System tool Feb. 2011

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

6 Pages
1
2
3
→
Last »

You cannot start a new topic
This topic is locked

System tool Feb. 2011

#1 Nulecule

Member

Group: Members
Posts: 43
Joined: 04-February 11

Posted 04 February 2011 - 04:32 PM

Hi,

I was lately infected by Palladium pro but was able to End Process it from task manager and start cpu normally following your instructions (thx btw, much appreciated) - it is not uninstalled from my system though.

I got a new infection yesterday by System Tool and while trying to get rid of it, the following happened:

- Unlimited amount of Popups flashing on my screen - all blank windows - and then disappear at a very high speed. The windows are just titled "blank".

- When I do manage to keep taskmanager on from startup - from safe mode w network - I can see an unlimited amount of .exe files keep multipliying in the processes menu. One of them is a csrss.exe, install.exe, nvsvc32.exe, smss.exe, sysmgm.exe, win32.exe, winlogon.exe and another is hexdump.exe.

** Before this happened, it was the classic System Tool false scanner that starts. System Tool shortcut still shows on my desktop - I cannot remove / uninstall program.

- I don't notice much difference from Safe Mode vs normal boot either.. still has to surpass Palladium with Run explorer.com in Task Manager (Has it failed?)

I still have access to internet explorer but it is slowed down considerably and my screen is hidden by all the blank popups.

I manage to d/l spy doctor, rkill etc. but unable to run them (even after I renamed the .exe file) - the mouse pointer change to an hourglass for awhile then nothing happens..

I am willing to do I system recovery but the process is denied - error msg indicates that another program running is preventing it.

Finally I manage to run a full scan with ReImage but end up having to buy it? Will it even work?

Please help. I have limited cpu knowledge so I haven't tempted kill process or remove registry .. I won't know what are the names of those files anyway .. ( and show hidden files is NOT in the scrolldown menu of windows explorer ?!) Arg..

This post has been edited by Nulecule: 04 February 2011 - 08:21 PM

#2 oneof4

Forum Addict

Group: Malware Study Hall Senior
Posts: 2,466
Joined: 25-December 08
Gender:Male
Location:The Collective

Posted 07 February 2011 - 04:58 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

We need to create a New FULL OTL Report

Please download OTL from here if you have not done so already:
- Main Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Change the "Extra Registry" option to "SafeList"
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.

Best Regards,
oneof4.

Best Regards,
oneof4.

#3 oneof4

Forum Addict

Group: Malware Study Hall Senior
Posts: 2,466
Joined: 25-December 08
Gender:Male
Location:The Collective

Posted 11 February 2011 - 01:06 PM

Do you still need help?

Best Regards,
oneof4.

#4 Nulecule

Member

Group: Members
Posts: 43
Joined: 04-February 11

Posted 11 February 2011 - 02:09 PM

I was jus typing this.. Thank you for your reply and follow up oneof4!

I have managed to complete OTL.txt and Extra.txt (please see below) with Task Manager -> Msconfig -> Diagnostic Mode startup ( Reboot -> F8 -> Safe Mode will just restart the laptop again with no difference - I don't think it works. )

I have also completed the Gmer.doc scan but unable to email or extract the file to a USB key now since Task Manager -> Msconfig -> Diagnostic Mode startup doesn't stop the continuous Blank Windows Pop-Ups anymore..

I still have to end the Palladium.exe process on my Task Manager but the System Tool fake scan and the "Danger" message showing as a wallpaper from System Tool are gone - I am not sure if this is still a System Tool 2011 infection anymore..

I cannot use System Recovery Tools - an error msg stating " unable to access partition as another application is running ".

I also attempted to install Malwarebyte but couldn't rename the .exe file as one of your forum instructed: I can't seem to find how to "show file extention" - the option is not there in the My Computer -> Tools -> Show File Extension .. is that a result of the infection?

It seems to have gotten worse as all the Pop-Ups prevents me of doing anything. Task Manager shows csrss.exe, install.exe, smss.exe, hexdump.exe files multiplying and CPU usage is at 100%. Please help.

OTL logfile created on: 2/8/2011 6:48:23 PM - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Tristan\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 373.00 Mb Available Physical Memory | 73.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 4.08 Gb Free Space | 10.96% Space Free | Partition Type: NTFS
Drive D: | 30.75 Gb Total Space | 0.41 Gb Free Space | 1.35% Space Free | Partition Type: NTFS

Computer Name: YOUR-8E0538BEEB | User Name: Tristan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/08 13:10:22 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tristan\Desktop\OTL.exe
PRC - [2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011/02/08 13:10:22 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tristan\Desktop\OTL.exe
MOD - [2011/02/03 13:02:38 | 000,030,000 | ---- | M] () -- C:\WINDOWS\system32\opy8fkexc3.dll
MOD - [2011/01/13 12:31:33 | 000,046,202 | RHS- | M] () -- C:\Program Files\Common Files\Microsoft Shared\MSInfo\4A55EF08.dll
MOD - [2004/08/04 07:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 07:00:00 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/11/19 02:18:58 | 001,942,416 | ---- | M] (Bandoo Media Inc.) [Disabled | Stopped] -- C:\Program Files\Fun4IM\Bandoo.exe -- (Fun4IM Coordinator)
SRV - [2006/08/11 20:53:40 | 001,120,960 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2006/06/13 08:03:42 | 002,084,864 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe -- (VAIOMediaPlatform-IntegratedServer-AppServer)
SRV - [2006/06/07 09:51:50 | 000,155,648 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe -- (VAIOMediaPlatform-Mobile-Gateway)
SRV - [2006/05/18 10:22:26 | 000,770,048 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP)
SRV - [2006/05/18 10:22:26 | 000,057,344 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP)
SRV - [2006/05/08 06:24:54 | 000,069,632 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2006/04/27 19:35:16 | 000,053,337 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/04/27 19:27:06 | 000,049,241 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2006/04/27 19:16:28 | 000,069,718 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/04/13 15:36:36 | 000,176,128 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2006/04/04 16:55:18 | 000,274,432 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)
SRV - [2006/02/28 16:18:10 | 000,540,745 | ---- | M] (Intel Corporation ) [Disabled | Stopped] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2006/02/28 16:16:08 | 000,114,753 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2006/02/28 16:15:30 | 000,217,164 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2006/01/19 13:29:52 | 002,041,536 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/01/19 13:29:52 | 000,100,032 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2005/11/28 15:39:32 | 000,118,784 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe -- (VzFw)
SRV - [2005/11/28 15:39:30 | 000,131,072 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)
SRV - [2005/11/25 15:08:54 | 000,073,728 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)
SRV - [2005/11/14 03:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/10/22 20:28:00 | 000,045,696 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Norton Internet Security\comHost.exe -- (comHost)
SRV - [2005/10/13 10:48:00 | 000,072,280 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Norton Internet Security\ccPwdSvc.exe -- (ccISPwdSvc)
SRV - [2005/10/07 02:25:00 | 000,133,744 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe -- (navapsvc)
SRV - [2005/09/24 18:10:00 | 000,749,696 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE -- (NSCService)
SRV - [2005/09/19 13:24:00 | 000,214,672 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/09/17 02:27:00 | 000,202,352 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy)
SRV - [2005/09/17 02:27:00 | 000,192,112 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/09/17 02:27:00 | 000,169,584 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/09/15 18:21:00 | 001,160,800 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2005/08/26 16:22:00 | 000,198,368 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe -- (SAVScan)
SRV - [2005/07/14 19:10:16 | 000,032,768 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\Image Converter 2\IcVzMon.exe -- (Image Converter video recording monitor for VAIO Entertainment)
SRV - [2005/02/10 12:44:04 | 000,397,312 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe -- (VAIO Entertainment Task Scheduler)
SRV - [2005/02/09 05:43:58 | 000,143,360 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe -- (VAIO Entertainment Aggregation and Control Service)

========== Driver Services (SafeList) ==========

DRV - [2006/08/11 20:53:40 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2006/06/20 03:45:00 | 003,662,400 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/05/25 17:59:12 | 001,177,032 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/03/06 04:39:00 | 000,030,080 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyImgF.sys -- (SonyImgF)
DRV - [2006/02/28 17:35:56 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/02/26 06:43:00 | 001,428,480 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2006/02/22 18:13:12 | 000,013,440 | ---- | M] (UPEK Inc.) [File_System | Auto | Running] -- C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys -- (FdRedir)
DRV - [2006/02/22 18:13:04 | 000,033,024 | ---- | M] (UPEK Inc.) [Kernel | Auto | Running] -- C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys -- (FileDisk2)
DRV - [2006/02/22 18:05:44 | 000,028,800 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2006/02/21 04:32:32 | 000,226,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ti21sony.sys -- (ti21sony)
DRV - [2006/02/08 17:33:34 | 000,062,848 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfhid.sys -- (Tosrfhid)
DRV - [2006/02/02 23:16:08 | 000,108,928 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (Tosrfbd)
DRV - [2006/01/31 18:35:28 | 000,039,808 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2005/12/28 09:28:08 | 000,055,680 | ---- | M] (Micro Vision Co.,Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Mvc25U870.sys -- (Mvc25U870_VID_1262&PID_25FD)
DRV - [2005/12/14 17:07:24 | 000,037,632 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2005/11/24 13:37:36 | 000,047,104 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/11/21 00:06:02 | 000,009,216 | ---- | M] (Sony Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\shpf.sys -- (shpf)
DRV - [2005/11/11 15:09:52 | 000,052,864 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfsnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
DRV - [2005/10/20 21:19:34 | 000,036,352 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2005/10/18 02:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/10/18 02:52:34 | 000,202,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/10/18 02:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/10/16 18:43:00 | 000,241,408 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/09/17 02:20:00 | 000,108,168 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/09/15 18:21:00 | 000,389,728 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/09/12 03:00:00 | 000,665,816 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050912.024\NAVEX15.SYS -- (NAVEX15)
DRV - [2005/09/12 03:00:00 | 000,077,816 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050912.024\NAVENG.SYS -- (NAVENG)
DRV - [2005/09/01 21:07:00 | 000,199,408 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\20050901.036\SymIDSCo.sys -- (SYMIDSCO)
DRV - [2005/08/26 16:22:00 | 000,334,984 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/08/26 16:22:00 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/08/01 16:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2005/07/11 18:58:56 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\toshidpt.sys -- (toshidpt)
DRV - [2005/01/06 13:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/11/21 23:31:10 | 000,108,767 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/08/12 19:45:54 | 000,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2002/08/19 21:59:32 | 000,071,961 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyPI.sys -- (SPI)
DRV - [2000/12/05 18:18:02 | 000,003,952 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000/11/09 05:15:08 | 000,048,896 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchqu.com/sidebar.html?src=ssb&sysid=402

