
DDS Log for trojan horse Agent_r.QS


  • This topic is locked
27 replies to this topic

#1 Covec

Covec

  • Members
  • 19 posts
  • Gender:Male
  • Location:Netherlands

Posted 02 March 2010 - 02:42 PM

Here are the logs


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Noname at 20:36:24.76 on Tue 03/02/2010
Internet Explorer: 8.0.7100.0 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Ultimate 6.1.7100.0.1252.1.1033.18.3327.2677 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Noname\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZWN8BKY7\dds[1].scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = google.com
mStart Page = google.com
mSearch Page =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: : {96ed1012-18e2-4acc-8a82-33311abc7d99} - c:\windows\system32\npzfgut.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Steam] "j:\steam\steam.exe" -silent
uRun: [googletalk] c:\users\noname\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [uTorrent] "j:\utorrent\uTorrent.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "j:\adobe\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xporteren naar Microsoft Excel - j:\office\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - j:\office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - j:\office\office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\noname\appdata\roaming\mozilla\firefox\profiles\bbqo7j0t.default\
FF - prefs.js: browser.startup.homepage - Google.com
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: j:\adobe\reader\browser\nppdf32.dll
FF - plugin: j:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: j:\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-28 360584]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2009-10-13 49152]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-1 11608]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-28 333192]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-28 28424]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-1 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-1 185089]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-28 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-28 285392]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-1 56816]
S2 gupdate1ca720ad8dab023;Google Update Service (gupdate1ca720ad8dab023);c:\program files\google\update\GoogleUpdate.exe [2009-11-30 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-4-22 229888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-11-30 9728]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-11-30 3072]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-2 38224]

=============== Created Last 30 ================

2010-03-02 19:35:58 176 ----a-w- c:\users\noname\defogger_reenable
2010-03-02 19:30:47 0 d-----w- c:\users\noname\appdata\roaming\Malwarebytes
2010-03-02 19:30:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 19:30:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 19:30:43 0 d-----w- c:\programdata\Malwarebytes
2010-03-02 19:30:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 16:35:28 0 d-----w- c:\program files\XoftSpy
2010-03-02 15:40:02 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-02 15:40:02 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-02 15:40:02 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-02 15:40:02 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-02 15:39:11 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-03-02 15:39:11 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-02 15:38:55 0 d-----w- c:\program files\common files\PC Tools
2010-03-02 15:38:54 0 d-----w- c:\users\noname\appdata\roaming\PC Tools
2010-03-02 15:38:54 0 d-----w- c:\programdata\PC Tools
2010-03-02 15:38:54 0 d-----w- c:\program files\Spyware Doctor
2010-03-02 15:32:05 0 d---a-w- c:\programdata\TEMP
2010-03-02 01:10:52 239276272 ----a-w- c:\windows\MEMORY.DMP
2010-03-01 21:59:14 0 d-----w- c:\programdata\F-Secure
2010-03-01 21:39:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-01 21:37:44 0 d-----w- c:\programdata\Lavasoft
2010-03-01 18:23:39 0 d-----w- c:\program files\CCleaner
2010-03-01 17:15:01 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-01 17:15:00 0 d-----w- c:\programdata\Avira
2010-03-01 17:15:00 0 d-----w- c:\program files\Avira
2010-02-28 13:11:34 0 d-----w- c:\windows\system32\Wat
2010-02-26 13:11:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-02-26 13:09:58 0 d-----w- c:\programdata\Microsoft Help
2010-02-24 17:42:04 0 d-----w- c:\windows\system32\appmgmt

==================== Find3M ====================

2010-02-28 13:11:36 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-02-28 13:11:36 13824 ----a-w- c:\windows\system32\slwga.dll
2010-02-28 13:11:33 811520 ----a-w- c:\windows\system32\user32.dll
2010-02-28 12:10:11 691346 ----a-w- c:\windows\system32\perfh013.dat
2010-02-28 12:10:11 129994 ----a-w- c:\windows\system32\perfc013.dat
2009-12-20 11:36:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-28 06:11:57 43080 ----a-w- c:\windows\inf\perflib\0413\perfd.dat
2009-11-28 06:11:57 43080 ----a-w- c:\windows\inf\perflib\0413\perfc.dat
2009-11-28 06:11:57 341344 ----a-w- c:\windows\inf\perflib\0413\perfi.dat
2009-11-28 06:11:57 341344 ----a-w- c:\windows\inf\perflib\0413\perfh.dat
2009-04-22 09:01:08 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-04-22 09:01:08 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-04-22 09:01:08 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-04-22 09:01:08 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-04-22 08:14:13 174 --sha-w- c:\program files\desktop.ini
2009-04-22 04:38:41 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-04-22 04:38:41 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-04-22 04:38:39 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-04-22 04:38:39 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-27 04:24:20 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-11-28 06:17:39 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-04-22 05:19:40 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7100.0_none_624b25e9a4cb0444\WinMail.exe

============= FINISH: 20:37:34.13 ===============


And attachment

I really really do hope you guys can help.

And now with attachments and GMER full log

For some reason the "show all" option created a 585 KB log, which is too big to upload.

Merged 2 posts. ~ OB

Attached Files


Edited by Orange Blossom, 02 March 2010 - 04:41 PM.
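The DDS log above is the raw material a helper reads by eye: which processes are running, which BHOs and Run keys are registered, which drivers are loaded. The following is an added example, not code from the DDS tool or from anyone in this thread: a small Python parser for three DDS sections, fed an excerpt of the log posted above, with two triage heuristics that are this example's own assumptions about what gets a second look (a binary loaded from a user-writable or browser-cache directory, and a BHO registered with no name). A hit is a question for the helper, not a verdict: the `dds[1].scr` process it flags is the DDS tool itself, run straight from the download cache, which is exactly why such hits need a human with context.

```python
"""Parser for the Running Processes, Pseudo HJT Report and SERVICES / DRIVERS
sections of a DDS log, plus two triage heuristics.

Added example for this thread; not code from the DDS tool or BleepingComputer.
SAMPLE_DDS_LOG is an excerpt of the log posted above. The heuristics are this
example's own assumptions about what a helper checks first, not a verdict.
"""
import re
from dataclasses import dataclass

# Excerpt of the posted log (constructed sample for this example).
SAMPLE_DDS_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Noname\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZWN8BKY7\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {96ed1012-18e2-4acc-8a82-33311abc7d99} - c:\windows\system32\npzfgut.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [googletalk] c:\users\noname\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-28 360584]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-2 38224]

============= FINISH: 20:37:34.13 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?):\s*(?P<clsid>\{[0-9a-f-]+\})\s*-\s*(?P<path>.+)$", re.I)
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$")

# Directories an ordinary user can write to. A binary loaded from one of these is
# not malicious by itself (DDS itself runs from the IE cache in the log above),
# but a helper confirms what it is before moving on. Assumed list for this example.
USER_WRITABLE = ("\\temporary internet files\\", "\\appdata\\local\\temp\\",
                 "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass
class Finding:
    section: str
    entry: str
    reason: str


def split_sections(text):
    """Map each '==== Title ====' header to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def exe_of(command):
    """Extract the program path from a Run value. Unquoted paths may contain
    spaces, so cut at the first executable extension rather than at a space."""
    m = re.match(r'\s*"?(?P<exe>[^"]+?\.(?:exe|scr|com|dll))"?', command, re.I)
    return m["exe"] if m else command.strip()


def parse_bhos(lines):
    return [(m["name"].strip(), m["clsid"], m["path"].strip())
            for m in map(BHO_RE.match, lines) if m]


def parse_autoruns(lines):
    return [(m["hive"], m["name"], exe_of(m["cmd"]))
            for m in map(RUN_RE.match, lines) if m]


def parse_drivers(lines):
    return [(m["state"], m["svc"], m["path"], int(m["size"]))
            for m in map(DRIVER_RE.match, lines) if m]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(text):
    """Return the entries a helper would ask about first, each with its reason."""
    sections = split_sections(text)
    findings = []
    for proc in sections.get("Running Processes", []):
        if in_user_writable(proc):
            findings.append(Finding("Running Processes", proc,
                                    "process image in a user-writable or cache directory"))
    hjt = sections.get("Pseudo HJT Report", [])
    for name, clsid, path in parse_bhos(hjt):
        if not name:
            findings.append(Finding("Pseudo HJT Report", f"BHO {clsid} -> {path}",
                                    "BHO registered without a name; check the DLL's publisher and signature"))
    for hive, name, exe in parse_autoruns(hjt):
        if in_user_writable(exe):
            findings.append(Finding("Pseudo HJT Report", f"{hive}Run [{name}] -> {exe}",
                                    "autorun launches from a user-writable location"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f.section}] {f.entry}\n    {f.reason}")
```

On the excerpt this reports three items: the `dds[1].scr` process (the scanner itself), the BHO with an empty name, and the Google Talk autorun under `appdata\roaming` (where that program installs per user). None of the three is a finding of malware; they are the lines a helper reads next, which is the point of a triage pass over a DDS log.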




#2 Covec

Covec
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:Netherlands

Posted 02 March 2010 - 03:29 PM

bump

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our Malware Removal Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the Malware Removal Team. The reason we ask this, or do not respond to your requests, is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another MRT member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Pandy~
Forum Moderator


Edited by Pandy, 02 March 2010 - 04:29 PM.


#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 03 March 2010 - 02:09 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.


==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


==========

Re-run Gmer and post a log

==========

With your next post please provide:

* Combofix.txt
* Gmer log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 Covec

Covec
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:Netherlands

Posted 03 March 2010 - 04:08 PM

Hello THCBytes, thank you very much for your much needed help.
Logs will be added in hopefully a few minutes.

First scan found a rootkit, asked for reboot.
Immediately after reboot the scan went on, but immediately Antivir popped up with the trojan I was looking for.
However, Antivir and the scan popped up after the reboot; I wasn't able to switch off any AV software after the reboot.
Is it possible that Antivir picked it up because of the scan?


Greetz Covec

PS: Gmer scan earlier revealed that the atapi.sys was probably infected. Antivir is picking up that file as infected and it is possible it could remove it.
However, I learned earlier that atapi.sys is a critical system file for Windows to run.

PS2: I didn't get the pop-ups suggested with the Windows Recovery thing. It installed something and continued the scan.

Edited by Covec, 03 March 2010 - 04:25 PM.


#5 Covec

Covec
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:Netherlands

Posted 03 March 2010 - 04:45 PM

Logs from Gmer and ComboFix

Attached Files



#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 03 March 2010 - 06:11 PM

Hi,

  1. Select
  2. Select All Programs
  3. Select Accessories
  4. Right click Command Prompt and choose Run as administrator

    • If you have the User Account Control (UAC) enabled you will be asked for authorization prior to the command prompt opening.
    • You may simply need to press the Continue button if you are the administrator or insert the administrator password.
    Copy-paste the following command (the bolded text) into the "cmd" box, and click enter.

    cmd /c dir /a /s C:\QooBox >log.txt&start log.txt

    • Then click on OK.
    • A Text File will open up, please Copy and Paste the contents in your next reply.

    ==========
    1. Please download OTL from one of the following mirrors:
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Click the "Scan All Users" checkbox.
    5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    6. Copy and Paste the following code into the textbox. Do not include the word "Code"

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      CREATERESTOREPOINT
    7. Push
    8. A report will open. Copy and Paste that report in your next reply.
    9. Two reports will open, copy and paste them in a reply here:
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized


==========

ComboFix 10-03-03.03 - Noname 03/03/2010 22:33:06.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7100.0.1252.1.1033.18.3327.2525 [GMT 1:00]
Running from: c:\users\Noname\Desktop\thcbytes.exe
.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 21:36 . 2010-03-03 21:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-03 21:36 . 2010-03-03 21:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-03 21:32 . 2010-03-03 21:32 -------- d-----w- C:\32788R22FWJFW
2010-03-03 21:10 . 2010-03-03 21:36 -------- d-----w- c:\users\Noname\AppData\Local\temp
2010-03-03 21:03 . 2010-03-03 21:14 -------- d-----w- C:\ComboFix
2010-03-02 19:30 . 2010-03-02 19:30 -------- d-----w- c:\users\Noname\AppData\Roaming\Malwarebytes
2010-03-02 19:30 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 19:30 . 2010-03-02 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 19:30 . 2010-03-02 19:30 -------- d-----w- c:\programdata\Malwarebytes
2010-03-02 19:30 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 19:18 . 2010-03-02 19:25 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-02 16:35 . 2010-03-02 16:39 -------- d-----w- c:\program files\XoftSpy
2010-03-02 15:40 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-02 15:40 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-02 15:39 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-02 15:38 . 2010-03-02 15:39 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-02 15:38 . 2010-03-02 15:39 -------- d-----w- c:\program files\Spyware Doctor
2010-03-02 15:38 . 2010-03-02 15:38 -------- d-----w- c:\users\Noname\AppData\Roaming\PC Tools
2010-03-02 15:38 . 2010-03-02 15:38 -------- d-----w- c:\programdata\PC Tools
2010-03-01 21:59 . 2010-03-01 21:59 -------- d-----w- c:\programdata\F-Secure
2010-03-01 21:39 . 2010-03-02 15:17 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-01 21:39 . 2010-03-01 21:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-01 21:37 . 2010-03-02 15:17 -------- d-----w- c:\programdata\Lavasoft
2010-03-01 18:23 . 2010-03-01 18:23 -------- d-----w- c:\program files\CCleaner
2010-03-01 17:15 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-01 17:15 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-01 17:15 . 2010-03-01 17:15 -------- d-----w- c:\programdata\Avira
2010-03-01 17:15 . 2010-03-01 17:15 -------- d-----w- c:\program files\Avira
2010-02-28 19:01 . 2010-02-28 19:01 79367 ----a-w- c:\users\Noname\AppData\Roaming\Google\Google Talk\uninstall.exe
2010-02-28 13:11 . 2010-02-28 13:11 -------- d-----w- c:\windows\system32\Wat
2010-02-27 20:26 . 2010-02-27 20:26 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-02-26 13:11 . 2008-11-10 10:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-02-26 13:11 . 2006-10-26 18:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-02-26 13:11 . 2010-02-28 02:00 -------- d-----w- c:\program files\Microsoft Works
2010-02-26 13:11 . 2010-02-26 13:11 -------- d-----w- c:\program files\Microsoft.NET
2010-02-26 13:09 . 2010-02-26 13:09 -------- d-----w- c:\users\Noname\AppData\Local\Microsoft Help
2010-02-26 13:09 . 2010-02-28 10:30 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 12:08 . 2010-02-24 12:08 -------- d-----w- c:\users\Noname\AppData\Roaming\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 21:26 . 2009-11-30 21:43 -------- d-----w- c:\users\Noname\AppData\Roaming\uTorrent
2010-03-03 20:51 . 2009-11-30 22:23 -------- d-----w- c:\users\Noname\AppData\Roaming\Skype
2010-03-03 19:53 . 2009-12-01 00:24 -------- d-----w- c:\users\Noname\AppData\Roaming\skypePM
2010-03-03 17:08 . 2009-11-28 06:02 -------- d-----w- c:\programdata\avg9
2010-03-03 15:08 . 2009-12-02 23:39 -------- d-----w- c:\program files\Common Files\Steam
2010-03-02 15:48 . 2009-11-30 22:23 -------- d-----r- c:\program files\Skype
2010-03-01 22:13 . 2009-11-30 22:16 -------- d-----w- c:\program files\Google
2010-02-28 13:11 . 2009-04-22 03:38 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-02-28 13:11 . 2009-04-22 03:34 13824 ----a-w- c:\windows\system32\slwga.dll
2010-02-28 13:11 . 2009-04-22 03:22 811520 ----a-w- c:\windows\system32\user32.dll
2010-02-28 12:48 . 2009-11-30 13:27 72032 ----a-w- c:\users\Noname\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-28 12:10 . 2009-11-28 06:12 691346 ----a-w- c:\windows\system32\perfh013.dat
2010-02-28 12:10 . 2009-11-28 06:12 129994 ----a-w- c:\windows\system32\perfc013.dat
2010-02-05 13:46 . 2009-12-07 22:33 1 ----a-w- c:\users\Noname\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-05 13:44 . 2009-12-17 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-31 15:00 . 2010-01-31 15:00 -------- d-----w- c:\program files\AGEIA Technologies
2010-01-31 15:00 . 2010-01-31 15:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-31 15:00 . 2010-01-31 14:51 -------- d-----w- c:\program files\Common Files\BioWare
2010-01-26 18:09 . 2009-11-30 21:49 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-20 11:36 . 2009-12-20 11:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-03-27 04:24 . 2009-04-22 05:58 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-04-22 05:19 . 2009-04-22 03:40 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7100.0_none_624b25e9a4cb0444\WinMail.exe
.

------- Sigcheck -------

[-] 2010-02-28 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7100.0] . . c:\windows\System32\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-03_21.12.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 21:05 . 2010-03-03 21:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
@="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
[HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
2009-04-22 05:21 441856 ----a-w- c:\windows\System32\ntshrui.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Steam"="j:\steam\steam.exe" [2010-02-22 1217872]
"googletalk"="c:\users\Noname\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"uTorrent"="j:\utorrent\uTorrent.exe" [2010-03-03 319280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"Adobe Reader Speed Launcher"="j:\adobe\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-01-18 1286608]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

R0 amdxata;amdxata;c:\windows\System32\drivers\amdxata.sys [4/22/2009 3:07 AM 23120]
R0 CLFS;Common Log (CLFS);c:\windows\System32\clfs.sys [4/22/2009 4:08 AM 249424]
R0 CNG;CNG;c:\windows\System32\drivers\cng.sys [4/22/2009 4:31 AM 369056]
R0 FileInfo;File Information FS MiniFilter;c:\windows\System32\drivers\fileinfo.sys [4/22/2009 4:19 AM 58448]
R0 fvevol;Filterstuurprogramma Bitlocker-stationsvergrendeling;c:\windows\System32\drivers\fvevol.sys [4/22/2009 4:10 AM 194488]
R0 hwpolicy;Hardware Policy Driver;c:\windows\System32\drivers\hwpolicy.sys [4/22/2009 4:08 AM 13904]
R0 KSecPkg;KSecPkg;c:\windows\System32\drivers\ksecpkg.sys [4/22/2009 4:32 AM 133200]
R0 msisadrv;msisadrv;c:\windows\System32\drivers\msisadrv.sys [4/22/2009 4:08 AM 13904]
R0 pcw;Performance Counters for Windows Driver;c:\windows\System32\drivers\pcw.sys [4/22/2009 4:08 AM 42576]
R0 rdyboost;ReadyBoost;c:\windows\System32\drivers\rdyboost.sys [4/22/2009 4:19 AM 173648]
R0 spldr;Security Processor Loader Driver;c:\windows\System32\drivers\spldr.sys [4/22/2009 1:36 AM 17488]
R0 storflt;Schijf - Filterstuurprogramma voor Virtual Machine-busaccelerator;c:\windows\System32\drivers\vmstorfl.sys [4/22/2009 11:23 AM 40912]
R0 vdrvroot;Microsoft Virtual Drive Enumerator Driver;c:\windows\System32\drivers\vdrvroot.sys [4/22/2009 4:44 AM 32848]
R0 volmgr;Volume Manager Driver;c:\windows\System32\drivers\volmgr.sys [4/22/2009 4:08 AM 52304]
R0 volmgrx;Dynamisch Volumebeheer;c:\windows\System32\drivers\volmgrx.sys [4/22/2009 4:09 AM 297040]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/28/2009 7:02 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/28/2009 7:02 AM 360584]
R1 blbdrive;blbdrive;c:\windows\System32\drivers\blbdrive.sys [4/22/2009 4:20 AM 35328]
R1 CSC;Offlinebestandenstuurprogramma;c:\windows\System32\drivers\csc.sys [4/22/2009 4:12 AM 387584]
R1 DfsC;DFS Namespace Client Driver;c:\windows\System32\drivers\dfsc.sys [4/22/2009 4:11 AM 78336]
R1 discache;System Attribute Cache;c:\windows\System32\drivers\discache.sys [4/22/2009 4:21 AM 32768]
R1 nsiproxy;NSI proxy service driver.;c:\windows\System32\drivers\nsiproxy.sys [4/22/2009 4:09 AM 16896]
R1 RDPENCDD;RDP Encoder Mirror Driver;c:\windows\System32\drivers\RDPENCDD.sys [4/22/2009 5:00 AM 6656]
R1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;c:\windows\System32\drivers\RDPREFMP.sys [4/22/2009 5:00 AM 7168]
R1 tdx;Stuurprogramma voor ondersteuning van NetIO Legacy TDI;c:\windows\System32\drivers\tdx.sys [4/22/2009 4:09 AM 74240]
R1 Wanarpv6;IPv6 ARP-stuurprogramma voor externe toegang;c:\windows\System32\drivers\wanarp.sys [4/22/2009 4:53 AM 63488]
R1 WfpLwf;WFP Lightweight Filter;c:\windows\System32\drivers\wfplwf.sys [4/22/2009 4:52 AM 9728]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/1/2010 6:15 PM 108289]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/28/2009 7:02 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/28/2009 7:02 AM 285392]
R2 BFE;Base Filtering Engine;c:\windows\system32\svchost.exe -k LocalServiceNoNetwork [4/22/2009 4:16 AM 20992]
R2 DPS;Diagnostic Policy Service;c:\windows\System32\svchost.exe -k LocalServiceNoNetwork [4/22/2009 4:16 AM 20992]
R2 FDResPub;Function Discovery Resource Publication;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [4/22/2009 4:16 AM 20992]
R2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;c:\windows\System32\drivers\lltdio.sys [4/22/2009 4:51 AM 48128]
R2 luafv;Virtualisatie van UAC-bestanden;c:\windows\System32\drivers\luafv.sys [4/22/2009 4:13 AM 86528]
R2 MMCSS;Multimedia Class Scheduler;c:\windows\system32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
R2 MpsSvc;Windows Firewall;c:\windows\system32\svchost.exe -k LocalServiceNoNetwork [4/22/2009 4:16 AM 20992]
R2 NlaSvc;Network Location Awareness;c:\windows\System32\svchost.exe -k NetworkService [4/22/2009 4:16 AM 20992]
R2 nsi;Network Store Interface-service;c:\windows\system32\svchost.exe -k LocalService [4/22/2009 4:16 AM 20992]
R2 PEAUTH;PEAUTH;c:\windows\System32\drivers\PEAuth.sys [4/22/2009 4:33 AM 586752]
R2 Power;Power;c:\windows\system32\svchost.exe -k DcomLaunch [4/22/2009 4:16 AM 20992]
R2 ProfSvc;User Profile-service;c:\windows\system32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
R2 RpcEptMapper;RPC Endpoint Mapper;c:\windows\system32\svchost.exe -k RPCSS [4/22/2009 4:16 AM 20992]
R2 tcpipreg;TCP/IP Registry Compatibility;c:\windows\System32\drivers\tcpipreg.sys [4/22/2009 4:52 AM 34816]
R3 1394ohci;1394 OHCI Compliant Host Controller;c:\windows\System32\drivers\1394ohci.sys [4/22/2009 4:50 AM 162816]
R3 Appinfo;Application Information;c:\windows\system32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\System32\drivers\l160x86.sys [10/13/2009 2:16 AM 49152]
R3 bowser;Stuurprogramma voor browserondersteuning;c:\windows\System32\drivers\bowser.sys [4/22/2009 4:11 AM 69632]
R3 CompositeBus;Composite Bus Enumerator Driver;c:\windows\System32\drivers\CompositeBus.sys [4/22/2009 4:43 AM 31232]
R3 DXGKrnl;LDDM Graphics Subsystem;c:\windows\System32\drivers\dxgkrnl.sys [4/22/2009 4:23 AM 720384]
R3 fdPHost;Function Discovery Provider Host;c:\windows\system32\svchost.exe -k LocalService [4/22/2009 4:16 AM 20992]
R3 HomeGroupProvider;HomeGroup Provider;c:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted [4/22/2009 4:16 AM 20992]
R3 KeyIso;CNG Key Isolation;c:\windows\System32\lsass.exe [4/22/2009 4:09 AM 22528]
R3 monitor;Microsoft Monitor Class Function Driver Service;c:\windows\System32\drivers\monitor.sys [4/22/2009 4:23 AM 23552]
R3 mpsdrv;Autorisatiestuurprogramma van Windows Firewall;c:\windows\System32\drivers\mpsdrv.sys [4/22/2009 4:51 AM 60416]
R3 mrxsmb10;SMB 1.x mini-redirector;c:\windows\System32\drivers\mrxsmb10.sys [4/22/2009 4:11 AM 220672]
R3 mrxsmb20;SMB 2.0 mini-redirector;c:\windows\System32\drivers\mrxsmb20.sys [4/22/2009 4:11 AM 94720]
R3 netprofm;Network List-service;c:\windows\System32\svchost.exe -k LocalService [4/22/2009 4:16 AM 20992]
R3 PcaSvc;Program Compatibility Assistant-service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
R3 RasAgileVpn;WAN Miniport (IKEv2);c:\windows\System32\drivers\agilevpn.sys [4/22/2009 4:53 AM 49152]
R3 rdpbus;Remote Desktop Device Redirector Bus Driver;c:\windows\System32\drivers\rdpbus.sys [4/22/2009 5:01 AM 18432]
R3 SDRSVC;Windows Back-up;c:\windows\system32\svchost.exe -k SDRSVC [4/22/2009 4:16 AM 20992]
R3 srv2;Stuurprogramma Server SMB 2.xxx;c:\windows\System32\drivers\srv2.sys [11/30/2009 11:13 PM 306688]
R3 srvnet;srvnet;c:\windows\System32\drivers\srvnet.sys [4/22/2009 4:12 AM 113664]
R3 tunnel;Microsoft Tunnel Miniport Adapter Driver;c:\windows\System32\drivers\tunnel.sys [4/22/2009 4:52 AM 108032]
R3 umbus;UMBus Enumerator Driver;c:\windows\System32\drivers\umbus.sys [4/22/2009 4:50 AM 39936]
R3 WdiServiceHost;Diagnostic Service Host;c:\windows\System32\svchost.exe -k LocalService [4/22/2009 4:16 AM 20992]
S2 AudioEndpointBuilder;Windows Audio Endpoint Builder;c:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S2 CscService;Offline Files;c:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S2 gpsvc;Group Policy Client;c:\windows\system32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
S2 gupdate1ca720ad8dab023;Google Update Service (gupdate1ca720ad8dab023);c:\program files\Google\Update\GoogleUpdate.exe [11/30/2009 11:17 PM 133104]
S2 iphlpsvc;IP Helper;c:\windows\System32\svchost.exe -k NetSvcs [4/22/2009 4:16 AM 20992]
S2 SysMain;Superfetch;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S2 UxSms;Desktop Window Manager Session Manager;c:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 AcpiPmi;ACPI Power Meter Driver;c:\windows\System32\drivers\acpipmi.sys [4/22/2009 4:13 AM 9728]
S3 adp94xx;adp94xx;c:\windows\System32\drivers\adp94xx.sys [3/20/2009 4:22 PM 422992]
S3 adpahci;adpahci;c:\windows\System32\drivers\adpahci.sys [4/22/2009 3:07 AM 297552]
S3 amdsata;amdsata;c:\windows\System32\drivers\amdsata.sys [3/20/2009 4:23 PM 77904]
S3 amdsbs;amdsbs;c:\windows\System32\drivers\amdsbs.sys [3/28/2009 5:45 AM 159312]
S3 AppID;AppID-stuurprogramma;c:\windows\System32\drivers\appid.sys [4/22/2009 4:35 AM 50176]
S3 AppIDSvc;Toepassings-id;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [4/22/2009 4:16 AM 20992]
S3 arcsas;arcsas;c:\windows\System32\drivers\arcsas.sys [4/22/2009 3:07 AM 86608]
S3 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\System32\drivers\bxvbdx.sys [3/20/2009 4:22 PM 430080]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [4/22/2009 3:01 AM 229888]
S3 BDESVC;BitLocker Drive Encryption Service;c:\windows\System32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\System32\drivers\BrFiltLo.sys [4/22/2009 5:55 AM 13568]
S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\System32\drivers\BrFiltUp.sys [4/22/2009 5:56 AM 5248]
S3 Brserid;Brother MFC Serial Port Interface Driver (WDM);c:\windows\System32\drivers\BrSerId.sys [4/22/2009 5:53 AM 272128]
S3 BrSerWdm;Brother WDM Serial driver;c:\windows\System32\drivers\BrSerWdm.sys [4/22/2009 5:55 AM 62336]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\System32\drivers\BrUsbMdm.sys [4/22/2009 5:55 AM 12160]
S3 CertPropSvc;Certificate Propagation;c:\windows\system32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
S3 circlass;Consumer IR Devices;c:\windows\System32\drivers\circlass.sys [4/22/2009 4:49 AM 37888]
S3 defragsvc;Disk Defragmenter;c:\windows\system32\svchost.exe -k defragsvc [4/22/2009 4:16 AM 20992]
S3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;c:\windows\System32\drivers\evbdx.sys [3/20/2009 4:22 PM 3100160]
S3 elxstor;elxstor;c:\windows\System32\drivers\elxstor.sys [3/20/2009 4:23 PM 453712]
S3 epmntdrv;epmntdrv;c:\windows\System32\epmntdrv.sys [11/30/2009 2:31 PM 9728]
S3 EuGdiDrv;EuGdiDrv;c:\windows\System32\EuGdiDrv.sys [11/30/2009 2:31 PM 3072]
S3 Filetrace;Filetrace;c:\windows\System32\drivers\filetrace.sys [4/22/2009 4:12 AM 28160]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [4/22/2009 4:16 AM 20992]
S3 FsDepends;File System Dependency Minifilter;c:\windows\System32\drivers\fsdepends.sys [4/22/2009 4:12 AM 45648]
S3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\System32\drivers\hcw85cir.sys [4/22/2009 3:52 AM 26624]
S3 HomeGroupListener;HomeGroup Listener;c:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 HpSAMD;HpSAMD;c:\windows\System32\drivers\HpSAMD.sys [4/22/2009 3:07 AM 67152]
S3 iaStorV;iaStorV;c:\windows\System32\drivers\iaStorV.sys [4/15/2009 3:30 AM 332368]
S3 IKEEXT;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
S3 IPBusEnum;PnP-X IP Bus Enumerator;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 IPMIDRV;IPMIDRV;c:\windows\System32\drivers\IPMIDrv.sys [4/22/2009 4:28 AM 65536]
S3 iScsiPrt;iScsiPort Driver;c:\windows\System32\drivers\msiscsi.sys [4/22/2009 4:44 AM 186960]
S3 KtmRm;KtmRm for Distributed Transaction Coordinator;c:\windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation [4/22/2009 4:16 AM 20992]
S3 lltdsvc;Link-Layer Topology Discovery Mapper;c:\windows\System32\svchost.exe -k LocalService [4/22/2009 4:16 AM 20992]
S3 LSI_FC;LSI_FC;c:\windows\System32\drivers\lsi_fc.sys [4/22/2009 3:07 AM 95824]
S3 LSI_SAS;LSI_SAS;c:\windows\System32\drivers\lsi_sas.sys [4/22/2009 3:07 AM 89168]
S3 LSI_SAS2;LSI_SAS2;c:\windows\System32\drivers\lsi_sas2.sys [4/22/2009 3:07 AM 54864]
S3 LSI_SCSI;LSI_SCSI;c:\windows\System32\drivers\lsi_scsi.sys [4/22/2009 3:07 AM 96848]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [3/2/2010 8:30 PM 38224]
S3 megasas;megasas;c:\windows\System32\drivers\megasas.sys [3/20/2009 4:23 PM 30800]
S3 mpio;mpio;c:\windows\System32\drivers\mpio.sys [4/22/2009 4:44 AM 130640]
S3 msahci;msahci;c:\windows\System32\drivers\msahci.sys [4/22/2009 4:44 AM 27728]
S3 msdsm;msdsm;c:\windows\System32\drivers\msdsm.sys [4/22/2009 4:44 AM 115792]
S3 mshidkmdf;Pass-through HID to KMDF Filter Driver;c:\windows\System32\drivers\mshidkmdf.sys [4/22/2009 4:49 AM 4096]
S3 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
S3 MsRPC;MsRPC;c:\windows\System32\drivers\msrpc.sys [4/22/2009 4:09 AM 162896]
S3 MTConfig;Microsoft Input Configuration Driver;c:\windows\System32\drivers\MTConfig.sys [4/22/2009 4:45 AM 12288]
S3 NativeWifiP;NativeWiFi Filter;c:\windows\System32\drivers\nwifi.sys [4/22/2009 4:50 AM 267264]
S3 NdisCap;NDIS Capture LightWeight Filter;c:\windows\System32\drivers\ndiscap.sys [4/22/2009 4:51 AM 27136]
S3 nfrd960;nfrd960;c:\windows\System32\drivers\nfrd960.sys [4/22/2009 3:07 AM 44624]
S3 nvstor;nvstor;c:\windows\System32\drivers\nvstor.sys [4/15/2009 3:30 AM 142416]
S3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe -k PeerDist [4/22/2009 4:16 AM 20992]
S3 pla;Performance Logs & Alerts;c:\windows\System32\svchost.exe -k LocalServiceNoNetwork [4/22/2009 4:16 AM 20992]
S3 PNRPAutoReg;PNRP Machine Name Publication-service;c:\windows\System32\svchost.exe -k LocalServicePeerNet [4/22/2009 4:16 AM 20992]
S3 ql2300;ql2300;c:\windows\System32\drivers\ql2300.sys [3/20/2009 4:23 PM 1383504]
S3 ql40xx;ql40xx;c:\windows\System32\drivers\ql40xx.sys [4/22/2009 3:07 AM 105552]
S3 s3cap;s3cap;c:\windows\System32\drivers\vms3cap.sys [4/22/2009 11:23 AM 5632]
S3 scfilter;Klassefilterstuurprogramma voor smartcard-PnP;c:\windows\System32\drivers\scfilter.sys [4/22/2009 4:32 AM 26624]
S3 SCPolicySvc;Smart Card Removal Policy;c:\windows\system32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
S3 SensrSvc;Adaptive Brightness;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [4/22/2009 4:16 AM 20992]
S3 SessionEnv;Remote Desktop Configuration;c:\windows\System32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
S3 sffp_mmc;SFF Storage Protocol Driver for MMC;c:\windows\System32\drivers\sffp_mmc.sys [4/22/2009 4:44 AM 12288]
S3 SiSRaid4;SiSRaid4;c:\windows\System32\drivers\sisraid4.sys [4/22/2009 3:07 AM 77904]
S3 Smb;Bericht-georiënteerd TCP/IP- en TCP/IPv6-protocol (SMB-sessie);c:\windows\System32\drivers\smb.sys [4/22/2009 4:52 AM 71168]
S3 sppsvc;Software Protection;c:\windows\System32\sppsvc.exe [4/22/2009 5:44 AM 3179520]
S3 sppuinotify;SPP Notification-service;c:\windows\system32\svchost.exe -k LocalService [4/22/2009 4:16 AM 20992]
S3 stexstor;stexstor;c:\windows\System32\drivers\stexstor.sys [4/22/2009 3:07 AM 21072]
S3 storvsc;storvsc;c:\windows\System32\drivers\storvsc.sys [4/22/2009 11:23 AM 28240]
S3 TabletInputService;Tablet PC Input Service;c:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 TBS;TPM Base Services;c:\windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [4/22/2009 4:16 AM 20992]
S3 THREADORDER;Thread Ordering Server;c:\windows\system32\svchost.exe -k LocalService [4/22/2009 4:16 AM 20992]
S3 TrustedInstaller;Windows Modules Installer;c:\windows\servicing\TrustedInstaller.exe [4/22/2009 4:20 AM 204800]
S3 tssecsrv;Remote Desktop Services Security Filter Driver;c:\windows\System32\drivers\tssecsrv.sys [4/22/2009 5:00 AM 30208]
S3 UI0Detect;Interactive Services Detection;c:\windows\System32\UI0Detect.exe [4/22/2009 4:35 AM 35840]
S3 uliagpkx;Uli AGP Bus Filter;c:\windows\System32\drivers\ULIAGPKX.SYS [4/22/2009 4:23 AM 57424]
S3 UmRdpService;Remote Desktop Services UserMode Port Redirector;c:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 usbcir;eHome Infrared Receiver (USBCIR);c:\windows\System32\drivers\usbcir.sys [4/22/2009 4:49 AM 86016]
S3 VaultSvc;Referentiebeheer;c:\windows\System32\lsass.exe [4/22/2009 4:09 AM 22528]
S3 vhdmp;vhdmp;c:\windows\System32\drivers\vhdmp.sys [4/22/2009 4:44 AM 158288]
S3 ViaC7;VIA C7 Processor Driver;c:\windows\System32\drivers\viac7.sys [4/22/2009 4:08 AM 52736]
S3 vmbus;vmbus;c:\windows\System32\drivers\vmbus.sys [4/22/2009 11:23 AM 175824]
S3 VMBusHID;VMBusHID;c:\windows\System32\drivers\VMBusHID.sys [4/22/2009 11:23 AM 17920]
S3 vsmraid;vsmraid;c:\windows\System32\drivers\vsmraid.sys [3/20/2009 4:23 PM 141904]
S3 vwifibus;Stuurprogramma voor Virtual WiFi-bus;c:\windows\System32\drivers\vwifibus.sys [4/22/2009 4:50 AM 19968]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\System32\drivers\wacompen.sys [4/22/2009 4:45 AM 21632]
S3 wbengine;Block Level Backup Engine-service;c:\windows\System32\wbengine.exe [4/22/2009 4:21 AM 1203200]
S3 WbioSrvc;Windows Biometric Service;c:\windows\system32\svchost.exe -k WbioSvcGroup [4/22/2009 4:16 AM 20992]
S3 wcncsvc;Windows Connect Now - Config Registrar;c:\windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [4/22/2009 4:16 AM 20992]
S3 WcsPlugInService;Windows Color System;c:\windows\system32\svchost.exe -k wcssvc [4/22/2009 4:16 AM 20992]
S3 Wd;Wd;c:\windows\System32\drivers\wd.sys [4/22/2009 4:08 AM 19024]
S3 WdiSystemHost;Diagnostic System Host;c:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 Wecsvc;Windows Event Collector;c:\windows\system32\svchost.exe -k NetworkService [4/22/2009 4:16 AM 20992]
S3 wercplsupport;Problem Reports and Solutions Control Panel Support;c:\windows\System32\svchost.exe -k netsvcs [4/22/2009 4:16 AM 20992]
S3 WerSvc;Windows Error Reporting Service;c:\windows\System32\svchost.exe -k WerSvcGroup [4/22/2009 4:16 AM 20992]
S3 WIMMount;WIMMount;c:\windows\System32\drivers\wimmount.sys [4/22/2009 4:15 AM 19024]
S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [4/22/2009 4:16 AM 20992]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\System32\svchost.exe -k NetworkService [4/22/2009 4:16 AM 20992]
S3 Wlansvc;WLAN Auto Config;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 WPCSvc;Parental Controls;c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 WPDBusEnum;Portable Device Enumerator-service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [4/22/2009 4:16 AM 20992]
S3 WwanSvc;WWAN AutoConfig;c:\windows\system32\svchost.exe -k LocalServiceNoNetwork [4/22/2009 4:16 AM 20992]
S4 Mcx2Svc;Media Center Extender-service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [4/22/2009 4:16 AM 20992]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [11/30/2009 11:56 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RPCSS REG_MULTI_SZ RpcEptMapper RpcSs
defragsvc REG_MULTI_SZ defragsvc
WerSvcGroup REG_MULTI_SZ wersvc
LocalServiceNoNetwork REG_MULTI_SZ DPS PLA BFE mpssvc WwanSvc
swprv REG_MULTI_SZ swprv
LocalServicePeerNet REG_MULTI_SZ PNRPSvc p2pimsvc p2psvc PnrpAutoReg
NetworkServiceAndNoImpersonation REG_MULTI_SZ KtmRm
regsvc REG_MULTI_SZ RemoteRegistry
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS AppIDSvc FontCache fdrespub QWAVE wcncsvc Mcx2Svc SensrSvc
DcomLaunch REG_MULTI_SZ Power PlugPlay DcomLaunch
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent
sdrsvc REG_MULTI_SZ sdrsvc
WbioSvcGroup REG_MULTI_SZ WbioSrvc
wcssvc REG_MULTI_SZ WcsPlugInService
secsvcs REG_MULTI_SZ WinDefend
AxInstSVGroup REG_MULTI_SZ AxInstSV
PeerDist REG_MULTI_SZ PeerDistSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
EapHost
wercplsupport
ProfSvc
hkmsvc
winmgmt
SessionEnv
schedule
browser
BDESVC
Themes
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
homegrouplistener


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
WdiServiceHost
sppuinotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
lanmanworkstation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
homegroupprovider

.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 22:16]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 22:16]

2010-03-02 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2007-04-26 13:39]
.
.
------- Supplementary Scan -------
.
uStart Page = google.com
mStart Page = google.com
IE: E&xporteren naar Microsoft Excel - j:\office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Noname\AppData\Roaming\Mozilla\Firefox\Profiles\bbqo7j0t.default\
FF - prefs.js: browser.startup.homepage - Google.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: j:\adobe\Reader\browser\nppdf32.dll
FF - plugin: j:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: j:\divx\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 22:36
Windows 6.1.7100 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-03-03 22:37:09
ComboFix-quarantined-files.txt 2010-03-03 21:37
ComboFix2.txt 2010-03-03 21:14

Pre-Run: 71,427,358,720 bytes beschikbaar
Post-Run: 71,141,482,496 bytes beschikbaar

- - End Of File - - 6F17488FEC2F945D4A739077CFEA179B


==========

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-03 22:39:53
Windows 6.1.7100
Running: jennz358.exe; Driver: C:\Users\Noname\AppData\Local\Temp\awryqpow.sys


---- System - GMER 1.0.15 ----

SSDT 99874A4C ZwCreateThread
SSDT 99874A38 ZwOpenProcess
SSDT 99874A3D ZwOpenThread
SSDT 99874A47 ZwTerminateProcess

INT 0x01 ? 9D3312A4
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E373F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E371DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E376F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E381A8

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA3 0x8C 0x01 0x24 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x99 0xE0 0xE4 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x91 0x48 0xCB 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA3 0x8C 0x01 0x24 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x99 0xE0 0xE4 0x18 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x91 0x48 0xCB 0x1E ...

---- EOF - GMER 1.0.15 ----

==========

With your next post please provide:

* Qoobox log
* OTL.txt
* Extra.txt

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

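Triage of the GMER and catchme output in the post above, as an added example that is not part of the original thread and not GMER's or ComboFix's own code. Two things in those logs deserve a closer look than a bare log dump gives. First, GMER lists four SSDT hooks (ZwCreateThread, ZwOpenProcess, ZwOpenThread, ZwTerminateProcess) with only an address and no owning module, plus an INT 0x01 handler it could not attribute ("?"). Those four process and thread services are the set security products typically hook for self-protection, and this machine runs several (AVG, Avira and Spyware Doctor all appear in the uninstall list further down the thread), while the Registry section shows the sptd driver's configuration pointing at DAEMON Tools Lite, a common source of unattributed INT entries in GMER logs. None of that proves the hooks are benign, so the script lists them rather than dismissing them. Second, catchme's "detected NTDLL code modification" list has an expected value of 0 for every entry, and the right-hand numbers (ZwClose 50, ZwOpenKey 182, ZwQuerySystemInformation 261, and so on) are the stock Windows 7 x86 system-call indices: catchme's banner says W2K/XP/Vista, it has no reference table for build 6.1.7100, and "Initialization error" is the result. That list is therefore not evidence of a patched ntdll. The sample inputs are constructed in the same line format as the logs above; the function names and dictionary keys are this example's own.

```python
"""Triage helper for GMER and catchme text logs (added example, not GMER/ComboFix code)."""
import re

# Constructed sample in GMER's line format, modelled on the log above.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 99874A4C ZwCreateThread
SSDT 99874A38 ZwOpenProcess
SSDT 99874A3D ZwOpenThread
SSDT 99874A47 ZwTerminateProcess

INT 0x01 ? 9D3312A4
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37AF8

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

---- EOF - GMER 1.0.15 ----
"""

# Constructed catchme excerpt carrying the same "name expected != actual" list as above.
SAMPLE_CATCHME = (
    "detected NTDLL code modification:\n"
    "ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, "
    "ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, "
    "ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error\n"
)

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+((?:Zw|Nt)\w+)")
INT_RE = re.compile(r"^INT\s+(0x[0-9A-Fa-f]+)\s+(\S+)")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
SPTD_P0_RE = re.compile(r"^Reg\s+\S*\\sptd\\\S*@p0\s+(.+?)\s*$")
CATCHME_RE = re.compile(r"(\w+)\s+(\d+)\s*!=\s*(\d+)")
HEX_ADDR_RE = re.compile(r"[0-9A-Fa-f]{8,16}")


def triage_gmer(text):
    """Group the noteworthy lines of a GMER text log by kind."""
    out = {"unattributed_ssdt": [], "attributed_ssdt": [], "unknown_int": [],
           "third_party_filters": [], "sptd_paths": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            where, func = m.groups()
            # GMER prints a bare hex address when it cannot map the hook to a module.
            if HEX_ADDR_RE.fullmatch(where):
                out["unattributed_ssdt"].append(func)
            else:
                out["attributed_ssdt"].append((func, where))
        elif (m := INT_RE.match(line)) and m.group(2) == "?":
            out["unknown_int"].append(m.group(1))  # handler lies outside every known image
        elif m := ATTACHED_RE.match(line):
            _driver, device, image, desc = m.groups()
            vendor = desc.rsplit("/", 1)[-1]       # "description/vendor" -> vendor
            if "Microsoft Corporation" not in vendor:
                out["third_party_filters"].append((image, vendor, device))
        elif m := SPTD_P0_RE.match(line):
            out["sptd_paths"].append(m.group(1))
    return out


def parse_catchme(text):
    """Parse catchme's 'Name expected != actual' entries and judge the baseline."""
    hooks = [(n, int(e), int(a)) for n, e, a in CATCHME_RE.findall(text)]
    return {
        "hooks": hooks,
        # expected == 0 for every entry means catchme had no reference table for this
        # build; the actual values are the OS's real syscall indices, not a patch
        "baseline_missing": bool(hooks) and all(e == 0 for _, e, _ in hooks),
        "init_error": "Initialization error" in text,
    }


def report(gmer_text, catchme_text):
    """Human-readable triage summary for a responder."""
    g, c = triage_gmer(gmer_text), parse_catchme(catchme_text)
    lines = [f"SSDT hooks without a module: {', '.join(g['unattributed_ssdt']) or 'none'}",
             f"INT handlers in unknown code: {', '.join(g['unknown_int']) or 'none'}"]
    lines += [f"filter {img} ({vendor}) on {dev}" for img, vendor, dev in g["third_party_filters"]]
    lines += [f"sptd config points at {p}" for p in g["sptd_paths"]]
    if c["init_error"] and c["baseline_missing"]:
        lines.append("catchme: initialization failed, no baseline for this build; "
                     "the NTDLL list is not evidence of a hook")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_GMER, SAMPLE_CATCHME))
```

The unattributed SSDT entries are the ones to resolve first, typically by unloading the security products one at a time and re-running GMER, or by checking which loaded driver owns the address range; an address that still belongs to no driver after that is worth escalating.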
#7 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 03 March 2010 - 06:14 PM

See my prior post. Please copy and paste all replies. Provide the logs I asked for while I review the Combofix and Gmer log. Please take your time and read all my directions carefully!

#8 Covec
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:Netherlands

Posted 03 March 2010 - 08:12 PM



It's 2am up here, so I'm gonna call it a night after this.

Volume in drive C has no label.
Volume Serial Number is B412-A7FB

Directory of C:\QooBox

03/03/2010 10:37 PM <DIR> .
03/03/2010 10:37 PM <DIR> ..
03/03/2010 10:36 PM 2,500 Add-Remove Programs.txt
03/03/2010 10:04 PM <DIR> BackEnv
03/03/2010 10:37 PM 1,613 ComboFix-quarantined-files.txt
03/03/2010 10:14 PM 42,509 ComboFix2.txt
03/03/2010 10:04 PM <DIR> Quarantine
03/03/2010 10:13 PM 1,738,164 SnapShot@2010-03-03_21.12.18.dat
4 File(s) 1,784,786 bytes

Directory of C:\QooBox\BackEnv

03/03/2010 10:04 PM <DIR> .
03/03/2010 10:04 PM <DIR> ..
03/03/2010 10:03 PM 124 appdata.folder.dat
03/03/2010 10:03 PM 229 cache.folder.dat
03/03/2010 10:03 PM 61 Cookies.folder.dat
03/03/2010 10:03 PM 82 desktop.folder.dat
03/03/2010 10:03 PM 116 favorites.folder.dat
03/03/2010 10:03 PM 100 localappdata.folder.dat
03/03/2010 10:03 PM 100 LocalSettings.folder.dat
03/03/2010 10:03 PM 85 mypictures.folder.dat
03/03/2010 10:03 PM 88 personal.folder.dat
03/03/2010 10:03 PM 178 Profiles.Folder.dat
03/03/2010 10:03 PM 203 Profiles.Folder.folder.dat
03/03/2010 10:03 PM 346 programs.folder.dat
03/03/2010 10:03 PM 5,294 SetPath.bat
03/03/2010 10:03 PM 240 startmenu.folder.dat
03/03/2010 10:03 PM 386 startup.folder.dat
03/03/2010 10:03 PM 829 SysPath.dat
03/03/2010 10:03 PM 236 templates.folder.dat
17 File(s) 8,697 bytes

Directory of C:\QooBox\Quarantine

03/03/2010 10:04 PM <DIR> .
03/03/2010 10:04 PM <DIR> ..
03/03/2010 10:04 PM <DIR> C
03/03/2010 10:33 PM 226 catchme.log
03/03/2010 10:36 PM <DIR> Registry_backups
1 File(s) 226 bytes

Directory of C:\QooBox\Quarantine\C

03/03/2010 10:04 PM <DIR> .
03/03/2010 10:04 PM <DIR> ..
03/03/2010 10:04 PM <DIR> Windows
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Windows

03/03/2010 10:04 PM <DIR> .
03/03/2010 10:04 PM <DIR> ..
03/03/2010 10:10 PM <DIR> System32
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Windows\System32

03/03/2010 10:10 PM <DIR> .
03/03/2010 10:10 PM <DIR> ..
03/03/2010 10:04 PM <DIR> drivers
04/22/2009 04:08 AM 109,568 npzfgut.dll.vir
1 File(s) 109,568 bytes

Directory of C:\QooBox\Quarantine\C\Windows\System32\drivers

03/03/2010 10:04 PM <DIR> .
03/03/2010 10:04 PM <DIR> ..
04/22/2009 06:24 AM 21,584 atapi.sys.vir
1 File(s) 21,584 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

03/03/2010 10:36 PM <DIR> .
03/03/2010 10:36 PM <DIR> ..
03/03/2010 10:13 PM 499 BHO-{96ED1012-18E2-4ACC-8A82-33311ABC7D99}.reg.dat
03/03/2010 10:13 PM 164 HKCU-Run-msnmsgr.reg.dat
03/03/2010 10:13 PM 538 SafeBoot-sacsvr.reg.dat
03/03/2010 10:13 PM 530 SafeBoot-vmms.reg.dat
03/03/2010 10:13 PM 534 SafeBoot-WudfPf.reg.dat
03/03/2010 10:13 PM 534 SafeBoot-WudfRd.reg.dat
03/03/2010 10:09 PM 1,914 Service_gtbqlnpm.reg.dat
03/03/2010 10:13 PM 687 ShellIconOverlayIdentifiers-{96ED1012-18E2-4ACC-8A82-33311ABC7D99}.reg.dat
03/03/2010 10:35 PM 3,925 tcpip.reg
9 File(s) 9,325 bytes

Total Files Listed:
33 File(s) 1,934,186 bytes
23 Dir(s) 70,363,783,168 bytes free





I hope this is the info you need.

Greetz, Covec


Edited by Covec, 03 March 2010 - 08:15 PM.
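
The QooBox listing in the post above is the record of what ComboFix moved out of the way, and a responder normally turns it into a verification list. As an added example, not part of the original thread and not ComboFix's own code, the script below parses an English `dir /s` listing (the thread's is Dutch), maps each quarantined .vir file back to the path it was taken from (ComboFix mirrors the original drive letter and directories under C:\QooBox\Quarantine and appends .vir, as the listing shows), and classifies the Registry_backups entries by the prefix ComboFix gives them. The output is the list of files that should now exist as clean, signed copies (here C:\Windows\System32\drivers\atapi.sys and C:\Windows\System32\npzfgut.dll) and the registry items that should be gone: the BHO CLSID, the HKCU Run value, a SafeBoot entry and the service gtbqlnpm, the same random name that shows up crashing as svchost.exe_gtbqlnpm in the event log later in the thread. The listing is constructed from the thread's file names and sizes; QUARANTINE_ROOT, the prefix list in REG_BACKUP_RE and the function names are this example's assumptions.

```python
"""Turn a ComboFix QooBox directory listing into a post-cleanup checklist.

Added example; not part of the original thread and not ComboFix's own code.
"""
import re
from pathlib import PureWindowsPath

# Where ComboFix parks removed files, mirroring <drive>\<path> below it and appending .vir
QUARANTINE_ROOT = PureWindowsPath(r"C:\QooBox\Quarantine")

# Constructed `dir /s` excerpt using the file names and sizes from the thread's listing.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is B412-A7FB

 Directory of C:\QooBox

03/03/2010  10:37 PM    <DIR>          .
03/03/2010  10:36 PM             2,500 Add-Remove Programs.txt
03/03/2010  10:04 PM    <DIR>          Quarantine
               1 File(s)          2,500 bytes

 Directory of C:\QooBox\Quarantine\C\Windows\System32

04/22/2009  04:08 AM           109,568 npzfgut.dll.vir
               1 File(s)        109,568 bytes

 Directory of C:\QooBox\Quarantine\C\Windows\System32\drivers

04/22/2009  06:24 AM            21,584 atapi.sys.vir
               1 File(s)         21,584 bytes

 Directory of C:\QooBox\Quarantine\Registry_backups

03/03/2010  10:13 PM               499 BHO-{96ED1012-18E2-4ACC-8A82-33311ABC7D99}.reg.dat
03/03/2010  10:13 PM               164 HKCU-Run-msnmsgr.reg.dat
03/03/2010  10:13 PM               538 SafeBoot-sacsvr.reg.dat
03/03/2010  10:09 PM             1,914 Service_gtbqlnpm.reg.dat
03/03/2010  10:35 PM             3,925 tcpip.reg
               5 File(s)          7,040 bytes
"""

DIR_HDR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")
# Prefixes ComboFix uses for its registry backups (assumed list, taken from the thread's names)
REG_BACKUP_RE = re.compile(
    r"^(?P<kind>Service|BHO|HKCU-Run|SafeBoot|ShellIconOverlayIdentifiers)[-_](?P<name>.+)\.reg\.dat$")


def parse_dir_listing(text):
    """Return (PureWindowsPath, size_in_bytes) for every regular file in a `dir /s` listing."""
    files, current = [], None
    for line in text.splitlines():
        if m := DIR_HDR_RE.match(line):
            current = PureWindowsPath(m.group(1))
        elif (m := FILE_RE.match(line)) and current is not None:  # <DIR> rows never match
            files.append((current / m.group(4), int(m.group(3).replace(",", ""))))
    return files


def original_path(quarantined):
    """Map C:\\QooBox\\Quarantine\\<drive>\\...\\name.vir back to <drive>:\\...\\name, else None."""
    if not quarantined.name.lower().endswith(".vir"):
        return None
    try:
        parts = quarantined.relative_to(QUARANTINE_ROOT).parts
    except ValueError:
        return None
    if len(parts) < 2 or len(parts[0]) != 1:  # first component must be the drive-letter folder
        return None
    return PureWindowsPath(parts[0] + ":\\", *parts[1:-1], quarantined.name[:-4])


def classify_reg_backup(filename):
    """'Service_gtbqlnpm.reg.dat' -> ('Service', 'gtbqlnpm'); None for anything else."""
    m = REG_BACKUP_RE.match(filename)
    return (m.group("kind"), m.group("name")) if m else None


def build_checklist(listing):
    """Files to verify as restored and registry entries to verify as removed."""
    replaced, removed = [], []
    for path, size in parse_dir_listing(listing):
        if (orig := original_path(path)) is not None:
            replaced.append((str(orig), size))
        elif path.parent.name == "Registry_backups" and (entry := classify_reg_backup(path.name)):
            removed.append(entry)
    return {"verify_files": replaced, "verify_removed": removed}


if __name__ == "__main__":
    checklist = build_checklist(SAMPLE_LISTING)
    for path, size in checklist["verify_files"]:
        print(f"confirm {path} exists and is signed (quarantined copy was {size} bytes)")
    for kind, name in checklist["verify_removed"]:
        print(f"confirm {kind} entry {name} is gone")
```

Size and timestamp alone would not have flagged atapi.sys: the quarantined copy is 21,584 bytes with the same 2009-04-22 timestamp as the other Windows binaries in the OTL listing further down, which is why the follow-up check on the live file is its Authenticode signature (Sysinternals sigcheck, or PowerShell's Get-AuthenticodeSignature) rather than another directory listing.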


#9 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 03 March 2010 - 08:59 PM

Hello,

Combofix removed the rootkit and replaced the infected System File (Atapi.sys).

==========

Please do not attach logs!!!!!!!!! Please copy and paste all logs directly into your reply.

==========

I have copied and pasted the logs for you again! Please follow my instructions and do not attach logs unless I specifically direct you to do so!!

==========

I will review these logs and guide you.

==========

OTL Extras logfile created on: 3/4/2010 2:05:12 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Users\Noname\Downloads
Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7100.0)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 87.90 Gb Total Space | 65.53 Gb Free Space | 74.56% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 377.86 Gb Total Space | 232.51 Gb Free Space | 61.53% Space Free | Partition Type: NTFS

Computer Name: NONAME-PC
Current User Name: Noname
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3841116261-2093695884-1951506884-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "J:\office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- J:\office\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{11202615-E557-4ECF-9B86-F59C81E52909}" = FIFA 10
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB}" = Mass Effect 2
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0016-0413-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Dutch) 2007
"{90120000-0016-0413-0000-0000000FF1CE}_HOMESTUDENTR_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0413-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Dutch) 2007
"{90120000-0018-0413-0000-0000000FF1CE}_HOMESTUDENTR_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0413-0000-0000000FF1CE}" = Microsoft Office Word MUI (Dutch) 2007
"{90120000-001B-0413-0000-0000000FF1CE}_HOMESTUDENTR_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0413-0000-0000000FF1CE}" = Microsoft Office Proof (Dutch) 2007
"{90120000-001F-0413-0000-0000000FF1CE}_HOMESTUDENTR_{D66D5A44-E480-4BA4-B4F2-C554F6B30EBB}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0413-0000-0000000FF1CE}" = Microsoft Office Proofing (Dutch) 2007
"{90120000-006E-0413-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Dutch) 2007
"{90120000-006E-0413-0000-0000000FF1CE}_HOMESTUDENTR_{89C8E56A-90D8-4598-B0E6-EB28F6270E07}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0413-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Dutch) 2007
"{90120000-00A1-0413-0000-0000000FF1CE}_HOMESTUDENTR_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1043-7B44-A93000000001}" = Adobe Reader 9.3 - Nederlands
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = SkypeÖ 4.1
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"EASEUS Partition Master Professional Edition_is1" = EASEUS Partition Master 3.0.2 Professional
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"NVIDIA Drivers" = NVIDIA Drivers
"Spyware Doctor" = Spyware Doctor 7.0
"Steam App 10500" = Empire: Total War
"uTorrent" = ÁTorrent
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinRAR archiver" = WinRAR
"XoftSpy" = XoftSpy

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3841116261-2093695884-1951506884-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/2/2010 11:48:17 AM | Computer Name = Noname-PC | Source = System Restore | ID = 8193
Description =

Error - 3/2/2010 3:48:22 PM | Computer Name = Noname-PC | Source = Application Error | ID = 1000
Description = Faulting application name: mbam.exe, version: 1.44.0.0, time stamp:
0x4b46461a Faulting module name: KERNELBASE.dll, version: 6.1.7100.0, time stamp:
0x49eea60f Exception code: 0xe06d7363 Fault offset: 0x0000b4f4 Faulting process
id: 0x248 Faulting application start time: 0x01caba3eeae5a78e Faulting application
path: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe Faulting module
path: C:\Windows\system32\KERNELBASE.dll Report Id: 8e833c39-2634-11df-9b4e-001e8c1a96ea

Error - 3/2/2010 4:51:55 PM | Computer Name = Noname-PC | Source = Application Error | ID = 1000
Description = Faulting application name: dvubtf2k.exe, version: 1.0.15.15281,
time stamp: 0x4b2763f0 Faulting module name: dvubtf2k.exe, version: 1.0.15.15281,
time stamp: 0x4b2763f0 Exception code: 0xc0000005 Fault offset: 0x0000c4b1 Faulting
process id: 0x6a8 Faulting application start time: 0x01caba4a26106c99 Faulting
application path: C:\Users\Noname\Downloads\dvubtf2k.exe Faulting module
path: C:\Users\Noname\Downloads\dvubtf2k.exe Report Id: 6f49648e-263d-11df-8bf3-001e8c1a96ea

Error - 3/2/2010 4:55:51 PM | Computer Name = Noname-PC | Source = PerfNet | ID = 2004
Description =

Error - 3/2/2010 10:50:05 PM | Computer Name = Noname-PC | Source = VSS | ID = 8193
Description =

Error - 3/2/2010 10:59:53 PM | Computer Name = Noname-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe_gtbqlnpm, version: 6.1.7100.0,
time stamp: 0x49ee8c24 Faulting module name: KERNELBASE.dll, version: 6.1.7100.0,
time stamp: 0x49eea60f Exception code: 0x0eedfade Fault offset: 0x0000b4f4 Faulting
process id: 0x4b0 Faulting application start time: 0x01caba6eab30b0d8 Faulting
application path: C:\Windows\system32\svchost.exe Faulting module path:
C:\Windows\system32\KERNELBASE.dll Report Id: d6de6a17-2670-11df-89d6-001e8c1a96ea

Error - 3/3/2010 11:12:17 AM | Computer Name = Noname-PC | Source = Schedule | ID = 0
Description =

Error - 3/3/2010 1:14:41 PM | Computer Name = Noname-PC | Source = Schedule | ID = 0
Description =

Error - 3/3/2010 4:53:12 PM | Computer Name = Noname-PC | Source = Schedule | ID = 0
Description =

Error - 3/3/2010 8:39:35 PM | Computer Name = Noname-PC | Source = Schedule | ID = 0
Description =

[ System Events ]
Error - 3/3/2010 8:38:35 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7031
Description = The System Event Notification Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds:
Restart the service.

Error - 3/3/2010 8:38:35 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7031
Description = The Themes service terminated unexpectedly. It has done this 2 time(s). The
following corrective action will be taken in 60000 milliseconds: Restart the service.

Error - 3/3/2010 8:38:35 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Management Instrumentation service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds:
Restart the service.

Error - 3/3/2010 8:38:35 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7034
Description = The Windows Update service terminated unexpectedly. It has done this 2 time(s).

Error - 3/3/2010 8:38:38 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7031
Description = The Base Filtering Engine service terminated unexpectedly. It has done this 1 time(s).
The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error - 3/3/2010 8:38:38 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7031
Description = The Diagnostic Policy Service service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error - 3/3/2010 8:38:38 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Firewall service terminated unexpectedly. It has done this 1 time(s).
The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error - 3/3/2010 8:40:35 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart the service)
after the unexpected termination of the Computer Browser service, but this action failed
with the following error: %%1056

Error - 3/3/2010 8:40:35 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart the service)
after the unexpected termination of the Server service, but this action failed with the
following error: %%1056

Error - 3/3/2010 8:40:38 PM | Computer Name = Noname-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart the service)
after the unexpected termination of the Base Filtering Engine service, but this action failed
with the following error: %%1056


< End of report >

==========

OTL logfile created on: 3/4/2010 2:05:12 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Users\Noname\Downloads
Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7100.0)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 87.90 Gb Total Space | 65.53 Gb Free Space | 74.56% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 377.86 Gb Total Space | 232.51 Gb Free Space | 61.53% Space Free | Partition Type: NTFS

Computer Name: NONAME-PC
Current User Name: Noname
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/04 02:03:48 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\Noname\Downloads\OTL.exe
PRC - [2010/03/03 20:55:42 | 000,319,280 | ---- | M] (BitTorrent, Inc.) -- J:\Utorrent\uTorrent.exe
PRC - [2010/01/16 04:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/12 21:02:51 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/12 21:02:51 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/28 07:02:37 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/28 07:02:37 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/28 07:02:30 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/11/28 07:02:29 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/04/22 06:19:35 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/04/22 06:19:02 | 002,607,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/22 06:18:45 | 000,100,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe


========== Modules (SafeList) ==========

MOD - [2010/03/04 02:03:48 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\Noname\Downloads\OTL.exe
MOD - [2009/04/22 06:22:04 | 000,099,328 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/04/22 06:21:49 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/04/22 06:21:46 | 000,051,200 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/04/22 06:21:43 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/04/22 06:21:19 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/04/22 06:20:43 | 000,280,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/04/22 06:20:19 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/04/22 06:20:14 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/04/22 06:20:07 | 000,036,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/04/22 06:20:00 | 000,145,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/04/22 06:00:58 | 001,679,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7100.0_none_d75e6751736615f2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/03 04:14:28 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/11/28 07:02:30 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/11/28 07:02:29 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/08 22:53:41 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/04/22 06:22:25 | 000,185,344 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/04/22 06:22:12 | 000,151,040 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/04/22 06:22:10 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/04/22 06:22:07 | 000,037,888 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/04/22 06:22:02 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/04/22 06:21:49 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/04/22 06:21:46 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/04/22 06:21:43 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/04/22 06:21:42 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc) Peer Name Resolution Protocol (PNRP)
SRV - [2009/04/22 06:21:42 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/04/22 06:21:42 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/04/22 06:21:40 | 001,004,032 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/04/22 06:20:52 | 000,680,448 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/04/22 06:20:30 | 000,797,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/04/22 06:20:14 | 000,252,928 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/04/22 06:20:13 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/04/22 06:19:55 | 000,076,288 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/04/22 06:19:54 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/04/22 06:19:51 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/04/22 06:19:20 | 003,179,520 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)


========== Driver Services (SafeList) ==========

DRV - [2010/01/07 16:07:14 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/11/30 23:56:43 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/11/28 07:02:42 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/11/28 07:02:38 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/11/28 07:02:38 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/11/25 11:19:02 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/10/13 02:16:02 | 000,049,152 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\l160x86.sys -- (AtcL001)
DRV - [2009/09/27 23:12:22 | 009,509,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/05/11 09:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/22 06:24:35 | 000,422,992 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/04/22 06:24:29 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/04/22 06:24:23 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/04/22 06:24:21 | 000,332,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/04/22 06:24:21 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/04/22 06:24:21 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/04/22 06:24:20 | 000,236,112 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/04/22 06:24:19 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/04/22 06:24:17 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/04/22 06:24:16 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/04/22 06:24:14 | 000,117,328 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/04/22 06:24:14 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/04/22 06:24:13 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/04/22 06:24:13 | 000,077,904 | ---- | M] (AMD) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/04/22 06:24:12 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/04/22 06:24:12 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/04/22 06:24:08 | 000,070,736 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/04/22 06:24:08 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/04/22 06:24:06 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/04/22 06:24:05 | 000,045,648 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/04/22 06:24:05 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/04/22 06:24:04 | 000,042,576 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/04/22 06:24:04 | 000,023,120 | ---- | M] (AMD) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/04/22 06:24:04 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/04/22 06:24:04 | 000,014,416 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/04/22 06:24:02 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/04/22 06:23:59 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/04/22 06:23:56 | 001,383,504 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/04/22 06:23:55 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/04/22 06:23:55 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/04/22 06:23:53 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/04/22 06:23:52 | 000,158,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/04/22 06:23:52 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/04/22 06:23:49 | 000,105,552 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/04/22 06:23:49 | 000,077,904 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/04/22 06:23:47 | 000,040,912 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/04/22 06:23:45 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/04/22 06:23:44 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/04/22 06:23:44 | 000,028,240 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/04/22 06:23:43 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/04/22 06:23:43 | 000,019,024 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/04/22 06:23:42 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/04/22 06:23:29 | 000,369,056 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/04/22 05:53:34 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/04/22 05:01:13 | 000,018,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/04/22 05:00:12 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/04/22 04:53:30 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/04/22 04:52:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/04/22 04:51:14 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/04/22 04:50:28 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/04/22 04:50:20 | 000,162,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/04/22 04:50:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/04/22 04:49:31 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/04/22 04:45:25 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/04/22 04:43:54 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/04/22 04:35:06 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/04/22 04:32:05 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/04/22 04:26:30 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/04/22 04:26:29 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/04/22 04:21:35 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/04/22 04:16:45 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/04/22 04:13:47 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/04/22 04:08:28 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/04/22 03:52:05 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/04/22 03:51:17 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/04/22 03:51:17 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/04/22 03:51:16 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/04/22 03:51:15 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/04/22 03:51:15 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/04/22 03:01:07 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/04/22 03:01:07 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/04/22 03:01:07 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/04/22 01:51:15 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2009/03/30 09:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/23 14:52:50 | 000,009,728 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\epmntdrv.sys -- (epmntdrv)
DRV - [2009/02/23 14:52:50 | 000,003,072 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2004/08/13 11:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = google.com


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = google.com
IE - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DB 8E FF E3 65 77 CA 01 [binary data]
IE - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001\S-1-5-21-3841116261-2093695884-1951506884-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "Google.com"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/27 21:02:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/26 14:11:32 | 000,000,000 | ---D | M]

[2009/11/30 22:42:25 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\mozilla\Extensions
[2010/03/03 23:20:03 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\mozilla\Firefox\Profiles\bbqo7j0t.default\extensions
[2009/11/30 22:44:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Noname\AppData\Roaming\mozilla\Firefox\Profiles\bbqo7j0t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/27 21:02:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/03 22:12:09 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] J:\Adobe\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001..\Run: [googletalk] C:\Users\Noname\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
O4 - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001..\Run: [Steam] j:\steam\steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001..\Run: [uTorrent] J:\Utorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3841116261-2093695884-1951506884-1001_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - J:\office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\Windows\System32\avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/20 16:42:25 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/04/22 07:17:33 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: dmadmin - Service
SafeBootMin: dmboot.sys - Driver
SafeBootMin: dmio.sys - Driver
SafeBootMin: dmload.sys - Driver
SafeBootMin: dmserver - Service
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Power - C:\Windows\System32\umpo.dll (Microsoft Corporation)
SafeBootMin: Primary disk - Driver Group
SafeBootMin: RpcEptMapper - C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sr.sys - FSFilter System Recovery
SafeBootMin: SRService - Service
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: Dhcp - C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SafeBootNet: dmadmin - Service
SafeBootNet: dmboot.sys - Driver
SafeBootNet: dmio.sys - Driver
SafeBootNet: dmload.sys - Driver
SafeBootNet: dmserver - Service
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: ip6fw.sys - Driver
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: ndiscap - C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS - File not found
SafeBootNet: NtLmSsp - Service
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Power - C:\Windows\System32\umpo.dll (Microsoft Corporation)
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: RpcEptMapper - C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sr.sys - FSFilter System Recovery
SafeBootNet: SRService - Service
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vmms - Service
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} - Reg Error: Value error.
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/03 22:37:10 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/03/03 22:36:55 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/03/03 22:32:50 | 000,000,000 | ---D | C] -- C:\thcbytes
[2010/03/03 22:32:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/03 22:32:35 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/03/03 22:10:41 | 000,000,000 | ---D | C] -- C:\Users\Noname\AppData\Local\temp
[2010/03/03 22:03:39 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/03/03 22:03:39 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/03/03 22:03:39 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/03/03 22:03:33 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/03/03 22:03:32 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/03/03 22:02:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/03 18:57:56 | 000,021,584 | ---- | C] (Microsoft Corporation) -- C:\Users\Noname\Desktop\atapi.sys
[2010/03/02 20:30:47 | 000,000,000 | ---D | C] -- C:\Users\Noname\AppData\Roaming\Malwarebytes
[2010/03/02 20:30:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/02 20:30:43 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/02 20:30:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/02 20:30:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/02 20:18:30 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/03/02 17:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\XoftSpy
[2010/03/02 16:47:17 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/03/02 16:40:02 | 000,207,280 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2010/03/02 16:40:02 | 000,087,784 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2010/03/02 16:39:11 | 000,070,408 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2010/03/02 16:38:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/03/02 16:38:54 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/03/02 16:38:54 | 000,000,000 | ---D | C] -- C:\Users\Noname\AppData\Roaming\PC Tools
[2010/03/02 16:38:54 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2010/03/02 16:32:05 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/03/02 16:31:51 | 000,000,000 | ---D | C] -- C:\Users\Noname\Documents\Simply Super Software
[2010/03/01 22:59:14 | 000,000,000 | ---D | C] -- C:\ProgramData\F-Secure
[2010/03/01 22:39:23 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2010/03/01 22:39:21 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/03/01 22:37:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/03/01 19:23:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/03/01 18:15:01 | 000,096,104 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/03/01 18:15:01 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/03/01 18:15:01 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2010/03/01 18:15:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/03/01 18:15:00 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/02/28 20:01:42 | 000,000,000 | ---D | C] -- C:\Users\Noname\AppData\Roaming\Google
[2010/02/28 14:11:34 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2010/02/26 14:11:41 | 000,032,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msonpmon.dll
[2010/02/26 14:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2010/02/26 14:11:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/02/26 14:11:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/02/26 14:09:59 | 000,000,000 | ---D | C] -- C:\Users\Noname\AppData\Local\Microsoft Help
[2010/02/26 14:09:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2010/02/24 18:42:04 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2010/02/24 13:35:37 | 000,000,000 | ---D | C] -- C:\Users\Noname\Documents\FIFA 10
[2010/02/24 13:08:57 | 000,000,000 | ---D | C] -- C:\Users\Noname\AppData\Roaming\Leadertech

========== Files - Modified Within 30 Days ==========

[2010/03/04 02:06:49 | 001,572,864 | -HS- | M] () -- C:\Users\Noname\NTUSER.DAT
[2010/03/04 01:39:35 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/04 01:19:42 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/04 00:42:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/04 00:42:51 | 2616,549,376 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/03 22:41:25 | 001,056,618 | -H-- | M] () -- C:\Users\Noname\AppData\Local\IconCache.db
[2010/03/03 22:36:16 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/03/03 22:19:00 | 004,118,254 | R--- | M] () -- C:\Users\Noname\Desktop\thcbytes.exe
[2010/03/03 22:16:06 | 000,293,376 | ---- | M] () -- C:\Users\Noname\Desktop\jennz358.exe
[2010/03/03 22:12:09 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/03/03 22:02:28 | 004,118,254 | R--- | M] () -- C:\Users\Noname\Desktop\ComboFix.exe
[2010/03/03 18:58:06 | 000,011,242 | ---- | M] () -- C:\Users\Noname\Desktop\atapi.rar
[2010/03/03 18:57:56 | 000,021,584 | ---- | M] (Microsoft Corporation) -- C:\Users\Noname\Desktop\atapi.sys
[2010/03/03 16:18:34 | 056,595,798 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/03/03 16:07:11 | 212,201,664 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/03/03 03:39:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/02 20:36:14 | 000,000,176 | ---- | M] () -- C:\Users\Noname\defogger_reenable
[2010/03/02 20:30:46 | 000,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/02 20:14:44 | 000,018,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/02 20:14:44 | 000,018,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/02 17:39:34 | 000,000,302 | ---- | M] () -- C:\Windows\tasks\XoftSpy.job
[2010/03/02 17:35:28 | 000,000,953 | ---- | M] () -- C:\Users\Noname\Desktop\XoftSpy.lnk
[2010/03/02 17:33:40 | 000,001,492 | ---- | M] () -- C:\Users\Noname\Desktop\avg report.csv
[2010/03/02 16:39:29 | 000,001,924 | ---- | M] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/03/02 16:21:40 | 000,000,522 | ---- | M] () -- C:\Users\Public\Desktop\ÁTorrent.lnk
[2010/03/01 22:39:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/03/01 22:30:54 | 000,270,832 | ---- | M] () -- C:\Users\Noname\Desktop\virus.jpg
[2010/03/01 22:30:33 | 000,000,000 | ---- | M] () -- C:\Users\Noname\Desktop\virus.bmp
[2010/03/01 20:26:26 | 000,000,036 | ---- | M] () -- C:\Users\Noname\AppData\Local\housecall.guid.cache
[2010/03/01 19:23:41 | 000,001,835 | ---- | M] () -- C:\Users\Noname\Desktop\CCleaner.lnk
[2010/03/01 18:15:06 | 000,002,016 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/02/28 14:12:50 | 000,324,064 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/02/28 14:11:36 | 000,409,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\systemcpl.dll
[2010/02/28 14:11:36 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\slwga.dll
[2010/02/28 13:48:49 | 000,072,032 | ---- | M] () -- C:\Users\Noname\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/02/28 13:10:11 | 001,523,498 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/02/28 13:10:11 | 000,691,346 | ---- | M] () -- C:\Windows\System32\perfh013.dat
[2010/02/28 13:10:11 | 000,617,196 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/02/28 13:10:11 | 000,129,994 | ---- | M] () -- C:\Windows\System32\perfc013.dat
[2010/02/28 13:10:11 | 000,103,942 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/02/26 14:15:37 | 000,000,000 | ---- | M] () -- C:\Users\Noname\Desktop\Nieuw - Microsoft Office Word-document.docx
[2010/02/26 11:56:02 | 003,932,214 | ---- | M] () -- C:\Users\Noname\Desktop\toshiba.bmp
[2010/02/25 11:19:55 | 000,000,618 | ---- | M] () -- C:\Users\Noname\Desktop\FIFA10 - Snelkoppeling.lnk
[2010/02/05 14:44:52 | 000,001,532 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/02/05 14:35:08 | 000,002,170 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/02/05 09:25:38 | 000,070,408 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys

========== Files Created - No Company Name ==========

[2010/03/03 22:18:56 | 004,118,254 | R--- | C] () -- C:\Users\Noname\Desktop\thcbytes.exe
[2010/03/03 22:16:05 | 000,293,376 | ---- | C] () -- C:\Users\Noname\Desktop\jennz358.exe
[2010/03/03 22:03:39 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/03/03 22:03:39 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/03/03 22:03:39 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/03/03 22:03:39 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/03/03 22:03:39 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/03/03 22:02:28 | 004,118,254 | R--- | C] () -- C:\Users\Noname\Desktop\ComboFix.exe
[2010/03/03 18:58:06 | 000,011,242 | ---- | C] () -- C:\Users\Noname\Desktop\atapi.rar
[2010/03/02 21:58:18 | 000,004,648 | ---- | C] () -- C:\Users\Noname\AppData\Local\96ED1012-18E2-4ACC-8A82-33311ABC7D99.txt
[2010/03/02 20:35:58 | 000,000,176 | ---- | C] () -- C:\Users\Noname\defogger_reenable
[2010/03/02 20:30:46 | 000,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/02 17:39:34 | 000,000,302 | ---- | C] () -- C:\Windows\tasks\XoftSpy.job
[2010/03/02 17:35:28 | 000,000,953 | ---- | C] () -- C:\Users\Noname\Desktop\XoftSpy.lnk
[2010/03/02 17:33:40 | 000,001,492 | ---- | C] () -- C:\Users\Noname\Desktop\avg report.csv
[2010/03/02 16:40:02 | 000,007,412 | ---- | C] () -- C:\Windows\System32\drivers\PCTAppEvent.cat
[2010/03/02 16:40:02 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctcore.cat
[2010/03/02 16:39:29 | 000,001,924 | ---- | C] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/03/02 16:39:11 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctplsg.cat
[2010/03/02 16:21:40 | 000,000,522 | ---- | C] () -- C:\Users\Public\Desktop\ÁTorrent.lnk
[2010/03/02 02:10:52 | 212,201,664 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/03/01 22:30:54 | 000,270,832 | ---- | C] () -- C:\Users\Noname\Desktop\virus.jpg
[2010/03/01 22:30:33 | 000,000,000 | ---- | C] () -- C:\Users\Noname\Desktop\virus.bmp
[2010/03/01 20:26:26 | 000,000,036 | ---- | C] () -- C:\Users\Noname\AppData\Local\housecall.guid.cache
[2010/03/01 19:23:41 | 000,001,835 | ---- | C] () -- C:\Users\Noname\Desktop\CCleaner.lnk
[2010/03/01 18:15:06 | 000,002,016 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/02/26 14:15:37 | 000,000,000 | ---- | C] () -- C:\Users\Noname\Desktop\Nieuw - Microsoft Office Word-document.docx
[2010/02/26 11:55:48 | 003,932,214 | ---- | C] () -- C:\Users\Noname\Desktop\toshiba.bmp
[2010/02/25 11:19:55 | 000,000,618 | ---- | C] () -- C:\Users\Noname\Desktop\FIFA10 - Snelkoppeling.lnk
[2010/02/05 14:35:08 | 000,002,170 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/12/01 01:24:28 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/11/30 14:33:59 | 000,000,011 | ---- | C] () -- C:\Windows\EuBcd.ini
[2009/11/30 14:31:23 | 000,472,064 | ---- | C] () -- C:\Windows\System32\NTFSFormat.dll
[2009/11/30 14:31:23 | 000,139,776 | ---- | C] () -- C:\Windows\System32\NTFSCopy.dll
[2009/11/30 14:31:23 | 000,093,184 | ---- | C] () -- C:\Windows\System32\Partition.dll
[2009/11/30 14:31:23 | 000,086,528 | ---- | C] () -- C:\Windows\System32\NTFSLib.dll
[2009/11/30 14:31:23 | 000,086,016 | ---- | C] () -- C:\Windows\System32\ResizeNTFS.dll
[2009/11/30 14:31:23 | 000,061,952 | ---- | C] () -- C:\Windows\System32\FatResizeMove.dll
[2009/11/30 14:31:23 | 000,045,568 | ---- | C] () -- C:\Windows\System32\FileSystemCheck.dll
[2009/11/30 14:31:23 | 000,024,576 | ---- | C] () -- C:\Windows\System32\NTFSFileSystemAnalyser.dll
[2009/11/30 14:31:23 | 000,021,504 | ---- | C] () -- C:\Windows\System32\Fixup.dll
[2009/11/30 14:31:23 | 000,017,920 | ---- | C] () -- C:\Windows\System32\SectorCopy.dll
[2009/11/30 14:31:23 | 000,014,848 | ---- | C] () -- C:\Windows\System32\FileSystemAnalyser.dll
[2009/11/30 14:31:22 | 000,180,224 | ---- | C] () -- C:\Windows\System32\DeviceManager.dll
[2009/11/30 14:31:22 | 000,068,096 | ---- | C] () -- C:\Windows\System32\Device.dll
[2009/11/30 14:31:22 | 000,065,536 | ---- | C] () -- C:\Windows\System32\FatCopy.dll
[2009/11/30 14:31:22 | 000,031,744 | ---- | C] () -- C:\Windows\System32\FatLib.dll
[2009/11/30 14:31:22 | 000,025,088 | ---- | C] () -- C:\Windows\System32\FATFileSystemAnalyser.dll
[2009/11/30 14:31:22 | 000,022,016 | ---- | C] () -- C:\Windows\System32\FatFormat.dll
[2009/11/30 14:31:22 | 000,014,848 | ---- | C] () -- C:\Windows\System32\EuEpmGdi.dll
[2009/11/30 14:31:22 | 000,010,752 | ---- | C] () -- C:\Windows\System32\DeviceAdapter.dll
[2009/11/30 14:31:22 | 000,009,728 | ---- | C] () -- C:\Windows\System32\epmntdrv.sys
[2009/11/30 14:31:22 | 000,006,656 | ---- | C] () -- C:\Windows\System32\CallbackOperator.dll
[2009/11/30 14:31:22 | 000,003,072 | ---- | C] () -- C:\Windows\System32\EuGdiDrv.sys
[2009/08/03 00:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009/04/22 04:50:07 | 000,073,216 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/04/22 04:40:32 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/04/22 04:34:32 | 000,193,024 | ---- | C] () -- C:\Windows\System32\sppcomapi.dll
[2004/08/13 11:56:20 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys

========== LOP Check ==========

[2009/12/03 00:38:40 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\DAEMON Tools Lite
[2010/02/24 13:08:57 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Leadertech
[2009/12/07 23:33:35 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\OpenOffice.org
[2009/12/03 01:00:45 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\The Creative Assembly
[2010/03/04 02:06:48 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\uTorrent
[2010/03/04 01:39:35 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/03/02 17:39:34 | 000,000,302 | ---- | M] () -- C:\Windows\Tasks\XoftSpy.job

========== Purity Check ==========



========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >

< %APPDATA%\*. >
[2009/12/17 23:56:25 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Adobe
[2009/12/03 00:38:40 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\DAEMON Tools Lite
[2009/12/29 16:10:10 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\DivX
[2010/02/28 20:01:44 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Google
[2009/11/28 06:52:36 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Identities
[2010/02/24 13:08:57 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Leadertech
[2009/12/01 00:37:43 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Macromedia
[2010/03/02 20:30:47 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Malwarebytes
[2009/04/22 11:24:12 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Media Center Programs
[2010/03/02 18:22:47 | 000,000,000 | --SD | M] -- C:\Users\Noname\AppData\Roaming\Microsoft
[2009/11/30 22:42:25 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Mozilla
[2009/12/07 23:33:35 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\OpenOffice.org
[2010/03/02 16:38:54 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\PC Tools
[2010/03/04 00:45:22 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\Skype
[2010/03/04 00:45:23 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\skypePM
[2009/12/03 01:00:45 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\The Creative Assembly
[2010/03/04 02:06:48 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\uTorrent
[2009/12/03 00:32:36 | 000,000,000 | ---D | M] -- C:\Users\Noname\AppData\Roaming\WinRAR

< %APPDATA%\*.exe /s >
[2007/01/01 22:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Users\Noname\AppData\Roaming\Google\Google Talk\googletalk.exe
[2010/02/28 20:01:44 | 000,079,367 | ---- | M] () -- C:\Users\Noname\AppData\Roaming\Google\Google Talk\uninstall.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/04/22 06:24:12 | 000,053,328 | ---- | M] (Microsoft Corporation) MD5=7DFFC1CD425BCD998D9FDA0192383A19 -- C:\Windows\ERDNT\cache\AGP440.sys
[2009/04/22 06:24:12 | 000,053,328 | ---- | M] (Microsoft Corporation) MD5=7DFFC1CD425BCD998D9FDA0192383A19 -- C:\Windows\System32\drivers\AGP440.sys
[2009/04/22 06:24:12 | 000,053,328 | ---- | M] (Microsoft Corporation) MD5=7DFFC1CD425BCD998D9FDA0192383A19 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_e13b2b757efc5205\AGP440.sys
[2009/04/22 06:24:12 | 000,053,328 | ---- | M] (Microsoft Corporation) MD5=7DFFC1CD425BCD998D9FDA0192383A19 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7100.0_none_2b05e59d13c6aac3\AGP440.sys

< MD5 for: ATAPI.SYS >
[2010/03/03 18:57:56 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=80C40F7FDFC376E4C5FEEC28B41C119E -- C:\Users\Noname\Desktop\atapi.sys
[2009/04/22 06:24:04 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=80C40F7FDFC376E4C5FEEC28B41C119E -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/22 06:24:04 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=80C40F7FDFC376E4C5FEEC28B41C119E -- C:\Windows\System32\drivers\atapi.sys
[2009/04/22 06:24:04 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=80C40F7FDFC376E4C5FEEC28B41C119E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_b27d5421375ad1cd\atapi.sys
[2009/04/22 06:24:04 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=80C40F7FDFC376E4C5FEEC28B41C119E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7100.0_none_4e2b207b769f9fe5\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/04/22 06:20:04 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=EC9930C8CDF46295A1354256435CB5DE -- C:\Windows\ERDNT\cache\cngaudit.dll
[2009/04/22 06:20:04 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=EC9930C8CDF46295A1354256435CB5DE -- C:\Windows\System32\cngaudit.dll
[2009/04/22 06:20:04 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=EC9930C8CDF46295A1354256435CB5DE -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/04/22 06:24:21 | 000,332,368 | ---- | M] (Intel Corporation) MD5=AC958B65CDE27ADFDEC628BF7ECCEB8C -- C:\Windows\System32\drivers\iaStorV.sys
[2009/04/22 06:24:21 | 000,332,368 | ---- | M] (Intel Corporation) MD5=AC958B65CDE27ADFDEC628BF7ECCEB8C -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/04/22 06:24:21 | 000,332,368 | ---- | M] (Intel Corporation) MD5=AC958B65CDE27ADFDEC628BF7ECCEB8C -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7100.0_none_20044ad9dcddcbd8\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/22 06:21:18 | 000,561,152 | ---- | M] (Microsoft Corporation) MD5=A3EA8619FBBC2D270D79C241CE426618 -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/04/22 06:21:18 | 000,561,152 | ---- | M] (Microsoft Corporation) MD5=A3EA8619FBBC2D270D79C241CE426618 -- C:\Windows\System32\netlogon.dll
[2009/04/22 06:21:18 | 000,561,152 | ---- | M] (Microsoft Corporation) MD5=A3EA8619FBBC2D270D79C241CE426618 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7100.0_none_6eaaafa48d0fb9a0\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/04/22 06:24:17 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=93CF6F974095F7D146AA273F3BF418D7 -- C:\Windows\System32\drivers\nvstor.sys
[2009/04/22 06:24:17 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=93CF6F974095F7D146AA273F3BF418D7 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_4d1b6b7b67c54c8c\nvstor.sys
[2009/04/22 06:24:17 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=93CF6F974095F7D146AA273F3BF418D7 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7100.0_none_aacdbb89141475b0\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/04/22 06:21:47 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=686BAFE6AF35AF1C8D5EB536A8500430 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/04/22 06:21:47 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=686BAFE6AF35AF1C8D5EB536A8500430 -- C:\Windows\System32\scecli.dll
[2009/04/22 06:21:47 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=686BAFE6AF35AF1C8D5EB536A8500430 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7100.0_none_a900dabd2e31405b\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/22 06:22:02 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:CB0AACC9
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

==========
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 thcbytes
  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 03 March 2010 - 09:29 PM

Hi,

Please do not attach logs!!!!!!!!! Please copy and paste all logs directly into your reply.

==========

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Avira.

==========

QUOTE
[2010/03/03 18:58:06 | 000,011,242 | ---- | M] () -- C:\Users\Noname\Desktop\atapi.rar
[2010/03/03 18:57:56 | 000,021,584 | ---- | C] (Microsoft Corporation) -- C:\Users\Noname\Desktop\atapi.sys

Did you replace this file yourself? It appears that my program quarantined and replaced the file too.

==========

We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

==========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RESTORE::
c:\windows\System32\user32.dll


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

==========

With your next post please provide:

* Copy and paste all logs. DO NOT ATTACH LOGS!!
* Which antivirus software did you uninstall?
* Did you try to replace atapi.sys yourself?
* OTL fix log
* Combofix.txt
* MBAM log
* ESET log
* How is your computer running now?


Kind regards,
~t



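As an added illustration (not part of this thread, and not code from OTL or ComboFix), the check thcbytes is leaning on above can be scripted. OTL's "MD5 for:" sections list every copy of a system file it can find, and a patched driver such as the atapi.sys this thread is about shows up as the one live copy whose hash disagrees with the DriverStore and winsxs copies, which is exactly the copy the RESTORE:: script then replaces from winsxs. The Python below parses those sections from a constructed log excerpt (the store hashes are the ones from the OTL log earlier in the thread; the live atapi.sys hash is a made-up placeholder) and reports the mismatches. The store-path markers and the majority-vote reference are my assumptions, not OTL's own logic.

```python
"""Triage helper for the "MD5 for:" sections of an OTL log (added example)."""
import re
from collections import Counter, defaultdict

# One OTL MD5 line: [date time | size | attrs | M] (Company) MD5=<32 hex> -- <path>
MD5_LINE = re.compile(
    r"^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)
# Section header of the form "< MD5 for: ATAPI.SYS >"
MD5_HEADER = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")

# Locations Windows keeps pristine copies in (assumption: the three path
# families OTL listed in this thread; extend for other stores).
STORE_MARKERS = ("\\winsxs\\", "\\driverstore\\", "\\erdnt\\")

# Constructed sample: the store hashes for atapi.sys and cngaudit.dll are the
# values from the thread's OTL log; the live atapi.sys hash is a made-up
# placeholder standing in for a patched driver. Size and company string are
# left unchanged on purpose: a patched PE keeps its version resource.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2009/04/22 06:24:04 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=0123456789ABCDEF0123456789ABCDEF -- C:\Windows\System32\drivers\atapi.sys
[2009/04/22 06:24:04 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=80C40F7FDFC376E4C5FEEC28B41C119E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_b27d5421375ad1cd\atapi.sys
[2009/04/22 06:24:04 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=80C40F7FDFC376E4C5FEEC28B41C119E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7100.0_none_4e2b207b769f9fe5\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/04/22 06:20:04 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=EC9930C8CDF46295A1354256435CB5DE -- C:\Windows\System32\cngaudit.dll
[2009/04/22 06:20:04 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=EC9930C8CDF46295A1354256435CB5DE -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/22 06:22:02 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll
"""


def parse_md5_sections(text):
    """Group OTL MD5 lines by file name: {NAME: [(md5, path, size, company), ...]}."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<") and line.endswith(">"):
            hdr = MD5_HEADER.match(line)
            # any other custom-scan header ends the current MD5 section
            current = hdr.group("name").upper() if hdr else None
            continue
        if current is None:
            continue
        m = MD5_LINE.match(line)
        if m:  # lines without a hash ("Unable to obtain MD5") are skipped
            sections[current].append((
                m.group("md5").upper(),
                m.group("path"),
                int(m.group("size").replace(",", "")),
                m.group("company").strip(),
            ))
    return dict(sections)


def is_store_copy(path):
    """True for a copy held in a component store or backup rather than the live location."""
    p = path.lower()
    return any(marker in p for marker in STORE_MARKERS)


def find_mismatches(sections):
    """Flag every copy whose MD5 differs from the consensus of the store copies.

    Store copies are the reference; if OTL found none, the majority hash across
    all copies is used instead. Each finding carries the expected hash so the
    analyst can compare it with the copy ComboFix restores from winsxs.
    """
    findings = []
    for name, copies in sections.items():
        reference = [md5 for md5, path, _, _ in copies if is_store_copy(path)]
        if not reference:
            reference = [md5 for md5, _, _, _ in copies]
        expected = Counter(reference).most_common(1)[0][0]
        for md5, path, size, company in copies:
            if md5 != expected:
                findings.append({
                    "file": name, "path": path, "md5": md5,
                    "expected": expected, "size": size, "company": company,
                })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_md5_sections(SAMPLE_LOG)):
        print(f"{f['file']}: {f['path']} has MD5 {f['md5']}, store copies have "
              f"{f['expected']} (size {f['size']} and company '{f['company']}' unchanged)")
```

Note that size and company name are identical across all three atapi.sys copies in the sample: both come from the PE version resource and survive patching, so the hash comparison against the component store is the part of OTL's output that actually tells you something.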

#11 Covec
  • Topic Starter
  • Members
  • 19 posts
  • Gender:Male
  • Location:Netherlands

Posted 04 March 2010 - 01:51 PM

A quick reply to your first 3 pointers:

1: I requested help from AVG before I asked for your help on BleepingComputer.
After a couple of days I got a mail asking if I could send a copy of the atapi.sys file, zipped, to AVG.
Since I didn't install any software or alter anything, I thought this couldn't do harm.
So the zip file and the copy on my desktop were both copies of the original file; the original file never left its position.
2: I uninstalled the AVG virus scanner after your last reply; I've only got AntiVir running now.
3: Here are the OTL, ComboFix and MBAM logs:

All processes killed
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Noname
->Temp folder emptied: 148160 bytes
->Temporary Internet Files folder emptied: 2746694 bytes
->Java cache emptied: 25832893 bytes
->FireFox cache emptied: 35936674 bytes
->Google Chrome cache emptied: 301368459 bytes
->Flash cache emptied: 2514 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 608 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 349.00 mb


OTL by OldTimer - Version 3.1.32.0 log created on 03042010_191427

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


ComboFix log:

ComboFix 10-03-03.09 - Noname 03/04/2010 19:33:32.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7100.0.1252.1.1033.18.3327.2414 [GMT 1:00]
Running from: c:\users\Noname\Desktop\ComboFix.exe
Command switches used :: c:\users\Noname\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\System32\user32.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7100.0_none_3e2b64a2c272507b\user32.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-04 18:36 . 2010-03-04 18:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-04 18:36 . 2010-03-04 18:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-04 18:32 . 2010-02-24 08:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-04 18:14 . 2010-03-04 18:14 -------- d-----w- C:\_OTL
2010-03-03 21:32 . 2010-03-03 21:37 -------- d-----w- C:\thcbytes
2010-03-03 21:10 . 2010-03-04 18:37 -------- d-----w- c:\users\Noname\AppData\Local\temp
2010-03-02 19:30 . 2010-03-02 19:30 -------- d-----w- c:\users\Noname\AppData\Roaming\Malwarebytes
2010-03-02 19:30 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 19:30 . 2010-03-02 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 19:30 . 2010-03-02 19:30 -------- d-----w- c:\programdata\Malwarebytes
2010-03-02 19:30 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 19:18 . 2010-03-02 19:25 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-02 16:35 . 2010-03-02 16:39 -------- d-----w- c:\program files\XoftSpy
2010-03-02 15:40 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-02 15:40 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-02 15:39 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-02 15:38 . 2010-03-02 15:39 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-02 15:38 . 2010-03-02 15:39 -------- d-----w- c:\program files\Spyware Doctor
2010-03-02 15:38 . 2010-03-02 15:38 -------- d-----w- c:\users\Noname\AppData\Roaming\PC Tools
2010-03-02 15:38 . 2010-03-02 15:38 -------- d-----w- c:\programdata\PC Tools
2010-03-01 21:59 . 2010-03-01 21:59 -------- d-----w- c:\programdata\F-Secure
2010-03-01 21:39 . 2010-03-02 15:17 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-01 21:39 . 2010-03-01 21:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-01 21:37 . 2010-03-02 15:17 -------- d-----w- c:\programdata\Lavasoft
2010-03-01 18:23 . 2010-03-01 18:23 -------- d-----w- c:\program files\CCleaner
2010-03-01 17:15 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-01 17:15 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-01 17:15 . 2010-03-01 17:15 -------- d-----w- c:\programdata\Avira
2010-03-01 17:15 . 2010-03-01 17:15 -------- d-----w- c:\program files\Avira
2010-02-28 19:01 . 2010-02-28 19:01 79367 ----a-w- c:\users\Noname\AppData\Roaming\Google\Google Talk\uninstall.exe
2010-02-28 13:11 . 2010-02-28 13:11 -------- d-----w- c:\windows\system32\Wat
2010-02-27 20:26 . 2010-02-27 20:26 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-02-26 13:11 . 2008-11-10 10:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-02-26 13:11 . 2006-10-26 18:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-02-26 13:11 . 2010-02-28 02:00 -------- d-----w- c:\program files\Microsoft Works
2010-02-26 13:11 . 2010-02-26 13:11 -------- d-----w- c:\program files\Microsoft.NET
2010-02-26 13:09 . 2010-02-26 13:09 -------- d-----w- c:\users\Noname\AppData\Local\Microsoft Help
2010-02-26 13:09 . 2010-02-28 10:30 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 12:08 . 2010-02-24 12:08 -------- d-----w- c:\users\Noname\AppData\Roaming\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 18:37 . 2009-11-30 21:43 -------- d-----w- c:\users\Noname\AppData\Roaming\uTorrent
2010-03-04 18:26 . 2009-11-30 22:23 -------- d-----w- c:\users\Noname\AppData\Roaming\Skype
2010-03-04 18:16 . 2009-12-01 00:24 -------- d-----w- c:\users\Noname\AppData\Roaming\skypePM
2010-03-03 15:08 . 2009-12-02 23:39 -------- d-----w- c:\program files\Common Files\Steam
2010-03-02 15:48 . 2009-11-30 22:23 -------- d-----r- c:\program files\Skype
2010-03-01 22:13 . 2009-11-30 22:16 -------- d-----w- c:\program files\Google
2010-02-28 13:11 . 2009-04-22 03:38 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-02-28 13:11 . 2009-04-22 03:34 13824 ----a-w- c:\windows\system32\slwga.dll
2010-02-28 12:48 . 2009-11-30 13:27 72032 ----a-w- c:\users\Noname\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-28 12:10 . 2009-11-28 06:12 691346 ----a-w- c:\windows\system32\perfh013.dat
2010-02-28 12:10 . 2009-11-28 06:12 129994 ----a-w- c:\windows\system32\perfc013.dat
2010-02-05 13:46 . 2009-12-07 22:33 1 ----a-w- c:\users\Noname\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-05 13:44 . 2009-12-17 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-31 15:00 . 2010-01-31 15:00 -------- d-----w- c:\program files\AGEIA Technologies
2010-01-31 15:00 . 2010-01-31 15:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-31 15:00 . 2010-01-31 14:51 -------- d-----w- c:\program files\Common Files\BioWare
2010-01-26 18:09 . 2009-11-30 21:49 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-20 11:36 . 2009-12-20 11:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-03-27 04:24 . 2009-04-22 05:58 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-04-22 05:19 . 2009-04-22 03:40 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7100.0_none_624b25e9a4cb0444\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-03-03_21.12.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-30 13:04 . 2010-03-04 18:27 27036 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-04-22 08:29 . 2010-03-04 18:27 36470 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-28 21:37 . 2010-03-04 18:08 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-28 21:37 . 2010-03-03 21:05 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-22 08:14 . 2010-03-04 18:08 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-22 08:14 . 2010-03-03 21:05 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-28 06:17 . 2010-03-03 21:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-28 06:17 . 2010-03-04 18:38 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-28 06:17 . 2010-03-04 18:38 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-28 06:17 . 2010-03-03 21:12 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-28 06:17 . 2010-03-03 21:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-28 06:17 . 2010-03-04 18:38 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-01 00:23 . 2010-03-03 21:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-01 00:23 . 2010-03-04 18:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-01 00:23 . 2010-03-03 21:08 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-01 00:23 . 2010-03-04 18:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-01 00:23 . 2010-03-04 18:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-01 00:23 . 2010-03-03 21:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-28 06:18 . 2010-03-04 18:27 8574 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3841116261-2093695884-1951506884-1001_UserData.bin
+ 2010-03-04 18:31 . 2010-03-04 18:32 2182 c:\windows\SoftwareDistribution\EventCache\{FFF76775-78E5-4298-82E3-F6BA4E4AA46B}.bin
+ 2010-03-04 18:25 . 2010-03-04 18:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-03-03 21:05 . 2010-03-03 21:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-03-04 18:25 . 2010-03-04 18:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-04-22 03:22 . 2009-04-22 05:22 811520 c:\windows\System32\user32.dll
- 2009-04-22 03:22 . 2010-02-28 13:11 811520 c:\windows\System32\user32.dll
- 2009-11-28 21:37 . 2010-03-03 21:05 360448 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-28 21:37 . 2010-03-04 18:08 360448 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
@="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
[HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
2009-04-22 05:21 441856 ----a-w- c:\windows\System32\ntshrui.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Steam"="j:\steam\steam.exe" [2010-02-22 1217872]
"googletalk"="c:\users\Noname\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"uTorrent"="j:\utorrent\uTorrent.exe" [2010-03-03 319280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"Adobe Reader Speed Launcher"="j:\adobe\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-01-18 1286608]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

R2 gupdate1ca720ad8dab023;Google Update Service (gupdate1ca720ad8dab023);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 133104]
R2 WinDefend;Windows Defender;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 AcpiPmi;ACPI Power Meter Driver;c:\windows\system32\DRIVERS\acpipmi.sys [2009-04-22 9728]
R3 adp94xx;adp94xx;c:\windows\system32\DRIVERS\adp94xx.sys [2009-04-22 422992]
R3 adpahci;adpahci;c:\windows\system32\DRIVERS\adpahci.sys [2009-04-22 297552]
R3 amdsata;amdsata;c:\windows\system32\DRIVERS\amdsata.sys [2009-04-22 77904]
R3 amdsbs;amdsbs;c:\windows\system32\DRIVERS\amdsbs.sys [2009-04-22 159312]
R3 AppID;AppID-stuurprogramma;c:\windows\system32\drivers\appid.sys [2009-04-22 50176]
R3 AppIDSvc;Toepassings-id;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 arcsas;arcsas;c:\windows\system32\DRIVERS\arcsas.sys [2009-04-22 86608]
R3 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\DRIVERS\bxvbdx.sys [2009-04-22 430080]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2009-04-22 229888]
R3 BDESVC;BitLocker Drive Encryption Service;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\DRIVERS\BrFiltLo.sys [2009-04-22 13568]
R3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\DRIVERS\BrFiltUp.sys [2009-04-22 5248]
R3 Brserid;Brother MFC Serial Port Interface Driver (WDM);c:\windows\System32\Drivers\Brserid.sys [2009-04-22 272128]
R3 BrSerWdm;Brother WDM Serial driver;c:\windows\System32\Drivers\BrSerWdm.sys [2009-04-22 62336]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\System32\Drivers\BrUsbMdm.sys [2009-04-22 12160]
R3 CertPropSvc;Certificate Propagation;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 circlass;Consumer IR Devices;c:\windows\system32\DRIVERS\circlass.sys [2009-04-22 37888]
R3 defragsvc;Disk Defragmenter;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;c:\windows\system32\DRIVERS\evbdx.sys [2009-04-22 3100160]
R3 elxstor;elxstor;c:\windows\system32\DRIVERS\elxstor.sys [2009-04-22 453712]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-02-23 9728]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-02-23 3072]
R3 Filetrace;Filetrace;c:\windows\system32\drivers\filetrace.sys [2009-04-22 28160]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 FsDepends;File System Dependency Minifilter;c:\windows\system32\drivers\FsDepends.sys [2009-04-22 45648]
R3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\system32\drivers\hcw85cir.sys [2009-04-22 26624]
R3 HpSAMD;HpSAMD;c:\windows\system32\DRIVERS\HpSAMD.sys [2009-04-22 67152]
R3 iaStorV;iaStorV;c:\windows\system32\DRIVERS\iaStorV.sys [2009-04-22 332368]
R3 IKEEXT;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 IPBusEnum;PnP-X IP Bus Enumerator;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 IPMIDRV;IPMIDRV;c:\windows\system32\DRIVERS\IPMIDrv.sys [2009-04-22 65536]
R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\DRIVERS\msiscsi.sys [2009-04-22 186960]
R3 KtmRm;KtmRm for Distributed Transaction Coordinator;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 lltdsvc;Link-Layer Topology Discovery Mapper;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 LSI_FC;LSI_FC;c:\windows\system32\DRIVERS\lsi_fc.sys [2009-04-22 95824]
R3 LSI_SAS;LSI_SAS;c:\windows\system32\DRIVERS\lsi_sas.sys [2009-04-22 89168]
R3 LSI_SAS2;LSI_SAS2;c:\windows\system32\DRIVERS\lsi_sas2.sys [2009-04-22 54864]
R3 LSI_SCSI;LSI_SCSI;c:\windows\system32\DRIVERS\lsi_scsi.sys [2009-04-22 96848]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
R3 megasas;megasas;c:\windows\system32\DRIVERS\megasas.sys [2009-04-22 30800]
R3 mpio;mpio;c:\windows\system32\DRIVERS\mpio.sys [2009-04-22 130640]
R3 msahci;msahci;c:\windows\system32\DRIVERS\msahci.sys [2009-04-22 27728]
R3 msdsm;msdsm;c:\windows\system32\DRIVERS\msdsm.sys [2009-04-22 115792]
R3 mshidkmdf;Pass-through HID to KMDF Filter Driver;c:\windows\System32\drivers\mshidkmdf.sys [2009-04-22 4096]
R3 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 MsRPC;MsRPC; [x]
R3 MTConfig;Microsoft Input Configuration Driver;c:\windows\system32\DRIVERS\MTConfig.sys [2009-04-22 12288]
R3 NativeWifiP;NativeWiFi Filter;c:\windows\system32\DRIVERS\nwifi.sys [2009-04-22 267264]
R3 NdisCap;NDIS Capture LightWeight Filter;c:\windows\system32\DRIVERS\ndiscap.sys [2009-04-22 27136]
R3 nfrd960;nfrd960;c:\windows\system32\DRIVERS\nfrd960.sys [2009-04-22 44624]
R3 nvstor;nvstor;c:\windows\system32\DRIVERS\nvstor.sys [2009-04-22 142416]
R3 PcaSvc;Program Compatibility Assistant-service;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 pla;Performance Logs & Alerts;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 PNRPAutoReg;PNRP Machine Name Publication-service;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 ql2300;ql2300;c:\windows\system32\DRIVERS\ql2300.sys [2009-04-22 1383504]
R3 ql40xx;ql40xx;c:\windows\system32\DRIVERS\ql40xx.sys [2009-04-22 105552]
R3 s3cap;s3cap;c:\windows\system32\DRIVERS\vms3cap.sys [2009-04-22 5632]
R3 scfilter;Klassefilterstuurprogramma voor smartcard-PnP;c:\windows\system32\DRIVERS\scfilter.sys [2009-04-22 26624]
R3 SCPolicySvc;Smart Card Removal Policy;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 SDRSVC;Windows Back-up;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 SensrSvc;Adaptive Brightness;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 SessionEnv;Remote Desktop Configuration;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 sffp_mmc;SFF Storage Protocol Driver for MMC;c:\windows\system32\DRIVERS\sffp_mmc.sys [2009-04-22 12288]
R3 SiSRaid4;SiSRaid4;c:\windows\system32\DRIVERS\sisraid4.sys [2009-04-22 77904]
R3 Smb;Bericht-georiënteerd TCP/IP- en TCP/IPv6-protocol (SMB-sessie);c:\windows\system32\DRIVERS\smb.sys [2009-04-22 71168]
R3 sppsvc;Software Protection;c:\windows\system32\sppsvc.exe [2009-04-22 3179520]
R3 sppuinotify;SPP Notification-service;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 stexstor;stexstor;c:\windows\system32\DRIVERS\stexstor.sys [2009-04-22 21072]
R3 storvsc;storvsc;c:\windows\system32\DRIVERS\storvsc.sys [2009-04-22 28240]
R3 TabletInputService;Tablet PC Input Service;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 TBS;TPM Base Services;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 THREADORDER;Thread Ordering Server;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 TrustedInstaller;Windows Modules Installer;c:\windows\servicing\TrustedInstaller.exe [2009-04-22 204800]
R3 tssecsrv;Remote Desktop Services Security Filter Driver;c:\windows\system32\DRIVERS\tssecsrv.sys [2009-04-22 30208]
R3 UI0Detect;Interactive Services Detection;c:\windows\system32\UI0Detect.exe [2009-04-22 35840]
R3 uliagpkx;Uli AGP Bus Filter;c:\windows\system32\DRIVERS\uliagpkx.sys [2009-04-22 57424]
R3 UmRdpService;Remote Desktop Services UserMode Port Redirector;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 usbcir;eHome Infrared Receiver (USBCIR);c:\windows\system32\DRIVERS\usbcir.sys [2009-04-22 86016]
R3 VaultSvc;Referentiebeheer;c:\windows\system32\lsass.exe [2009-04-22 22528]
R3 vhdmp;vhdmp;c:\windows\system32\DRIVERS\vhdmp.sys [2009-04-22 158288]
R3 ViaC7;VIA C7 Processor Driver;c:\windows\system32\DRIVERS\viac7.sys [2009-04-22 52736]
R3 vmbus;vmbus;c:\windows\system32\DRIVERS\vmbus.sys [2009-04-22 175824]
R3 VMBusHID;VMBusHID;c:\windows\system32\DRIVERS\VMBusHID.sys [2009-04-22 17920]
R3 vsmraid;vsmraid;c:\windows\system32\DRIVERS\vsmraid.sys [2009-04-22 141904]
R3 vwifibus;Stuurprogramma voor Virtual WiFi-bus;c:\windows\System32\drivers\vwifibus.sys [2009-04-22 19968]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2009-04-22 21632]
R3 wbengine;Block Level Backup Engine-service;c:\windows\system32\wbengine.exe [2009-04-22 1203200]
R3 WbioSrvc;Windows Biometric Service;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 wcncsvc;Windows Connect Now - Config Registrar;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 WcsPlugInService;Windows Color System;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 Wd;Wd;c:\windows\system32\DRIVERS\wd.sys [2009-04-22 19024]
R3 Wecsvc;Windows Event Collector;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 wercplsupport;Problem Reports and Solutions Control Panel Support;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 WerSvc;Windows Error Reporting Service;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 WIMMount;WIMMount;c:\windows\system32\drivers\wimmount.sys [2009-04-22 19024]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 Wlansvc;WLAN Auto Config;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 WPCSvc;Parental Controls;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 WwanSvc;WWAN AutoConfig;c:\windows\system32\svchost.exe [2009-04-22 20992]
R4 Mcx2Svc;Media Center Extender-service;c:\windows\system32\svchost.exe [2009-04-22 20992]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-30 691696]
S0 amdxata;amdxata;c:\windows\system32\DRIVERS\amdxata.sys [2009-04-22 23120]
S0 CLFS;Common Log (CLFS);c:\windows\System32\CLFS.sys [2009-04-22 249424]
S0 CNG;CNG;c:\windows\System32\Drivers\cng.sys [2009-04-22 369056]
S0 FileInfo;File Information FS MiniFilter;c:\windows\system32\drivers\fileinfo.sys [2009-04-22 58448]
S0 fvevol;Filterstuurprogramma Bitlocker-stationsvergrendeling;c:\windows\System32\DRIVERS\fvevol.sys [2009-04-22 194488]
S0 hwpolicy;Hardware Policy Driver;c:\windows\System32\drivers\hwpolicy.sys [2009-04-22 13904]
S0 KSecPkg;KSecPkg;c:\windows\System32\Drivers\ksecpkg.sys [2009-04-22 133200]
S0 msisadrv;msisadrv;c:\windows\system32\DRIVERS\msisadrv.sys [2009-04-22 13904]
S0 pcw;Performance Counters for Windows Driver;c:\windows\System32\drivers\pcw.sys [2009-04-22 42576]
S0 rdyboost;ReadyBoost;c:\windows\System32\drivers\rdyboost.sys [2009-04-22 173648]
S0 spldr;Security Processor Loader Driver; [x]
S0 storflt;Schijf - Filterstuurprogramma voor Virtual Machine-busaccelerator;c:\windows\system32\DRIVERS\vmstorfl.sys [2009-04-22 40912]
S0 vdrvroot;Microsoft Virtual Drive Enumerator Driver;c:\windows\system32\DRIVERS\vdrvroot.sys [2009-04-22 32848]
S0 volmgr;Volume Manager Driver;c:\windows\system32\DRIVERS\volmgr.sys [2009-04-22 52304]
S0 volmgrx;Dynamisch Volumebeheer;c:\windows\System32\drivers\volmgrx.sys [2009-04-22 297040]
S1 blbdrive;blbdrive;c:\windows\system32\DRIVERS\blbdrive.sys [2009-04-22 35328]
S1 CSC;Offlinebestandenstuurprogramma;c:\windows\system32\drivers\csc.sys [2009-04-22 387584]
S1 DfsC;DFS Namespace Client Driver;c:\windows\system32\Drivers\dfsc.sys [2009-04-22 78336]
S1 discache;System Attribute Cache;c:\windows\system32\drivers\discache.sys [2009-04-22 32768]
S1 nsiproxy;NSI proxy service driver.;c:\windows\system32\drivers\nsiproxy.sys [2009-04-22 16896]
S1 RDPENCDD;RDP Encoder Mirror Driver;c:\windows\system32\drivers\rdpencdd.sys [2009-04-22 6656]
S1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;c:\windows\system32\drivers\rdprefmp.sys [2009-04-22 7168]
S1 tdx;Stuurprogramma voor ondersteuning van NetIO Legacy TDI;c:\windows\system32\DRIVERS\tdx.sys [2009-04-22 74240]
S1 Wanarpv6;IPv6 ARP-stuurprogramma voor externe toegang;c:\windows\system32\DRIVERS\wanarp.sys [2009-04-22 63488]
S1 WfpLwf;WFP Lightweight Filter;c:\windows\system32\DRIVERS\wfplwf.sys [2009-04-22 9728]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 AudioEndpointBuilder;Windows Audio Endpoint Builder;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 BFE;Base Filtering Engine;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 CscService;Offline Files;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 DPS;Diagnostic Policy Service;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 FDResPub;Function Discovery Resource Publication;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 gpsvc;Group Policy Client;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 iphlpsvc;IP Helper;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;c:\windows\system32\DRIVERS\lltdio.sys [2009-04-22 48128]
S2 luafv;Virtualisatie van UAC-bestanden;c:\windows\system32\drivers\luafv.sys [2009-04-22 86528]
S2 MMCSS;Multimedia Class Scheduler;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 MpsSvc;Windows Firewall;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 NlaSvc;Network Location Awareness;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 nsi;Network Store Interface-service;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 PEAUTH;PEAUTH;c:\windows\system32\drivers\peauth.sys [2009-04-22 586752]
S2 Power;Power;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 ProfSvc;User Profile-service;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 RpcEptMapper;RPC Endpoint Mapper;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 SysMain;Superfetch;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 tcpipreg;TCP/IP Registry Compatibility;c:\windows\system32\drivers\tcpipreg.sys [2009-04-22 34816]
S2 UxSms;Desktop Window Manager Session Manager;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 1394ohci;1394 OHCI Compliant Host Controller;c:\windows\system32\DRIVERS\1394ohci.sys [2009-04-22 162816]
S3 Appinfo;Application Information;c:\windows\system32\svchost.exe [2009-04-22 20992]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [2009-10-13 49152]
S3 bowser;Stuurprogramma voor browserondersteuning;c:\windows\system32\DRIVERS\bowser.sys [2009-04-22 69632]
S3 CompositeBus;Composite Bus Enumerator Driver;c:\windows\system32\DRIVERS\CompositeBus.sys [2009-04-22 31232]
S3 DXGKrnl;LDDM Graphics Subsystem;c:\windows\System32\drivers\dxgkrnl.sys [2009-04-22 720384]
S3 fdPHost;Function Discovery Provider Host;c:\windows\system32\svchost.exe [2009-04-22 20992]
S3 HomeGroupListener;HomeGroup Listener;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 HomeGroupProvider;HomeGroup Provider;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 KeyIso;CNG Key Isolation;c:\windows\system32\lsass.exe [2009-04-22 22528]
S3 monitor;Microsoft Monitor Class Function Driver Service;c:\windows\system32\DRIVERS\monitor.sys [2009-04-22 23552]
S3 mpsdrv;Autorisatiestuurprogramma van Windows Firewall;c:\windows\system32\drivers\mpsdrv.sys [2009-04-22 60416]
S3 mrxsmb10;SMB 1.x mini-redirector;c:\windows\system32\DRIVERS\mrxsmb10.sys [2009-04-22 220672]
S3 mrxsmb20;SMB 2.0 mini-redirector;c:\windows\system32\DRIVERS\mrxsmb20.sys [2009-04-22 94720]
S3 netprofm;Network List-service;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 RasAgileVpn;WAN Miniport (IKEv2);c:\windows\system32\DRIVERS\AgileVpn.sys [2009-04-22 49152]
S3 rdpbus;Remote Desktop Device Redirector Bus Driver;c:\windows\system32\DRIVERS\rdpbus.sys [2009-04-22 18432]
S3 srv2;Stuurprogramma Server SMB 2.xxx;c:\windows\system32\DRIVERS\srv2.sys [2009-09-10 306688]
S3 srvnet;srvnet;c:\windows\system32\DRIVERS\srvnet.sys [2009-04-22 113664]
S3 tunnel;Microsoft Tunnel Miniport Adapter Driver;c:\windows\system32\DRIVERS\tunnel.sys [2009-04-22 108032]
S3 umbus;UMBus Enumerator Driver;c:\windows\system32\DRIVERS\umbus.sys [2009-04-22 39936]
S3 WdiServiceHost;Diagnostic Service Host;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 WdiSystemHost;Diagnostic System Host;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 WPDBusEnum;Portable Device Enumerator-service;c:\windows\system32\svchost.exe [2009-04-22 20992]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RPCSS REG_MULTI_SZ RpcEptMapper RpcSs
defragsvc REG_MULTI_SZ defragsvc
WerSvcGroup REG_MULTI_SZ wersvc
LocalServiceNoNetwork REG_MULTI_SZ DPS PLA BFE mpssvc WwanSvc
swprv REG_MULTI_SZ swprv
LocalServicePeerNet REG_MULTI_SZ PNRPSvc p2pimsvc p2psvc PnrpAutoReg
NetworkServiceAndNoImpersonation REG_MULTI_SZ KtmRm
regsvc REG_MULTI_SZ RemoteRegistry
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS AppIDSvc FontCache fdrespub QWAVE wcncsvc Mcx2Svc SensrSvc
DcomLaunch REG_MULTI_SZ Power PlugPlay DcomLaunch
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent
sdrsvc REG_MULTI_SZ sdrsvc
WbioSvcGroup REG_MULTI_SZ WbioSrvc
wcssvc REG_MULTI_SZ WcsPlugInService
secsvcs REG_MULTI_SZ WinDefend
AxInstSVGroup REG_MULTI_SZ AxInstSV
PeerDist REG_MULTI_SZ PeerDistSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
EapHost
wercplsupport
ProfSvc
hkmsvc
winmgmt
SessionEnv
schedule
browser
BDESVC
Themes
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
homegrouplistener


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
WdiServiceHost
sppuinotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
lanmanworkstation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
homegroupprovider

.
Contents of the 'Scheduled Tasks' folder

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 22:16]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 22:16]

2010-03-02 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2007-04-26 13:39]
.
.
------- Supplementary Scan -------
.
uStart Page = google.com
mStart Page = google.com
IE: E&xporteren naar Microsoft Excel - j:\office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Noname\AppData\Roaming\Mozilla\Firefox\Profiles\bbqo7j0t.default\
FF - prefs.js: browser.startup.homepage - Google.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: j:\adobe\Reader\browser\nppdf32.dll
FF - plugin: j:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: j:\divx\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\conhost.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-03-04 19:39:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 18:39
ComboFix2.txt 2010-03-03 21:37
ComboFix3.txt 2010-03-03 21:14

Pre-Run: 70,756,540,416 bytes beschikbaar
Post-Run: 70,505,140,224 bytes beschikbaar

- - End Of File - - 368D3692713DFC4163984349309D6A34

#12 Covec (Topic Starter, Members, 19 posts, Netherlands)

Posted 04 March 2010 - 01:52 PM

MBAM log, post was too long.

Malwarebytes' Anti-Malware 1.44
Database versie: 3825
Windows 6.1.7100
Internet Explorer 8.0.7100.0

3/4/2010 7:49:35 PM
mbam-log-2010-03-04 (19-49-35).txt

Scan type: Snelle Scan
Objecten gescand: 104907
Verstreken tijd: 2 minute(s), 43 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)


#13 thcbytes (Malware Response Team, 14,790 posts)

Posted 04 March 2010 - 02:03 PM

Very well done. Any further problems?
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#14 Covec (Topic Starter, Members, 19 posts, Netherlands)

Posted 04 March 2010 - 02:29 PM

The ESET scan couldn't find anything, but svchost.exe are still running.
I'll let the comp run for an hour, it used to crash within 90 minutes. Let's see if it lasts. If so, how to really confirm I'm malware/TH/rootkit free?

Many thanks for your help, it's been very helpful so far.

greets Covec

#15 thcbytes (Malware Response Team, 14,790 posts)

Posted 04 March 2010 - 03:19 PM

Let me get one more scan to make sure you're all clear.

We need to run an OTL Custom Scan
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  3. Push
  4. A report will open. Copy and Paste that report in your next reply.

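As an added example (not part of this thread and not OTL's own code), here is a PowerShell script that does by hand what the /md5start ... /md5stop part of the custom scan above asks OTL to do: find every copy of the listed system files under the Windows directory and record size, timestamp, MD5 and signature status, so they can be compared against a known-good install. It assumes PowerShell 4 or later (for Get-FileHash and -File) and that Windows lives at $env:SystemRoot.

```powershell
# Added example, not OTL's code. Assumes PowerShell 4+ and Windows at $env:SystemRoot.
# File names taken from the /md5start ... /md5stop list in the scan script above.
$names = @(
    'eventlog.dll','scecli.dll','netlogon.dll','cngaudit.dll','sceclt.dll',
    'ntelogon.dll','logevent.dll','iaStor.sys','nvstor.sys','atapi.sys',
    'IdeChnDr.sys','viasraid.sys','AGP440.sys','vaxscsi.sys','nvatabus.sys',
    'viamraid.sys','nvata.sys','nvgts.sys','iastorv.sys','ViPrt.sys',
    'eNetHook.dll','ahcix86.sys','KR10N.sys','nvstor32.sys','ahcix86s.sys'
)

# Walk the whole Windows tree, not only system32 and drivers: a second copy of
# a system file sitting in an unexpected directory is what this check should surface.
$found = Get-ChildItem -Path $env:SystemRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name }

$report = foreach ($f in $found) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Name      = $f.Name
        Path      = $f.FullName
        Size      = $f.Length
        Modified  = $f.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
        MD5       = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
        # Caveat: on older Windows many system files are catalog-signed, so
        # "NotSigned" here is not proof of tampering; the hash comparison against
        # a clean install of the same build is the real test.
        Signature = $sig.Status
    }
}

$report | Sort-Object Name, Path | Format-Table Name, Size, Modified, MD5, Signature -AutoSize

# Names present more than once deserve a closer look (which copy loads first?).
$dupes = $report | Group-Object Name | Where-Object { $_.Count -gt 1 } |
    Select-Object -ExpandProperty Name
if ($dupes) { "Multiple copies found for: $($dupes -join ', ')" }

# Listed names not found at all are usually drivers for hardware this machine lacks.
$missing = $names | Where-Object { $_ -notin $report.Name }
if ($missing) { "Not present on this system: $($missing -join ', ')" }
```

Run it from an elevated prompt so protected directories are readable; the MD5 column is what you line up against the same files on a known-clean machine of the same Windows build.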
