
Suspicious File(s): word64main.exe, Win32.Agent.pz


  • This topic is locked
20 replies to this topic

#1 Mud Dobber

Mud Dobber

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 30 July 2009 - 02:32 PM

A Panda online scan of my computer detected a "Suspicious File" (C:\WINDOWS\system32\word64main.exe) and I am unable to remove it. A scan using Malwarebytes' Anti-Malware (MBAM) showed infected registry keys and a registry value that reappear after removal. A Spybot Search & Destroy scan reveals 3 malware entries called Win32.Agent.pz that also keep reappearing after removal. Any help would be most appreciated. Thank you.

The DDS.txt file is as follows:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Fred at 14:43:29.75 on Thu 07/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.352.170 [GMT -4:00]

AV: Panda Internet Security 2008 *On-access scanning enabled* (Updated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
FW: Panda Internet Security 2008 *enabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Documents and Settings\Fred\My Documents\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\word64main.exe,
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No File
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [APVXDWIN] "c:\program files\panda security\panda internet security 2008\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda internet security 2008\Inicio.exe"
IE: Download all with Free Download Manager
IE: Download selected with Free Download Manager
IE: Download video with Free Download Manager
IE: Download with Free Download Manager
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\panda security\panda internet security 2008\pavlsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220972857781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {05EC5148-6CFB-43A5-AAED-433738C7C49C} = 64.136.173.4 64.136.164.76
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avldr - avldr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-8-25 28544]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2008-8-18 71608]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2008-8-18 51256]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2008-8-18 21816]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2008-8-18 191672]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2008-8-18 132664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 72944]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2008-8-18 38968]
R1 SMSFLT;SMS Filter Plugin;c:\windows\system32\drivers\smsflt.sys [2008-8-18 37304]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2008-8-18 30648]
R2 cpoint;Panda CPoint Driver;c:\windows\system32\drivers\cpoint.sys [2008-8-18 24760]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda internet security 2008\PsCtrlS.exe [2008-8-18 169264]
R2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2008-8-18 83896]
R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda internet security 2008\PAVFNSVR.EXE [2008-8-18 173360]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2008-8-18 178872]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda software\pavshld\PavPrSrv.exe [2008-8-18 63024]
R2 PAVSRV;Panda anti-virus service;c:\program files\panda security\panda internet security 2008\PAVSRV51.EXE [2008-8-18 148272]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [2008-8-18 13880]
R3 NETIMFLT01050097;PANDA NDIS IM Filter Miniport v1.5.0.97;c:\windows\system32\drivers\netimflt.sys [2008-8-18 143160]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\f.tmp --> c:\windows\system32\F.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]

============== File Associations ===============

JSEFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*
VBEFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*
VBSFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*

=============== Created Last 30 ================

2009-07-29 17:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-29 17:15 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-29 17:15 <DIR> --d----- c:\docume~1\fred\applic~1\SUPERAntiSpyware.com
2009-07-29 17:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-27 19:24 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-27 06:42 <DIR> --d----- C:\RECYCLER(3)
2009-07-26 12:40 <DIR> --dsh--- C:\RECYCLER(2)
2009-07-24 11:19 <DIR> --d----- c:\program files\Sophos
2009-07-22 23:27 389,120 a------- c:\windows\system32\CF16502.exe
2009-07-22 21:47 <DIR> --d----- c:\docume~1\fred\applic~1\Malwarebytes
2009-07-22 21:47 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 21:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-22 21:47 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-22 21:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 20:58 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-22 20:38 <DIR> a-dshr-- C:\cmdcons
2009-07-22 20:13 219,648 a------- c:\windows\PEV.exe
2009-07-22 20:13 161,792 a------- c:\windows\SWREG.exe
2009-07-22 20:13 98,816 a------- c:\windows\sed.exe
2009-07-22 15:37 67,072 a------- c:\windows\system32\main32.tmp
2009-07-22 15:15 <DIR> --d----- c:\program files\Trend Micro
2009-07-22 11:57 63 a------- c:\windows\wininit.ini
2009-07-18 15:17 <DIR> --dsh--- c:\windows\system32\xerox32
2009-07-08 17:22 <DIR> --d----- c:\program files\MSECACHE

==================== Find3M ====================

2009-07-30 13:58 3,244 a------- c:\windows\system32\drivers\APPFLTR.CFG.bck
2009-07-30 13:58 3,244 a------- c:\windows\system32\drivers\APPFLTR.CFG
2009-07-30 13:58 253,836 a------- c:\windows\system32\drivers\APPFCONT.DAT.bck
2009-07-30 13:58 253,836 a------- c:\windows\system32\drivers\APPFCONT.DAT
2009-07-30 13:57 13,880 a------- c:\windows\system32\drivers\COMFiltr.sys
2009-07-09 10:05 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2006-04-05 18:07 10,432,544 ac------ c:\program files\rp505enu.exe
2005-08-13 05:41 609,436 ac------ c:\program files\spell.exe
2008-05-07 03:51 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050720080508\index.dat

============= FINISH: 14:46:54.40 ===============

The most recent MBAM log file is as follows:

Malwarebytes' Anti-Malware 1.39
Database version: 2530
Windows 5.1.2600 Service Pack 3

7/30/2009 12:23:45 PM
mbam-log-2009-07-30 (12-23-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 143468
Time elapsed: 41 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=======================================================

The Spybot report is as follows:

--- Report generated: 2009-07-30 11:20 ---

Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID

===========================================================


Again, thank you very much for your time.

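The line worth noticing in the DDS report above is mWinlogon: Userinit, which lists word64main.exe after userinit.exe. Winlogon runs every comma-separated entry in that value at each interactive logon, and the stock value is userinit.exe alone, so an appended entry relaunches the file after every reboot even when other registry traces have been cleaned. The following is an added example, not code from this thread or from the DDS/OTL tools: a small Python triage script that parses three of the DDS line types (Userinit, Winlogon Notify packages, and service/driver entries) and flags extra Userinit entries, Notify DLLs referenced by bare filename, and services whose image DDS marks with [?] or that load from a temp-named file. The sample log is constructed from lines posted above; the [?] and .tmp findings are cues to verify, not verdicts (several Panda drivers carry [?] here too).

```python
"""Triage a few DDS log line types for logon-time persistence.

Added example for this thread, not code from the original post or from the
DDS/OTL tools. The sample log below is constructed from lines posted above.
"""
import re

# Stock Windows XP value: Winlogon runs every comma-separated entry at logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

NOTIFY_RE = re.compile(r"^Notify:\s*(.+?)\s+-\s+(.+)$")
# DDS service/driver lines: "<start> <name>;<display>;<image> [<date> <size>]"
# or "<start> <name>;<display>;<image> --> <resolved path> [?]" when not found.
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+)$")

# Constructed sample, taken from the DDS output posted in this thread.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\word64main.exe,
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avldr - avldr.dll
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-8-25 28544]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\f.tmp --> c:\windows\system32\F.tmp [?]
"""


def _norm(path):
    return path.strip().strip('"').lower()


def extra_userinit_entries(value):
    """Return every Userinit entry that is not the stock userinit.exe.

    Anything appended here is relaunched at each interactive logon, which is
    why deleting the file or other registry traces alone does not stick.
    """
    return [e.strip() for e in value.split(",")
            if e.strip() and _norm(e) != DEFAULT_USERINIT]


def is_bare_filename(path):
    """True when a DLL is referenced by name only, so it resolves via the search path."""
    return "\\" not in path and "/" not in path


def service_findings(line):
    """Flag services whose image DDS marks as not found ([?]) or that load a .tmp file."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    _start, name, _display, rest = m.groups()
    image = rest.split("-->")[0].strip()
    found = []
    if rest.rstrip().endswith("[?]"):
        found.append(("REVIEW", "service image not found", f"{name}: {image}"))
    if image.lower().endswith(".tmp"):
        found.append(("REVIEW", "service image has temp-file name", f"{name}: {image}"))
    return found


def triage(log_text):
    """Return (severity, kind, detail) tuples for the suspicious lines in a DDS log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("mwinlogon: userinit="):
            for extra in extra_userinit_entries(line.split("=", 1)[1]):
                findings.append(("HIGH", "Userinit hijack", extra))
        elif line.startswith("Notify:"):
            m = NOTIFY_RE.match(line)
            if m and is_bare_filename(m.group(2)):
                findings.append(("REVIEW", "Notify package by bare filename",
                                 f"{m.group(1)}: {m.group(2)}"))
        else:
            findings.extend(service_findings(line))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_DDS):
        print(f"[{severity}] {kind}: {detail}")
```

The script only reads pasted log text; on a live machine the same value sits at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, and restoring it to userinit.exe alone is what stops the file from being relaunched, which is the part a file deletion by itself does not address.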


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:10 PM

Posted 31 July 2009 - 04:48 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer, I will ask you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Mud Dobber

Mud Dobber
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 01 August 2009 - 12:35 PM

Hi Sam! :thumbup2:

Thanks for replying so soon and taking the time to help me. I sincerely appreciate it.

Here is the OTL Report:

===================================

OTL logfile created on: 8/1/2009 9:01:32 am - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Fred\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

351.53 Mb Total Physical Memory | 147.10 Mb Available Physical Memory | 41.85% Memory free
854.13 Mb Paging File | 554.34 Mb Available in Paging File | 64.90% Paging File free
Paging file location(s): C:\pagefile.sys 528 528 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.30 Gb Total Space | 6.54 Gb Free Space | 17.54% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NONE-CC58FCDACE
Current User Name: Fred
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2007/10/24 16:25:50 | 00,406,832 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
PRC - [2002/03/29 05:44:50 | 00,287,744 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE
PRC - [2002/03/29 05:44:52 | 00,170,496 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXPPS.EXE
PRC - [2007/07/12 10:47:30 | 00,169,264 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
PRC - [2007/07/12 10:47:26 | 00,173,360 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
PRC - [2007/06/14 11:38:02 | 00,063,024 | R--- | M] (Panda Software) -- C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
PRC - [2007/09/28 13:29:00 | 00,148,272 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
PRC - [2007/09/28 13:28:58 | 00,096,560 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
PRC - [2007/01/15 13:42:16 | 00,067,120 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
PRC - [2007/04/04 10:45:08 | 00,226,864 | ---- | M] (Panda Software International) -- c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
PRC - [2007/05/24 09:31:26 | 00,108,592 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/11/23 14:33:22 | 00,406,832 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
PRC - [2007/06/20 11:32:28 | 00,091,440 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
PRC - [2007/11/14 13:31:18 | 00,083,248 | ---- | M] (Panda Security International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
PRC - [2007/07/26 06:47:30 | 00,111,920 | ---- | M] (Panda Software International, S.L.) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
PRC - [2009/08/01 08:56:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fred\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - File not found -- -- (JavaQuickStarterService [Auto | Stopped])
SRV - [2002/03/29 05:44:50 | 00,287,744 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2007/07/12 10:47:30 | 00,169,264 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe -- (Panda Software Controller [Auto | Running])
SRV - [2007/07/12 10:47:26 | 00,173,360 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe -- (PAVFNSVR [Auto | Running])
SRV - [2007/06/14 11:38:02 | 00,063,024 | R--- | M] (Panda Software) -- C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe -- (PavPrSrv [Auto | Running])
SRV - [2007/09/28 13:29:00 | 00,148,272 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe -- (PAVSRV [Auto | Running])
SRV - [2007/01/15 13:42:16 | 00,067,120 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe -- (pmshellsrv [Auto | Running])
SRV - [2007/04/04 10:45:08 | 00,226,864 | ---- | M] (Panda Software International) -- c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE -- (PSHost [Auto | Running])
SRV - [2007/05/24 09:31:26 | 00,108,592 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe -- (PSIMSVC [Auto | Running])
SRV - [2007/10/24 16:25:50 | 00,406,832 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe -- (TPSrv [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2007/09/28 13:05:40 | 00,071,608 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\Drivers\APPFLT.SYS -- (APPFLT [System | Running])
DRV - File not found -- -- (AvFlt [On_Demand | Running])
DRV - [2006/06/09 22:58:22 | 01,373,120 | ---- | M] (C-Media Inc) -- C:\WINDOWS\System32\drivers\cmuda.sys -- (cmuda [On_Demand | Running])
DRV - [2007/06/08 07:44:06 | 00,024,760 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\drivers\cpoint.sys -- (cpoint [Auto | Running])
DRV - [2007/05/11 08:33:06 | 00,051,256 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\Drivers\DSAFLT.SYS -- (DSAFLT [System | Running])
DRV - [2007/11/14 17:48:22 | 00,021,816 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\Drivers\fnetmon.SYS -- (FNETMON [System | Running])
DRV - [2008/04/13 14:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [1996/04/03 15:33:26 | 00,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys -- (giveio [Boot | Running])
DRV - [2007/07/11 10:39:48 | 00,191,672 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\Drivers\IDSFLT.SYS -- (IDSFLT [System | Running])
DRV - [2004/12/04 04:05:10 | 01,348,480 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC51.sys -- (IntelC51 [On_Demand | Running])
DRV - [2006/06/27 21:45:56 | 00,625,280 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC52.sys -- (IntelC52 [On_Demand | Running])
DRV - [2004/12/04 04:03:32 | 00,054,144 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC53.sys -- (IntelC53 [On_Demand | Running])
DRV - [2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2004/12/04 04:03:00 | 00,036,816 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\mohfilt.sys -- (mohfilt [On_Demand | Running])
DRV - [2007/10/25 08:50:32 | 00,132,664 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\Drivers\NETFLTDI.SYS -- (NETFLTDI [System | Running])
DRV - [2007/11/19 13:01:50 | 00,143,160 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\DRIVERS\netimflt.sys -- (NETIMFLT01050097 [On_Demand | Running])
DRV - [2008/06/19 18:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
DRV - [2007/09/28 13:24:18 | 00,083,896 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\DRIVERS\pavdrv51.sys -- (PAVDRV [Auto | Running])
DRV - [2007/07/12 08:49:38 | 00,178,872 | R--- | M] (Panda Software International) -- C:\WINDOWS\System32\DRIVERS\PavProc.sys -- (PavProc [Auto | Running])
DRV - File not found -- -- (PavSRK.sys [On_Demand | Running])
DRV - File not found -- -- (PavTPK.sys [On_Demand | Running])
DRV - [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/05/23 10:40:30 | 00,038,968 | R--- | M] (Panda Software) -- C:\WINDOWS\System32\Drivers\ShlDrv51.sys -- (ShldDrv [System | Running])
DRV - [2003/08/22 21:44:04 | 00,422,784 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisgrp.sys -- (SiS315 [On_Demand | Running])
DRV - [2003/07/18 09:58:20 | 00,036,992 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (sisagp [Boot | Running])
DRV - [2002/04/16 16:52:04 | 00,032,256 | ---- | M] (SiS Corporation) -- C:\WINDOWS\System32\DRIVERS\sisnic.sys -- (SISNIC [On_Demand | Stopped])
DRV - [2007/05/11 08:33:32 | 00,037,304 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\Drivers\SMSFLT.SYS -- (SMSFLT [System | Running])
DRV - [2006/09/24 09:28:46 | 00,005,248 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys -- (speedfan [Boot | Running])
DRV - [2007/05/11 08:33:34 | 00,030,648 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\Drivers\WNMFLT.SYS -- (WNMFLT [System | Running])
DRV - [2009/08/01 08:33:20 | 00,013,880 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\COMFiltr.sys -- (ComFiltr [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-823518204-1644491937-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-823518204-1644491937-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-823518204-1644491937-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-823518204-1644491937-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-823518204-1644491937-725345543-1004\S-1-5-21-823518204-1644491937-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff


O1 HOSTS File: (610657 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
O1 - Hosts: 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
O1 - Hosts: 127.0.0.1 phpadsnew.abac.com
O1 - Hosts: 127.0.0.1 a.abnad.net
O1 - Hosts: 127.0.0.1 b.abnad.net
O1 - Hosts: 127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
O1 - Hosts: 127.0.0.1 d.abnad.net
O1 - Hosts: 127.0.0.1 e.abnad.net
O1 - Hosts: 127.0.0.1 t.abnad.net
O1 - Hosts: 127.0.0.1 z.abnad.net
O1 - Hosts: 127.0.0.1 banners.absolpublisher.com
O1 - Hosts: 127.0.0.1 tracking.absolstats.com
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 gtb5.acecounter.com
O1 - Hosts: 127.0.0.1 gtb19.acecounter.com
O1 - Hosts: 16307 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (no name) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - No CLSID value found.
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
O3 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\..\Toolbar\WebBrowser: (no name) - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No CLSID value found.
O4 - HKLM..\Run: [APVXDWIN] C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE (Panda Software International)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe (Lexmark)
O4 - HKLM..\Run: [SCANINICIO] C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe (Panda Software International)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-823518204-1644491937-725345543-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-823518204-1644491937-725345543-1004_Classes\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O8 - Extra context menu item: Download all with Free Download Manager - Reg Error: Value error. File not found
O8 - Extra context menu item: Download selected with Free Download Manager - Reg Error: Value error. File not found
O8 - Extra context menu item: Download video with Free Download Manager - Reg Error: Value error. File not found
O8 - Extra context menu item: Download with Free Download Manager - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll (Panda Software International)
O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1220972857781 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\word64main.exe) - C:\WINDOWS\System32\word64main.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\renator.exe) - C:\WINDOWS\System32\renator.exe ()
O20 - Winlogon\Notify\avldr: DllName - avldr.dll - C:\WINDOWS\System32\avldr.dll (Panda Software International)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (a) - File not found
O34 - HKLM BootExecute: (u) - File not found
O34 - HKLM BootExecute: (t) - File not found
O34 - HKLM BootExecute: (o) - File not found
O34 - HKLM BootExecute: (c) - File not found
O34 - HKLM BootExecute: (h) - File not found
O34 - HKLM BootExecute: (k) - File not found
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/08/01 08:59:42 | 00,278,846 | ---- | C] () -- C:\Documents and Settings\Fred\Desktop\gmer.zip
[2009/08/01 08:56:31 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Fred\Desktop\OTL.exe
[2009/07/31 14:02:56 | 01,885,088 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\SmitfraudFix.exe
[2009/07/31 13:50:01 | 01,529,241 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\SDFix.exe
[2009/07/31 11:32:19 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bulltlp3.sys
[2009/07/31 11:32:17 | 00,031,529 | ---- | C] (BreezeCOM) -- C:\WINDOWS\System32\dllcache\brzwlan.sys
[2009/07/31 11:32:16 | 00,010,368 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brusbscn.sys
[2009/07/31 11:32:15 | 00,011,008 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brusbmdm.sys
[2009/07/31 11:32:14 | 00,060,416 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brserwdm.sys
[2009/07/31 11:32:13 | 00,009,728 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brserif.dll
[2009/07/31 11:32:13 | 00,005,120 | ---- | C] (Brother Industries,Ltd.) -- C:\WINDOWS\System32\dllcache\brscnrsm.dll
[2009/07/31 11:32:11 | 00,039,552 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brparwdm.sys
[2009/07/31 11:32:10 | 00,003,168 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brparimg.sys
[2009/07/31 11:32:08 | 00,041,472 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfusb.dll
[2009/07/31 11:32:07 | 00,032,256 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfrsmg.exe
[2009/07/31 11:32:06 | 00,081,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\brmfcwia.dll
[2009/07/31 11:32:06 | 00,029,696 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmflpt.dll
[2009/07/31 11:32:05 | 00,015,360 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfbidi.dll
[2009/07/31 11:32:03 | 00,012,160 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brfiltlo.sys
[2009/07/31 11:32:03 | 00,003,968 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brfiltup.sys
[2009/07/31 11:32:02 | 00,002,944 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brfilt.sys
[2009/07/31 11:32:01 | 00,012,800 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brevif.dll
[2009/07/31 11:32:00 | 00,009,728 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brcoinst.dll
[2009/07/31 11:31:59 | 00,019,456 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brbidiif.dll
[2009/07/31 11:31:46 | 00,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\binlsvc.dll
[2009/07/31 11:31:38 | 00,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdasup.sys
[2009/07/31 11:31:37 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdaplgin.ax
[2009/07/31 11:31:36 | 00,871,388 | ---- | C] (BCM) -- C:\WINDOWS\System32\dllcache\bcmdm.sys
[2009/07/31 11:31:36 | 00,026,568 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\dllcache\bcm4e5.sys
[2009/07/31 11:31:35 | 00,054,271 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\dllcache\bcm42xx5.sys
[2009/07/31 11:31:34 | 00,066,557 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\dllcache\bcm42u.sys
[2009/07/31 11:31:33 | 00,014,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\battc.sys
[2009/07/31 11:31:32 | 00,036,128 | ---- | C] (3Dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\banshee.sys
[2009/07/31 11:31:31 | 00,342,336 | ---- | C] (3Dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\banshee.dll
[2009/07/31 11:31:31 | 00,096,640 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\dllcache\b57xp32.sys
[2009/07/31 11:31:30 | 00,089,952 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\b1cbase.sys
[2009/07/31 11:31:29 | 00,036,992 | ---- | C] (Aztech Systems Ltd) -- C:\WINDOWS\System32\dllcache\aztw2320.sys
[2009/07/31 11:31:28 | 00,037,568 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmwan.sys
[2009/07/31 11:31:27 | 00,144,384 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmenum.dll
[2009/07/31 11:31:26 | 00,087,552 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmcoxp.dll
[2009/07/31 11:31:25 | 00,036,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avcaudio.sys
[2009/07/31 11:31:25 | 00,013,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avcstrm.sys
[2009/07/31 11:31:23 | 00,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avc.sys
[2009/07/31 11:31:19 | 00,023,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atixbar.sys
[2009/07/31 11:31:18 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativxbar.sys
[2009/07/31 11:31:17 | 00,019,456 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativttxx.sys
[2009/07/31 11:31:16 | 00,017,152 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atitvsnd.sys
[2009/07/31 11:31:16 | 00,009,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativmdcd.sys
[2009/07/31 11:31:15 | 00,017,152 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atitunep.sys
[2009/07/31 11:31:14 | 00,049,920 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atirtcap.sys
[2009/07/31 11:31:14 | 00,026,880 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atirtsnd.sys
[2009/07/31 11:31:13 | 00,070,528 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atiragem.sys
[2009/07/31 11:31:12 | 00,104,832 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atiraged.dll
[2009/07/31 11:31:12 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atipcxxx.sys
[2009/07/31 11:31:09 | 00,281,600 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atimtai.sys
[2009/07/31 11:31:09 | 00,075,136 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atimpae.sys
[2009/07/31 11:31:08 | 00,289,664 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atimpab.sys
[2009/07/31 11:31:07 | 00,037,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atievxx.exe
[2009/07/31 11:31:06 | 00,268,160 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atidvai.dll
[2009/07/31 11:31:06 | 00,137,216 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atidrae.dll
[2009/07/31 11:31:05 | 00,382,592 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atidrab.dll
[2009/07/31 11:31:04 | 00,046,464 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atibt829.sys
[2009/07/31 11:31:00 | 00,077,568 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\dllcache\ati.sys
[2009/07/31 11:30:59 | 00,096,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ati.dll
[2009/07/31 11:30:58 | 00,097,354 | ---- | C] (Bay Networks, Inc.) -- C:\WINDOWS\System32\dllcache\aspndis3.sys
[2009/07/31 11:30:57 | 00,014,848 | ---- | C] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\dllcache\asc3550.sys
[2009/07/31 11:30:56 | 00,022,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\asc3350p.sys
[2009/07/31 11:30:55 | 00,026,496 | ---- | C] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\dllcache\asc.sys
[2009/07/31 11:30:35 | 00,006,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\apmbatt.sys
[2009/07/31 11:30:34 | 00,036,224 | ---- | C] (ADMtek Incorporated.) -- C:\WINDOWS\System32\dllcache\an983.sys
[2009/07/31 11:30:34 | 00,012,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\amsint.sys
[2009/07/31 11:30:33 | 00,016,969 | ---- | C] (AmbiCom, Inc.) -- C:\WINDOWS\System32\dllcache\amb8002.sys
[2009/07/31 11:30:31 | 00,026,624 | ---- | C] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\dllcache\alifir.sys
[2009/07/31 11:30:31 | 00,005,248 | ---- | C] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\dllcache\aliide.sys
[2009/07/31 11:30:30 | 00,027,678 | ---- | C] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\dllcache\ali5261.sys
[2009/07/31 11:30:29 | 00,056,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aic78xx.sys
[2009/07/31 11:30:28 | 00,055,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aic78u2.sys
[2009/07/31 11:30:28 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aha154x.sys
[2009/07/31 11:30:20 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agcgauge.ax
[2009/07/31 11:29:42 | 00,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\adpu160m.sys
[2009/07/31 11:29:41 | 00,046,112 | ---- | C] (Adaptec, Inc ) -- C:\WINDOWS\System32\dllcache\adptsf50.sys
[2009/07/31 11:29:39 | 00,010,880 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\admjoy.sys
[2009/07/31 11:29:38 | 00,747,392 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8830.sys
[2009/07/31 11:29:38 | 00,553,984 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8820.sys
[2009/07/31 11:29:37 | 00,584,448 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8810.sys
[2009/07/31 11:29:36 | 00,020,160 | ---- | C] (ADMtek Incorporated) -- C:\WINDOWS\System32\dllcache\adm8511.sys
[2009/07/31 11:29:35 | 00,007,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\adicvls.sys
[2009/07/31 11:29:33 | 00,061,440 | ---- | C] (Color Flatbed Scanner) -- C:\WINDOWS\System32\dllcache\acerscad.dll
[2009/07/31 11:29:32 | 00,084,480 | ---- | C] (VIA Technologies, Inc.) -- C:\WINDOWS\System32\dllcache\ac97via.sys
[2009/07/31 11:29:31 | 00,297,728 | ---- | C] (Silicon Integrated Systems Corp.) -- C:\WINDOWS\System32\dllcache\ac97sis.sys
[2009/07/31 11:29:31 | 00,096,256 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\dllcache\ac97intc.sys
[2009/07/31 11:29:30 | 00,231,552 | ---- | C] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\dllcache\ac97ali.sys
[2009/07/31 11:29:29 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\abp480n5.sys
[2009/07/31 11:29:28 | 00,462,848 | ---- | C] (Aureal Inc.) -- C:\WINDOWS\System32\dllcache\a3dapi.dll
[2009/07/31 11:29:27 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\61883.sys
[2009/07/31 11:29:27 | 00,038,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\8514a.dll
[2009/07/31 11:29:26 | 00,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\4mmdat.sys
[2009/07/31 11:29:25 | 00,689,216 | ---- | C] (3dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\3dfxvs.dll
[2009/07/31 11:29:25 | 00,148,352 | ---- | C] (3dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\3dfxvsm.sys
[2009/07/31 11:29:24 | 00,762,780 | ---- | C] (3Com, Inc.) -- C:\WINDOWS\System32\dllcache\3cwmcru.sys
[2009/07/31 11:29:23 | 00,053,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\1394bus.sys
[2009/07/31 11:29:23 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\1394vdbg.sys
[2009/07/31 11:28:47 | 00,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\s3legacy.dll
[2009/07/31 10:41:04 | 00,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2009/07/31 10:41:04 | 00,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2009/07/31 10:41:04 | 00,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2009/07/31 10:41:03 | 00,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2009/07/31 10:41:03 | 00,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2009/07/31 10:41:03 | 00,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe
[2009/07/31 10:41:03 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2009/07/31 10:41:03 | 00,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2009/07/31 10:41:03 | 00,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2009/07/31 10:41:03 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2009/07/31 10:41:03 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2009/07/31 10:41:02 | 00,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2009/07/31 10:41:02 | 00,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2009/07/30 15:57:52 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\winwswd32
[2009/07/30 10:03:59 | 00,359,932 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\dds.scr
[2009/07/30 09:00:20 | 01,496,399 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Windows XP Tweak Guide.zip
[2009/07/28 06:05:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/07/28 06:01:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/07/27 19:36:39 | 00,000,519 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\DefaultHosts.zip
[2009/07/27 19:09:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fred\My Documents\hosts
[2009/07/27 19:02:35 | 00,148,286 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\hosts.zip
[2009/07/27 12:29:09 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/07/27 06:42:34 | 00,000,000 | ---D | C] -- C:\RECYCLER(3)
[2009/07/26 12:40:15 | 00,000,000 | -HSD | C] -- C:\RECYCLER(2)
[2009/07/26 12:38:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/07/26 10:53:06 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/07/22 23:27:46 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF16502.exe
[2009/07/22 21:47:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fred\Application Data\Malwarebytes
[2009/07/22 21:47:32 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/22 21:47:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/07/22 21:47:29 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/22 21:47:29 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/22 20:58:45 | 02,189,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntoskrnl.exe
[2009/07/22 20:58:45 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntkrnlpa.exe
[2009/07/22 20:58:45 | 01,614,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfcfiles.dll
[2009/07/22 20:58:45 | 01,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\explorer.exe
[2009/07/22 20:58:45 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kernel32.dll
[2009/07/22 20:58:45 | 00,927,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mfc40u.dll
[2009/07/22 20:58:45 | 00,915,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wininet.dll
[2009/07/22 20:58:45 | 00,792,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comres.dll
[2009/07/22 20:58:45 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comctl32.dll
[2009/07/22 20:58:45 | 00,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\user32.dll
[2009/07/22 20:58:45 | 00,507,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\winlogon.exe
[2009/07/22 20:58:45 | 00,435,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntmssvc.dll
[2009/07/22 20:58:45 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rpcss.dll
[2009/07/22 20:58:45 | 00,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tcpip.sys
[2009/07/22 20:58:45 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\termsrv.dll
[2009/07/22 20:58:45 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ndis.sys
[2009/07/22 20:58:45 | 00,171,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\srsvc.dll
[2009/07/22 20:58:45 | 00,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\aec.sys
[2009/07/22 20:58:45 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\services.exe
[2009/07/22 20:58:45 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\imm32.dll
[2009/07/22 20:58:45 | 00,088,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rasauto.dll
[2009/07/22 20:58:45 | 00,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ws2_32.dll
[2009/07/22 20:58:45 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\spoolsv.exe
[2009/07/22 20:58:45 | 00,051,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wuauclt.exe
[2009/07/22 20:58:45 | 00,036,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ip6fw.sys
[2009/07/22 20:58:45 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\msgsvc.dll
[2009/07/22 20:58:45 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\userinit.exe
[2009/07/22 20:58:45 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kbdclass.sys
[2009/07/22 20:58:45 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lpk.dll
[2009/07/22 20:58:45 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\powrprof.dll
[2009/07/22 20:58:45 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ctfmon.exe
[2009/07/22 20:58:45 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\svchost.exe
[2009/07/22 20:58:45 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lsass.exe
[2009/07/22 20:58:45 | 00,011,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\acpiec.sys
[2009/07/22 20:58:45 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfc.dll
[2009/07/22 20:58:45 | 00,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\beep.sys
[2009/07/22 20:58:45 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\null.sys
[2009/07/22 20:58:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/07/22 20:39:05 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/07/22 20:38:58 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/07/22 20:38:55 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/07/22 20:13:50 | 00,219,648 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/07/22 20:13:50 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/07/22 20:13:50 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/07/22 20:13:50 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/07/22 20:13:50 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/07/22 20:13:50 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/07/22 20:13:50 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/07/22 20:13:50 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/07/22 20:13:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/07/22 15:37:34 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\zpord32
[2009/07/22 15:15:42 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/07/22 11:57:55 | 00,000,063 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/18 15:17:05 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\xerox32
[2009/07/16 05:33:03 | 11,218,222 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Employment Guide.PDF
[2009/07/10 10:31:07 | 00,052,645 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Frontline - Breaking The Bank.rtf
[2009/07/10 10:24:57 | 00,055,257 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Frontline - Inside The Meltdown.rtf
[2009/07/10 10:13:28 | 00,014,687 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Rolling Stone - The Great American Bubble Machine.rtf
[2009/07/08 17:22:53 | 00,000,000 | ---D | C] -- C:\Program Files\MSECACHE
[2009/07/06 11:16:06 | 00,806,420 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Federal Job Application.PDF
[2009/06/25 16:12:09 | 00,000,245 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2009/06/25 16:11:12 | 00,000,191 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2009/06/25 16:04:02 | 00,000,198 | ---- | C] () -- C:\WINDOWS\NGARCHIV.INI
[2008/08/18 13:25:19 | 00,013,880 | ---- | C] () -- C:\WINDOWS\System32\drivers\COMFiltr.sys
[2007/06/06 12:06:54 | 00,443,368 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2007/06/05 11:30:08 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/06/03 04:21:34 | 00,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/06/03 04:21:32 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2005/08/23 20:50:41 | 00,001,636 | ---- | C] () -- C:\WINDOWS\yahtzee.ini
[2005/08/01 19:29:09 | 00,000,200 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2005/08/01 19:29:09 | 00,000,033 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2005/08/01 19:19:58 | 00,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2004/08/04 08:00:00 | 00,000,585 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 08:00:00 | 00,000,435 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/02/18 18:26:28 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2002/03/29 05:44:52 | 00,000,643 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[1996/04/03 15:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/08/01 08:59:43 | 00,278,846 | ---- | M] () -- C:\Documents and Settings\Fred\Desktop\gmer.zip
[2009/08/01 08:56:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fred\Desktop\OTL.exe
[2009/08/01 08:42:03 | 00,008,627 | ---- | M] () -- C:\WINDOWS\System32\PAV_FOG.OPC
[2009/08/01 08:38:43 | 00,000,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetAV.alt.bck
[2009/08/01 08:38:43 | 00,000,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetAV.alt
[2009/08/01 08:38:42 | 00,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetAR.wlt.bck
[2009/08/01 08:38:42 | 00,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetAR.wlt
[2009/08/01 08:33:45 | 00,272,836 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\DsaFlt.rls.bck
[2009/08/01 08:33:45 | 00,272,836 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\DsaFlt.rls
[2009/08/01 08:33:45 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\DsaFlt.cfg.bck
[2009/08/01 08:33:45 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\DsaFlt.cfg
[2009/08/01 08:33:36 | 00,003,324 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFLTR.CFG.bck
[2009/08/01 08:33:36 | 00,003,324 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFLTR.CFG
[2009/08/01 08:33:36 | 00,000,252 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\IdsFlt.cfg.bck
[2009/08/01 08:33:36 | 00,000,252 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\IdsFlt.cfg
[2009/08/01 08:33:36 | 00,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetFlt.cfg.bck
[2009/08/01 08:33:36 | 00,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetFlt.cfg
[2009/08/01 08:33:36 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\WnmFlt.cfg.bck
[2009/08/01 08:33:36 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\WnmFlt.cfg
[2009/08/01 08:33:36 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\SmsFlt.cfg.bck
[2009/08/01 08:33:36 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\SmsFlt.cfg
[2009/08/01 08:33:35 | 00,253,836 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFCONT.DAT.bck
[2009/08/01 08:33:35 | 00,253,836 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFCONT.DAT
[2009/08/01 08:33:20 | 00,013,880 | ---- | M] () -- C:\WINDOWS\System32\drivers\COMFiltr.sys
[2009/08/01 08:31:33 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/01 08:31:30 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/01 08:30:06 | 05,883,990 | -H-- | M] () -- C:\Documents and Settings\Fred\Local Settings\Application Data\IconCache.db
[2009/08/01 07:23:18 | 00,063,488 | ---- | M] () -- C:\Documents and Settings\Fred\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/31 16:54:42 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/31 14:02:57 | 01,885,088 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\SmitfraudFix.exe
[2009/07/31 13:50:04 | 01,529,241 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\SDFix.exe
[2009/07/30 10:04:48 | 00,359,932 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\dds.scr
[2009/07/30 09:46:04 | 00,610,657 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090731-171629.backup
[2009/07/30 09:46:04 | 00,610,657 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/07/30 09:00:29 | 01,496,399 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Windows XP Tweak Guide.zip
[2009/07/27 19:36:40 | 00,000,519 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\DefaultHosts.zip
[2009/07/27 19:03:47 | 00,000,048 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS.MVP
[2009/07/27 19:02:51 | 00,148,286 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\hosts.zip
[2009/07/27 12:19:35 | 00,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/07/22 23:27:35 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF16502.exe
[2009/07/22 20:39:06 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/07/22 11:57:55 | 00,000,063 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/07/20 00:00:00 | 00,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Clean-up.job
[2009/07/19 18:48:58 | 11,067,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieframe.dll
[2009/07/19 18:48:58 | 11,067,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2009/07/19 09:18:59 | 05,937,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/07/19 09:18:59 | 05,937,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/07/16 05:33:05 | 11,218,222 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Employment Guide.PDF
[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/13 05:48:54 | 00,219,648 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/07/10 10:31:07 | 00,052,645 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Frontline - Breaking The Bank.rtf
[2009/07/10 10:24:57 | 00,055,257 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Frontline - Inside The Meltdown.rtf
[2009/07/10 10:13:45 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2009/07/10 10:13:28 | 00,014,687 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Rolling Stone - The Great American Bubble Machine.rtf
[2009/07/09 10:05:13 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/07/07 11:10:56 | 24,539,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/07/06 11:25:45 | 00,806,420 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Federal Job Application.PDF
[2009/07/03 13:09:28 | 00,915,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wininet.dll
[2009/07/03 13:09:28 | 00,915,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2009/07/03 13:09:28 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/07/03 13:09:27 | 01,208,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\urlmon.dll
[2009/07/03 13:09:27 | 01,208,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2009/07/03 13:09:27 | 00,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\occache.dll
[2009/07/03 13:09:27 | 00,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2009/07/03 13:09:25 | 00,594,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2009/07/03 13:09:25 | 00,594,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2009/07/03 13:09:25 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2009/07/03 13:09:25 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2009/07/03 13:09:24 | 01,985,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iertutil.dll
[2009/07/03 13:09:24 | 01,985,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2009/07/03 13:09:24 | 01,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2009/07/03 13:09:24 | 01,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2009/07/03 13:09:24 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2009/07/03 13:09:24 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2009/07/03 13:09:23 | 00,246,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/07/03 13:09:23 | 00,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2009/07/03 13:09:23 | 00,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2009/07/03 13:09:21 | 00,386,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2009/07/03 13:09:21 | 00,386,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2009/07/03 10:00:15 | 00,000,585 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/07/03 07:01:06 | 00,173,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2009/07/03 07:01:06 | 00,173,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe
< End of report >

====================================

Here are the GMER results:


GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-01 12:15:45
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Process Protection driver/Panda Software International) ZwTerminateProcess [0xF3B4AA70]
SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Process Protection driver/Panda Software International) ZwTerminateThread [0xF3B49E40]
SSDT \??\C:\WINDOWS\system32\PavSRK.sys ZwWriteVirtualMemory [0xF7A814E8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2AFC 4 Bytes CALL 2745D315
? C:\WINDOWS\system32\PavTPK.sys The system cannot find the file specified. !
? system32\drivers\av5flt.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\PavSRK.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [6E, 5F] {OUTSB ; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [50, 5F] {PUSH EAX; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [71, 5F] {JNO 0x61}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [53, 5F] {PUSH EBX; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [5C, 5F] {POP ESP; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [5F, 5F] {POP EDI; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 5F] {JZ 0x61}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [62, 5F]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [7A, 5F] {JP 0x61}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [68, 5F]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [7D, 5F] {JGE 0x61}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!LdrLoadDll 7C9163C3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ntdll.dll!LdrLoadDll + 4 7C9163C7 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FA90F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!CreateAcceleratorTableW 7E41D9BB 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!CreateAcceleratorTableW + 4 7E41D9BF 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5FA60F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5FA00F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F970F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!BeginDeferWindowPos 7E42AFB9 6 Bytes JMP 5F8E0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F8B0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!AttachThreadInput 7E431E52 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] USER32.dll!AttachThreadInput + 4 7E431E56 2 Bytes [9B, 5F] {WAIT ; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!OpenServiceW 77DE6FFD 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!StartServiceA 77DEFB58 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!StartServiceW 77DF3E94 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!ControlService 77DF4A09 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!OpenServiceA 77DF4C66 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!LsaAddAccountRights 77E1ABF1 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!ChangeServiceConfigW 77E37001 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E3718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ADVAPI32.dll!DeleteService 77E374B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F880F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ole32.dll!CoGetClassObject 775156C5 6 Bytes JMP 5F850F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ole32.dll!CLSIDFromProgID 775187F2 6 Bytes JMP 5F820F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[188] ole32.dll!CLSIDFromProgIDEx 7755620D 6 Bytes JMP 5F7F0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [6E, 5F] {OUTSB ; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [50, 5F] {PUSH EAX; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [71, 5F] {JNO 0x61}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [53, 5F] {PUSH EBX; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [5C, 5F] {POP ESP; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [5F, 5F] {POP EDI; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 5F] {JZ 0x61}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [62, 5F]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [7A, 5F] {JP 0x61}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [68, 5F]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [7D, 5F] {JGE 0x61}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!LdrLoadDll 7C9163C3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ntdll.dll!LdrLoadDll + 4 7C9163C7 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!OpenServiceW 77DE6FFD 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!StartServiceA 77DEFB58 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!StartServiceW 77DF3E94 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!ControlService 77DF4A09 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!OpenServiceA 77DF4C66 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!LsaAddAccountRights 77E1ABF1 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!ChangeServiceConfigW 77E37001 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E3718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ADVAPI32.dll!DeleteService 77E374B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FA90F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!CreateAcceleratorTableW 7E41D9BB 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!CreateAcceleratorTableW + 4 7E41D9BF 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5FA60F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5FA00F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F970F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!BeginDeferWindowPos 7E42AFB9 6 Bytes JMP 5F8E0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F8B0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!AttachThreadInput 7E431E52 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\LEXPPS.EXE[336] USER32.dll!AttachThreadInput + 4 7E431E56 2 Bytes [9B, 5F] {WAIT ; POP EDI}
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F880F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ole32.dll!CoGetClassObject 775156C5 6 Bytes JMP 5F850F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ole32.dll!CLSIDFromProgID 775187F2 6 Bytes JMP 5F820F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[336] ole32.dll!CLSIDFromProgIDEx 7755620D 6 Bytes JMP 5F7F0F5A
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [6E, 5F] {OUTSB ; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [50, 5F] {PUSH EAX; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [71, 5F] {JNO 0x61}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [53, 5F] {PUSH EBX; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [5C, 5F] {POP ESP; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [5F, 5F] {POP EDI; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 5F] {JZ 0x61}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [62, 5F]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [65, 5F]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [7A, 5F] {JP 0x61}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [68, 5F]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [6B, 5F]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [7D, 5F] {JGE 0x61}
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!LdrLoadDll 7C9163C3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!LdrLoadDll + 4 7C9163C7 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!OpenServiceW 77DE6FFD 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!StartServiceA 77DEFB58 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!StartServiceW 77DF3E94 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!ControlService 77DF4A09 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!OpenServiceA 77DF4C66 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!LsaAddAccountRights 77E1ABF1 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!ChangeServiceConfigW 77E37001 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E3718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!DeleteService 77E374B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FA30F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F8E0F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F8B0F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!CreateAcceleratorTableW 7E41D9BB 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!CreateAcceleratorTableW + 4 7E41D9BF 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5FA00F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F9A0F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F910F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!BeginDeferWindowPos 7E42AFB9 6 Bytes JMP 5F880F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [98, 5F] {CWDE ; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F850F5A
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!AttachThreadInput 7E431E52 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!AttachThreadInput + 4 7E431E56 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI}
.text C:\WINDOWS\Explorer.EXE[360] ole32.dll!CLSIDFromProgID 775187F2 6 Bytes JMP 5F820F5A
.text C:\WINDOWS\Explorer.EXE[360] ole32.dll!CLSIDFromProgIDEx 7755620D 6 Bytes JMP 5F7F0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [6E, 5F] {OUTSB ; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [50, 5F] {PUSH EAX; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [71, 5F] {JNO 0x61}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [53, 5F] {PUSH EBX; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [5C, 5F] {POP ESP; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [5F, 5F] {POP EDI; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 5F] {JZ 0x61}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [62, 5F]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [65, 5F]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [77, 5F] {JA 0x61}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [7A, 5F] {JP 0x61}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [68, 5F]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [6B, 5F]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [7D, 5F] {JGE 0x61}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!LdrLoadDll 7C9163C3 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ntdll.dll!LdrLoadDll + 4 7C9163C7 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F370F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3D0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F3A0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FA90F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!CreateAcceleratorTableW 7E41D9BB 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!CreateAcceleratorTableW + 4 7E41D9BF 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5FA60F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5FA00F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F970F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!BeginDeferWindowPos 7E42AFB9 6 Bytes JMP 5F8E0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F8B0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!AttachThreadInput 7E431E52 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] USER32.dll!AttachThreadInput + 4 7E431E56 2 Bytes [9B, 5F] {WAIT ; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 6 Bytes JMP 5F100F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!OpenServiceW 77DE6FFD 6 Bytes JMP 5F220F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!StartServiceA 77DEFB58 6 Bytes JMP 5F250F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!StartServiceW 77DF3E94 6 Bytes JMP 5F280F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!ControlService 77DF4A09 6 Bytes JMP 5F130F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!OpenServiceA 77DF4C66 6 Bytes JMP 5F1F0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!LsaAddAccountRights 77E1ABF1 6 Bytes JMP 5F2B0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F2E0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!ChangeServiceConfigW 77E37001 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E3718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F160F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F190F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ADVAPI32.dll!DeleteService 77E374B1 6 Bytes JMP 5F1C0F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F880F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ole32.dll!CoGetClassObject 775156C5 6 Bytes JMP 5F850F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ole32.dll!CLSIDFromProgID 775187F2 6 Bytes JMP 5F820F5A
.text C:\DOCUME~1\Fred\LOCALS~1\Temp\Rar$EX00.453\gmer.exe[2860] ole32.dll!CLSIDFromProgIDEx 7755620D 6 Bytes JMP 5F7F0F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 000451BE
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 000451BE
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0004510A
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 000450A5
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00045073
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 000451BE
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00045729
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 00045477
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00045729
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00045477
IAT C:\WINDOWS\system32\services.exe[704] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00045729
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00EE514A
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00EE5096
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00EE5031
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00EE4FFF
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00EE5096
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00EE514A
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00EE5096
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00EE5031
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00EE5403
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00EE56B5
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00EE56B5
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00EE5403
IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00EE56B5
IAT C:\WINDOWS\system32\svchost.exe[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00BD5073
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00BB514A
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00BB5096
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00BB5031
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00BB4FFF
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00BB5403
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00BB56B5
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00BB56B5
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00BB5403
IAT C:\WINDOWS\system32\svchost.exe[992] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00BB56B5
IAT C:\WINDOWS\system32\svchost.exe[992] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00BB514A
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 02C2514A
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 02C25096
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 02C25031
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 02C24FFF
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 02C25403
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 02C256B5
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 02C256B5
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 02C25403
IAT C:\WINDOWS\system32\svchost.exe[1028] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 02C256B5
IAT C:\WINDOWS\system32\svchost.exe[1028] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 02C2514A
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004051BE
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0040510A
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004050A5
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00405073
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00405477
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00405729
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004051BE
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405729
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00405477
IAT C:\WINDOWS\System32\alg.exe[1200] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405729
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 026951BE
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0269510A
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 026950A5
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 02695073
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 02695477
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 02695729
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 02695729
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 02695729
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 02695477
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe[1432] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 026951BE
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 003C51BE
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 003C510A
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 003C50A5
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 003C5073
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 003C5477
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 003C5729
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 003C5729
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 003C5477
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 003C5729
IAT C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 003C51BE

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Software)

AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Software International)
AttachedDevice \FileSystem\Ntfs \Ntfs av5flt.sys
AttachedDevice \Driver\Tcpip \Device\Ip NETFLTDI.SYS (Panda TDI Filter/Panda Software)
AttachedDevice \Driver\Tcpip \Device\Tcp NETFLTDI.SYS (Panda TDI Filter/Panda Software)

Device \Driver\Modem \Device\00000065 COMFiltr.sys

AttachedDevice \Driver\Tcpip \Device\Udp NETFLTDI.SYS (Panda TDI Filter/Panda Software)
AttachedDevice \Driver\Tcpip \Device\RawIp NETFLTDI.SYS (Panda TDI Filter/Panda Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

=====================



On reboot I got a Panda Internet Security message that said "A malicious program has been detected and some of its functions blocked : location C:\WINDOWS\SYSTEM32\RENATOR.EXE"

In addition, every once in a while on startup I'll get the message:

"EXPLORER.EXE: Application Error - The application failed to initialize properly (0xc0000142) - Click OK to terminate the application." Of course when I press OK everything comes to a standstill and I have to press the reset button on the tower to restart it. Occasionally this will happen two times in a row before I can finally get everything up and running.

I realize that I don't have a lot of RAM (only 352 MB) and this might be a source of some of my problems, but I'm sure that I have other issues as well - possibly major and un-fixable.

In any case, I gladly welcome anything you suggest and am grateful for your attention on this matter.

Thanks again,

Mud Dobber

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:10 PM

Posted 01 August 2009 - 12:55 PM

Let's clear out the malware first and then we'll see how things are running.


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\word64main.exe) - C:\WINDOWS\System32\word64main.exe ()
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\renator.exe) - C:\WINDOWS\System32\renator.exe ()
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O2 - BHO: (no name) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - No CLSID value found.
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
    O3 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-823518204-1644491937-725345543-1004\..\Toolbar\WebBrowser: (no name) - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No CLSID value found.
    
    :Files
    C:\WINDOWS\System32\*.tmp
    C:\WINDOWS\*.tmp
    C:\WINDOWS\System32\word64main.exe
    C:\WINDOWS\System32\renator.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
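The two O20 lines in the fix above are the persistence point: Winlogon runs every comma-separated program in the UserInit value at logon, so anything appended after userinit.exe starts with the session. As an added check that is not part of this thread and not OTL's own code, the following Python script audits a UserInit value (the sample below is constructed to mirror the word64main.exe and renator.exe entries listed above) and reports every launcher that is not the real userinit.exe; `read_live_userinit` is an assumed helper for use on an actual Windows box.

```python
r"""Audit the Winlogon UserInit value for extra logon launchers.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit is a
comma-separated list of programs Winlogon starts at logon. The only expected
entry is %SystemRoot%\system32\userinit.exe (a trailing comma is normal in the
default value); any extra entry is a persistence mechanism to investigate.
"""
import ntpath
import re


def parse_userinit(value):
    """Split a raw UserInit value into its program entries.

    Handles trailing commas, surrounding whitespace and quoted paths, and
    drops empty entries, so 'a.exe,' yields just ['a.exe'].
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def normalize(path, system_root=r"C:\WINDOWS"):
    """Expand %SystemRoot%, unify separators and case for comparison."""
    # A lambda avoids re.sub treating backslashes in system_root as escapes.
    path = re.sub(r"%systemroot%", lambda m: system_root, path,
                  flags=re.IGNORECASE)
    path = path.replace("/", "\\")
    return ntpath.normpath(path).lower()


def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return (ok, unexpected_entries) for a UserInit value.

    ok is True only when the value holds exactly one entry and it is the real
    userinit.exe under %SystemRoot%\system32. Everything else, including a
    bare 'userinit.exe' that relies on a path search and any duplicate, is
    returned in unexpected_entries in the order Winlogon would run it.
    """
    expected = normalize(ntpath.join(system_root, "system32", "userinit.exe"),
                         system_root)
    unexpected = []
    seen_expected = False
    for entry in parse_userinit(value):
        if not seen_expected and normalize(entry, system_root) == expected:
            seen_expected = True
        else:
            unexpected.append(entry)
    return (seen_expected and not unexpected), unexpected


def read_live_userinit():
    """Read the current UserInit value from the registry (Windows only).

    Assumed helper, not exercised offline: winreg exists only on Windows.
    """
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _kind = winreg.QueryValueEx(key, "UserInit")
    return value


if __name__ == "__main__":
    # Constructed sample modelled on the two O20 entries in this thread;
    # note the mixed System32/system32 casing, which must not matter.
    sample = (r"C:\WINDOWS\system32\userinit.exe,"
              r"C:\WINDOWS\system32\word64main.exe,"
              r"C:\WINDOWS\System32\renator.exe,")
    ok, extra = audit_userinit(sample)
    print("UserInit clean" if ok else "UserInit has extra launchers:")
    for entry in extra:
        print("  ", entry)
```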


========================================================

#5 Mud Dobber

Mud Dobber
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:10 PM

Posted 01 August 2009 - 05:37 PM

Thanks for the quick reply Sam.

Oops - it looks like I shouldn't have pasted the word "CODE" in the fix. I wasn't sure if I should've or shouldn't have, and typical me I guessed wrong. I hope it didn't affect the repair.

On the reboot I got another "Unknown Virus Blocked" message: "A malicious program has been detected...", this time location - C:\WINDOWS\SYSTEM32\WORD64MAIN.EXE

Here are the results of the OTL fix:

================================================================

All processes killed
Error: Unable to interpret <CODE> in the current context!
========== OTL ==========
No active process named explorer.exe was found!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\word64main.exe deleted successfully.
File move failed. C:\WINDOWS\System32\word64main.exe scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\renator.exe deleted successfully.
File move failed. C:\WINDOWS\System32\renator.exe scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ not found.
Registry value HKEY_USERS\S-1-5-21-823518204-1644491937-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-823518204-1644491937-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{871F91FD-3A92-4988-A842-16AB2CFF5AF1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871F91FD-3A92-4988-A842-16AB2CFF5AF1}\ not found.
========== FILES ==========
C:\WINDOWS\System32\CONFIG.TMP moved successfully.
C:\WINDOWS\System32\main32.tmp moved successfully.
C:\WINDOWS\System32\pool32.tmp moved successfully.
C:\WINDOWS\System32\UserRequest_1223402088.tmp moved successfully.
C:\WINDOWS\System32\UserRequest_1225135919.tmp moved successfully.
C:\WINDOWS\002838_.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
File\Folder C:\WINDOWS\System32\word64main.exe not found.
File move failed. C:\WINDOWS\System32\renator.exe scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Fred
->Temp folder emptied: 4155 bytes
File delete failed. C:\Documents and Settings\Fred\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 54476345 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65748 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 34704 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 27134 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 52.11 mb


OTL by OldTimer - Version 3.0.10.3 log created on 08012009_173053

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\System32\word64main.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\renator.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...

================================================================

OK, here is the second OTL log:

================================================================

OTL logfile created on: 8/1/2009 6:08:05 pm - Run 2
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Fred\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

351.53 Mb Total Physical Memory | 161.91 Mb Available Physical Memory | 46.06% Memory free
854.13 Mb Paging File | 517.98 Mb Available in Paging File | 60.64% Paging File free
Paging file location(s): C:\pagefile.sys 528 528 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.30 Gb Total Space | 6.62 Gb Free Space | 17.74% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NONE-CC58FCDACE
Current User Name: Fred
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2007/10/24 16:25:50 | 00,406,832 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
PRC - [2002/03/29 05:44:50 | 00,287,744 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE
PRC - [2002/03/29 05:44:52 | 00,170,496 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXPPS.EXE
PRC - [2007/07/12 10:47:30 | 00,169,264 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
PRC - [2007/07/12 10:47:26 | 00,173,360 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
PRC - [2007/06/14 11:38:02 | 00,063,024 | R--- | M] (Panda Software) -- C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
PRC - [2007/09/28 13:29:00 | 00,148,272 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
PRC - [2007/01/15 13:42:16 | 00,067,120 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
PRC - [2007/09/28 13:28:58 | 00,096,560 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
PRC - [2007/04/04 10:45:08 | 00,226,864 | ---- | M] (Panda Software International) -- c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
PRC - [2007/05/24 09:31:26 | 00,108,592 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/11/23 14:33:22 | 00,406,832 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
PRC - [2007/06/20 11:32:28 | 00,091,440 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
PRC - [2007/11/14 13:31:18 | 00,083,248 | ---- | M] (Panda Security International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
PRC - [2007/07/26 06:47:30 | 00,111,920 | ---- | M] (Panda Software International, S.L.) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
PRC - [2009/08/01 08:56:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fred\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - File not found -- -- (JavaQuickStarterService [Auto | Stopped])
SRV - [2002/03/29 05:44:50 | 00,287,744 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2007/07/12 10:47:30 | 00,169,264 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe -- (Panda Software Controller [Auto | Running])
SRV - [2007/07/12 10:47:26 | 00,173,360 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe -- (PAVFNSVR [Auto | Running])
SRV - [2007/06/14 11:38:02 | 00,063,024 | R--- | M] (Panda Software) -- C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe -- (PavPrSrv [Auto | Running])
SRV - [2007/09/28 13:29:00 | 00,148,272 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe -- (PAVSRV [Auto | Running])
SRV - [2007/01/15 13:42:16 | 00,067,120 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe -- (pmshellsrv [Auto | Running])
SRV - [2007/04/04 10:45:08 | 00,226,864 | ---- | M] (Panda Software International) -- c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE -- (PSHost [Auto | Running])
SRV - [2007/05/24 09:31:26 | 00,108,592 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\psimsvc.exe -- (PSIMSVC [Auto | Running])
SRV - [2007/10/24 16:25:50 | 00,406,832 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe -- (TPSrv [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2007/09/28 13:05:40 | 00,071,608 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\Drivers\APPFLT.SYS -- (APPFLT [System | Running])
DRV - File not found -- -- (AvFlt [On_Demand | Running])
DRV - [2006/06/09 22:58:22 | 01,373,120 | ---- | M] (C-Media Inc) -- C:\WINDOWS\System32\drivers\cmuda.sys -- (cmuda [On_Demand | Running])
DRV - [2009/08/01 17:39:04 | 00,013,880 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\COMFiltr.sys -- (ComFiltr [On_Demand | Running])
DRV - [2007/06/08 07:44:06 | 00,024,760 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\drivers\cpoint.sys -- (cpoint [Auto | Running])
DRV - [2007/05/11 08:33:06 | 00,051,256 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\Drivers\DSAFLT.SYS -- (DSAFLT [System | Running])
DRV - [2007/11/14 17:48:22 | 00,021,816 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\Drivers\fnetmon.SYS -- (FNETMON [System | Running])
DRV - [2008/04/13 14:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [1996/04/03 15:33:26 | 00,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys -- (giveio [Boot | Running])
DRV - [2007/07/11 10:39:48 | 00,191,672 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\Drivers\IDSFLT.SYS -- (IDSFLT [System | Running])
DRV - [2004/12/04 04:05:10 | 01,348,480 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC51.sys -- (IntelC51 [On_Demand | Running])
DRV - [2006/06/27 21:45:56 | 00,625,280 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC52.sys -- (IntelC52 [On_Demand | Running])
DRV - [2004/12/04 04:03:32 | 00,054,144 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\IntelC53.sys -- (IntelC53 [On_Demand | Running])
DRV - [2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2004/12/04 04:03:00 | 00,036,816 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\mohfilt.sys -- (mohfilt [On_Demand | Running])
DRV - [2007/10/25 08:50:32 | 00,132,664 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\Drivers\NETFLTDI.SYS -- (NETFLTDI [System | Running])
DRV - [2007/11/19 13:01:50 | 00,143,160 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\DRIVERS\netimflt.sys -- (NETIMFLT01050097 [On_Demand | Running])
DRV - [2008/06/19 18:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
DRV - [2007/09/28 13:24:18 | 00,083,896 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\DRIVERS\pavdrv51.sys -- (PAVDRV [Auto | Running])
DRV - [2007/07/12 08:49:38 | 00,178,872 | R--- | M] (Panda Software International) -- C:\WINDOWS\System32\DRIVERS\PavProc.sys -- (PavProc [Auto | Running])
DRV - File not found -- -- (PavSRK.sys [On_Demand | Running])
DRV - File not found -- -- (PavTPK.sys [On_Demand | Running])
DRV - [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/05/23 10:40:30 | 00,038,968 | R--- | M] (Panda Software) -- C:\WINDOWS\System32\Drivers\ShlDrv51.sys -- (ShldDrv [System | Running])
DRV - [2003/08/22 21:44:04 | 00,422,784 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisgrp.sys -- (SiS315 [On_Demand | Running])
DRV - [2003/07/18 09:58:20 | 00,036,992 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (sisagp [Boot | Running])
DRV - [2002/04/16 16:52:04 | 00,032,256 | ---- | M] (SiS Corporation) -- C:\WINDOWS\System32\DRIVERS\sisnic.sys -- (SISNIC [On_Demand | Stopped])
DRV - [2007/05/11 08:33:32 | 00,037,304 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\Drivers\SMSFLT.SYS -- (SMSFLT [System | Running])
DRV - [2006/09/24 09:28:46 | 00,005,248 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys -- (speedfan [Boot | Running])
DRV - [2007/05/11 08:33:34 | 00,030,648 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\Drivers\WNMFLT.SYS -- (WNMFLT [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff


O1 HOSTS File: (610657 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
O1 - Hosts: 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
O1 - Hosts: 127.0.0.1 phpadsnew.abac.com
O1 - Hosts: 127.0.0.1 a.abnad.net
O1 - Hosts: 127.0.0.1 b.abnad.net
O1 - Hosts: 127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
O1 - Hosts: 127.0.0.1 d.abnad.net
O1 - Hosts: 127.0.0.1 e.abnad.net
O1 - Hosts: 127.0.0.1 t.abnad.net
O1 - Hosts: 127.0.0.1 z.abnad.net
O1 - Hosts: 127.0.0.1 banners.absolpublisher.com
O1 - Hosts: 127.0.0.1 tracking.absolstats.com
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 gtb5.acecounter.com
O1 - Hosts: 127.0.0.1 gtb19.acecounter.com
O1 - Hosts: 16307 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [APVXDWIN] C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE (Panda Software International)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe (Lexmark)
O4 - HKLM..\Run: [SCANINICIO] C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe (Panda Software International)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Download all with Free Download Manager - Reg Error: Value error. File not found
O8 - Extra context menu item: Download selected with Free Download Manager - Reg Error: Value error. File not found
O8 - Extra context menu item: Download video with Free Download Manager - Reg Error: Value error. File not found
O8 - Extra context menu item: Download with Free Download Manager - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll (Panda Software International)
O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1220972857781 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\word64main.exe) - C:\WINDOWS\System32\word64main.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\renator.exe) - C:\WINDOWS\System32\renator.exe ()
O20 - Winlogon\Notify\avldr: DllName - avldr.dll - C:\WINDOWS\System32\avldr.dll (Panda Software International)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (a) - File not found
O34 - HKLM BootExecute: (u) - File not found
O34 - HKLM BootExecute: (t) - File not found
O34 - HKLM BootExecute: (o) - File not found
O34 - HKLM BootExecute: (c) - File not found
O34 - HKLM BootExecute: (h) - File not found
O34 - HKLM BootExecute: (k) - File not found
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/01 17:30:53 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/08/01 08:59:42 | 00,278,846 | ---- | C] () -- C:\Documents and Settings\Fred\Desktop\gmer.zip
[2009/08/01 08:56:31 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Fred\Desktop\OTL.exe
[2009/07/31 14:02:56 | 01,885,088 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\SmitfraudFix.exe
[2009/07/31 13:50:01 | 01,529,241 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\SDFix.exe
[2009/07/31 11:32:19 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bulltlp3.sys
[2009/07/31 11:32:17 | 00,031,529 | ---- | C] (BreezeCOM) -- C:\WINDOWS\System32\dllcache\brzwlan.sys
[2009/07/31 11:32:16 | 00,010,368 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brusbscn.sys
[2009/07/31 11:32:15 | 00,011,008 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brusbmdm.sys
[2009/07/31 11:32:14 | 00,060,416 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brserwdm.sys
[2009/07/31 11:32:13 | 00,009,728 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brserif.dll
[2009/07/31 11:32:13 | 00,005,120 | ---- | C] (Brother Industries,Ltd.) -- C:\WINDOWS\System32\dllcache\brscnrsm.dll
[2009/07/31 11:32:11 | 00,039,552 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brparwdm.sys
[2009/07/31 11:32:10 | 00,003,168 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brparimg.sys
[2009/07/31 11:32:08 | 00,041,472 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfusb.dll
[2009/07/31 11:32:07 | 00,032,256 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfrsmg.exe
[2009/07/31 11:32:06 | 00,081,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\brmfcwia.dll
[2009/07/31 11:32:06 | 00,029,696 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmflpt.dll
[2009/07/31 11:32:05 | 00,015,360 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfbidi.dll
[2009/07/31 11:32:03 | 00,012,160 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brfiltlo.sys
[2009/07/31 11:32:03 | 00,003,968 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brfiltup.sys
[2009/07/31 11:32:02 | 00,002,944 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brfilt.sys
[2009/07/31 11:32:01 | 00,012,800 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brevif.dll
[2009/07/31 11:32:00 | 00,009,728 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brcoinst.dll
[2009/07/31 11:31:59 | 00,019,456 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brbidiif.dll
[2009/07/31 11:31:46 | 00,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\binlsvc.dll
[2009/07/31 11:31:38 | 00,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdasup.sys
[2009/07/31 11:31:37 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdaplgin.ax
[2009/07/31 11:31:36 | 00,871,388 | ---- | C] (BCM) -- C:\WINDOWS\System32\dllcache\bcmdm.sys
[2009/07/31 11:31:36 | 00,026,568 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\dllcache\bcm4e5.sys
[2009/07/31 11:31:35 | 00,054,271 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\dllcache\bcm42xx5.sys
[2009/07/31 11:31:34 | 00,066,557 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\dllcache\bcm42u.sys
[2009/07/31 11:31:33 | 00,014,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\battc.sys
[2009/07/31 11:31:32 | 00,036,128 | ---- | C] (3Dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\banshee.sys
[2009/07/31 11:31:31 | 00,342,336 | ---- | C] (3Dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\banshee.dll
[2009/07/31 11:31:31 | 00,096,640 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\dllcache\b57xp32.sys
[2009/07/31 11:31:30 | 00,089,952 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\b1cbase.sys
[2009/07/31 11:31:29 | 00,036,992 | ---- | C] (Aztech Systems Ltd) -- C:\WINDOWS\System32\dllcache\aztw2320.sys
[2009/07/31 11:31:28 | 00,037,568 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmwan.sys
[2009/07/31 11:31:27 | 00,144,384 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmenum.dll
[2009/07/31 11:31:26 | 00,087,552 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmcoxp.dll
[2009/07/31 11:31:25 | 00,036,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avcaudio.sys
[2009/07/31 11:31:25 | 00,013,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avcstrm.sys
[2009/07/31 11:31:23 | 00,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avc.sys
[2009/07/31 11:31:19 | 00,023,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atixbar.sys
[2009/07/31 11:31:18 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativxbar.sys
[2009/07/31 11:31:17 | 00,019,456 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativttxx.sys
[2009/07/31 11:31:16 | 00,017,152 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atitvsnd.sys
[2009/07/31 11:31:16 | 00,009,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativmdcd.sys
[2009/07/31 11:31:15 | 00,017,152 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atitunep.sys
[2009/07/31 11:31:14 | 00,049,920 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atirtcap.sys
[2009/07/31 11:31:14 | 00,026,880 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atirtsnd.sys
[2009/07/31 11:31:13 | 00,070,528 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atiragem.sys
[2009/07/31 11:31:12 | 00,104,832 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atiraged.dll
[2009/07/31 11:31:12 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atipcxxx.sys
[2009/07/31 11:31:09 | 00,281,600 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atimtai.sys
[2009/07/31 11:31:09 | 00,075,136 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atimpae.sys
[2009/07/31 11:31:08 | 00,289,664 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atimpab.sys
[2009/07/31 11:31:07 | 00,037,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atievxx.exe
[2009/07/31 11:31:06 | 00,268,160 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atidvai.dll
[2009/07/31 11:31:06 | 00,137,216 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atidrae.dll
[2009/07/31 11:31:05 | 00,382,592 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\atidrab.dll
[2009/07/31 11:31:04 | 00,046,464 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atibt829.sys
[2009/07/31 11:31:00 | 00,077,568 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\dllcache\ati.sys
[2009/07/31 11:30:59 | 00,096,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ati.dll
[2009/07/31 11:30:58 | 00,097,354 | ---- | C] (Bay Networks, Inc.) -- C:\WINDOWS\System32\dllcache\aspndis3.sys
[2009/07/31 11:30:57 | 00,014,848 | ---- | C] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\dllcache\asc3550.sys
[2009/07/31 11:30:56 | 00,022,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\asc3350p.sys
[2009/07/31 11:30:55 | 00,026,496 | ---- | C] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\dllcache\asc.sys
[2009/07/31 11:30:35 | 00,006,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\apmbatt.sys
[2009/07/31 11:30:34 | 00,036,224 | ---- | C] (ADMtek Incorporated.) -- C:\WINDOWS\System32\dllcache\an983.sys
[2009/07/31 11:30:34 | 00,012,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\amsint.sys
[2009/07/31 11:30:33 | 00,016,969 | ---- | C] (AmbiCom, Inc.) -- C:\WINDOWS\System32\dllcache\amb8002.sys
[2009/07/31 11:30:31 | 00,026,624 | ---- | C] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\dllcache\alifir.sys
[2009/07/31 11:30:31 | 00,005,248 | ---- | C] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\dllcache\aliide.sys
[2009/07/31 11:30:30 | 00,027,678 | ---- | C] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\dllcache\ali5261.sys
[2009/07/31 11:30:29 | 00,056,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aic78xx.sys
[2009/07/31 11:30:28 | 00,055,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aic78u2.sys
[2009/07/31 11:30:28 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aha154x.sys
[2009/07/31 11:30:20 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agcgauge.ax
[2009/07/31 11:29:42 | 00,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\adpu160m.sys
[2009/07/31 11:29:41 | 00,046,112 | ---- | C] (Adaptec, Inc ) -- C:\WINDOWS\System32\dllcache\adptsf50.sys
[2009/07/31 11:29:39 | 00,010,880 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\admjoy.sys
[2009/07/31 11:29:38 | 00,747,392 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8830.sys
[2009/07/31 11:29:38 | 00,553,984 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8820.sys
[2009/07/31 11:29:37 | 00,584,448 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8810.sys
[2009/07/31 11:29:36 | 00,020,160 | ---- | C] (ADMtek Incorporated) -- C:\WINDOWS\System32\dllcache\adm8511.sys
[2009/07/31 11:29:35 | 00,007,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\adicvls.sys
[2009/07/31 11:29:33 | 00,061,440 | ---- | C] (Color Flatbed Scanner) -- C:\WINDOWS\System32\dllcache\acerscad.dll
[2009/07/31 11:29:32 | 00,084,480 | ---- | C] (VIA Technologies, Inc.) -- C:\WINDOWS\System32\dllcache\ac97via.sys
[2009/07/31 11:29:31 | 00,297,728 | ---- | C] (Silicon Integrated Systems Corp.) -- C:\WINDOWS\System32\dllcache\ac97sis.sys
[2009/07/31 11:29:31 | 00,096,256 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\dllcache\ac97intc.sys
[2009/07/31 11:29:30 | 00,231,552 | ---- | C] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\dllcache\ac97ali.sys
[2009/07/31 11:29:29 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\abp480n5.sys
[2009/07/31 11:29:28 | 00,462,848 | ---- | C] (Aureal Inc.) -- C:\WINDOWS\System32\dllcache\a3dapi.dll
[2009/07/31 11:29:27 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\61883.sys
[2009/07/31 11:29:27 | 00,038,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\8514a.dll
[2009/07/31 11:29:26 | 00,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\4mmdat.sys
[2009/07/31 11:29:25 | 00,689,216 | ---- | C] (3dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\3dfxvs.dll
[2009/07/31 11:29:25 | 00,148,352 | ---- | C] (3dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\3dfxvsm.sys
[2009/07/31 11:29:24 | 00,762,780 | ---- | C] (3Com, Inc.) -- C:\WINDOWS\System32\dllcache\3cwmcru.sys
[2009/07/31 11:29:23 | 00,053,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\1394bus.sys
[2009/07/31 11:29:23 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\1394vdbg.sys
[2009/07/31 11:28:47 | 00,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\s3legacy.dll
[2009/07/31 10:41:04 | 00,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2009/07/31 10:41:04 | 00,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2009/07/31 10:41:04 | 00,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2009/07/31 10:41:03 | 00,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2009/07/31 10:41:03 | 00,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2009/07/31 10:41:03 | 00,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe
[2009/07/31 10:41:03 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2009/07/31 10:41:03 | 00,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2009/07/31 10:41:03 | 00,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2009/07/31 10:41:03 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2009/07/31 10:41:03 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2009/07/31 10:41:02 | 00,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2009/07/31 10:41:02 | 00,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2009/07/30 15:57:52 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\winwswd32
[2009/07/30 10:03:59 | 00,359,932 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\dds.scr
[2009/07/30 09:00:20 | 01,496,399 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Windows XP Tweak Guide.zip
[2009/07/28 06:05:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/07/28 06:01:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/07/27 19:36:39 | 00,000,519 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\DefaultHosts.zip
[2009/07/27 19:09:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fred\My Documents\hosts
[2009/07/27 19:02:35 | 00,148,286 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\hosts.zip
[2009/07/27 12:29:09 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/07/27 06:42:34 | 00,000,000 | ---D | C] -- C:\RECYCLER(3)
[2009/07/26 12:40:15 | 00,000,000 | -HSD | C] -- C:\RECYCLER(2)
[2009/07/26 12:38:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/07/26 10:53:06 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/07/22 23:27:46 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF16502.exe
[2009/07/22 21:47:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Fred\Application Data\Malwarebytes
[2009/07/22 21:47:32 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/22 21:47:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/07/22 21:47:29 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/22 21:47:29 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/22 20:58:45 | 02,189,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntoskrnl.exe
[2009/07/22 20:58:45 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntkrnlpa.exe
[2009/07/22 20:58:45 | 01,614,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfcfiles.dll
[2009/07/22 20:58:45 | 01,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\explorer.exe
[2009/07/22 20:58:45 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kernel32.dll
[2009/07/22 20:58:45 | 00,927,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mfc40u.dll
[2009/07/22 20:58:45 | 00,915,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wininet.dll
[2009/07/22 20:58:45 | 00,792,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comres.dll
[2009/07/22 20:58:45 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comctl32.dll
[2009/07/22 20:58:45 | 00,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\user32.dll
[2009/07/22 20:58:45 | 00,507,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\winlogon.exe
[2009/07/22 20:58:45 | 00,435,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntmssvc.dll
[2009/07/22 20:58:45 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rpcss.dll
[2009/07/22 20:58:45 | 00,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tcpip.sys
[2009/07/22 20:58:45 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\termsrv.dll
[2009/07/22 20:58:45 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ndis.sys
[2009/07/22 20:58:45 | 00,171,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\srsvc.dll
[2009/07/22 20:58:45 | 00,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\aec.sys
[2009/07/22 20:58:45 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\services.exe
[2009/07/22 20:58:45 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\imm32.dll
[2009/07/22 20:58:45 | 00,088,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rasauto.dll
[2009/07/22 20:58:45 | 00,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ws2_32.dll
[2009/07/22 20:58:45 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\spoolsv.exe
[2009/07/22 20:58:45 | 00,051,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wuauclt.exe
[2009/07/22 20:58:45 | 00,036,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ip6fw.sys
[2009/07/22 20:58:45 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\msgsvc.dll
[2009/07/22 20:58:45 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\userinit.exe
[2009/07/22 20:58:45 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kbdclass.sys
[2009/07/22 20:58:45 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lpk.dll
[2009/07/22 20:58:45 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\powrprof.dll
[2009/07/22 20:58:45 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ctfmon.exe
[2009/07/22 20:58:45 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\svchost.exe
[2009/07/22 20:58:45 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lsass.exe
[2009/07/22 20:58:45 | 00,011,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\acpiec.sys
[2009/07/22 20:58:45 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfc.dll
[2009/07/22 20:58:45 | 00,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\beep.sys
[2009/07/22 20:58:45 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\null.sys
[2009/07/22 20:58:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/07/22 20:39:05 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/07/22 20:38:58 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/07/22 20:38:55 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/07/22 20:13:50 | 00,219,648 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/07/22 20:13:50 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/07/22 20:13:50 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/07/22 20:13:50 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/07/22 20:13:50 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/07/22 20:13:50 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/07/22 20:13:50 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/07/22 20:13:50 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/07/22 20:13:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/07/22 15:37:34 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\zpord32
[2009/07/22 15:15:42 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/07/22 11:57:55 | 00,000,063 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/18 15:17:05 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\xerox32
[2009/07/16 05:33:03 | 11,218,222 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Employment Guide.PDF
[2009/07/10 10:31:07 | 00,052,645 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Frontline - Breaking The Bank.rtf
[2009/07/10 10:24:57 | 00,055,257 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Frontline - Inside The Meltdown.rtf
[2009/07/10 10:13:28 | 00,014,687 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Rolling Stone - The Great American Bubble Machine.rtf
[2009/07/08 17:22:53 | 00,000,000 | ---D | C] -- C:\Program Files\MSECACHE
[2009/07/06 11:16:06 | 00,806,420 | ---- | C] () -- C:\Documents and Settings\Fred\My Documents\Federal Job Application.PDF
[2009/06/25 16:12:09 | 00,000,245 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2009/06/25 16:11:12 | 00,000,191 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2009/06/25 16:04:02 | 00,000,198 | ---- | C] () -- C:\WINDOWS\NGARCHIV.INI
[2008/08/18 13:25:19 | 00,013,880 | ---- | C] () -- C:\WINDOWS\System32\drivers\COMFiltr.sys
[2007/06/06 12:06:54 | 00,443,368 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2007/06/05 11:30:08 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/06/03 04:21:34 | 00,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/06/03 04:21:32 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2005/08/23 20:50:41 | 00,001,636 | ---- | C] () -- C:\WINDOWS\yahtzee.ini
[2005/08/01 19:29:09 | 00,000,200 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2005/08/01 19:29:09 | 00,000,033 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2005/08/01 19:19:58 | 00,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2004/08/04 08:00:00 | 00,000,585 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 08:00:00 | 00,000,435 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/02/18 18:26:28 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2002/03/29 05:44:52 | 00,000,643 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[1996/04/03 15:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[2009/08/01 17:42:14 | 00,000,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetAV.alt.bck
[2009/08/01 17:42:14 | 00,000,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetAV.alt
[2009/08/01 17:42:14 | 00,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetAR.wlt.bck
[2009/08/01 17:42:14 | 00,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetAR.wlt
[2009/08/01 17:39:16 | 00,272,836 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\DsaFlt.rls.bck
[2009/08/01 17:39:16 | 00,272,836 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\DsaFlt.rls
[2009/08/01 17:39:16 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\DsaFlt.cfg.bck
[2009/08/01 17:39:16 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\DsaFlt.cfg
[2009/08/01 17:39:09 | 00,000,252 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\IdsFlt.cfg.bck
[2009/08/01 17:39:09 | 00,000,252 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\IdsFlt.cfg
[2009/08/01 17:39:09 | 00,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetFlt.cfg.bck
[2009/08/01 17:39:09 | 00,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\NetFlt.cfg
[2009/08/01 17:39:09 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\WnmFlt.cfg.bck
[2009/08/01 17:39:09 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\WnmFlt.cfg
[2009/08/01 17:39:09 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\SmsFlt.cfg.bck
[2009/08/01 17:39:09 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\SmsFlt.cfg
[2009/08/01 17:39:08 | 00,253,836 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFCONT.DAT.bck
[2009/08/01 17:39:08 | 00,253,836 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFCONT.DAT
[2009/08/01 17:39:08 | 00,003,344 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFLTR.CFG.bck
[2009/08/01 17:39:08 | 00,003,344 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFLTR.CFG
[2009/08/01 17:39:04 | 00,013,880 | ---- | M] () -- C:\WINDOWS\System32\drivers\COMFiltr.sys
[2009/08/01 17:35:19 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/01 17:35:16 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/01 13:58:25 | 05,884,536 | -H-- | M] () -- C:\Documents and Settings\Fred\Local Settings\Application Data\IconCache.db
[2009/08/01 08:59:43 | 00,278,846 | ---- | M] () -- C:\Documents and Settings\Fred\Desktop\gmer.zip
[2009/08/01 08:56:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fred\Desktop\OTL.exe
[2009/08/01 08:42:03 | 00,008,627 | ---- | M] () -- C:\WINDOWS\System32\PAV_FOG.OPC
[2009/08/01 07:23:18 | 00,063,488 | ---- | M] () -- C:\Documents and Settings\Fred\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/31 16:54:42 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/31 14:02:57 | 01,885,088 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\SmitfraudFix.exe
[2009/07/31 13:50:04 | 01,529,241 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\SDFix.exe
[2009/07/30 10:04:48 | 00,359,932 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\dds.scr
[2009/07/30 09:46:04 | 00,610,657 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090731-171629.backup
[2009/07/30 09:46:04 | 00,610,657 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/07/30 09:00:29 | 01,496,399 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Windows XP Tweak Guide.zip
[2009/07/27 19:36:40 | 00,000,519 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\DefaultHosts.zip
[2009/07/27 19:03:47 | 00,000,048 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS.MVP
[2009/07/27 19:02:51 | 00,148,286 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\hosts.zip
[2009/07/27 12:19:35 | 00,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/07/22 23:27:35 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF16502.exe
[2009/07/22 20:39:06 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/07/22 11:57:55 | 00,000,063 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/07/20 00:00:00 | 00,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Clean-up.job
[2009/07/19 18:48:58 | 11,067,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieframe.dll
[2009/07/19 18:48:58 | 11,067,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2009/07/19 09:18:59 | 05,937,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/07/19 09:18:59 | 05,937,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/07/16 05:33:05 | 11,218,222 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Employment Guide.PDF
[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/13 05:48:54 | 00,219,648 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/07/10 10:31:07 | 00,052,645 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Frontline - Breaking The Bank.rtf
[2009/07/10 10:24:57 | 00,055,257 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Frontline - Inside The Meltdown.rtf
[2009/07/10 10:13:45 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2009/07/10 10:13:28 | 00,014,687 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Rolling Stone - The Great American Bubble Machine.rtf
[2009/07/09 10:05:13 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/07/07 11:10:56 | 24,539,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/07/06 11:25:45 | 00,806,420 | ---- | M] () -- C:\Documents and Settings\Fred\My Documents\Federal Job Application.PDF
[2009/07/03 13:09:28 | 00,915,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wininet.dll
[2009/07/03 13:09:28 | 00,915,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2009/07/03 13:09:28 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/07/03 13:09:27 | 01,208,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\urlmon.dll
[2009/07/03 13:09:27 | 01,208,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2009/07/03 13:09:27 | 00,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\occache.dll
[2009/07/03 13:09:27 | 00,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2009/07/03 13:09:25 | 00,594,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2009/07/03 13:09:25 | 00,594,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2009/07/03 13:09:25 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2009/07/03 13:09:25 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2009/07/03 13:09:24 | 01,985,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iertutil.dll
[2009/07/03 13:09:24 | 01,985,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2009/07/03 13:09:24 | 01,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2009/07/03 13:09:24 | 01,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2009/07/03 13:09:24 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2009/07/03 13:09:24 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2009/07/03 13:09:23 | 00,246,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/07/03 13:09:23 | 00,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2009/07/03 13:09:23 | 00,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2009/07/03 13:09:21 | 00,386,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2009/07/03 13:09:21 | 00,386,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2009/07/03 10:00:15 | 00,000,585 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/07/03 07:01:06 | 00,173,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2009/07/03 07:01:06 | 00,173,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe
< End of report >


================================================================

This thing is really putting up a fight - seems like a lot of my memory is being used up; it's really a struggle to get on the internet, load the web pages, and type in this post - with me using dialup not helping either. At any rate, this is how things stand for now. Thanks again for your assistance.

Mud Dobber (aka Fred)

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 August 2009 - 10:52 AM

We need something with a little more muscle.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Mud Dobber

Mud Dobber
  • Topic Starter

  • Members
  • 13 posts

Posted 02 August 2009 - 12:56 PM

Hello again Sam -

Things are running a little better - no warnings on startup, and I'm able to type a little bit faster on this message board.

Here's the Combofix log:

================================================================

ComboFix 09-08-01.09 - Fred 08/02/2009 12:46.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.352.145 [GMT -4:00]
Running from: c:\documents and settings\Fred\Desktop\ComboFix.exe
AV: Panda Internet Security 2008 *On-access scanning disabled* (Outdated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
FW: Panda Internet Security 2008 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))
.

2009-08-01 21:30 . 2009-08-01 21:30 -------- d-----w- C:\_OTL
2009-07-31 15:31 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2009-07-31 15:30 . 2001-08-17 18:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2009-07-31 15:29 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-07-31 15:28 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-30 19:57 . 2009-08-02 16:20 -------- d-sh--w- c:\windows\system32\winwswd32
2009-07-28 10:05 . 2009-07-29 22:01 -------- dc----w- c:\windows\system32\DRVSTORE
2009-07-28 10:01 . 2009-07-29 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-27 23:24 . 2009-07-27 23:24 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-27 10:42 . 2009-07-27 16:29 -------- d-----w- C:\RECYCLER(3)
2009-07-26 16:40 . 2009-07-27 16:29 -------- d-sh--w- C:\RECYCLER(2)
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\documents and settings\Fred\Application Data\Malwarebytes
2009-07-23 01:47 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 01:47 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 19:15 . 2009-07-22 19:15 -------- d-----w- c:\program files\Trend Micro
2009-07-18 19:17 . 2009-07-18 19:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-18 19:17 . 2009-07-23 02:24 -------- d-sh--w- c:\windows\system32\xerox32
2009-07-08 21:22 . 2009-07-08 21:26 -------- d-----w- c:\program files\MSECACHE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 16:40 . 2008-08-18 17:29 253836 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2009-08-02 16:40 . 2008-08-18 17:28 3364 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2009-08-02 16:40 . 2008-08-18 17:20 3364 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2009-08-02 16:40 . 2008-08-18 17:20 253836 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2009-08-02 14:34 . 2008-08-18 17:25 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2009-07-31 21:14 . 2009-06-06 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-31 14:42 . 2009-06-17 12:53 -------- d-----w- c:\program files\Unlocker
2009-07-30 03:13 . 2008-06-02 23:44 -------- d-----w- c:\program files\SpeedFan
2009-07-29 16:06 . 2009-06-06 19:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-29 10:57 . 2005-08-03 02:23 -------- d-----w- c:\program files\oDC
2009-07-20 20:15 . 2008-04-10 02:51 -------- d-----w- c:\program files\Mp3 My Mp3 2.0
2009-07-09 14:05 . 2009-06-07 17:37 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2006-04-05 22:07 . 2006-04-05 22:06 10432544 -c--a-w- c:\program files\rp505enu.exe
2005-08-13 09:41 . 2005-08-13 14:57 609436 -c--a-w- c:\program files\spell.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-03-29 36864]
"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" [2007-11-23 406832]
"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 27952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\word64main.exe,c:\windows\system32\renator.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 23:02 50736 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0a\0u\0t\0o\0c\0h\0k\0 \0*

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\oDC\\oDC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8965:TCP"= 8965:TCP:BitComet 8965 TCP
"8965:UDP"= 8965:UDP:BitComet 8965 UDP
"16594:TCP"= 16594:TCP:BitComet 16594 TCP
"16594:UDP"= 16594:UDP:BitComet 16594 UDP
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/25/2008 2:58 pm 28544]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [8/18/2008 1:19 pm 71608]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [8/18/2008 1:20 pm 51256]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [8/18/2008 1:19 pm 21816]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [8/18/2008 1:20 pm 191672]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [8/18/2008 1:19 pm 132664]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [8/18/2008 1:15 pm 38968]
R1 SMSFLT;SMS Filter Plugin;c:\windows\system32\drivers\smsflt.sys [8/18/2008 1:20 pm 37304]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [8/18/2008 1:20 pm 30648]
R2 cpoint;Panda CPoint Driver;c:\windows\system32\drivers\cpoint.sys [8/18/2008 1:18 pm 24760]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [8/18/2008 1:15 pm 178872]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
R3 NETIMFLT01050097;PANDA NDIS IM Filter Miniport v1.5.0.97;c:\windows\system32\drivers\netimflt.sys [8/18/2008 1:18 pm 143160]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\F.tmp --> c:\windows\system32\F.tmp [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - ComFiltr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-20 c:\windows\Tasks\Clean-up.job
- c:\program files\Panda Security\Panda Internet Security 2008\PlaTasks.exe [2008-08-18 18:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all with Free Download Manager
IE: Download selected with Free Download Manager
IE: Download video with Free Download Manager
IE: Download with Free Download Manager
LSP: c:\program files\Panda Security\Panda Internet Security 2008\pavlsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 13:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\word64main.exe 132608 bytes executable
c:\windows\system32\zpord32

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\avldr.dll
c:\windows\system32\wininet.dll

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\wininet.dll
.
Completion time: 2009-08-02 13:09
ComboFix-quarantined-files.txt 2009-08-02 17:08

Pre-Run: 7,052,169,216 bytes free
Post-Run: 7,027,404,800 bytes free

157 --- E O F --- 2009-05-14 08:42

================================================================

I can't thank you enough for helping me with this. You're going to make an Ohio State fan out of me before this is over. And this is from a life long Florida Gator fan - so that's quite a stretch.

Best regards,

Mud Dobber

#8 Mud Dobber

Mud Dobber
  • Topic Starter

  • Members
  • 13 posts

Posted 03 August 2009 - 05:36 AM

Hi Sam -

Looks like I spoke too soon. I got another warning on my latest startup - "A malicious program has been detected and some of its functions blocked : location C:\WINDOWS\SYSTEM32\RENATOR.EXE"

Rather stubborn - I wonder if it isn't leaving or if I keep getting re-infected on my travels on the internet.

Oh well, something's gotta give eventually.

I await your advice.

Thanks,

Mud Dobber

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 August 2009 - 10:23 AM

Gator fan huh? Well...good luck getting your computer fixed now!
Just kiddin'! :thumbup2:
You guys should have another great year this year. Can't wait for the season to start!

Now back to your computer, you've got something nasty in there for sure. We might have a rootkit involved, but let's see what Combofix can do with it.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Driver::
MEMSWEEP2

File::
c:\windows\system32\F.tmp
c:\windows\system32\word64main.exe
c:\windows\system32\renator.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



Is your antivirus current and up to date? The combofix log shows it as being outdated.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 Mud Dobber

Mud Dobber
  • Topic Starter

  • Members
  • 13 posts

Posted 03 August 2009 - 01:38 PM

Howdy again Sam -

I probably should've held off on mentioning being a Gator fan until we finished with this, but I just couldn't help it. :thumbup2: Of course, without Tebow we probably wouldn't be in such good shape, but we'll take what we can get after the Spurrier years...

I make a point to update the Panda antivirus on a daily basis, and ALWAYS before I open up Internet Explorer 8. I have the automatic update setting turned on, and when it has updates it usually does it on its own. To be honest, I haven't been very happy with Panda since I bought it last year, and when it expires in 15 days I plan on switching to BitDefender.

In fact, it occasionally informs me that the firewall is turned off, or that the security protection has been disabled: not something you want to see after you've been surfing the internet for a while. This might be the ultimate cause of my recent infection, or maybe the malware is somehow turning it off. Who knows?

It's interesting to note that both the renator and word64main worms originated in Spain last month - precisely where Panda's operations are. Am I paranoid for thinking they might have something to do with it?

Anyway, here's the latest Combofix log:

================================================================


ComboFix 09-08-01.09 - Fred 08/03/2009 13:01.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.352.143 [GMT -4:00]
Running from: c:\documents and settings\Fred\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Fred\Desktop\CFScript.txt
AV: Panda Internet Security 2008 *On-access scanning disabled* (Outdated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
FW: Panda Internet Security 2008 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}
* Created a new restore point

FILE ::
"c:\windows\system32\F.tmp"
"c:\windows\system32\renator.exe"
"c:\windows\system32\word64main.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\renator.exe
c:\windows\system32\word64main.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-08-01 21:30 . 2009-08-01 21:30 -------- d-----w- C:\_OTL
2009-07-31 15:31 . 2001-08-18 02:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2009-07-31 15:30 . 2001-08-17 18:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2009-07-31 15:29 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-07-31 15:28 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-30 19:57 . 2009-08-03 16:25 -------- d-sh--w- c:\windows\system32\winwswd32
2009-07-28 10:05 . 2009-07-29 22:01 -------- dc----w- c:\windows\system32\DRVSTORE
2009-07-28 10:01 . 2009-07-29 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-27 23:24 . 2009-07-27 23:24 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-27 10:42 . 2009-07-27 16:29 -------- d-----w- C:\RECYCLER(3)
2009-07-26 16:40 . 2009-07-27 16:29 -------- d-sh--w- C:\RECYCLER(2)
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\documents and settings\Fred\Application Data\Malwarebytes
2009-07-23 01:47 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 01:47 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 19:37 . 2009-08-02 16:16 -------- d-sh--w- c:\windows\system32\zpord32
2009-07-22 19:15 . 2009-07-22 19:15 -------- d-----w- c:\program files\Trend Micro
2009-07-18 19:17 . 2009-07-18 19:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-18 19:17 . 2009-07-23 02:24 -------- d-sh--w- c:\windows\system32\xerox32
2009-07-08 21:22 . 2009-07-08 21:26 -------- d-----w- c:\program files\MSECACHE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 17:17 . 2008-08-18 17:28 3424 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2009-08-03 17:17 . 2008-08-18 17:20 3424 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2009-08-03 17:16 . 2008-08-18 17:25 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2009-08-03 17:14 . 2008-08-18 17:29 253836 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2009-08-03 17:14 . 2008-08-18 17:20 253836 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2009-07-31 21:14 . 2009-06-06 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-31 14:42 . 2009-06-17 12:53 -------- d-----w- c:\program files\Unlocker
2009-07-30 03:13 . 2008-06-02 23:44 -------- d-----w- c:\program files\SpeedFan
2009-07-29 16:06 . 2009-06-06 19:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-29 10:57 . 2005-08-03 02:23 -------- d-----w- c:\program files\oDC
2009-07-20 20:15 . 2008-04-10 02:51 -------- d-----w- c:\program files\Mp3 My Mp3 2.0
2009-07-09 14:05 . 2009-06-07 17:37 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2006-04-05 22:07 . 2006-04-05 22:06 10432544 -c--a-w- c:\program files\rp505enu.exe
2005-08-13 09:41 . 2005-08-13 14:57 609436 -c--a-w- c:\program files\spell.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-02_17.02.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-01 23:11 . 2009-08-03 10:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-08-01 23:11 . 2009-08-02 14:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-08-01 23:11 . 2009-08-03 10:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-01 23:11 . 2009-08-02 14:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-18 19:17 . 2009-08-02 14:31 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-07-18 19:17 . 2009-08-03 10:15 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-08-01 23:11 . 2009-08-03 10:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-08-01 23:11 . 2009-08-02 14:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-03-29 36864]
"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" [2007-11-23 406832]
"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 27952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 23:02 50736 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0a\0u\0t\0o\0c\0h\0k\0 \0*

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\oDC\\oDC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8965:TCP"= 8965:TCP:BitComet 8965 TCP
"8965:UDP"= 8965:UDP:BitComet 8965 UDP
"16594:TCP"= 16594:TCP:BitComet 16594 TCP
"16594:UDP"= 16594:UDP:BitComet 16594 UDP
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/25/2008 2:58 pm 28544]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [8/18/2008 1:19 pm 71608]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [8/18/2008 1:20 pm 51256]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [8/18/2008 1:19 pm 21816]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [8/18/2008 1:20 pm 191672]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [8/18/2008 1:19 pm 132664]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [8/18/2008 1:15 pm 38968]
R1 SMSFLT;SMS Filter Plugin;c:\windows\system32\drivers\smsflt.sys [8/18/2008 1:20 pm 37304]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [8/18/2008 1:20 pm 30648]
R2 cpoint;Panda CPoint Driver;c:\windows\system32\drivers\cpoint.sys [8/18/2008 1:18 pm 24760]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [8/18/2008 1:15 pm 178872]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [8/18/2008 1:25 pm 13880]
R3 NETIMFLT01050097;PANDA NDIS IM Filter Miniport v1.5.0.97;c:\windows\system32\drivers\netimflt.sys [8/18/2008 1:18 pm 143160]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMFILTR

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-20 c:\windows\Tasks\Clean-up.job
- c:\program files\Panda Security\Panda Internet Security 2008\PlaTasks.exe [2008-08-18 18:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all with Free Download Manager
IE: Download selected with Free Download Manager
IE: Download video with Free Download Manager
IE: Download with Free Download Manager
LSP: c:\program files\Panda Security\Panda Internet Security 2008\pavlsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 13:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\avldr.dll

- - - - - - - > 'explorer.exe'(548)
c:\windows\system32\WININET.dll
c:\program files\Panda Security\Panda Internet Security 2008\pavoepl.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Panda Security\Panda Internet Security 2008\TPSrv.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Panda Security\Panda Internet Security 2008\PsCtrlS.exe
c:\program files\Panda Security\Panda Internet Security 2008\PAVFNSVR.EXE
c:\program files\Common Files\Panda Software\PavShld\PavPrSrv.exe
c:\program files\Panda Security\Panda Internet Security 2008\PAVSRV51.EXE
c:\program files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
c:\program files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\Panda Security\Panda Internet Security 2008\FIREWALL\PSHost.exe
c:\program files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
c:\program files\Panda Security\Panda Internet Security 2008\SrvLoad.exe
c:\program files\Panda Security\Panda Internet Security 2008\WebProxy.exe
c:\program files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
.
**************************************************************************
.
Completion time: 2009-08-03 13:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 17:26
ComboFix2.txt 2009-08-02 17:09

Pre-Run: 6,923,730,944 bytes free
Post-Run: 6,938,648,576 bytes free

188 --- E O F --- 2009-05-14 08:42

================================================================


Hope this is indicating some progress - things seem to be running a little smoother, but you never know. It's weird that it mentions the antivirus being outdated. I updated the virus definitions this morning. Oh well.

Again, many thanks...
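The logs above show the three things a reviewer actually looks for in a ComboFix/catchme report before declaring a machine clean: hidden+system directories freshly created under system32 (the `d-sh--w-` entries such as `zpord32` and `xerox32`), the files catchme lists as hidden, and registry values that silence Security Center or switch the XP firewall off (`AntiVirusOverride`, `FirewallOverride`, `EnableFirewall`). The following Python script is an added example, not a BleepingComputer or ComboFix tool, that parses a constructed excerpt modelled on the posted log and flags those three categories. The line formats it matches and the small allowlist of Windows-created hidden folders (`IETldCache`, `dllcache`) are assumptions drawn from the log text above, not documented ComboFix output specifications.

```python
import re

# Constructed excerpt modelled on the ComboFix and catchme output posted in this thread.
# It is not a real log file; it exists only so the parsers below run offline.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.
2009-07-30 19:57 . 2009-08-03 16:25 -------- d-sh--w- c:\windows\system32\winwswd32
2009-07-23 01:47 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 19:37 . 2009-08-02 16:16 -------- d-sh--w- c:\windows\system32\zpord32
2009-07-18 19:17 . 2009-07-18 19:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-18 19:17 . 2009-07-23 02:24 -------- d-sh--w- c:\windows\system32\xerox32

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

scanning hidden files ...

c:\windows\system32\word64main.exe 132608 bytes executable
c:\windows\system32\zpord32

scan completed successfully
hidden files: 2
"""

# A "Files Created" line: <created> . <modified> <size or dashes> <8 attribute flags> <path>
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:-+|\d+) ([-a-z]{8}) (.+)$"
)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{8})|(\d+))')

# Assumption: hidden+system folders that Windows itself creates under system32.
BENIGN_HIDDEN_DIRS = {"ietldcache", "dllcache"}


def hidden_system_dirs(log):
    """Directories under system32 created with the system (s) and hidden (h) attributes.
    In the attribute column 'd-sh--w-' position 0 is the directory flag, positions 2-3 are s/h."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group(1), m.group(2)
        low = path.lower()
        if attrs[0] != "d" or attrs[2:4] != "sh":
            continue
        if not low.startswith("c:\\windows\\system32\\"):
            continue
        if low.rsplit("\\", 1)[-1] in BENIGN_HIDDEN_DIRS:
            continue
        hits.append(path)
    return hits


def catchme_hidden_files(log):
    """Paths listed between 'scanning hidden files ...' and 'scan completed' in catchme output."""
    paths, in_section = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("scanning hidden files"):
            in_section = True
        elif in_section and s.startswith("scan completed"):
            break
        elif in_section and s:
            # catchme appends " <size> bytes <kind>" to files; keep only the path.
            paths.append(re.sub(r" \d+ bytes .*$", "", s))
    return paths


def security_posture_issues(log):
    """Registry values that suppress Security Center alerts or disable the XP firewall.
    Malware sets these, but so does a user who tells Security Center to self-monitor,
    so each hit is something to verify rather than proof of infection."""
    issues, key = [], None
    for line in log.splitlines():
        s = line.strip()
        k = REG_KEY.match(s)
        if k:
            key = k.group(1).lower()
            continue
        v = REG_VAL.match(s)
        if not v or key is None:
            continue
        name = v.group(1)
        value = int(v.group(2), 16) if v.group(2) is not None else int(v.group(3))
        if key.endswith("security center") and name.lower() in ("antivirusoverride", "firewalloverride") and value == 1:
            issues.append("%s=1: Security Center alerts for this component are suppressed" % name)
        elif key.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall" and value == 0:
            issues.append("EnableFirewall=0: Windows Firewall standard profile is off")
    return issues


if __name__ == "__main__":
    for title, rows in (("Hidden+system dirs in system32", hidden_system_dirs(SAMPLE_LOG)),
                        ("catchme hidden files", catchme_hidden_files(SAMPLE_LOG)),
                        ("Security posture", security_posture_issues(SAMPLE_LOG))):
        print(title)
        for r in rows:
            print("  " + r)
```

Run against the two ComboFix logs in this thread, the first report lists `winwswd32`, `zpord32` and `xerox32` and both catchme entries, while the second shows the hidden-file count at zero but the Security Center overrides still present, which is exactly the remaining question the helper raises about the antivirus status.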

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 August 2009 - 10:36 AM

I've heard differing opinions of Panda over the years, but it does seem like I'm hearing more negative feedback now than I used to. It's difficult for these security systems to always keep up with the latest variants. One year they're on top of things and doing a great job, then a year later they've completely dropped the ball. BitDefender is pretty good. I've also heard good things about Nod32 lately.

From looking at your log those files appear to be gone now. How are things on your end? Any indication the infection is still hanging in there?

#12 Mud Dobber

Mud Dobber
  • Topic Starter

  • Members
  • 13 posts

Posted 04 August 2009 - 11:44 AM

Hi Sam -

Things are running great on this end - it's like having a new machine. I used to get annoying pauses while downloading web pages (this bleeping computer!) - but now it's smooth sailing (or surfing) all the way.

No warnings on startups, and the system scan isn't showing anything suspicious. Haven't done MBAM or Spybot scans yet though - they may be irrelevant in this case. (I'm almost afraid to check. Like they say: if it works - don't fix it.)

Big ups to you all the way. :thumbup2: Now let's hope the Buckeyes can throttle the Trojans in week 2 at home - I'll be rooting for 'em! The pressure is on the Gators though, now that we have the highest paid coach in the SEC. The consensus is that Pete Carroll gets even more - yet another reason to beat USC.

And thanks for the heads up on ESET's Nod32 - I'll have to check them out.

Take care, and continued success in all your efforts.

Gratefully,

Mud Dobber (aka Fred from Florida)

P.S. I've seen other posts where they recommend removing Combofix, OTL, etc. after you're done using them. Should I do the same? And what's the best way to do it?

#13 Mud Dobber

Mud Dobber
  • Topic Starter

  • Members
  • 13 posts

Posted 05 August 2009 - 08:24 AM

Just one more thing Sam -

I did the MBAM and Spybot scans and they're malware-free - so all's well in computer land. A final thanks for all you've done. Keep up the good work - it's making a real difference. You can consider this case solved.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 August 2009 - 03:29 PM

Sounds good! :)
Here are some final steps/recommendations for you.



We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)

#15 Mud Dobber

Mud Dobber
  • Topic Starter

  • Members
  • 13 posts

Posted 12 August 2009 - 11:08 AM

Hello again Sam -

Sorry to bother you with something so trivial; I posted this problem in a different forum as another topic but the moderator "garmanma" told me to post it here:

I went to set my clock, but now I can't update/synchronize with any of the time servers that I had before: time.windows.com, time.nist.gov, etc.

Seems like some settings got changed, and the server is not contacted (computer icons in taskbar aren't lighting up.)

Have checked the firewall settings on my Panda antivirus, but it does not seem to be the issue: Windows Time Service Diagnostic Tool is set for Outbound (client); Internet Time Synchronization is set on Enable.

In services.msc, Windows Time is started and in Automatic mode.

Is there a Spybot or Spywareblaster setting that needs to be addressed?

Take your "time" in addressing this issue - pun intended. :thumbup2:

Thanks

Edited by Mud Dobber, 12 August 2009 - 11:10 AM.