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/402
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchqu.com/sidebar.html?src=ssb&sysid=402
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/402
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchqu.com/sidebar.html?src=ssb&sysid=402
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://vaio-online.sony.com/

IE - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com.hk/
IE - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\..\URLSearchHook: {795828a9-f271-43a8-8536-4484bb991d3d} - C:\Program Files\Productivity_2\prxtbProd.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - HKLM\software\mozilla\Firefox\Extensions\\{6514FFD4-B431-4F01-B8E5-D56840822306}: C:\Documents and Settings\Tristan\Local Settings\Application Data\{6514FFD4-B431-4F01-B8E5-D56840822306} [2011/02/03 13:05:33 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (C:\WINDOWS\system32\opy8fkexc3.dll) - {B9B220C1-A500-59BD-F413-02B52A2C8953} - C:\WINDOWS\system32\opy8fkexc3.dll ()
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\..\Toolbar\ShellBrowser: (Productivity 2 Toolbar) - {795828A9-F271-43A8-8536-4484BB991D3D} - C:\Program Files\Productivity_2\prxtbProd.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\..\Toolbar\WebBrowser: (Norton Internet Security 2006) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\..\Toolbar\WebBrowser: (Productivity 2 Toolbar) - {795828A9-F271-43A8-8536-4484BB991D3D} - C:\Program Files\Productivity_2\prxtbProd.dll (Conduit Ltd.)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (Sony Corporation)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\NPJPI150_07.dll (Sun Microsystems, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - AppInit_DLLs: (c:\progra~1\window~4\datamngr\datamngr.dll) - c:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll (Discordia, LTD)
O20 - AppInit_DLLs: (c:\progra~1\fun4im\bndhook.dll) - c:\Program Files\Fun4IM\BndHook.dll (Discordia Limited)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005 Winlogon: Shell - (C:\Documents and Settings\Tristan\Application Data\palladium.exe) - C:\Documents and Settings\Tristan\Application Data\palladium.exe ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - fusstub.dll - C:\WINDOWS\System32\fusstub.dll (UPEK Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
O22 - SharedTaskScheduler: {B9B220C1-A500-59BD-F413-02B52A2C8953} - psioj9f8w873bgfdshdfg - C:\WINDOWS\system32\opy8fkexc3.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\VAIO Aqua Breeze Wallpaper TrueColor 1280x800.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\VAIO Aqua Breeze Wallpaper TrueColor 1280x800.bmp
O27 - HKLM IFEO\360rpt.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\360Safe.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\360tray.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\adam.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\AgentSvr.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\AppSvc32.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\autoruns.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\avgrssvc.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\AvMonitor.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\avp.com: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\avp.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\CCenter.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\ccSvcHst.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\FileDsty.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\FTCleanerShell.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\HijackThis.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\IceSword.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\iparmo.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\Iparmor.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\isPwdSvc.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\kabaload.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KaScrScn.SCR: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KASMain.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KASTask.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KAV32.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KAVDX.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KAVPFW.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KAVSetup.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KAVStart.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KISLnchr.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KMailMon.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KMFilter.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KPFW32.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KPFW32X.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KPFWSvc.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KRegEx.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\krepair.COM: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KsLoader.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KVCenter.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KvDetect.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KvfwMcl.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KVMonXP.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KVMonXP_1.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\kvol.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\kvolself.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KvReport.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KVScan.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KVSrvXP.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KVStub.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\kvupload.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\kvwsc.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KvXP.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KvXP_1.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KWatch.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KWatch9x.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\KWatchX.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\loaddll.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\MagicSet.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\mcconsol.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\mmqczj.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\mmsk.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\NAVSetup.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\nod32krn.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\nod32kui.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\PFW.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\PFWLiveUpdate.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\QHSET.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\Ras.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\Rav.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\RavMon.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\RavMonD.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\RavStub.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\RavTask.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\RegClean.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\rfwcfg.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\RfwMain.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\rfwProxy.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\rfwsrv.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\RsAgent.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\Rsaupd.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\runiep.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\safelive.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\scan32.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\shcfg32.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\SmartUp.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\SREng.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\symlcsvc.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\SysSafe.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\TrojanDetector.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\Trojanwall.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\TrojDie.kxp: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\UIHost.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\UmxAgent.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\UmxAttachment.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\UmxCfg.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\UmxFwHlp.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\UmxPol.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\UpLive.EXE.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\WoptiClean.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O27 - HKLM IFEO\zxsweep.exe: Debugger - C:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\4A55EF08.dat ()
O28 - HKLM ShellExecuteHooks: {5EF04A55-4A55-EF08-55EF-A55F0A55EF08} - C:\Program Files\Common Files\Microsoft Shared\MSInfo\4A55EF08.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/11 14:50:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/02/08 18:48:36 | 000,000,172 | RHS- | M] () - D:\AutoRun.inf -- [ NTFS ]
O33 - MountPoints2\{43dccd32-1e91-11e0-93b6-0013a98a7b9e}\Shell\AutoRun\command - "" = G:\4A55EF08.exe
O33 - MountPoints2\{43dccd32-1e91-11e0-93b6-0013a98a7b9e}\Shell\explore\Command - "" = G:\4A55EF08.exe
O33 - MountPoints2\{43dccd32-1e91-11e0-93b6-0013a98a7b9e}\Shell\open\Command - "" = G:\4A55EF08.exe
O33 - MountPoints2\{43dccd33-1e91-11e0-93b6-0013a98a7b9e}\Shell\AutoRun\command - "" = H:\4A55EF08.exe
O33 - MountPoints2\{43dccd33-1e91-11e0-93b6-0013a98a7b9e}\Shell\explore\Command - "" = H:\4A55EF08.exe
O33 - MountPoints2\{43dccd33-1e91-11e0-93b6-0013a98a7b9e}\Shell\open\Command - "" = H:\4A55EF08.exe
O33 - MountPoints2\{8afc2476-2ffe-11e0-93de-0013a98a7b9e}\Shell\AutoRun\command - "" = G:\4A55EF08.exe
O33 - MountPoints2\{8afc2476-2ffe-11e0-93de-0013a98a7b9e}\Shell\explore\Command - "" = G:\4A55EF08.exe
O33 - MountPoints2\{8afc2476-2ffe-11e0-93de-0013a98a7b9e}\Shell\open\Command - "" = G:\4A55EF08.exe
O33 - MountPoints2\{cacd2895-1e8c-11e0-93b4-806d6172696f}\Shell\AutoRun\command - "" = D:\4A55EF08.exe -- [2001/03/08 18:04:49 | 000,079,482 | RHS- | M] ()
O33 - MountPoints2\{cacd2895-1e8c-11e0-93b4-806d6172696f}\Shell\explore\Command - "" = D:\4A55EF08.exe -- [2001/03/08 18:04:49 | 000,079,482 | RHS- | M] ()
O33 - MountPoints2\{cacd2895-1e8c-11e0-93b4-806d6172696f}\Shell\open\Command - "" = D:\4A55EF08.exe -- [2001/03/08 18:04:49 | 000,079,482 | RHS- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/08 14:00:29 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tristan\Desktop\OTL.exe
[2011/02/08 13:40:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/02/04 19:38:22 | 000,000,000 | R-SD | C] -- C:\Documents and Settings\Tristan\My Documents\My Safe
[2011/02/03 22:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2011/02/03 22:43:10 | 000,000,000 | ---D | C] -- C:\rei
[2011/02/03 22:42:57 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2011/02/03 19:41:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/02/03 13:14:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Start Menu\Programs\System Tool
[2011/02/03 13:05:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\{6514FFD4-B431-4F01-B8E5-D56840822306}
[2011/02/03 13:04:00 | 000,033,284 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\winlogon .exe
[2011/02/03 13:03:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\dHkCpGj15400
[2011/02/03 13:03:06 | 000,033,284 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\win32 .exe
[2011/02/03 13:00:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/02/01 13:12:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Conduit
[2011/02/01 13:12:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\searchqutb
[2011/02/01 13:12:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Productivity_2
[2011/02/01 13:12:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ConduitEngine
[2011/01/26 11:21:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\InterVideo
[2011/01/21 14:12:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/01/21 14:10:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/01/21 14:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\searchqutb
[2011/01/21 14:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Bandoo
[2011/01/21 14:04:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Bandoo
[2011/01/21 14:04:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Fun4IM
[2011/01/21 14:04:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\searchqutb
[2011/01/21 14:04:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Fun4IM
[2011/01/21 14:04:03 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Searchqu Toolbar
[2011/01/21 14:04:03 | 000,000,000 | ---D | C] -- C:\Program Files\Fun4IM
[2011/01/19 17:18:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/01/19 17:18:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/01/19 16:57:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2011/01/19 16:57:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Sun
[2011/01/19 16:47:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2011/01/19 16:11:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DShield
[2011/01/19 16:11:00 | 000,000,000 | ---D | C] -- C:\DVDRanger
[2011/01/19 16:11:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DVDRanger
[2011/01/19 16:10:58 | 000,000,000 | ---D | C] -- C:\Program Files\Pixbyte
[2011/01/19 16:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\FunWebProducts
[2011/01/19 15:42:11 | 000,222,208 | ---- | C] (Avira GmbH) -- C:\WINDOWS\Mqafua.exe
[2011/01/19 14:51:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/01/19 14:50:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/01/19 14:45:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\AdobeUM
[2011/01/19 14:42:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\Adobe
