Recovering from rootkit tdss on xp



#1 xccxcc
  • Members

Posted 22 February 2010 - 04:40 PM

Okay, the other day I got infected with rootkit TDSS among other things.
When I realized I was infected (weird stuff was running) I ripped the drive out and scanned it with MBAM on my backup PC.
The PC seems fine now, and Spybot was removing other things.
Then I ran System Virginity Verifier, which is a low-level rootkit scanner.
I got back these results and I would like some advice: am I clean or am I infected?


Underneath is the command prompt version of it with the result.



Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Philippe>cd C:\Documents and Settings\Philippe\Desktop


C:\Documents and Settings\Philippe\Desktop>svv

System Virginity Verifier 2.3, January 2006
written by Joanna Rutkowska
http://invisiblethings.org

svv <command> [options] [/l <altKernelModuleName>]
command is one of the following:
check - check system virginity
fix - try to fix suspected modifications (disinfection)
report - generate report

following options are supported:
/a verify ALL modules (DANGEROUS!)
/m show details about modifications
/c show also clean modules
/d leave driver after finished
/t <n> fix to target verdict level = n (valid for fix command)

C:\Documents and Settings\Philippe\Desktop>svv check /m
ntoskrnl.exe (804d7000 - 806ff000)... suspected! (verdict = 5).
module ntoskrnl.exe [0x804d7000 - 0x806ff000]:
0x804dcb22 (section .text) 18 byte(s): exclusion filter: KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dcb3a (section .text) 1 byte(s): exclusion filter: KeFlushCurrentTb() [c3->00]
file :c3
memory :00
verdict = 1

0x804dda9d (section .text) 1 byte(s): exclusion filter: KiSystemCallExitBranch() [05->06]
file :05
memory :06
verdict = 1

0x804e5531 (section .text) [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
file :c3
memory :90
verdict = 1

0x805499b8 (section .text) [NtTraceEvent()+0] 5 byte(s):
JMPing code (jmp to: 0x89fc7b0b)
address 0x89fc7b0b DOES NOT belong to ANY MODULE!
file :6a 0c 68 18 9b
memory :e9 53 e1 a7 09
verdict = 5

0x80579485 (section PAGE) [NtRequestWaitReplyPort()+0] 5 byte(s):
JMPing code (jmp to: 0x89fc7c4b)
address 0x89fc7c4b DOES NOT belong to ANY MODULE!
file :6a 7c 68 f0 16
memory :e9 c6 e7 a4 09
verdict = 5

0x805e94d8 (section PAGE) [NtRequestPort()+0] 5 byte(s):
JMPing code (jmp to: 0x89fc7bab)
address 0x89fc7bab DOES NOT belong to ANY MODULE!
file :6a 3c 68 f0 4e
memory :e9 d3 e6 9d 09
verdict = 5

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

C:\Documents and Settings\Philippe\Desktop>

Also, I would like any suggestions for anti-rootkit (removal) software.

I currently use RootkitRevealer.
Here is the dump from RootkitRevealer, which I ran.

Note: the problem happened on 2/21/10.

HKLM\SECURITY\Policy\Secrets\SAC* 12/29/2009 5:39 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 12/29/2009 5:39 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 12/29/2009 5:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQLServer\Parameters 1/6/2010 5:48 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.SQLEXPRESS\Security 1/6/2010 5:49 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 2/22/2010 4:50 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\cookies.sqlite-journal 2/22/2010 5:06 PM 4.53 KB Hidden from Windows API.
C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\parent.lock 2/22/2010 5:06 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\sessionstore.js 2/22/2010 5:07 PM 1.60 KB Hidden from Windows API.
C:\Documents and Settings\Philippe\Local Settings\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\Cache\40E4680Cd01 2/22/2010 5:09 PM 20.20 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Philippe\Local Settings\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\Cache\7748C03Ad01 2/22/2010 5:06 PM 25.28 KB Hidden from Windows API.
C:\Documents and Settings\Philippe\Local Settings\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\Cache\9766ABEDd01 2/22/2010 5:10 PM 19.27 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Philippe\Local Settings\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\Cache\F65CD93Bd01 2/22/2010 5:06 PM 23.67 KB Hidden from Windows API.

Here is a GMER log.

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2010-02-22 21:35:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Philippe\LOCALS~1\Temp\pxdyrfod.sys


---- System - GMER 1.0.15 ----

Code 897F4BAC ZwRequestPort
Code 897F4B0C ZwTraceEvent
Code 897F4BAB NtRequestPort
Code 897F4B0B NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!NtTraceEvent 805499B8 5 Bytes JMP 897F4B10
PAGE ntoskrnl.exe!NtRequestWaitReplyPort + 4 80579489 3 Bytes [A6, 41, 00]
PAGE ntoskrnl.exe!NtRequestPort 805E94D8 5 Bytes JMP 897F4BB0

---- EOF - GMER 1.0.15 ----


Basically, I just want a verdict: am I clean or am I infected?

Thank you.

Here is a RootRepeal scan.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/22 21:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7DBA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF79EF000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1286000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==


Merged 3 posts and move to log forum. ~ OB

Edited by Orange Blossom, 22 February 2010 - 10:21 PM.
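As an added worked example (not part of the original post and not SVV's or GMER's own code): a small Python script that re-parses SVV's "/m" detail records, decodes each in-memory E9 rel32 near jmp and tests whether the jump lands inside the ntoskrnl.exe range SVV printed, which is exactly the check behind the "DOES NOT belong to ANY MODULE" verdict. The sample text is constructed from the addresses and bytes in the log above; the module table and the record parser are assumptions of this example.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Module range copied from the SVV output above; on a real system you would
# fill this from the loaded-module list (assumption of this example).
KNOWN_MODULES = {"ntoskrnl.exe": (0x804D7000, 0x806FF000)}

# Constructed sample: one verdict-1 record and the three verdict-5 records,
# using the addresses and byte values from the posted SVV log.
SAMPLE_SVV_OUTPUT = """\
0x804e5531 (section .text) [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
file :c3
memory :90
verdict = 1

0x805499b8 (section .text) [NtTraceEvent()+0] 5 byte(s):
JMPing code (jmp to: 0x89fc7b0b)
address 0x89fc7b0b DOES NOT belong to ANY MODULE!
file :6a 0c 68 18 9b
memory :e9 53 e1 a7 09
verdict = 5

0x80579485 (section PAGE) [NtRequestWaitReplyPort()+0] 5 byte(s):
JMPing code (jmp to: 0x89fc7c4b)
address 0x89fc7c4b DOES NOT belong to ANY MODULE!
file :6a 7c 68 f0 16
memory :e9 c6 e7 a4 09
verdict = 5

0x805e94d8 (section PAGE) [NtRequestPort()+0] 5 byte(s):
JMPing code (jmp to: 0x89fc7bab)
address 0x89fc7bab DOES NOT belong to ANY MODULE!
file :6a 3c 68 f0 4e
memory :e9 d3 e6 9d 09
verdict = 5
"""

# Header line of each record: address, section, optional [symbol], byte count.
HEADER_RE = re.compile(
    r"^0x(?P<addr>[0-9a-f]+) \(section (?P<section>\S+)\)"
    r"(?: \[(?P<symbol>[^\]]+)\])? (?P<size>\d+) byte\(s\)"
)


@dataclass
class Modification:
    address: int
    section: str
    symbol: Optional[str]
    size: int
    file_bytes: bytes = b""
    memory_bytes: bytes = b""
    verdict: int = 0


def parse_svv(text: str) -> list:
    """Turn the '/m' detail listing into Modification records."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Modification(int(m["addr"], 16), m["section"],
                                   m["symbol"], int(m["size"]))
            records.append(current)
        elif current is not None:
            if line.startswith("file :"):
                current.file_bytes = bytes.fromhex(line[6:].replace(" ", ""))
            elif line.startswith("memory :"):
                current.memory_bytes = bytes.fromhex(line[8:].replace(" ", ""))
            elif line.startswith("verdict ="):
                current.verdict = int(line.split("=")[1])
    return records


def module_for(address: int) -> Optional[str]:
    """Name of the known module containing `address`, or None."""
    for name, (start, end) in KNOWN_MODULES.items():
        if start <= address < end:
            return name
    return None


def jmp_target(address: int, code: bytes) -> Optional[int]:
    """Destination of an E9 rel32 near jmp located at `address`, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel32 = struct.unpack("<i", code[1:5])[0]
    # x86 rel32 is relative to the *next* instruction, i.e. address + 5.
    return (address + 5 + rel32) & 0xFFFFFFFF


def classify(mod: Modification) -> dict:
    """Label a record as plain patched bytes or as an inline hook."""
    target = jmp_target(mod.address, mod.memory_bytes)
    result = {"symbol": mod.symbol, "verdict": mod.verdict, "target": target,
              "target_module": None, "kind": "patched bytes"}
    if target is not None:
        result["target_module"] = module_for(target)
        result["kind"] = ("inline hook into memory outside any known module"
                          if result["target_module"] is None
                          else "inline hook within a known module")
    return result


def report(text: str) -> list:
    return [classify(m) for m in parse_svv(text)]


if __name__ == "__main__":
    for r in report(SAMPLE_SVV_OUTPUT):
        tgt = f"0x{r['target']:08x}" if r["target"] is not None else "-"
        print(f"{r['symbol']:<32} verdict={r['verdict']} target={tgt}  {r['kind']}")
```

Note the 5-byte difference: SVV prints address + rel32 (0x89fc7b0b for NtTraceEvent), whereas the architectural destination is relative to the next instruction (0x89fc7b10, as this code computes); the GMER log shows the same 5-byte spacing between each "Code" line and the JMP destination it reports for that function.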



#2 syler
  • Malware Response Team
  • Location:Warrington, UK

Posted 24 February 2010 - 07:30 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues.

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



#3 xccxcc
  • Topic Starter
  • Members

Posted 25 February 2010 - 06:24 PM

OK, will do.


#4 xccxcc
  • Topic Starter
  • Members

Posted 26 February 2010 - 12:53 PM

Here are the files.

OTL logfile created on: 2/26/2010 12:28:29 PM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Philippe\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 451.65 Gb Total Space | 372.05 Gb Free Space | 82.38% Space Free | Partition Type: NTFS
Drive D: | 465.76 Gb Total Space | 384.19 Gb Free Space | 82.49% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PHILIPPE10
Current User Name: Philippe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/26 12:26:40 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Philippe\Desktop\OTL.exe
PRC - [2010/01/26 17:22:49 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/17 17:14:06 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\java.exe
PRC - [2009/12/01 08:55:10 | 000,066,560 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe
PRC - [2009/11/16 14:58:38 | 000,839,168 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2009/10/22 05:00:04 | 000,395,824 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
PRC - [2009/10/22 04:59:58 | 000,113,200 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
PRC - [2009/10/22 04:59:24 | 000,129,584 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
PRC - [2009/10/22 03:47:54 | 000,563,760 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
PRC - [2008/07/10 19:28:06 | 040,999,448 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
PRC - [2008/07/10 02:49:44 | 000,098,840 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/07/10 02:49:34 | 000,258,072 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 07:00:00 | 000,117,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqtgsvc.exe
PRC - [2008/04/14 07:00:00 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2008/04/14 07:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/14 07:00:00 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/14 07:00:00 | 000,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe
PRC - [2006/07/12 13:19:00 | 000,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2005/06/10 04:24:29 | 000,196,608 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\type32.exe
PRC - [2005/06/10 04:21:01 | 000,217,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe
PRC - [2004/10/14 14:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2002/03/19 17:30:00 | 000,045,632 | ---- | M] () -- C:\WINDOWS\system32\TaskSwitch.exe


========== Modules (SafeList) ==========

MOD - [2010/02/26 12:26:40 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Philippe\Desktop\OTL.exe
MOD - [2006/07/12 13:19:00 | 001,466,368 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2006/07/12 13:19:00 | 001,019,904 | ---- | M] () -- C:\WINDOWS\system32\nvwimg.dll
MOD - [2006/07/12 13:19:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/30 16:13:41 | 000,072,704 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2010/01/22 19:16:30 | 000,545,576 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/12/31 16:50:50 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/12/19 01:06:00 | 000,814,344 | ---- | M] (ABBYY) [On_Demand | Stopped] -- C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Corporate.10.0)
SRV - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/12/01 08:55:10 | 000,066,560 | ---- | M] (tzuk) [Auto | Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2009/10/22 05:00:04 | 000,395,824 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2009/10/22 04:59:58 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService)
SRV - [2009/10/22 04:59:48 | 000,334,384 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2009/10/22 03:47:54 | 000,563,760 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2009/10/20 13:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/10/12 14:32:24 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe -- (ufad-ws60)
SRV - [2009/10/01 21:32:04 | 004,584,288 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost)
SRV - [2009/09/28 07:38:18 | 000,099,704 | ---- | M] (Dynamic Network Services, Inc.) [On_Demand | Stopped] -- C:\Program Files\DynDNS Updater\DynUpSvc.exe -- (DynDNS Updater)
SRV - [2009/09/21 20:25:34 | 001,571,336 | ---- | M] (Symantec) [On_Demand | Stopped] -- C:\Program Files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe -- (GenericMount Helper Service)
SRV - [2009/09/21 20:19:20 | 001,964,528 | ---- | M] (Symantec) [On_Demand | Stopped] -- C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe -- (SymSnapService)
SRV - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/14 16:48:08 | 000,053,760 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2009/05/14 16:48:06 | 000,044,032 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/10 19:28:06 | 040,999,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/07/10 19:28:06 | 000,369,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE -- (SQLAgent$SQLEXPRESS) SQL Server Agent (SQLEXPRESS)
SRV - [2008/07/10 19:28:04 | 000,047,128 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE -- (MSSQLServerADHelper100)
SRV - [2008/07/10 02:49:44 | 000,098,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/07/10 02:49:34 | 000,258,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/06/12 11:48:16 | 002,159,992 | ---- | M] (RealVNC Ltd.) [On_Demand | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2008/04/14 07:00:00 | 000,117,248 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\mqtgsvc.exe -- (MSMQTriggers)
SRV - [2008/04/14 07:00:00 | 000,033,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2008/04/14 07:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)
SRV - [2008/04/14 07:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/14 07:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/14 07:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2008/04/14 07:00:00 | 000,004,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\mqsvc.exe -- (MSMQ)
SRV - [2008/03/08 20:14:50 | 000,069,632 | ---- | M] (Softomotive) [On_Demand | Stopped] -- C:\Program Files\Softomotive\WinAutomation\WinAutomation.ServiceAgent.exe -- (WinAutomation Service)
SRV - [2007/09/12 18:27:24 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2006/09/29 12:48:06 | 000,065,536 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe -- (mi-raysat_3dsmax9_32) mental ray 3.5 Satellite (32-bit)
SRV - [2006/07/12 13:19:00 | 000,155,715 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - [2010/02/19 18:58:30 | 000,073,312 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2010/02/07 13:35:52 | 000,139,264 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010/01/26 20:37:37 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2010/01/16 17:28:57 | 000,084,028 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2009/12/01 08:55:10 | 000,119,296 | ---- | M] (tzuk) [Kernel | On_Demand | Running] -- C:\Program Files\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV - [2009/10/22 05:00:50 | 000,032,688 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2009/10/22 05:00:46 | 000,853,936 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2009/10/22 05:00:44 | 000,070,704 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2009/10/22 05:00:44 | 000,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2009/10/22 05:00:44 | 000,023,216 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2009/10/22 04:59:48 | 000,014,896 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport)
DRV - [2009/10/22 03:47:52 | 000,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2009/10/22 00:13:32 | 000,016,560 | R--- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2009/10/20 13:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/10/12 14:31:52 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2009/10/01 22:03:40 | 000,131,000 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009/09/21 20:40:14 | 000,015,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys -- (VProEventMonitor)
DRV - [2009/09/21 20:26:10 | 000,046,192 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GenericMount.sys -- (GenericMount)
DRV - [2009/09/21 20:20:42 | 000,138,592 | ---- | M] (StorageCraft) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symsnap.sys -- (symsnap)
DRV - [2009/08/28 19:42:52 | 000,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 14:17:00 | 000,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/07/10 02:49:14 | 000,242,712 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RsFx0102.sys -- (RsFx0102)
DRV - [2008/06/20 06:08:27 | 000,225,856 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/06/12 09:46:40 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vncmirror.sys -- (vncmirror)
DRV - [2008/05/08 09:02:52 | 000,203,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST)
DRV - [2008/04/14 07:00:00 | 000,092,544 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC)
DRV - [2008/04/14 07:00:00 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/13 19:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/02/06 03:00:00 | 000,044,608 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/07/12 13:19:00 | 003,934,592 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/06/22 00:12:34 | 000,807,998 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/06/10 04:21:01 | 000,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32)
DRV - [2005/05/27 04:46:22 | 000,913,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302AV.SYS -- (PID_08A0) QuickCam IM(PID_08A0)
DRV - [2005/05/27 04:38:00 | 000,007,136 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2005/05/27 04:31:28 | 000,022,016 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2005/01/27 15:31:06 | 000,260,352 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/05/07 00:47:10 | 000,079,616 | R--- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2500usb.sys -- (WUSB54GV4SRV)
DRV - [2004/05/05 21:48:40 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [2003/06/30 18:11:52 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/04/24 16:21:50 | 000,006,025 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\BASFND.sys -- (BASFND)
DRV - [2001/08/17 13:56:16 | 000,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2001/08/17 13:53:32 | 000,006,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-117609710-1770027372-842925246-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-117609710-1770027372-842925246-1003\S-1-5-21-117609710-1770027372-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-117609710-1770027372-842925246-1003\S-1-5-21-117609710-1770027372-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2}:0.9.86
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.8.6
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d}:0.8.19
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2b}:1.1.12
FF - prefs.js..extensions.enabledItems: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947}:11.0.1
FF - prefs.js..extensions.enabledItems: {bee6eb20-01e0-ebd1-da83-080329fb9a3a}:0.1
FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.63.20091024
FF - prefs.js..keyword.URL: "http://www.google.com/search?q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/20 18:49:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/12 17:44:54 | 000,000,000 | ---D | M]

[2009/12/29 20:59:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Extensions
[2010/02/25 18:09:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions
[2009/12/29 22:00:07 | 000,000,000 | ---D | M] (WindowsUpdate) -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2b}
[2010/01/11 15:02:28 | 000,000,000 | ---D | M] (ShowIP) -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions\{3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d}
[2010/01/13 17:18:53 | 000,000,000 | ---D | M] (ChatZilla) -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
[2010/02/20 19:38:16 | 000,000,000 | ---D | M] (Tamper Data) -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
[2010/02/20 19:38:16 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
[2010/01/07 18:45:52 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/22 20:50:30 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2010/02/25 17:18:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Philippe\Application Data\Mozilla\Firefox\Profiles\325g2zn5.default\extensions\ietab@ip.cn
[2010/02/25 18:09:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/03 15:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll

O1 HOSTS File: ([2010/02/25 15:30:30 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKU\S-1-5-21-117609710-1770027372-842925246-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-117609710-1770027372-842925246-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe ()
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe (VMware, Inc.)
O4 - HKU\S-1-5-21-117609710-1770027372-842925246-1003..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe (Gibin Software House (http://www.gibinsoft.net))
O4 - HKU\S-1-5-21-117609710-1770027372-842925246-1003..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O4 - Startup: C:\Documents and Settings\Philippe\Start Menu\Programs\Startup\AutorunsDisabled [2010/01/09 21:07:16 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-117609710-1770027372-842925246-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-117609710-1770027372-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-117609710-1770027372-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-117609710-1770027372-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-117609710-1770027372-842925246-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/01 22:07:02 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2009/12/29 17:26:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/12/29 12:11:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Linksys Cordless Internet Telephony Kit.lnk - C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe - ()
MsConfig - StartUpReg: DVDLauncher - hkey= - key= - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891835792228352)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/26 12:26:38 | 000,549,888 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Philippe\Desktop\OTL.exe
[2010/02/26 12:23:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\VMware
[2010/02/25 16:40:32 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_6.dll
[2010/02/25 16:40:32 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_6.dll
[2010/02/25 16:40:32 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_4.dll
[2010/02/25 16:40:31 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2010/02/25 16:40:31 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_7.dll
[2010/02/25 16:40:30 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2010/02/25 16:40:30 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2010/02/25 16:40:29 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2010/02/25 16:40:28 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2010/02/25 16:40:28 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2010/02/25 16:40:28 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2010/02/25 16:40:27 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2010/02/25 16:40:27 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2010/02/25 16:40:26 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2010/02/25 16:40:26 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2010/02/25 16:40:26 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2010/02/25 16:40:25 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2010/02/25 16:40:25 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2010/02/25 16:40:24 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2010/02/25 16:40:24 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2010/02/25 16:40:24 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2010/02/25 16:40:23 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2010/02/25 16:40:23 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2010/02/25 16:40:23 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2010/02/25 16:40:22 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2010/02/25 16:40:22 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2010/02/25 16:40:22 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2010/02/25 16:40:22 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2010/02/25 16:40:21 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2010/02/25 16:40:21 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2010/02/25 16:40:20 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2010/02/25 16:40:20 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2010/02/25 16:40:20 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2010/02/25 16:40:19 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2010/02/25 16:40:19 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2010/02/25 16:40:19 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2010/02/25 16:40:18 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2010/02/25 16:40:18 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2010/02/25 16:40:18 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2010/02/25 16:40:17 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2010/02/25 16:40:17 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2010/02/25 16:40:17 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2010/02/25 16:40:16 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2010/02/25 16:40:16 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2010/02/25 16:40:15 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2010/02/25 16:40:15 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2010/02/25 16:40:14 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2010/02/25 16:40:14 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2010/02/25 16:40:14 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2010/02/25 16:40:13 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2010/02/25 16:40:13 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2010/02/25 16:40:12 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2010/02/25 16:40:12 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2010/02/25 16:40:12 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2010/02/25 16:40:11 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2010/02/25 16:40:11 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2010/02/25 16:40:10 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2010/02/25 16:40:10 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2010/02/25 16:40:09 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2010/02/25 16:40:09 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2010/02/25 16:40:08 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2010/02/25 16:40:08 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2010/02/25 16:40:07 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2010/02/25 16:40:07 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2010/02/25 16:40:07 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2010/02/25 16:40:07 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2010/02/25 16:40:06 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2010/02/25 16:40:06 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2010/02/25 16:40:06 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2010/02/25 16:40:05 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2010/02/25 16:40:05 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2010/02/25 16:40:05 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2010/02/25 16:40:05 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2010/02/25 16:40:04 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2010/02/25 16:40:04 | 000,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2010/02/25 16:40:03 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2010/02/25 16:40:03 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2010/02/25 16:40:02 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2010/02/25 15:55:45 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Philippe\Desktop\HijackThis.exe
[2010/02/25 15:45:42 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/24 13:03:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/23 19:26:57 | 000,000,000 | ---D | C] -- C:\Program Files\Half-Life 2
[2010/02/23 15:49:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\.k3d
[2010/02/22 20:58:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
[2010/02/22 20:58:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\My Documents\Adobe
[2010/02/22 17:56:34 | 000,000,000 | ---D | C] -- C:\Program Files\Sunbelt Software
[2010/02/22 17:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\Hex-Rays
[2010/02/22 17:51:05 | 000,000,000 | ---D | C] -- C:\Program Files\IDA
[2010/02/22 17:39:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/02/22 17:27:42 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/02/21 22:35:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/02/21 22:35:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/02/21 22:34:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/21 22:34:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/21 22:34:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/21 20:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/21 15:14:28 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/21 15:13:40 | 000,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2010/02/21 15:13:03 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2010/02/21 15:11:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2010/02/21 14:44:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Desktop\scout pictures
[2010/02/21 13:39:34 | 000,007,552 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\drivers\SONYPVU1.SYS
[2010/02/21 13:39:34 | 000,007,552 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\dllcache\sonypvu1.sys
[2010/02/21 12:59:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2010/02/20 19:38:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\My Documents\Downloads
[2010/02/20 19:04:54 | 000,000,000 | ---D | C] -- C:\Program Files\TVAnts
[2010/02/12 17:46:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\Apple Computer
[2010/02/12 17:45:39 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/02/12 17:45:35 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/02/12 17:45:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/02/12 17:45:05 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/02/12 17:44:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/02/12 17:44:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Local Settings\Application Data\Apple
[2010/02/12 17:44:02 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/02/12 17:43:54 | 002,065,696 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2010/02/12 17:43:54 | 000,040,448 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\drivers\usbaapl.sys
[2010/02/12 17:43:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/02/12 17:43:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/02/12 17:42:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Local Settings\Application Data\Apple Computer
[2010/02/12 15:50:53 | 000,107,864 | ---- | C] (TechSmith Corporation) -- C:\WINDOWS\System32\tsccvid.dll
[2010/02/12 15:50:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/02/12 15:50:42 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/02/12 15:50:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\TechSmith Shared
[2010/02/12 15:50:23 | 000,000,000 | ---D | C] -- C:\Program Files\TechSmith
[2010/02/10 11:05:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\My Documents\RCT3
[2010/02/10 11:05:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\Atari
[2010/02/10 10:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\Leadertech
[2010/02/10 10:56:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PocketSoft
[2010/02/10 10:53:51 | 000,000,000 | ---D | C] -- C:\Program Files\Atari
[2010/02/09 19:56:09 | 000,000,000 | ---D | C] -- C:\Program Files\DOOM
[2010/02/07 13:41:18 | 001,379,096 | ---- | C] (Acronis) -- C:\WINDOWS\System32\AutoPartNt.exe
[2010/02/07 13:41:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2010/02/07 13:35:52 | 000,139,264 | ---- | C] (Acronis) -- C:\WINDOWS\System32\drivers\snapman.sys
[2010/02/07 13:35:48 | 000,000,000 | ---D | C] -- C:\Program Files\Acronis
[2010/02/07 13:35:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Acronis
[2010/02/06 22:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Local Settings\Application Data\RcIncidents
[2010/02/06 21:38:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/02/06 21:38:42 | 000,000,000 | ---D | C] -- C:\Program Files\Course Vector
[2010/01/31 20:31:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\ABBYY
[2010/01/31 20:24:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ABBYY
[2010/01/31 20:17:17 | 000,000,000 | ---D | C] -- C:\Program Files\ABBYY FineReader 10
[2010/01/31 20:17:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Local Settings\Application Data\ABBYY
[2010/01/31 20:17:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ABBYY
[2010/01/31 18:36:24 | 000,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[2010/01/30 22:22:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010/01/30 16:21:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\My Documents\3dsmax
[2010/01/30 16:04:49 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2010/01/30 15:07:13 | 000,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2010/01/30 14:52:28 | 000,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2010/01/30 14:29:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Local Settings\Application Data\WMTools Downloaded Files
[2010/01/30 13:12:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\fretsonfire
[2010/01/30 09:00:03 | 000,000,000 | ---D | C] -- C:\Program Files\Half-Life
[2010/01/29 18:42:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\My Documents\Adobe Scripts
[2010/01/29 18:40:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\My Documents\My Fragments
[2010/01/27 19:58:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/01/27 18:03:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\My Documents\SketchPad Backgrounds
[2010/01/27 17:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010/01/27 16:37:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\Planetside Software
[2010/01/27 16:37:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Philippe\Application Data\uk.co.planetside
[2010/01/27 16:36:32 | 000,000,000 | ---D | C] -- C:\Program Files\Planetside Software
[2010/01/09 15:57:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Softomotive
[2010/01/07 16:05:52 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/04 20:18:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/01/02 00:30:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/02 00:29:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/12/29 17:29:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/02/26 12:26:40 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Philippe\Desktop\OTL.exe
[2010/02/26 12:23:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/26 12:22:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/26 12:22:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/26 12:22:49 | 1608,585,216 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/26 12:21:51 | 009,437,184 | ---- | M] () -- C:\Documents and Settings\Philippe\ntuser.dat
[2010/02/26 12:21:51 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Philippe\ntuser.ini
[2010/02/25 17:15:30 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Pc basic Apple and Microsoft essay2,24,10.doc
[2010/02/25 16:47:41 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Microsoft Office Outlook 2003.lnk
[2010/02/25 16:21:49 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/02/25 15:55:45 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Philippe\Desktop\HijackThis.exe
[2010/02/25 15:30:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/25 15:30:30 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/24 18:14:16 | 000,001,120 | ---- | M] () -- C:\Documents and Settings\Philippe\My Documents\Default.sfvidcap
[2010/02/24 17:16:06 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Microsoft Office Word 2003.lnk
[2010/02/24 15:23:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/24 14:57:31 | 000,000,700 | RHS- | M] () -- C:\Documents and Settings\Philippe\ntuser.pol
[2010/02/23 19:40:29 | 000,000,672 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Half-Life 2.lnk
[2010/02/23 18:20:36 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\iTunes.lnk
[2010/02/23 16:02:27 | 000,002,258 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2010/02/22 21:09:40 | 000,000,219 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.tgz
[2010/02/22 21:09:40 | 000,000,087 | ---- | M] () -- C:\WINDOWS\System32\ssprs.tgz
[2010/02/22 21:09:40 | 000,000,021 | ---- | M] () -- C:\WINDOWS\SurCode.INI
[2010/02/22 20:58:57 | 000,001,025 | ---- | M] () -- C:\WINDOWS\System32\sysprs7.tgz
[2010/02/22 20:58:57 | 000,001,025 | ---- | M] () -- C:\WINDOWS\System32\sysprs7.dll
[2010/02/22 20:58:57 | 000,001,025 | ---- | M] () -- C:\WINDOWS\System32\clauth2.dll
[2010/02/22 20:58:57 | 000,001,025 | ---- | M] () -- C:\WINDOWS\System32\clauth1.dll
[2010/02/22 20:45:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/22 20:43:23 | 000,000,724 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/22 16:37:25 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/02/21 22:36:28 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/02/21 22:05:07 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/21 21:32:18 | 063,987,712 | ---- | M] () -- C:\WINDOWS\System32\JSKLXP
[2010/02/21 15:13:22 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/02/21 15:13:22 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/02/21 15:12:25 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/02/21 15:11:43 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010/02/20 23:12:06 | 003,187,818 | -H-- | M] () -- C:\Documents and Settings\Philippe\Local Settings\Application Data\IconCache.db
[2010/02/19 18:58:30 | 000,073,312 | ---- | M] (Adobe Systems, Inc.) -- C:\WINDOWS\System32\drivers\adfs.sys
[2010/02/10 11:03:31 | 000,001,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Roller Coaster Tycoon 3.lnk
[2010/02/10 10:51:19 | 000,000,661 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\DOOM.lnk
[2010/02/09 19:00:23 | 000,000,272 | ---- | M] () -- C:\WINDOWS\_delis32.ini
[2010/02/09 19:00:03 | 000,000,635 | ---- | M] () -- C:\WINDOWS\Dc.INI
[2010/02/07 13:42:12 | 000,001,024 | ---- | M] () -- C:\WINDOWS\System32\AutoPartNt.let
[2010/02/07 13:41:18 | 001,379,096 | ---- | M] (Acronis) -- C:\WINDOWS\System32\AutoPartNt.exe
[2010/02/07 13:35:52 | 000,139,264 | ---- | M] (Acronis) -- C:\WINDOWS\System32\drivers\snapman.sys
[2010/02/07 13:35:51 | 000,001,067 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Acronis Disk Director Suite.lnk
[2010/02/07 11:58:03 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Microsoft Office PowerPoint 2003.lnk
[2010/02/06 21:29:11 | 000,000,675 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\.sol Editor.lnk
[2010/02/04 15:57:14 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Microsoft Office Excel 2003.lnk
[2010/02/04 10:01:14 | 000,528,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_6.dll
[2010/02/04 10:01:14 | 000,238,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_6.dll
[2010/02/04 10:01:14 | 000,074,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_4.dll
[2010/02/04 10:01:14 | 000,022,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_7.dll
[2010/02/03 17:59:48 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Microsoft Office Publisher 2003.lnk
[2010/01/30 20:16:22 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX
[2010/01/30 16:13:19 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Autodesk 3ds Max 9.lnk
[2010/01/30 16:11:21 | 000,007,207 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\services
[2010/01/30 09:53:38 | 000,001,601 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Half-Life - Counter Strike.lnk
[2010/01/29 21:24:18 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Half-Life - Team Fortress Classic.lnk
[2010/01/29 18:45:39 | 000,002,321 | ---- | M] () -- C:\Documents and Settings\Philippe\Desktop\Acrobat Distiller 9.lnk
[2010/01/27 17:07:01 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 9 Pro.lnk

========== Files Created - No Company Name ==========

[2010/02/25 15:56:44 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\Pc basic Apple and Microsoft essay2,24,10.doc
[2010/02/23 19:40:29 | 000,000,672 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\Half-Life 2.lnk
[2010/02/22 20:58:57 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.tgz
[2010/02/22 20:58:57 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2010/02/22 20:58:57 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2010/02/22 20:58:57 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2010/02/22 20:58:57 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.tgz
[2010/02/22 20:58:57 | 000,000,087 | ---- | C] () -- C:\WINDOWS\System32\ssprs.tgz
[2010/02/22 20:58:57 | 000,000,021 | ---- | C] () -- C:\WINDOWS\SurCode.INI
[2010/02/22 20:28:34 | 000,001,120 | ---- | C] () -- C:\Documents and Settings\Philippe\My Documents\Default.sfvidcap
[2010/02/22 16:36:52 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/02/21 22:36:28 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/02/21 21:28:02 | 063,987,712 | ---- | C] () -- C:\WINDOWS\System32\JSKLXP
[2010/02/21 15:11:43 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010/02/20 20:21:49 | 000,001,613 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\LTOOLS.lnk
[2010/02/12 18:46:08 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\iTunes.lnk
[2010/02/12 18:09:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/10 10:56:47 | 000,001,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Roller Coaster Tycoon 3.lnk
[2010/02/10 10:56:23 | 000,197,120 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2010/02/10 10:08:52 | 000,000,661 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\DOOM.lnk
[2010/02/09 19:00:05 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2010/02/09 18:20:22 | 000,000,635 | ---- | C] () -- C:\WINDOWS\Dc.INI
[2010/02/07 13:56:32 | 000,001,067 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\Acronis Disk Director Suite.lnk
[2010/02/07 13:41:18 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\AutoPartNt.let
[2010/01/31 19:43:29 | 000,001,763 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\Blender.lnk
[2010/01/31 18:18:23 | 000,001,736 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\Autodesk 3ds Max 9.lnk
[2010/01/30 18:32:50 | 000,004,096 | -HS- | C] () -- C:\VSNAP.IDX
[2010/01/29 21:03:42 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Philippe\Desktop\Half-Life - Team Fortress Classic.lnk
[2010/01/26 18:04:40 | 000,102,462 | ---- | C] () -- C:\WINDOWS\System32\DspFx.dll
[2010/01/22 11:21:36 | 000,000,230 | ---- | C] () -- C:\Documents and Settings\Philippe\Application Data\default.rss
[2010/01/22 11:19:42 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/20 15:19:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\RussSqr.INI
[2010/01/11 18:35:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI
[2010/01/04 19:37:14 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/01/03 14:28:41 | 001,124,768 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/01 22:05:10 | 000,002,258 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2009/12/30 14:18:29 | 000,327,168 | ---- | C] () -- C:\WINDOWS\System32\cutil32.dll
[2009/12/30 13:28:10 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Philippe\Local Settings\Application Data\fusioncache.dat
[2009/12/29 22:09:56 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\d3dx9.dll
[2009/12/29 21:54:53 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/12/29 21:54:53 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/12/29 21:54:51 | 002,378,752 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009/12/29 21:54:51 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/12/29 21:54:51 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/12/29 21:54:50 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/12/29 21:54:48 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/12/29 21:54:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/12/29 18:43:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/12/29 18:10:21 | 000,009,255 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/12/29 17:50:36 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2009/12/29 17:50:36 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2009/12/29 17:50:22 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2009/12/29 17:50:22 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2009/12/29 17:50:20 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2009/12/29 17:50:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/10/20 13:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/07/12 13:19:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/12 13:19:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/12 13:19:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/12 13:19:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/07/12 13:19:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/12 13:19:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/07/12 13:19:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/19 19:37:32 | 000,000,577 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 07:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\Documents and Settings\Philippe\Desktop\Computer Items\Pe Builder 3110a\BartPE\i386\system32\drivers\atapi.sys
[2008/04/14 07:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 07:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\Documents and Settings\Philippe\Desktop\Computer Items\Pe Builder 3110a\BartPE\i386\system32\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: PROQUOTA.EXE >
[2008/04/14 07:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\dllcache\proquota.exe
[2008/04/14 07:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\proquota.exe

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\Documents and Settings\Philippe\Desktop\Computer Items\Pe Builder 3110a\BartPE\i386\system32\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C8B8CEBD
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A2C6D38F
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:84098FD3
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
< End of report >

Edited by syler, 26 February 2010 - 05:35 PM.
Post attached log


#5 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 26 February 2010 - 05:42 PM

Your logs look absolutely fine to me. Do you have any problems, or are you happy for me to close the topic?



#6 xccxcc

  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 28 February 2010 - 02:57 PM

Okay, thanks. I was just checking with someone more knowledgeable in this field.
For my job I manage networks of computers, so I have no clue when it comes to this stuff,
but let me know how I could help with certain problems that end up in my field of knowledge.

So thank you again.

#7 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 March 2010 - 01:51 AM

Ok no problem.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
