShowRdpFilter.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\drmmgrtn.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\dot3msm.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\dot3api.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\diskraid.exe
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\dfrgui.exe
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\DeviceCenter.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\azroles.dll
2012-01-03 19:39:07 ----A---- C:\Windows\SysWOW64\autoplay.dll
2012-01-03 19:39:05 ----A---- C:\Windows\SysWOW64\wmdrmsdk.dll
2012-01-03 19:39:05 ----A---- C:\Windows\SysWOW64\Wldap32.dll
2012-01-03 19:39:05 ----A---- C:\Windows\SysWOW64\wlanpref.dll
2012-01-03 19:39:05 ----A---- C:\Windows\SysWOW64\wlangpui.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\xpsservices.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\WSDApi.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\wpdwcn.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\WerFaultSecure.exe
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\wcncsvc.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\vpnikeapi.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\SmartcardCredentialProvider.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\sisbkup.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\shwebsvc.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\shunimpl.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\shell32.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\shdocvw.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\resutils.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\regapi.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\rdpendp.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\rdpencom.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\rasppp.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\prncache.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\printui.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\PresentationHostProxy.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\PortableDeviceApi.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\PkgMgr.exe
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\perfts.dll
2012-01-03 19:39:04 ----A---- C:\Windows\SysWOW64\OobeFldr.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\wmpshell.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\wmpeffects.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\wmp.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\WMNetMgr.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\wkscli.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\wintrust.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\winsta.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\WinSATAPI.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\winhttp.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\tsbyuv.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\shgina.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\sethc.exe
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\SensorsCpl.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\secproc_ssp_isv.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\scansetting.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\runonce.exe
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\rtutils.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\msftedit.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\msdmo.dll
2012-01-03 19:39:03 ----A---- C:\Windows\SysWOW64\mscms.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\wmploc.DLL
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\thumbcache.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\termmgr.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\taskmgr.exe
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\taskcomp.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\sqmapi.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\spwmp.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\printmanagement.msc
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\ppcsnap.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\pmcsnap.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\photowiz.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\PhotoScreensaver.scr
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\OpcServices.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\netlogon.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\azroleui.dll
2012-01-03 19:39:02 ----A---- C:\Windows\SysWOW64\autoconv.exe
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\wups.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\wudriver.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\wuapi.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\wshirda.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\wshbth.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\wsdchngr.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\secproc_ssp.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\scrptadm.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\scesrv.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\RMActivate_ssp.exe
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\Query.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\PushPrinterConnections.exe
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\puiobj.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\netdiagfx.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\netcenter.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\net1.exe
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\msyuv.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\MSVidCtl.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\msutb.dll
2012-01-03 19:39:01 ----A---- C:\Windows\SysWOW64\MSMPEG2ENC.DLL
2012-01-03 19:39:00 ----A---- C:\Windows\SysWOW64\NaturalLanguage6.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\WindowsCodecs.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\vssapi.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\vfwwdm32.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\vdsbas.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\VAN.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\UserAccountControlSettings.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\mfreadwrite.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\MFPlay.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\MCEWMDRMNDBootstrap.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\luainstall.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\KBDUS.DLL
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\KBDTAJIK.DLL
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\KBDMON.DLL
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\KBDINTAM.DLL
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\KBDINMAR.DLL
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\KBDINHIN.DLL
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\iyuv_32.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\inetmib1.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\dxmasf.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\dwmcore.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\defaultlocationcpl.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\cscdll.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\cscapi.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\cca.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\cabinet.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\browseui.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\bitsperf.dll
2012-01-03 19:38:59 ----A---- C:\Windows\SysWOW64\actxprxy.dll
2012-01-03 19:38:58 ----A---- C:\Windows\SysWOW64\ifsutil.dll
2012-01-03 19:38:58 ----A---- C:\Windows\SysWOW64\iccvid.dll
2012-01-03 19:38:58 ----A---- C:\Windows\SysWOW64\iasrecst.dll
2012-01-03 19:38:58 ----A---- C:\Windows\SysWOW64\hbaapi.dll
2012-01-03 19:38:58 ----A---- C:\Windows\SysWOW64\gdi32.dll
2012-01-03 19:38:58 ----A---- C:\Windows\SysWOW64\gameux.dll
2012-01-03 19:38:58 ----A---- C:\Windows\SysWOW64\fms.dll
2012-01-03 19:38:58 ----A---- C:\Windows\SysWOW64\EhStorAPI.dll
2012-01-03 19:28:32 ----D---- C:\Users\930\AppData\Roaming\Identities
2012-01-03 19:28:22 ----SD---- C:\Users\930\AppData\Roaming\Microsoft
2012-01-03 19:28:22 ----D---- C:\Users\930\AppData\Roaming\Media Center Programs