[2011/01/14 16:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack
[2011/01/14 16:08:42 | 000,000,000 | ---D | C] -- C:\Program Files\K-Lite Codec Pack
[2011/01/14 16:00:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2011/01/14 15:51:15 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/01/14 15:51:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\Productivity_2
[2011/01/14 15:51:12 | 000,000,000 | ---D | C] -- C:\Program Files\ConduitEngine
[2011/01/14 15:51:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\ConduitEngine
[2011/01/14 15:51:10 | 000,000,000 | ---D | C] -- C:\Program Files\Productivity_2
[2011/01/14 15:51:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\Conduit
[2011/01/14 10:23:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Local
[2011/01/14 10:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\DivX
[2011/01/14 10:21:34 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2011/01/14 10:20:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2011/01/14 10:17:57 | 000,000,000 | ---D | C] -- C:\Program Files\Real
[2011/01/14 10:17:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2011/01/14 10:17:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Real
[2011/01/14 09:59:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Media Player Classic
[2011/01/14 09:57:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/01/14 09:52:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Google
[2011/01/14 09:52:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\Google
[2011/01/14 09:52:13 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/01/14 09:52:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2011/01/14 09:15:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tristan\My Documents\My Videos
[2011/01/13 12:44:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\PriceGong
[2011/01/13 12:44:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\Temp
[2011/01/13 10:32:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2011/01/12 17:58:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2011/01/12 16:15:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Protector Suite
[2011/01/12 16:15:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\Toshiba
[2011/01/12 16:05:35 | 000,000,000 | ---D | C] -- C:\Infineon
[2011/01/12 16:05:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Protector Suite QL
[2011/01/12 16:05:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Protector Suite QL
[2011/01/12 16:05:08 | 000,000,000 | ---D | C] -- C:\Program Files\Protector Suite QL
[2011/01/12 16:04:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VAIO Update 2
[2011/01/12 16:04:19 | 000,372,736 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\cameravj.scr
[2011/01/12 16:04:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\VAIOcameravjsrc
[2011/01/12 16:04:10 | 000,053,248 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\vaiomov.scr
[2011/01/12 16:03:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Roxio
[2011/01/12 16:03:26 | 000,000,000 | ---D | C] -- C:\Program Files\Roxio
[2011/01/12 16:03:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Sonic Shared
[2011/01/12 16:02:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VAIO Edit Components 6
[2011/01/12 16:02:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\DSD Direct
[2011/01/12 16:02:24 | 000,091,648 | ---- | C] (QSound Labs, Inc.) -- C:\WINDOWS\System32\SonyAIds.dll
[2011/01/12 16:02:24 | 000,075,776 | ---- | C] (QSound Labs, Inc.) -- C:\WINDOWS\System32\SonyAIwo.dll
[2011/01/12 16:02:24 | 000,038,400 | ---- | C] (QSound Labs, Inc.) -- C:\WINDOWS\System32\SonyAIwd.dll
[2011/01/12 16:02:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\SonicStage Mastering Studio
[2011/01/12 16:01:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SonicStage Mastering Studio
[2011/01/12 16:01:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Memory Stick Utility
[2011/01/12 16:00:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\VAIO Media Platform
[2011/01/12 16:00:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VAIO Media
[2011/01/12 16:00:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VAIO Launcher
[2011/01/12 15:59:29 | 000,757,760 | ---- | C] (Gracenote) -- C:\WINDOWS\System32\CDDBUI.dll
[2011/01/12 15:59:29 | 000,630,784 | ---- | C] (Gracenote (formerly CDDB, Inc.)) -- C:\WINDOWS\System32\CDDBControl.dll
[2011/01/12 15:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VAIO Zone
[2011/01/12 15:57:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Click to DVD
[2011/01/12 15:55:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Bluetooth
[2011/01/12 15:55:42 | 000,000,000 | ---D | C] -- C:\Program Files\Toshiba
[2011/01/12 15:55:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\DVgate Plus
[2011/01/12 15:55:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\ImageConverter2
[2011/01/12 15:55:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Image Converter 2 Plus
[2011/01/12 15:53:15 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Tristan\Application Data\Microsoft
[2011/01/12 15:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Sony Corporation
[2011/01/12 15:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Identities
[2011/01/12 15:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Adobe
[2011/01/12 15:53:14 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Tristan\Cookies
[2011/01/12 15:53:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tristan\SendTo
[2011/01/12 15:53:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tristan\Recent
[2011/01/12 15:53:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tristan\Application Data
[2011/01/12 15:53:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tristan\Start Menu\Programs\Startup
[2011/01/12 15:53:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tristan\Start Menu
[2011/01/12 15:53:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tristan\My Documents\My Pictures
[2011/01/12 15:53:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tristan\My Documents\My Music
[2011/01/12 15:53:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tristan\My Documents
[2011/01/12 15:53:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tristan\Favorites
[2011/01/12 15:53:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tristan\Start Menu\Programs\Accessories
[2011/01/12 15:53:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Tristan\Templates
[2011/01/12 15:53:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Tristan\PrintHood
[2011/01/12 15:53:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Tristan\NetHood
[2011/01/12 15:53:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Tristan\Local Settings
[2011/01/12 15:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Symantec
[2011/01/12 15:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\Microsoft
[2011/01/12 15:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Desktop
[2011/01/12 15:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\ApplicationHistory
[2011/01/12 15:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150070}
[2011/01/12 15:52:05 | 000,000,000 | ---D | C] -- C:\Program Files\Program Shortcuts
[2011/01/12 15:46:08 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2011/01/12 15:02:07 | 000,026,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbstor.sys
[2011/01/12 14:34:15 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Tristan\UserData
[2011/01/12 14:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Application Data\Macromedia
[2011/01/12 14:17:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/08 18:49:40 | 000,765,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\ewcdhzs.sys
[2011/02/08 18:46:48 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/02/08 18:44:29 | 534,810,624 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/08 18:40:12 | 000,000,306 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/02/08 18:40:12 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2011/02/08 18:40:12 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-375473015-3699484750-2554986250-1005.job
[2011/02/08 18:40:11 | 000,000,250 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011/02/08 18:40:10 | 000,000,306 | -HS- | M] () -- C:\WINDOWS\tasks\Zijwzhjtdz.job
[2011/02/08 18:38:15 | 000,037,940 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/08 18:38:12 | 000,037,928 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/08 18:38:11 | 000,037,932 | -H-- | M] () -- C:\WINDOWS\svchost.exe
[2011/02/08 18:38:07 | 000,037,928 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/08 18:38:07 | 000,037,928 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/08 18:38:05 | 000,037,956 | -H-- | M] () -- C:\WINDOWS\winlogon.exe
[2011/02/08 18:38:04 | 000,037,932 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/08 18:37:53 | 000,037,936 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/08 18:37:42 | 000,037,932 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/08 18:37:34 | 000,037,932 | -H-- | M] () -- C:\WINDOWS\win .exe
[2011/02/08 18:37:29 | 000,037,932 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/08 18:37:19 | 000,037,928 | -H-- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/08 18:36:59 | 000,037,932 | -H-- | M] () -- C:\WINDOWS\avp32.exe
[2011/02/08 18:36:57 | 000,037,932 | -H-- | M] () -- C:\WINDOWS\lsass.exe
[2011/02/08 18:36:54 | 000,037,928 | -H-- | M] () -- C:\WINDOWS\install .exe
[2011/02/08 18:36:53 | 000,037,928 | -H-- | M] () -- C:\WINDOWS\win .exe
[2011/02/08 18:36:48 | 000,037,932 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/08 18:36:25 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\sysedit.exe
[2011/02/08 18:36:25 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\csrss.exe
[2011/02/08 18:36:24 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\wininst.exe
[2011/02/08 18:36:23 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\winlogon .exe
[2011/02/08 18:36:23 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\system.exe
[2011/02/08 18:36:20 | 000,037,920 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/08 18:35:34 | 000,037,964 | -H-- | M] () -- C:\WINDOWS\spoolsv.exe
[2011/02/08 18:35:30 | 000,037,960 | -H-- | M] () -- C:\WINDOWS\win .exe
[2011/02/08 18:34:53 | 000,037,956 | -H-- | M] () -- C:\WINDOWS\win .exe
[2011/02/08 18:27:26 | 000,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/02/08 14:00:39 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2011/02/08 13:12:47 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\RU3FAy.dat
[2011/02/08 13:12:46 | 000,077,826 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1VE1d06B.exe
[2011/02/08 13:11:28 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/08 13:10:22 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tristan\Desktop\OTL.exe
[2011/02/04 20:09:47 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2011/02/04 19:47:17 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/04 19:31:02 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Qpayowetohe.dat
[2011/02/04 19:31:01 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Vyiqo.bin
[2011/02/03 23:14:34 | 000,037,944 | -H-- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 23:13:42 | 000,037,944 | -H-- | M] () -- C:\WINDOWS\lsass .exe
[2011/02/03 23:13:18 | 000,037,912 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 23:12:40 | 000,037,932 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 23:12:29 | 000,037,916 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 23:12:29 | 000,037,916 | ---- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 23:11:57 | 000,037,912 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 23:11:36 | 000,037,928 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 23:11:08 | 000,037,932 | ---- | M] () -- C:\WINDOWS\lsass .exe
[2011/02/03 23:10:18 | 000,037,952 | -H-- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 23:10:14 | 000,037,912 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 23:10:11 | 000,037,956 | -H-- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 23:10:11 | 000,037,956 | -H-- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 23:09:39 | 000,037,952 | -H-- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 23:08:56 | 000,037,928 | ---- | M] () -- C:\WINDOWS\lsass .exe
[2011/02/03 23:08:14 | 000,037,932 | ---- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 23:07:30 | 000,037,920 | ---- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 23:07:09 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2011/02/03 23:06:34 | 000,037,952 | -H-- | M] () -- C:\WINDOWS\taskmgr.exe
[2011/02/03 23:06:33 | 000,037,952 | -H-- | M] () -- C:\WINDOWS\nvsvc32.exe
[2011/02/03 23:06:28 | 000,037,948 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 22:54:13 | 000,000,286 | ---- | M] () -- C:\WINDOWS\reimage.ini
[2011/02/03 22:49:52 | 000,001,759 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Scan & Repair by Reimage.lnk
[2011/02/03 22:46:12 | 000,037,920 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 22:46:05 | 000,037,956 | -H-- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 22:45:48 | 000,037,960 | -H-- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 22:45:46 | 000,037,928 | ---- | M] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 22:45:08 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\Reimage Reminder.job
[2011/02/03 22:44:43 | 000,037,920 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 22:44:17 | 000,037,928 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 22:44:07 | 000,037,916 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 22:44:00 | 000,037,932 | ---- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 22:43:57 | 000,037,920 | ---- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 22:43:05 | 000,037,952 | -H-- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 22:41:35 | 000,037,912 | ---- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 22:41:31 | 000,037,932 | ---- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 22:20:18 | 000,037,936 | ---- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 22:09:54 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2011/02/03 21:14:56 | 000,037,896 | ---- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 21:10:44 | 000,037,916 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:10:39 | 000,037,916 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 21:10:37 | 000,037,916 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:10:30 | 000,037,948 | -H-- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:10:25 | 000,037,924 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:10:23 | 000,037,952 | -H-- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 21:10:22 | 000,037,944 | -H-- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:10:14 | 000,037,944 | -H-- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:10:12 | 000,037,936 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 21:10:11 | 000,037,932 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:10:10 | 000,037,932 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:10:09 | 000,037,916 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:10:07 | 000,037,928 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:09:58 | 000,037,948 | -H-- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 21:09:54 | 000,037,948 | -H-- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:09:50 | 000,037,932 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 21:09:49 | 000,037,924 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 21:09:46 | 000,037,932 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 21:09:43 | 000,037,948 | -H-- | M] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 21:09:39 | 000,037,912 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:09:32 | 000,037,924 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 21:09:30 | 000,037,956 | -H-- | M] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 21:09:26 | 000,037,928 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:09:23 | 000,037,932 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:09:23 | 000,037,932 | ---- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 21:09:23 | 000,037,928 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:09:15 | 000,037,932 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:09:13 | 000,037,952 | -H-- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:09:11 | 000,037,928 | -H-- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 21:09:08 | 000,037,932 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:08:55 | 000,037,908 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 21:08:44 | 000,037,940 | -H-- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 21:08:44 | 000,037,940 | -H-- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 21:08:41 | 000,037,928 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:08:38 | 000,037,920 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:08:32 | 000,037,924 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:08:30 | 000,037,908 | ---- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 21:08:29 | 000,037,928 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:08:26 | 000,037,928 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 21:08:25 | 000,037,924 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 21:08:05 | 000,037,948 | -H-- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:08:00 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:07:58 | 000,037,928 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 21:07:55 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:07:53 | 000,037,940 | -H-- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 21:07:48 | 000,037,924 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:07:23 | 000,037,912 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 21:07:23 | 000,037,912 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:07:06 | 000,037,932 | ---- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 21:07:03 | 000,037,920 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:06:52 | 000,037,932 | -H-- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 21:06:51 | 000,037,920 | ---- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 21:06:26 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\mdm.exe
[2011/02/03 21:06:20 | 000,037,928 | -H-- | M] () -- C:\WINDOWS\services.exe
[2011/02/03 21:06:20 | 000,037,928 | -H-- | M] () -- C:\WINDOWS\msmgm.exe
[2011/02/03 21:06:20 | 000,037,920 | -H-- | M] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 21:06:14 | 000,037,900 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 21:06:10 | 000,037,924 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:05:59 | 000,037,916 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:05:35 | 000,033,284 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\winlogon .exe
[2011/02/03 21:05:35 | 000,033,284 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\win32 .exe
[2011/02/03 21:05:32 | 000,037,916 | -H-- | M] () -- C:\WINDOWS\avp.exe
[2011/02/03 21:05:25 | 000,037,904 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 21:05:20 | 000,037,908 | ---- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 21:05:19 | 000,037,924 | -H-- | M] () -- C:\WINDOWS\win32 .exe
[2011/02/03 21:05:11 | 000,037,912 | ---- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 21:05:06 | 000,037,900 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:05:05 | 000,037,920 | -H-- | M] () -- C:\WINDOWS\login.exe
[2011/02/03 21:05:03 | 000,037,920 | -H-- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 21:04:59 | 000,037,916 | -H-- | M] () -- C:\WINDOWS\win32 .exe
[2011/02/03 21:04:52 | 000,037,912 | ---- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 21:04:44 | 000,037,916 | -H-- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 21:04:20 | 000,037,908 | ---- | M] () -- C:\WINDOWS\install.exe
[2011/02/03 21:04:20 | 000,037,900 | ---- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 21:04:19 | 000,037,908 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 21:04:17 | 000,037,908 | ---- | M] () -- C:\WINDOWS\win32 .exe
[2011/02/03 21:03:42 | 000,037,912 | -H-- | M] () -- C:\WINDOWS\sysmgm.exe
[2011/02/03 21:03:42 | 000,037,912 | -H-- | M] () -- C:\WINDOWS\gdi32.exe
[2011/02/03 21:03:35 | 000,037,904 | ---- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 21:03:20 | 000,037,904 | ---- | M] () -- C:\WINDOWS\win32 .exe
[2011/02/03 21:02:46 | 000,037,896 | ---- | M] () -- C:\WINDOWS\win32 .exe
[2011/02/03 20:59:27 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2011/02/03 20:55:22 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Tristan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/03 20:29:22 | 000,037,904 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 20:29:12 | 000,037,900 | ---- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 20:28:09 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\Tristan\Application Data\completescan_pal
[2011/02/03 20:08:11 | 000,512,992 | ---- | M] () -- C:\Documents and Settings\Tristan\Desktop\sdsetup_aff.exe
[2011/02/03 20:02:23 | 000,720,369 | ---- | M] () -- C:\Documents and Settings\Tristan\Desktop\rkill.com
[2011/02/03 19:59:21 | 000,720,369 | ---- | M] () -- C:\Documents and Settings\Tristan\Desktop\yeh.exe
[2011/02/03 19:10:19 | 000,037,900 | ---- | M] () -- C:\WINDOWS\win32 .exe
[2011/02/03 19:10:19 | 000,037,900 | ---- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 19:10:19 | 000,037,900 | ---- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2011/02/03 18:59:14 | 000,012,772 | -H-- | M] () -- C:\WINDOWS\lsass .exe
[2011/02/03 18:59:13 | 000,012,772 | -H-- | M] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:35:05 | 000,037,896 | ---- | M] () -- C:\WINDOWS\win.exe
[2011/02/03 18:35:05 | 000,037,896 | ---- | M] () -- C:\WINDOWS\setup.exe
[2011/02/03 18:35:05 | 000,037,896 | ---- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 18:35:02 | 000,012,772 | -H-- | M] () -- C:\WINDOWS\setup .exe
[2011/02/03 13:14:26 | 000,001,082 | ---- | M] () -- C:\Documents and Settings\Tristan\Desktop\System Tool 2011.lnk
[2011/02/03 13:04:40 | 000,021,668 | -H-- | M] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:38 | 000,021,668 | -H-- | M] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:01 | 000,021,668 | -H-- | M] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:00 | 000,021,668 | -H-- | M] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 13:03:58 | 000,021,668 | -H-- | M] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:57 | 000,021,668 | -H-- | M] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:54 | 000,021,668 | -H-- | M] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:06 | 000,060,004 | -H-- | M] () -- C:\WINDOWS\win32 .exe
[2011/02/03 13:03:05 | 000,060,004 | -H-- | M] () -- C:\WINDOWS\drweb.exe
[2011/02/03 13:03:00 | 000,060,004 | -H-- | M] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:02:56 | 000,060,004 | -H-- | M] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:39 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\odjonbpm.dll
[2011/02/03 13:02:38 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\opy8fkexc3.dll
[2011/02/03 13:00:10 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2011/02/01 13:09:08 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2011/01/19 17:18:00 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\Tristan\Application Data\start_pal
[2011/01/19 17:06:39 | 000,000,010 | ---- | M] () -- C:\Documents and Settings\Tristan\Application Data\install_pal
[2011/01/19 16:57:52 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/01/19 16:57:49 | 000,460,800 | ---- | M] () -- C:\Documents and Settings\Tristan\Application Data\palladium.exe
[2011/01/19 16:57:49 | 000,000,122 | ---- | M] () -- C:\Documents and Settings\Tristan\Application Data\asdfasfas.bat
[2011/01/19 16:57:48 | 000,000,007 | ---- | M] () -- C:\Documents and Settings\Tristan\Application Data\uid_pal
[2011/01/19 15:42:05 | 000,222,208 | ---- | M] (Avira GmbH) -- C:\WINDOWS\Mqafua.exe
[2011/01/19 15:42:05 | 000,098,304 | RHS- | M] () -- C:\WINDOWS\System32\sessmgro.dll
[2011/01/14 16:02:29 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-375473015-3699484750-2554986250-1005.job
[2011/01/14 10:13:07 | 002,079,423 | ---- | M] () -- C:\Program Files\mplayerc_20100214.zip
[2011/01/14 09:15:26 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\Tristan\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/01/12 17:58:08 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/01/12 16:05:45 | 000,031,588 | ---- | M] () -- C:\WINDOWS\System32\Snyres.oem
[2011/01/12 16:05:45 | 000,000,322 | ---- | M] () -- C:\WINDOWS\System32\Snysplst.oem
[2011/01/12 16:05:45 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\SNYINST.OEM
[2011/01/12 16:04:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\VAIOUpdt.INI
[2011/01/12 16:04:07 | 000,000,058 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2011/01/12 15:55:41 | 000,380,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/12 15:55:41 | 000,053,166 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/12 15:53:46 | 000,000,783 | ---- | M] () -- C:\Documents and Settings\Tristan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/01/12 15:52:17 | 000,000,099 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2011/01/12 15:52:11 | 000,000,000 | RH-- | M] () -- C:\WINDOWS\System32\drivers\Sony_VGN-SZ32GPB.mrk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/08 18:36:59 | 000,037,932 | -H-- | C] () -- C:\WINDOWS\avp32.exe
[2011/02/08 18:36:24 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\wininst.exe
[2011/02/08 18:36:23 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\system.exe
[2011/02/08 18:35:34 | 000,037,964 | -H-- | C] () -- C:\WINDOWS\spoolsv.exe
[2011/02/03 22:45:08 | 000,000,278 | ---- | C] () -- C:\WINDOWS\tasks\Reimage Reminder.job
[2011/02/03 22:45:05 | 000,000,286 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2011/02/03 22:43:16 | 000,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Scan & Repair by Reimage.lnk
[2011/02/03 21:06:20 | 000,037,928 | -H-- | C] () -- C:\WINDOWS\services.exe
[2011/02/03 21:06:20 | 000,037,928 | -H-- | C] () -- C:\WINDOWS\msmgm.exe
[2011/02/03 21:05:05 | 000,037,920 | -H-- | C] () -- C:\WINDOWS\login.exe
[2011/02/03 21:05:04 | 000,037,956 | -H-- | C] () -- C:\WINDOWS\winlogon.exe
[2011/02/03 21:04:25 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\mdm.exe
[2011/02/03 21:04:24 | 000,037,916 | -H-- | C] () -- C:\WINDOWS\avp.exe
[2011/02/03 21:03:43 | 000,037,932 | -H-- | C] () -- C:\WINDOWS\svchost.exe
[2011/02/03 21:03:39 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\sysedit.exe
[2011/02/03 20:08:10 | 000,512,992 | ---- | C] () -- C:\Documents and Settings\Tristan\Desktop\sdsetup_aff.exe
[2011/02/03 20:02:22 | 000,720,369 | ---- | C] () -- C:\Documents and Settings\Tristan\Desktop\rkill.com
[2011/02/03 19:59:19 | 000,720,369 | ---- | C] () -- C:\Documents and Settings\Tristan\Desktop\yeh.exe
[2011/02/03 19:40:20 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
[2011/02/03 18:59:14 | 000,037,944 | -H-- | C] () -- C:\WINDOWS\lsass .exe
[2011/02/03 18:59:14 | 000,037,932 | -H-- | C] () -- C:\WINDOWS\lsass.exe
[2011/02/03 18:59:14 | 000,037,932 | ---- | C] () -- C:\WINDOWS\lsass .exe
[2011/02/03 18:59:14 | 000,037,928 | ---- | C] () -- C:\WINDOWS\lsass .exe
[2011/02/03 18:59:14 | 000,012,772 | -H-- | C] () -- C:\WINDOWS\lsass .exe
[2011/02/03 18:59:13 | 000,037,952 | -H-- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:59:13 | 000,037,936 | ---- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:59:13 | 000,037,932 | ---- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:59:13 | 000,037,932 | ---- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:59:13 | 000,037,920 | ---- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:59:13 | 000,037,916 | -H-- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:59:13 | 000,037,916 | ---- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:59:13 | 000,037,912 | -H-- | C] () -- C:\WINDOWS\gdi32.exe