======List of files/folders modified in the last 1 month======

2012-01-16 11:45:20 ----D---- C:\Windows\Temp
2012-01-16 11:45:17 ----RD---- C:\Program Files (x86)
2012-01-16 08:32:20 ----D---- C:\Windows\System32
2012-01-16 08:32:20 ----D---- C:\Windows\inf
2012-01-16 08:07:09 ----D---- C:\Windows\winsxs
2012-01-16 08:05:25 ----D---- C:\Windows\SysWOW64
2012-01-16 07:40:27 ----D---- C:\Program Files (x86)\Common Files\microsoft shared
2012-01-16 07:40:08 ----SHD---- C:\System Volume Information
2012-01-16 07:38:02 ----D---- C:\Windows
2012-01-16 07:37:43 ----D---- C:\Windows\ShellNew
2012-01-16 07:37:37 ----D---- C:\Program Files (x86)\Common Files
2012-01-16 07:37:19 ----RSD---- C:\Windows\Fonts
2012-01-16 07:37:05 ----D---- C:\Windows\Help
2012-01-16 07:37:03 ----SD---- C:\ProgramData\Microsoft
2012-01-16 07:35:22 ----D---- C:\Windows\system
2012-01-16 06:30:00 ----A---- C:\Windows\system.ini
2012-01-16 06:26:53 ----D---- C:\Windows\SysWOW64\drivers
2012-01-16 06:26:53 ----D---- C:\Windows\AppPatch
2012-01-16 06:15:50 ----D---- C:\Windows\ehome
2012-01-15 13:08:10 ----D---- C:\ProgramData
2012-01-15 12:57:43 ----D---- C:\DOWNFROMC
2012-01-08 08:18:19 ----D---- C:\Windows\debug
2012-01-08 06:58:01 ----D---- C:\Windows\rescache
2012-01-07 13:24:03 ----D---- C:\Windows\Microsoft.NET
2012-01-07 13:23:55 ----RSD---- C:\Windows\assembly
2012-01-06 18:50:01 ----RD---- C:\Program Files
2012-01-06 18:48:19 ----RD---- C:\Users
2012-01-06 18:31:03 ----D---- C:\Windows\SysWOW64\en-US
2012-01-06 18:01:16 ----D---- C:\Windows\SysWOW64\migration
2012-01-06 18:01:16 ----D---- C:\Windows\PolicyDefinitions
2012-01-06 18:01:16 ----D---- C:\Program Files (x86)\Common Files\System
2012-01-06 18:01:15 ----D---- C:\Program Files (x86)\Internet Explorer
2012-01-06 17:59:11 ----D---- C:\Windows\Logs
2012-01-03 20:56:19 ----D---- C:\Windows\CSC
2012-01-03 19:59:56 ----D---- C:\Program Files (x86)\Windows Sidebar
2012-01-03 19:59:56 ----D---- C:\Program Files (x86)\Windows Portable Devices
2012-01-03 19:59:56 ----D---- C:\Program Files (x86)\Windows Photo Viewer
2012-01-03 19:59:56 ----D---- C:\Program Files (x86)\Windows Media Player
2012-01-03 19:59:56 ----D---- C:\Program Files (x86)\Windows Mail
2012-01-03 19:59:54 ----D---- C:\Windows\servicing
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\sppui
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\Setup
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\oobe
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\manifeststore
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\es-ES
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\en
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\da-DK
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\cs-CZ
2012-01-03 19:59:52 ----D---- C:\Windows\SysWOW64\AdvancedInstallers
2012-01-03 19:59:51 ----D---- C:\Windows\SysWOW64\wbem
2012-01-03 19:59:51 ----D---- C:\Windows\SysWOW64\migwiz
2012-01-03 19:59:51 ----D---- C:\Windows\SysWOW64\Dism
2012-01-03 19:56:08 ----A---- C:\Windows\SysWOW64\msclmd.dll
2012-01-03 19:28:18 ----D---- C:\Recovery