[2011/02/03 18:59:13 | 000,037,912 | ---- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:59:13 | 000,012,772 | -H-- | C] () -- C:\WINDOWS\gdi32 .exe
[2011/02/03 18:35:02 | 000,037,896 | ---- | C] () -- C:\WINDOWS\setup.exe
[2011/02/03 18:35:02 | 000,012,772 | -H-- | C] () -- C:\WINDOWS\setup .exe
[2011/02/03 13:14:26 | 000,001,082 | ---- | C] () -- C:\Documents and Settings\Tristan\Desktop\System Tool 2011.lnk
[2011/02/03 13:05:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Vyiqo.bin
[2011/02/03 13:05:35 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Qpayowetohe.dat
[2011/02/03 13:04:40 | 000,037,948 | -H-- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,932 | -H-- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,932 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,928 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,928 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\csrss.exe
[2011/02/03 13:04:40 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,924 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,924 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,920 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,916 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,912 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,037,900 | ---- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:40 | 000,021,668 | -H-- | C] () -- C:\WINDOWS\csrss .exe
[2011/02/03 13:04:38 | 000,037,952 | -H-- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,936 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,932 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,932 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,928 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,924 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,924 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,920 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,912 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,037,908 | ---- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:38 | 000,021,668 | -H-- | C] () -- C:\WINDOWS\smss .exe
[2011/02/03 13:04:01 | 000,037,952 | -H-- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,948 | -H-- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,944 | -H-- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,940 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,932 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,932 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,932 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,928 | -H-- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,928 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,928 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,924 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,920 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,916 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,916 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,916 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,912 | -H-- | C] () -- C:\WINDOWS\sysmgm.exe
[2011/02/03 13:04:01 | 000,037,912 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,037,908 | ---- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:01 | 000,021,668 | -H-- | C] () -- C:\WINDOWS\sysmgm .exe
[2011/02/03 13:04:00 | 000,037,956 | -H-- | C] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 13:04:00 | 000,037,948 | -H-- | C] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 13:04:00 | 000,037,928 | ---- | C] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 13:04:00 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 13:04:00 | 000,037,920 | -H-- | C] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 13:04:00 | 000,021,668 | -H-- | C] () -- C:\WINDOWS\winlogon .exe
[2011/02/03 13:03:58 | 000,037,960 | -H-- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:58 | 000,037,956 | -H-- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:58 | 000,037,952 | -H-- | C] () -- C:\WINDOWS\taskmgr.exe
[2011/02/03 13:03:58 | 000,037,952 | -H-- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:58 | 000,037,932 | ---- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:58 | 000,037,912 | ---- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:58 | 000,037,904 | ---- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:58 | 000,037,900 | ---- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:58 | 000,037,900 | ---- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:58 | 000,021,668 | -H-- | C] () -- C:\WINDOWS\taskmgr .exe
[2011/02/03 13:03:57 | 000,037,960 | -H-- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,956 | -H-- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,952 | -H-- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,948 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,932 | -H-- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,932 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,928 | -H-- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,928 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,920 | -H-- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,920 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,920 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,916 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,908 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,904 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,904 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,900 | ---- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:57 | 000,037,896 | ---- | C] () -- C:\WINDOWS\win.exe
[2011/02/03 13:03:57 | 000,021,668 | -H-- | C] () -- C:\WINDOWS\win .exe
[2011/02/03 13:03:54 | 000,037,948 | -H-- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,940 | -H-- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,932 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,932 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,932 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,928 | -H-- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,928 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,928 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,928 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,924 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,916 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,912 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,912 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,908 | ---- | C] () -- C:\WINDOWS\install.exe
[2011/02/03 13:03:54 | 000,037,900 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,037,896 | ---- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:54 | 000,021,668 | -H-- | C] () -- C:\WINDOWS\install .exe
[2011/02/03 13:03:06 | 000,060,004 | -H-- | C] () -- C:\WINDOWS\win32 .exe
[2011/02/03 13:03:06 | 000,037,924 | -H-- | C] () -- C:\WINDOWS\win32 .exe
[2011/02/03 13:03:06 | 000,037,916 | -H-- | C] () -- C:\WINDOWS\win32 .exe
[2011/02/03 13:03:06 | 000,037,908 | ---- | C] () -- C:\WINDOWS\win32 .exe
[2011/02/03 13:03:06 | 000,037,904 | ---- | C] () -- C:\WINDOWS\win32 .exe
[2011/02/03 13:03:06 | 000,037,900 | ---- | C] () -- C:\WINDOWS\win32 .exe
[2011/02/03 13:03:06 | 000,037,896 | ---- | C] () -- C:\WINDOWS\win32 .exe
[2011/02/03 13:03:05 | 000,060,004 | -H-- | C] () -- C:\WINDOWS\drweb.exe
[2011/02/03 13:03:00 | 000,060,004 | -H-- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,952 | -H-- | C] () -- C:\WINDOWS\nvsvc32.exe
[2011/02/03 13:03:00 | 000,037,948 | -H-- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,944 | -H-- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,944 | -H-- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,936 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,932 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,932 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,932 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,928 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,928 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,928 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,924 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,916 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,912 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,912 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:03:00 | 000,037,900 | ---- | C] () -- C:\WINDOWS\nvsvc32 .exe
[2011/02/03 13:02:56 | 000,060,004 | -H-- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,956 | -H-- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,956 | -H-- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,940 | -H-- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,940 | -H-- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,932 | ---- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,928 | -H-- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,920 | ---- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,920 | ---- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,908 | ---- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:56 | 000,037,896 | ---- | C] () -- C:\WINDOWS\hexdump .exe
[2011/02/03 13:02:46 | 000,765,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\ewcdhzs.sys
[2011/02/03 13:02:39 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\odjonbpm.dll
[2011/02/03 13:02:38 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\opy8fkexc3.dll
[2011/02/01 13:09:05 | 000,077,826 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1VE1d06B.exe
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2011/02/01 13:09:05 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2011/02/01 13:08:54 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\RU3FAy.dat
[2011/01/19 17:12:58 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\start_pal
[2011/01/19 17:10:46 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\completescan_pal
[2011/01/19 17:06:39 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\install_pal
[2011/01/19 16:57:51 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011/01/19 16:57:49 | 000,460,800 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\palladium.exe
[2011/01/19 16:57:49 | 000,000,122 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\asdfasfas.bat
[2011/01/19 16:57:48 | 000,000,007 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\uid_pal
[2011/01/19 16:49:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/19 15:42:11 | 000,000,290 | -H-- | C] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2011/01/19 15:42:08 | 000,000,306 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/01/19 15:42:06 | 000,000,250 | -H-- | C] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011/01/19 15:42:05 | 000,098,304 | RHS- | C] () -- C:\WINDOWS\System32\sessmgro.dll
[2011/01/19 15:42:05 | 000,000,306 | -HS- | C] () -- C:\WINDOWS\tasks\Zijwzhjtdz.job
[2011/01/14 16:08:45 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/01/14 10:18:43 | 000,000,282 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-375473015-3699484750-2554986250-1005.job
[2011/01/14 10:18:39 | 000,000,290 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-375473015-3699484750-2554986250-1005.job
[2011/01/14 10:13:03 | 002,079,423 | ---- | C] () -- C:\Program Files\mplayerc_20100214.zip
[2011/01/14 09:15:26 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/01/13 09:55:15 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Tristan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/12 16:05:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\snyprmnd.oem
[2011/01/12 16:04:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VAIOUpdt.INI
[2011/01/12 16:04:07 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2011/01/12 15:53:16 | 000,000,783 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/01/12 15:53:16 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Tristan\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/01/12 15:53:15 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Tristan\Start Menu\Programs\Remote Assistance.lnk
[2011/01/12 15:53:15 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\Tristan\Start Menu\Programs\Windows Media Player.lnk
[2011/01/12 15:53:15 | 000,000,771 | ---- | C] () -- C:\Documents and Settings\Tristan\Start Menu\Programs\Internet Explorer.lnk
[2011/01/12 15:53:15 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Tristan\Start Menu\Programs\Outlook Express.lnk
[2011/01/12 15:52:11 | 000,000,000 | RH-- | C] () -- C:\WINDOWS\System32\drivers\Sony_VGN-SZ32GPB.mrk
[2011/01/12 15:45:05 | 534,810,624 | -HS- | C] () -- C:\hiberfil.sys
[2006/08/14 13:46:22 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/11 20:45:49 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/08/11 20:45:49 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/08/11 20:45:49 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/08/11 20:45:49 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/08/11 20:45:49 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/08/11 20:45:49 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/08/11 20:45:30 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2006/08/11 20:44:21 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2006/08/11 15:15:31 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/08/11 07:44:15 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/08/10 22:38:34 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/08/10 22:38:25 | 000,004,464 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/08/10 22:37:56 | 000,249,856 | ---- | C] () -- C:\WINDOWS\odemerok.dll
[2006/08/10 22:37:56 | 000,098,304 | ---- | C] () -- C:\WINDOWS\dhesjsd.dll
[2006/08/10 22:37:48 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/08/10 22:37:30 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006/07/04 20:07:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/09/02 14:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 21:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll

< End of report >

OTL Extras logfile created on: 2/8/2011 6:48:23 PM - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Tristan\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 373.00 Mb Available Physical Memory | 73.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 4.08 Gb Free Space | 10.96% Space Free | Partition Type: NTFS
Drive D: | 30.75 Gb Total Space | 0.41 Gb Free Space | 1.35% Space Free | Partition Type: NTFS

Computer Name: YOUR-8E0538BEEB | User Name: Tristan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 4

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{013E1BA8-C815-4E27-BCB9-D6B1B2E24094}" = SonicStage Mastering Studio Audio Filter Custom Preset
"{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony MP4 Shared Library
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio DigitalMedia Data
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{11C98E1A-EC91-4B38-B44C-C562292D8453}" = Adobe Premiere Elements 2.0
"{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}" = ccCommon
"{12E2B9E9-05B1-407d-B0FD-B5F350535125}" = Norton Internet Security
"{1417F599-1DBD-4499-9375-B2813E9F890C}" = VAIO Camera Utility
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1A91D1FA-B9B3-4556-9878-5C61059A19B2}" = InterVideo WinDVDX
"{1BEF9285-5530-426B-A5F1-5836B95C7EB1}" = VAIO Original Screen Saver
"{2063C2E8-3812-4BBD-9998-6610F80C1DD4}" = VAIO Media AC3 Decoder 1.0
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility
"{2A2FF7F5-6F0E-4A5D-A881-39365E718BD6}" = VAIO Cozy Orange Wallpaper
"{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
"{2EBF25F1-F8A2-40EA-92BE-931C142A44E2}" = CC_ccProxyExt
"{30738666-9805-4926-A78F-91DA33B6C437}" = ccPxyCore
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
"{3B29A786-5803-4E9E-9B58-3014A5B4E519}" = Norton AntiSpam
"{449F3A9E-9903-4a0d-A209-08030D45A935}" = Norton Internet Security
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{48185814-A224-447a-81DA-71BD20580E1B}" = Norton Internet Security
"{48820099-ED7D-424B-890C-9A82EF00656D}" = VAIO Update 2
"{560F6B2E-F0DF-44E5-8190-A4A161F0E205}" = VAIO Media 5.0
"{5677563D-0CB1-485F-9E18-C5025306BB3F}" = Norton AntiSpam
"{582C5C46-399D-4A9D-AB9F-C36F6FEC85EA}" = VAIO CameraVJ Screen Saver
"{5855C127-1F20-404D-B7FB-1FD84D7EAB5E}" = VAIO Media Redistribution 5.0
"{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series
"{5958CAC6-373E-402F-84FE-0A699AA920B9}" = LAN Setting Utility
"{61D6E4FB-1A62-4EB1-BE56-929B00C155CF}" = Wireless LAN Starter
"{63B8FB69-A1B6-425D-B67D-5257B7A1F663}" = Image Converter 2 Plus
"{685BCC47-B8EC-45EC-BBCE-77DF2451502C}" = DVgate Plus
"{6B1F20F2-6321-4669-A58C-33DF8E7517FF}" = VAIO Entertainment Platform
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC
"{785EB1D4-ECEC-4195-99B4-73C47E187721}" = VAIO Media Integrated Server 5.0
"{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}" = Norton Protection Center
"{88DA0A52-3372-4803-971A-ADFB961707E8}" = PictureGear Studio 2.0
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8DF4C627-4AF3-4245-9F13-3518FC8584DC}" = Protector Suite QL 5.3
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for VAIO
"{934A3213-1CB6-4264-84A2-EE080C017BCA}" = VAIO Tender Green Wallpaper
"{97BCD719-6ECB-458F-97D6-F38D2E07375E}" = VAIO Aqua Breeze Wallpaper
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9E319E96-ED8E-4B01-9775-C521A1869A25}" = VAIO Power Management
"{9E407618-D9CD-4F39-9490-9ED45294073D}" = Click to DVD 2.0.03 Menu Data
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 4.0
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A43F939E-A863-433D-AC78-0897E44CFEB2}" = VAIO Launcher
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93C9E60-29B6-49da-BA21-F70AC6AADE20}" = Norton Internet Security
"{AA171A69-F942-40DA-AE3A-EA91026A1CAE}" = VAIO Manual
"{AB467B85-4F52-48C2-AEED-0673D00417B0}" = SonicStage Mastering Studio Audio Filter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio DigitalMedia Audio
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{AF9A04EB-7D8E-41DE-9EDE-4AB9BB2B71B6}" = VAIO Media Registration Tool 5.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio DigitalMedia Copy
"{B7C03E84-AF46-42F4-809D-D4127D9086D0}" = VAIO Edit Components 6.0
"{B7C61755-DB48-4003-948F-3D34DB8EAF69}" = MSRedist
"{BBFFB027-7D53-4E1B-95BC-35A2216D1D60}" = VAIO Long Battery Life Wallpaper
"{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}" = Sony Video Shared Library
"{BF3B304B-8A18-452D-A19F-6012CA8418D7}" = SonicStage Mastering Studio 2.2
"{C27BF761-C499-488D-A964-A3718BC6EC3E}" = DSD Direct
"{C518C7BF-A345-4019-815B-FFDF32EBCAD9}" = VAIO HDD Protection
"{C6F5B6CF-609C-428E-876F-CA83176C021B}" = Norton AntiVirus 2006
"{C89EB8CD-675F-44F4-9729-4C9A8FAC2D4F}" = DSD Playback Plug-in 1.0
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{DEBACE7E-5DD1-42DB-AFE7-2B60E7CC80A8}" = Microsoft GB18030 Support Package
"{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}" = Norton Internet Security
"{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton Internet Security
"{E809063C-51A3-4269-8984-D1EB742F2151}" = Click to DVD 2.5.30
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{E85FA9A1-C241-4698-893B-DD99509B8DB0}" = Norton WMI Update
"{ED8D39F2-7FFA-45EC-B148-EF2472955BB4}" = VAIO Zone
"{EE7EB179-5AA2-4B28-AC92-5CBAAF82BA7F}" = SonicStage Mastering Studio Plugins
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service
"{F64306A5-4C32-41bb-B153-53986527FAB4}" = Norton WMI Update
"{FB714F13-10C9-48DB-91C9-DDBCCCBF9370}" = VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
"{FC37C108-821D-4EDE-8F40-D5B497586805}" = VAIO Control Center
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FFB4DD53-28B7-4981-BFF0-9BD801F61095}" = Norton Internet Security
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Bandoo" = Fun4IM
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003" = HDAUDIO SoftV92 Data Fax Modem with SmartCP
"InstallShield_{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
"InstallShield_{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
"KLiteCodecPack_is1" = K-Lite Codec Pack 6.6.6 (Standard)
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MouseSuite98" = Sony USB Mouse
"NVIDIA Drivers" = NVIDIA Drivers
"OpenMG HotFix4.5-06-05-10-01" = OpenMG Limited Patch 4.5-06-05-12-01
"PremElem20" = Adobe Premiere Elements 2.0
"Productivity_2 Toolbar" = Productivity 2 Toolbar
"ProInst" = Intel® PROSet/Wireless Software
"Searchqu MediaBar" = Windows Searchqu Toolbar
"SymSetup.{A93C9E60-29B6-49da-BA21-F70AC6AADE20}" = Norton Internet Security 2006 (Symantec Corporation)
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-375473015-3699484750-2554986250-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/3/2011 2:14:48 PM | Computer Name = YOUR-8E0538BEEB | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 2/3/2011 2:31:25 PM | Computer Name = YOUR-8E0538BEEB | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2/3/2011 2:31:25 PM | Computer Name = YOUR-8E0538BEEB | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/3/2011 2:31:25 PM | Computer Name = YOUR-8E0538BEEB | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/3/2011 2:31:25 PM | Computer Name = YOUR-8E0538BEEB | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/3/2011 7:30:44 PM | Computer Name = YOUR-8E0538BEEB | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2/3/2011 7:30:44 PM | Computer Name = YOUR-8E0538BEEB | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/3/2011 7:35:09 PM | Computer Name = YOUR-8E0538BEEB | Source = Application Error | ID = 1000
Description = Faulting application ico .exe, version 1.0.0.8, faulting module ico
.exe, version 1.0.0.8, fault address 0x000033ae.