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 aswNdis;avast! Firewall NDIS Filter Service; C:\Windows\system32\DRIVERS\aswNdis.sys []
R0 aswNdis2;avast! Firewall Core Firewall Service; C:\Windows\SysWOW64\drivers\aswNdis2.sys []
R0 pciide;pciide; C:\Windows\system32\drivers\pciide.sys []
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys []
R0 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\drivers\vmbus.sys []
R1 AsIO;AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [2009-08-04 13440]
R1 aswFW;avast! TDI Firewall driver; C:\Windows\SysWOW64\drivers\aswFW.sys []
R1 aswRdr;aswRdr; C:\Windows\SysWOW64\drivers\aswRdr.sys []
R1 aswSnx;aswSnx; C:\Windows\SysWOW64\drivers\aswSnx.sys []
R1 aswSP;aswSP; C:\Windows\SysWOW64\drivers\aswSP.sys []
R1 aswTdi;avast! Network Shield Support; C:\Windows\SysWOW64\drivers\aswTdi.sys []
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys []
R2 aswFsBlk;aswFsBlk; C:\Windows\SysWOW64\drivers\aswFsBlk.sys []
R2 aswMonFlt;aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\ADIHdAud.sys []
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys []
R3 Point64;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point64.sys []
S0 mjvhhu;mjvhhu; C:\Windows\SysWOW64\drivers\mjvhhu.sys []
S0 tcoifh;tcoifh; C:\Windows\SysWOW64\drivers\tcoifh.sys []
S0 vqdtrh;vqdtrh; C:\Windows\SysWOW64\drivers\vqdtrh.sys []
S0 wayuia;wayuia; C:\Windows\SysWOW64\drivers\wayuia.sys []
S0 zedltn;zedltn; C:\Windows\SysWOW64\drivers\zedltn.sys []
S3 BridgeMP;@%SystemRoot%\system32\bridgeres.dll,-1; C:\Windows\system32\DRIVERS\bridge.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys []
S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys []
S3 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys []
S3 TsUsbFlt;TsUsbFlt; C:\Windows\system32\drivers\tsusbflt.sys []
S3 VMBusHID;VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-11-28 44768]
R2 avast! Firewall;avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [2011-11-28 127192]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe []
R2 nvUpdatusService;NVIDIA Update Service Daemon; C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S4 AEADIFilters;Andrea ADI Filters Service; C:\Windows\system32\AEADISRV.EXE []

-----------------EOF-----------------
info.txt logfile of random's system information tool 1.09 2012-01-16 11:45:25

======Uninstall list======

-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{BA8A7C81-B0D0-422D-8FBD-BF2D25986667}\setup.exe" -l0x9
AI Suite-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{310BC5E2-31AF-49BB-904D-E71EB93645DC}\setup.exe" -l0x9
avast! Internet Security-->C:\Program Files\AVAST Software\Avast\aswRunDll.exe "C:\Program Files\AVAST Software\Avast\Setup\setiface.dll" RunSetup
Host OpenAL (ADI)-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{BA8A7C81-B0D0-422D-8FBD-BF2D25986667}\setup.exe" -l0x9 /remove
Malwarebytes Anti-Malware version 1.60.0.1800-->"C:\Program Files (x86)\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver-->C:\Program Files (x86)\Marvell\Miniport Driver\Uninst.exe
Microsoft Office XP Small Business-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161-->MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {E720AD01-93D5-3E8E-BB8D-E4EF5AF4E5DD} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {BCD37DCB-F479-3D4D-A90E-A0F7575549C4} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {FF811680-AECE-3F35-A98C-1B84B6E09168} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {E59B2174-E924-311F-8549-AD714C14664D} /parameterfolder Client
SoundMAX-->C:\Program Files (x86)\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe -runfromtemp -l0x0009 -removeonly
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {29C7BE97-DE59-37A2-A687-2ADD5321948A} /parameterfolder Client
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {7D799A81-5661-3159-BF92-754161CED6E6} /parameterfolder Client

======System event log======

Computer Name: 930-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)
Record Number: 1816
Source Name: Microsoft-Windows-Time-Service
Time Written: 20120106221854.233625-000
Event Type: Warning
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: 930-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)
Record Number: 1815
Source Name: Microsoft-Windows-Time-Service
Time Written: 20120106221842.174804-000
Event Type: Warning
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: 930-PC
Event Code: 1014
Message: Name resolution for the name download755.avast.com timed out after none of the configured DNS servers responded.
Record Number: 1804
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20120106221540.618276-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: 930-PC
Event Code: 16
Message: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
Record Number: 1694
Source Name: Microsoft-Windows-WindowsUpdateClient
Time Written: 20120106204225.358976-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: 930-PC
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
cdrom
Record Number: 1399
Source Name: Service Control Manager
Time Written: 20120105151535.925203-000
Event Type: Error
User:

=====Application event log=====

Computer Name: 930-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-2861902998-1298274927-726295685-1000:
Process 1032 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1032 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1032 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1032 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Policies
Process 1032 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software

Record Number: 676
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20120106224758.463048-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: 930-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-2861902998-1298274927-726295685-1000_Classes:
Process 2580 (\Device\CdRom0\Intel_ChipsetUtility\Intel_ChipsetUtility_V9101001_Win7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000_CLASSES
Process 2956 (\Device\CdRom0\SoundMAX2000B_Audio_V610X6585_Windows7\SoundMAX2000B_Audio_V610X6585_Windows7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000_CLASSES