Error - 2/3/2011 8:10:13 PM | Computer Name = YOUR-8E0538BEEB | Source = Application Error | ID = 1000
Description = Faulting application ico .exe, version 1.0.0.8, faulting module ico
.exe, version 1.0.0.8, fault address 0x000033ae.

Error - 2/3/2011 8:57:03 PM | Computer Name = YOUR-8E0538BEEB | Source = Application Error | ID = 1000
Description = Faulting application ico .exe, version 1.0.0.8, faulting module ico
.exe, version 1.0.0.8, fault address 0x000033ae.

[ System Events ]
Error - 2/8/2011 2:11:39 PM | Computer Name = YOUR-8E0538BEEB | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Real\RealUpgrade\realupgrade.exe.
Reference
error message: The operation completed successfully. .

Error - 2/8/2011 2:16:44 PM | Computer Name = YOUR-8E0538BEEB | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 2/8/2011 2:17:01 PM | Computer Name = YOUR-8E0538BEEB | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 2/8/2011 2:30:22 PM | Computer Name = YOUR-8E0538BEEB | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 2/8/2011 2:30:22 PM | Computer Name = YOUR-8E0538BEEB | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 2/8/2011 2:30:22 PM | Computer Name = YOUR-8E0538BEEB | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Real\RealUpgrade\realupgrade.exe.
Reference
error message: The operation completed successfully. .

Error - 2/8/2011 2:35:17 PM | Computer Name = YOUR-8E0538BEEB | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 2/8/2011 2:55:26 PM | Computer Name = YOUR-8E0538BEEB | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 2/8/2011 2:55:26 PM | Computer Name = YOUR-8E0538BEEB | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 2/8/2011 2:55:26 PM | Computer Name = YOUR-8E0538BEEB | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Real\RealUpgrade\realupgrade.exe.
Reference
error message: The operation completed successfully. .

< End of report >

#5 pwgib

Forum Addict

Group: Malware Response Team
Posts: 2,859
Joined: 14-February 05
Gender:Male
Location:God's Country

Posted 12 February 2011 - 08:51 AM

Hello Nulecule

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Please make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right click then choose Run as Administrator any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you have not done so, include a clear description of the problems you are having, along with any steps you may have performed so far.

Thanks!!

This post has been edited by pwgib: 12 February 2011 - 10:49 AM
Reason for edit: syntax

#6 pwgib

Forum Addict

Group: Malware Response Team
Posts: 2,859
Joined: 14-February 05
Gender:Male
Location:God's Country

Posted 12 February 2011 - 04:56 PM

Hi Nulecule,

Do you have access to a clean computer and a flash drive or cd burner we can use if needed?

Did you install searchqutb and set http://www.searchqu.com as your homepage?

Step 1.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please reboot into Safe Mode.

This can be done tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into safe mode.

Make sure you choose the option without networking support. <---Important

Instructions on booting into Safe Mode can be found here

Step 2.

After you boot to safe mode you should disable any anti-malware softwares you have installed so they do not interfere with RKill.

If the tool does not run tell me about it. After running it shall produce a log located at C:\RKill.
Please copy and paste it into your next reply.

Step 3.

We need to run an OTL Fix

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:OTL
MOD - [2011/02/03 13:02:38 | 000,030,000 | ---- | M] () -- C:\WINDOWS\system32\opy8fkexc3.dll
FF - HKLM\software\mozilla\Firefox\Extensions\\{6514FFD4-B431-4F01-B8E5-D56840822306}: C:\Documents and Settings\Tristan\Local Settings\Application Data\{6514FFD4-B431-4F01-B8E5-D56840822306} [2011/02/03 13:05:33 | 000,000,000 | ---D | M]
O2 - BHO: (C:\WINDOWS\system32\opy8fkexc3.dll) - {B9B220C1-A500-59BD-F413-02B52A2C8953} - C:\WINDOWS\system32\opy8fkexc3.dll ()
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O20 - HKU\S-1-5-21-375473015-3699484750-2554986250-1005 Winlogon: Shell - (C:\Documents and Settings\Tristan\Application Data\palladium.exe) - C:\Documents and Settings\Tristan\Application Data\palladium.exe ()
O22 - SharedTaskScheduler: {B9B220C1-A500-59BD-F413-02B52A2C8953} - psioj9f8w873bgfdshdfg - C:\WINDOWS\system32\opy8fkexc3.dll ()
[2011/02/03 13:14:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tristan\Start Menu\Programs\System Tool
[2011/02/03 13:03:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\dHkCpGj15400
[2011/02/08 18:49:40 | 000,765,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\ewcdhzs.sys
[2011/02/08 18:40:10 | 000,000,306 | -HS- | M] () -- C:\WINDOWS\tasks\Zijwzhjtdz.job
[2011/02/08 13:12:47 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\RU3FAy.dat
[2011/02/08 13:12:46 | 000,077,826 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1VE1d06B.exe
:commands
[Reboot]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click .
A report will open. Copy and Paste that report in your next reply.

Let your computer reboot into normal Windows and only connect to the internet to perform the following step and reply to this topic.

Step 4.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to Disable your Security Applications

Note - If you have AVG or CA installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download Opswat AppRemover http://www.appremover.com/supported-applications <----Important
Refer to this page if you are not sure how.
Close any open windows, including this one.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

In your next reply please answer my questions and include the following:

RKill log
OTLfix report
Combofix.txt

Thanks!!

#7 Nulecule

Member

Group: Members
Posts: 43
Joined: 04-February 11

Posted 14 February 2011 - 01:44 PM

Hi pwgib,

I have encoutered a few barriers and just wanted to check with you:

- Safe mode does not seem to be making any difference: System just retarts normally.

*** I only manage the above tests (OTL, Extra.txt and now Gmer: see attach below) by Run -> msconfig -> selective startup -> I then uncheck the "load startup item" checkbox. Diagnostic startup used to work but now it is also filled with blank popups windows. sigh.

- Following your instructions to show hidden file on Window XP, under the tools menu, there is no "Folder Options".

- I have an Rkill icon on my desktop - d/l ed it in a previous attempt to remove System Tool but it cannot not run. The mouse pointer change to an hourglass for awhile then nothing happens..

As to your questions:

I do not believe I have any anti-malware or anti-virus softwares installed. Norton came with the computer but I have uninstalled it long ago.

I do have several access to other computers. As a matter of facts, I d/l the programs (i.e. OTL, mbam <- unable to run it btw) into a USB key and transfer them to my incfected labtop then run them.

I do not have, at least not knowingly, searchqutb as my homepage. My home page was set as google.com.hk.

Sorry I don't quite understand your comment about : "Word Wrap in notepad is turned off" - how can I do so? Is the format of the log I posted previously ok?

Once again, your support is very appreciated.

Finally, please see Gmer below:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-10 12:53:00
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST98823AS rev.3.14
Running: iivj3uv0.exe; Driver: C:\DOCUME~1\Tristan\LOCALS~1\Temp\kwpiykoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ewcdhzs.sys F846A000 33 Bytes JMP F849A2F5 ewcdhzs.sys
.text ewcdhzs.sys F846A022 45 Bytes [00, 60, 8D, 64, 24, 20, E9, ...]
.text ewcdhzs.sys F846A050 7 Bytes [24, 91, D2, CC, 04, 8B, 45] {AND AL, 0x91; ROR AH, CL; ADD AL, 0x8b; INC EBP}
.text ewcdhzs.sys F846A058 625 Bytes [66, 0F, A3, CE, 0F, 83, B6, ...]
.text ewcdhzs.sys F846A2CA 52 Bytes [00, 66, 89, 45, 04, 8D, 64, ...]
.text ...
? C:\WINDOWS\system32\drivers\ewcdhzs.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F8376E88 4 Bytes CALL 825B06A1
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF72BB360, 0x22117D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[224] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A6000A
.text C:\WINDOWS\explorer.exe[224] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00A7000A
.text C:\WINDOWS\explorer.exe[224] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 003C000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 825548F0
Device \Driver\Tcpip \Device\Ip 8220EC50
Device \Driver\Tcpip \Device\Tcp 8220EC50
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8250557B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8250557B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8250557B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8250557B
Device \Driver\Tcpip \Device\Udp 8220EC50
Device \Driver\Tcpip \Device\RawIp 8220EC50
Device \Driver\Tcpip \Device\IPMULTICAST 8220EC50
Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST98823AS_______________________________3.14____#5&36bd7437&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] ewcdhzs <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ewcdhzs@mrueyjx 61748826
Reg HKLM\SYSTEM\CurrentControlSet\Services\ewcdhzs@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ewcdhzs@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ewcdhzs@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ewcdhzs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\ewcdhzs@mrueyjx 61748826
Reg HKLM\SYSTEM\ControlSet003\Services\ewcdhzs@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\ewcdhzs@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\ewcdhzs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ewcdhzs@Group Boot Bus Extender

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

#8 pwgib

Forum Addict

Group: Malware Response Team
Posts: 2,859
Joined: 14-February 05
Gender:Male
Location:God's Country

Posted 15 February 2011 - 09:58 AM

Hi Nulecule,

Do you have your Windows installation disk?

Your computer is badly infected. There are some procedures we can try but I want to make you aware that a format and reinstall might be in your future.

Quote

Sorry I don't quite understand your comment about : "Word Wrap in notepad is turned off" - how can I do so? Is the format of the log I posted previously ok?

Everything is fine for now. :thumbup2:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue please do the following:

The first thing we need to do is run a little program that will prevent any clean computer that is used from becoming infected.

Step 1.

Please download Flash_Disinfector.exe by sUBs and save it to your clean computer desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Step 2.

On a clean computer download Combofix from any of the links below and save it to your USB drive. During the download rename Combofix to Fixit when saving it .

Link 1
Link 2

You will see similar windows to those below when downloading Combofix. Do not rename to Combo-Fix or save to the desktop as shown in the examples. Remember that you want to save Combofix to your USB drive and rename it to Fixit.

Leave the renamed Combofix on your USB drive and insert it in the infected computer. Double click on Fixit & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Since you will not be connected to the internet skip, (answer no), to this procedure.

Posted Image

Ignore any warnings about the recovery console not being installed and continue on to scan for malware.

When finished, it will produce a log for you. Save the log to your USB drive then please copy and paste the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: Combofix may still not run using this procedure. Don't be alarmed.

Let me know if you have any problems or questions.

Thanks!!

This post has been edited by pwgib: 15 February 2011 - 12:41 PM

#9 Nulecule

Member

Group: Members
Posts: 43
Joined: 04-February 11

Posted 15 February 2011 - 02:17 PM

Thank you pwgib for your quick reply. As you've suspected:

- From my USB key Fixit.exe started and a bar loading is shown but when loading completed, it just disappears and nothing happenned.

To answer your question:

My system recovery tool is installed in the laptop. I also have acquired a copy of Windows installation disk. Both failed to start (note my disk reader has not been functionning properly lately).

I certainly do not mind formating the computer - no important material here ; just don't know how to proceed.

Please instruct what to do next? Many thanks.

#10 pwgib

Forum Addict

Group: Malware Response Team
Posts: 2,859
Joined: 14-February 05
Gender:Male
Location:God's Country

Posted 17 February 2011 - 10:33 AM

Hi Nulecule,

Sory for the delay. I've been down with pneumonia so my responses may be slow.

Quote

Both failed to start (note my disk reader has not been functionning properly lately).

We will try using a CD.

Download GETxPUD.exe to the desktop of your clean computer

Run GETxPUD.exe
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
Click on Start and follow the prompts to burn the image to a CD.
Format your USB then download http://noahdfear.net/downloads/dumpit to your USB drive
Remove the USB
Boot the computer with the CD you just burned
The computer must be set to boot from the CD
Gently tap F12 and choose to boot from the CD
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
Replace the USB
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
Confirm that you see dumpit that you downloaded there
Double click the dumpit file
After it has finished a report will be located on your USB drive named mbr.zip. Please attach it for my review.
Please note - all text entries are case sensitive

Thanks!!

#11 Nulecule

Member

Group: Members
Posts: 43
Joined: 04-February 11

Posted 17 February 2011 - 04:21 PM

Hi pw,

Hope you r feelin better. I really appreciate you still take the time to follow up.

I have tried what you suggested above and have a few questions (bear in mind I'm still new to all this.. )

1 - d/l and burn xPUD to disc successfully. My infected computer will not load / boot it though.

Pressing F12 doesn't change anything (I dunno when should I be pressing it actually so I tapped on it all the time the system was rebooting). I then tried to mod. the boot priority in BIOS by pressing F2 but CD drive wasn't listed -I have: floppy disk drive <-- ?!, USB optical dr., i. Link optical dr., USB Hard Disk dr., i Link Hard Disk dr., Internal Hard Disk dr. and Network listed under "Boot priority order".

Note that when I open the disk to see its content the infected computer says "blank CD" whereas another computer can label it xPUD. This has happened to me before though - maybe a problem with the CD drive?

2 - How do I format a USB? This is my phone mem. card in a USB adapter. I rather not lose the funtionnality and info in it. Can I skip this step?

Please get back to me at your convenience.

Take care.

#12 pwgib

Forum Addict

Group: Malware Response Team
Posts: 2,859
Joined: 14-February 05
Gender:Male
Location:God's Country

Posted 18 February 2011 - 09:04 AM

Hi Nulecule,

What is the exact make and model of your computer?

Since your CD Drive is not working the only option is to use a USB flash/thumb drive. Could you possibly borrow or purchase one?

What happens when you boot your computer and tap F8 during the boot process?

For information purposes please read thisregarding msconfig and safe mode.

Thanks!!

#13 Nulecule

Member

Group: Members
Posts: 43
Joined: 04-February 11

Posted 18 February 2011 - 05:46 PM

Hi pw,

My Laptop is a Sony VAIO VGN-SZ32GP/B.

When I tab F8 during boot process I do see the black and white screen with all the options (i.e. Safe Mode, .. ,Enable Boot Logging, etc.) but after selecting Safe Mode (or Safe Mode without networking - I tried both) the computer will restart normally just as if I just turned it on.

I should be able to get my hands on an external CD drive this weekend. I will try it. What is a USB flash/thumb drive? Is it the same thing?

#14 pwgib

Forum Addict

Group: Malware Response Team
Posts: 2,859
Joined: 14-February 05
Gender:Male
Location:God's Country

Posted 18 February 2011 - 07:53 PM

Hi Nulecule,

Quote

What is a USB flash/thumb drive?

The short answer is a portable drive that you can store data on and move from one computer to another. Instead of burning a disk you can drag, drop, copy and paste the data without burning.. Just like moving data from one hard drive to another.

The long answer

You can pick one up at just about any electronics store; Staples, Best Buy, Walmart, etc. 2GB is sufficient for our needs.

Here is a link to Best Buy

#15 Nulecule

Member

Group: Members
Posts: 43
Joined: 04-February 11

Posted 21 February 2011 - 10:06 AM

Hi pw,

I purchased an external CD drive - connected via USB to my laptop - but the system does not seem to boot my xPUT CD.

I tested, the external CD drive is functional and CD does have the xPUT data. The computer seems to ignore it unless I eject the CD and put it back in: it then lights up and I can hear the disk spinning.

When I open the "My Computer" windows I can't see the external CD drive listed either. (I do see the "assumed defected" built in CD drive on my laptop listed as F:/ .)

I do have an 8GB USB drive - still did not figure out how to re-format it though. (Is this mandatory?)

Thank you for you continuing help. I hope we get tot the bottom of this soon.