Record Number: 433
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20120104194325.300308-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: 930-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
14 user registry handles leaked from \Registry\User\S-1-5-21-2861902998-1298274927-726295685-1000:
Process 2580 (\Device\CdRom0\Intel_ChipsetUtility\Intel_ChipsetUtility_V9101001_Win7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000
Process 2956 (\Device\CdRom0\SoundMAX2000B_Audio_V610X6585_Windows7\SoundMAX2000B_Audio_V610X6585_Windows7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000
Process 2580 (\Device\CdRom0\Intel_ChipsetUtility\Intel_ChipsetUtility_V9101001_Win7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 2956 (\Device\CdRom0\SoundMAX2000B_Audio_V610X6585_Windows7\SoundMAX2000B_Audio_V610X6585_Windows7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 2580 (\Device\CdRom0\Intel_ChipsetUtility\Intel_ChipsetUtility_V9101001_Win7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Process 2956 (\Device\CdRom0\SoundMAX2000B_Audio_V610X6585_Windows7\SoundMAX2000B_Audio_V610X6585_Windows7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Process 2580 (\Device\CdRom0\Intel_ChipsetUtility\Intel_ChipsetUtility_V9101001_Win7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 2956 (\Device\CdRom0\SoundMAX2000B_Audio_V610X6585_Windows7\SoundMAX2000B_Audio_V610X6585_Windows7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 2580 (\Device\CdRom0\Intel_ChipsetUtility\Intel_ChipsetUtility_V9101001_Win7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 2956 (\Device\CdRom0\SoundMAX2000B_Audio_V610X6585_Windows7\SoundMAX2000B_Audio_V610X6585_Windows7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 2580 (\Device\CdRom0\Intel_ChipsetUtility\Intel_ChipsetUtility_V9101001_Win7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Policies
Process 2956 (\Device\CdRom0\SoundMAX2000B_Audio_V610X6585_Windows7\SoundMAX2000B_Audio_V610X6585_Windows7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software\Policies
Process 2580 (\Device\CdRom0\Intel_ChipsetUtility\Intel_ChipsetUtility_V9101001_Win7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software
Process 2956 (\Device\CdRom0\SoundMAX2000B_Audio_V610X6585_Windows7\SoundMAX2000B_Audio_V610X6585_Windows7\AsusSetup.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000\Software

Record Number: 432
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20120104194324.785507-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: 930-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2861902998-1298274927-726295685-1000:
Process 540 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2861902998-1298274927-726295685-1000

Record Number: 241
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20120104015846.166045-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: 37L4247E29-32
Event Code: 1008
Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.

Record Number: 190
Source Name: Microsoft-Windows-Search
Time Written: 20120104030608.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: 37L4247E29-32
Event Code: 4735
Message: A security-enabled local group was changed.

Subject:
Security ID: S-1-5-18
Account Name: 37L4247E29-32$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin

Changed Attributes:
SAM Account Name: -
SID History: -

Additional Information:
Privileges: -
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20120104025558.498087-000
Event Type: Audit Success
User:

Computer Name: 37L4247E29-32
Event Code: 4731
Message: A security-enabled local group was created.

Subject:
Security ID: S-1-5-18
Account Name: 37L4247E29-32$
Account Domain: WORKGROUP
Logon ID: 0x3e7

New Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin

Attributes:
SAM Account Name: Backup Operators
SID History: -

Additional Information:
Privileges: -
Record Number: 4
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20120104025558.498087-000
Event Type: Audit Success
User:

Computer Name: 37L4247E29-32
Event Code: 4902
Message: The Per-user audit policy table was created.

Number of Elements: 0
Policy ID: 0x32eca
Record Number: 3
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20120104025558.108087-000
Event Type: Audit Success
User:

Computer Name: 37L4247E29-32
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 0

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x4
Process Name:

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 2
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20120104025555.315682-000
Event Type: Audit Success
User:

Computer Name: 37L4247E29-32
Event Code: 4608
Message: Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20120104025555.175282-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=8
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 26 Stepping 5, GenuineIntel
"PROCESSOR_REVISION"=1a05

-----------------EOF-----------------
  • 0

#27
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
145 signed drivers with no integrity violations.
Still testing and scanning the first computer. In the past it has taken a few days of use before the Trojan returned on some of the computers. I am running out of virgin directories for the Avast updates.
This computer was simply a reload of Win without the usual kill disk, and the Trojan was there from day 1.

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/01/2012 12:35:27 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#28
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/01/2012 12:37:51 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 16/01/2012 6:04:22 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: iexplore.exe, version: 9.0.8112.16421, time stamp: 0x4d76255d Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f Exception code: 0xc0000005 Fault offset: 0x000222b2 Faulting process id: 0xb70 Faulting application start time: 0x01ccd4794383811a Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\SysWOW64\ntdll.dll Report Id: 83f5660c-406c-11e1-9b58-90e6ba82c0fd

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#29
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, on the first computer, ESET failed to run even with default security and default privacy.
  • 0

#30
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Bitdefender likewise failed to run on the first computer at default security and privacy settings.
  • 0





