Trojan:WIN32/Alureon.CT keeps coming back


9 replies to this topic

#1 heartsurgeonno1


Posted 06 August 2010 - 10:34 PM

For the past 4 days, Microsoft Security Essentials detected and removed the Win32/Alureon.CT trojan at exactly 9pm each day. The only previous detected item before these was on 7/30/2010: an Exploit:HTML/iframeRef.gen in a firefox profiles folder.

My computer is running normally and I haven't experienced anything suspicious yet.

I ran a Malwarebytes scan and nothing was detected.

I googled around and found out that this was a rootkit which would be difficult to remove.
I ran Kaspersky's TDSS rootkit removing tool and it detected and quarantined C:\Windows\system32\Drivers\sptd.sys

Then I found this site.
I followed your preparation guide but I couldn't run GMER because it gives me the error "C:\Windows\system32\config\system: The system cannot find the file specified" when I open it.

Should I start backing up my files now? Would moving files from the C: drive to a different partition on the same drive be sufficient, or should I invest in an external HD? What shouldn't I do until this gets fixed?

Anyways, here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSX64
Run by Tom at 22:02:23.26 on Fri 08/06/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4063.2578 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Prey\platform\windows\cronsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files (x86)\gdipp\gdipp_svc_32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\gdipp\gdipp_svc_64.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\Samsung\PanelMgr\caller64.exe
C:\Users\Tom\xwd202\XWD.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Tom\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Microsoft Antimalware Script Scanner: {97055cd1-f6c4-40f8-af50-932f1890e7f5} - c:\program files (x86)\microsoft security client\antimalware\MpBHO.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Google Update] "c:\users\tom\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [<NO NAME>]
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
StartupFolder: c:\users\tom\appdata\roaming\micros~1\windows\startm~1\programs\startup\xwindo~1.lnk - c:\users\tom\xwd202\XWD.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: acaptuser32.dll
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun-x64: [Apoint] c:\program files\apoint\Apoint.exe
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun-x64: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
AppInit_DLLs-X64: acaptuser64.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tom\appdata\roaming\mozilla\firefox\profiles\9yj7c25j.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&q=
FF - component: c:\users\tom\appdata\roaming\mozilla\firefox\profiles\9yj7c25j.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files (x86)\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\tom\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 188936]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-7 203264]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x64.sys [2010-1-8 19432]
R2 CronService;Cron Service for Prey;c:\program files (x86)\prey\platform\windows\cronsvc.exe [2010-7-29 17920]
R2 gdipp_svc_32;gdipp Service (32 bit);c:\program files (x86)\gdipp\gdipp_svc_32.exe [2010-6-16 109056]
R2 gdipp_svc_64;gdipp Service (64 bit);c:\program files (x86)\gdipp\gdipp_svc_64.exe [2010-6-16 121856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-12-4 72216]
R2 RtkAudioService;Realtek Audio Service;c:\program files\realtek\audio\hda\RtkAudioService64.exe [2009-11-7 189984]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 54824]
R3 CAXHWAZL;CAXHWAZL;c:\windows\system32\drivers\CAXHWAZL.sys [2009-11-7 300032]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 40832]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw5v64.sys [2009-11-7 5435904]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-6-29 72064]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-6-27 346984]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2007-8-3 11392]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x64.sys [2009-6-10 389120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-6-1 136176]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-11-30 12672]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-8-3 31800]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-10-16 50176]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-1 1255736]

=============== Created Last 30 ================

2010-08-07 02:50:59 20 ----a-w- c:\users\tom\defogger_reenable
2010-08-07 02:28:37 0 d-----w- c:\users\tom\appdata\roaming\Malwarebytes
2010-08-07 02:28:30 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-07 02:28:30 0 d-----w- c:\programdata\Malwarebytes
2010-08-07 02:28:30 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-08-07 02:24:07 0 d-----w- C:\TDSSKiller_Quarantine
2010-08-06 18:09:20 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-08-06 18:09:20 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-08-06 18:09:20 145184 ----a-w- c:\windows\syswow64\java.exe
2010-08-04 02:48:37 0 d-----w- c:\users\tom\appdata\roaming\Trillian
2010-08-04 02:38:05 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-08-04 02:38:03 0 d-----w- c:\program files\VS Revo Group
2010-08-03 23:51:43 0 d-----w- c:\program files (x86)\StarCraft II
2010-08-02 20:07:08 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-08-01 02:25:47 0 d-----w- c:\program files (x86)\The KMPlayer
2010-08-01 02:11:26 0 d-----w- c:\users\tom\fontconfig
2010-08-01 02:10:52 0 d-----w- c:\users\tom\.smplayer
2010-07-31 19:09:39 0 d-----w- c:\program files (x86)\CoreCodec
2010-07-31 17:45:51 0 d-----w- c:\program files (x86)\Prey
2010-07-30 18:35:22 0 d-----w- c:\programdata\ATI
2010-07-30 18:32:38 0 d-----w- c:\program files\ATI Technologies
2010-07-30 18:29:37 0 d-----w- C:\ATI
2010-07-27 17:36:06 0 d-----w- c:\users\tom\appdata\roaming\TCB Networks
2010-07-26 22:28:18 0 d-----w- c:\programdata\Yammm
2010-07-20 22:48:39 0 d-----w- c:\program files (x86)\Microsoft Security Client
2010-07-20 22:48:25 0 d-----w- c:\windows\TempA12C6131-1AFF-4A18-79B0-5DBA405C42DB-Signatures
2010-07-20 22:48:00 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2010-07-20 22:48:00 1898376 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-07-20 22:47:26 0 d-----w- c:\program files\Microsoft Security Client
2010-07-20 22:39:18 230352 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2010-07-15 00:11:24 0 d-----w- c:\users\tom\Guitar Pro Tabs
2010-07-14 23:58:40 0 d-----w- c:\programdata\Guitar Pro 6
2010-07-14 23:50:21 0 d-----w- c:\users\tom\appdata\roaming\Guitar Pro 6
2010-07-14 18:23:16 0 d-----w- c:\programdata\InstallShield
2010-07-14 18:19:03 0 d-----w- c:\program files (x86)\Nokia
2010-07-14 04:11:45 0 d-----w- c:\program files (x86)\Logon Screen
2010-07-13 19:14:32 144384 ----a-w- c:\windows\system32\cdd.dll

==================== Find3M ====================

2010-07-17 10:00:04 423656 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-06-30 04:56:42 72064 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2010-06-30 04:56:40 40832 ----a-w- c:\windows\system32\drivers\MpNWMon.sys
2010-06-30 04:56:40 188936 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2010-06-19 19:27:41 8107 ----a-w- c:\windows\w7dsd.reg
2010-06-19 19:27:41 8089 ----a-w- c:\windows\w7dse.reg
2010-06-19 19:17:00 275360 ----a-w- c:\windows\system32\DreamScene.dll
2010-06-15 04:22:10 69632 ----a-w- c:\windows\cadSSaver.scr
2010-06-14 19:33:02 28288 ----a-w- c:\windows\fonts\HandelGotD.ttf
2010-06-10 10:03:28 109360 ----a-w- c:\windows\syswow64\GEARAspi.dll
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\syswow64\GPhotos.scr
2010-06-01 17:37:48 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-05-31 22:23:19 178800 ----a-w- c:\windows\syswow64\CmdLineExt_x64.dll
2010-05-27 07:24:13 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-05-27 06:34:09 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 04:11:32 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2010-05-21 05:52:30 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-05-21 05:18:06 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-05-21 05:14:50 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-05-19 03:51:58 161776 ---ha-w- c:\windows\syswow64\mlfcache.dat
2010-05-09 09:46:00 961024 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:45:57 552960 ----a-w- c:\windows\system32\msdri.dll
2010-05-09 09:14:55 641536 ----a-w- c:\windows\syswow64\CPFilters.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-04-20 21:27:43 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-23 18:23:04 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-01-23 18:23:04 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-01-23 18:23:04 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-01-23 18:23:04 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-11 01:23:27 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 22:02:55.69 ===============

Edited by heartsurgeonno1, 06 August 2010 - 10:35 PM.
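The DDS log above is what a responder reads first, and the most telling lines in it are not the process list but the mPolicies-system entries: EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 mean UAC is off, which the Rooter report later in this thread also flags. The script below is an added example, not part of the thread, of DDS, or of BleepingComputer's preparation guide: it parses the "Pseudo HJT Report" section and turns the policy, Run-key and AppInit_DLLs lines into triage findings. The excerpt it runs on is constructed from the log in this post, and the wording of the findings is mine.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not part of DDS, of the forum's
preparation guide, or of the poster's own material. It pulls out the policy,
Run-key and AppInit_DLLs lines and reports what a responder would read from
them, in particular the UAC settings.
"""
import re
from typing import Dict, List, Tuple

# Excerpt constructed from the DDS log in the post above (only the lines the
# parser cares about; paths are as the log prints them).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe
mRun: [<NO NAME>]
mRun: [Samsung PanelMgr] c:\\windows\\samsung\\panelmgr\\SSMMgr.exe /autorun
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
AppInit_DLLs: acaptuser32.dll
AppInit_DLLs-X64: acaptuser64.dll

================= FIREFOX ===================
"""

POLICY_RE = re.compile(r"^mPolicies-(?P<hive>\w+):\s*(?P<name>\w+)\s*=\s*(?P<value>\d+)")
RUN_RE = re.compile(r"^(?P<key>[um]Run(?:-x64)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs(?:-X64)?:\s*(?P<dlls>.+)$")


def parse_hjt_section(text: str) -> Dict[str, object]:
    """Collect policies, Run-key entries and AppInit DLLs from the Pseudo HJT
    Report section; text before its banner and after the next banner is ignored."""
    policies: Dict[str, int] = {}
    runs: List[Tuple[str, str, str]] = []
    appinit: List[str] = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("====="):
            if "Pseudo HJT Report" in line:
                in_section = True
                continue
            if in_section:
                break
        if not in_section:
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[f"{m['hive']}:{m['name']}"] = int(m["value"])
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m["key"], m["name"], m["cmd"].strip()))
            continue
        m = APPINIT_RE.match(line)
        if m:
            appinit.extend(d.strip() for d in m["dlls"].split(",") if d.strip())
    return {"policies": policies, "runs": runs, "appinit": appinit}


def assess(parsed: Dict[str, object]) -> List[str]:
    """Turn the parsed entries into findings a responder would act on."""
    findings: List[str] = []
    pol = parsed["policies"]
    # For each of these registry values, 0 is the weakened setting.
    if pol.get("system:EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is off, so anything the admin user runs already "
                        "holds full rights to system32 and to driver installation")
    if pol.get("system:ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation happens without any prompt")
    if pol.get("system:PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts are not isolated on the secure desktop")
    for key, name, cmd in parsed["runs"]:
        if name == "<NO NAME>" or not cmd:
            findings.append(f"{key} entry with no name or command ([{name}] {cmd!r}): "
                            "an orphaned or hidden autorun, review it")
    for dll in parsed["appinit"]:
        findings.append(f"AppInit_DLLs loads {dll} into every process that links user32.dll; "
                        "confirm the publisher before trusting it")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_hjt_section(SAMPLE_DDS)):
        print("-", finding)
```

Run it against a full DDS log by reading the file into `parse_hjt_section`; the section banners keep the Firefox and services sections out of the parse. The AppInit_DLLs finding is deliberately a "verify" rather than a verdict, since the log alone does not say who signed the DLL.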


#2 Maurice Naggar (Malware Response Team)

Posted 14 August 2010 - 09:37 AM

Hello,
You may backup your personal files and documents to offline media; just do consider them suspect until any rootkit or malware issues are resolved.
Other than that, do not make changes or additions (hardware or software) without checking here first.

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders.
Set Folder options to show all hidden files and folders:
  • Click the Start button , click Control Panel, click Appearance and Personalization, and then click Folder Options.
  • Click the View tab.
  • Under Advanced settings, click Show hidden files, folders, and drives, and then click OK.
Step 3
Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.


Step 4
Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista or Windows 7, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Step 5
Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.
Download Security Check by screen317 and save it to your Desktop: here or here
  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):
  • the contents of Rooter log
  • the contents of OTL.txt
  • the contents of Extras.txt
  • the contents of checkup.txt
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 14 August 2010 - 09:39 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 heartsurgeonno1 (Topic Starter)

Posted 14 August 2010 - 03:33 PM

Thank you for your reply!

I couldn't scan using Rooter.exe with Microsoft Security Essentials' real time protection disabled. When I press the scan button it gives me a Windows error "Malware Finder has stopped working".
It successfully scanned after I enabled MSE though.



Rooter log

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7600)
[32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Disabled !
.
Internet Explorer 8.0.7600.16385
Mozilla Firefox 3.6.8 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:197 Go - Free:49 Go )
D:\ [Fixed-NTFS] .. ( Total:100 Go - Free:30 Go )
E:\ [CD_Rom]
F:\ [Removable]
G:\ [Removable]
.
Scan : 15:19.01
Path : C:\Users\Tom\Desktop\Rooter.exe
User : Tom ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ ???"?????? (308)
______ ???"?????? (488)
______ ???"?????? (552)
______ ???"?????? (572)
______ ???"?????? (616)
______ ???"?????? (652)
______ ???"?????? (664)
______ ???"?????? (672)
______ ???"?????? (796)
______ ???"?????? (872)
______ ???"?????? (932)
______ ???"?????? (324)
______ ???"?????? (480)
______ ???"?????? (744)
______ ???"?????? (492)
______ ???"?????? (1084)
______ ???"?????? (1116)
______ ???"?????? (1232)
______ ???"?????? (1308)
______ ???"?????? (1360)
______ ???"?????? (1672)
______ ???"?????? (1708)
______ ???"?????? (1796)
______ ???"?????? (1904)
______ ???"?????? (1280)
______ C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe (344)
______ ???"?????? (1216)
______ C:\Program Files (x86)\gdipp\gdipp_svc_32.exe (1872)
______ ???"?????? (1880)
______ C:\Windows\SysWOW64\DllHost.exe (2172)
______ C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe (2236)
______ ???"?????? (2464)
______ ???"?????? (2672)
______ ???"?????? (2844)
______ ???"?????? (2872)
______ ???"?????? (464)
______ ???"?????? (3132)
______ ???"?????? (3176)
______ ???"?????? (3408)
______ ???"?????? (3436)
______ ???"?????? (3476)
______ ???"?????? (3496)
______ ???"?????? (3888)
______ ???"?????? (3916)
______ ???"?????? (3980)
______ ???"?????? (4040)
______ ???"?????? (3652)
______ ???"?????? (3452)
______ ???"?????? (2564)
______ ???"?????? (768)
______ C:\Users\Tom\xwd202\XWD.exe (2820)
______ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (4488)
______ C:\Users\Tom\Desktop\Rooter.exe (108)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:104857600)
\Device\Harddisk0\Partition2 (Start_Offset:105906176 | Length:212277919744)
\Device\Harddisk0\Partition3 (Start_Offset:212383825920 | Length:107687706624)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At5.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3513507862-3738819510-2213337168-1001Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3513507862-3738819510-2213337168-1001UA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 15:19.29
.
C:\Rooter$\Rooter_1.txt - (14/08/2010 | 15:19.29)
OTL.Txt

OTL logfile created on: 8/14/2010 03:00:38 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Tom\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 69.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 197.70 Gb Total Space | 49.25 Gb Free Space | 24.91% Space Free | Partition Type: NTFS
Drive D: | 100.29 Gb Total Space | 30.62 Gb Free Space | 30.53% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOM-PC
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/14 14:59:44 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
PRC - [2010/06/16 14:18:58 | 000,109,056 | ---- | M] (gdipp Project) -- C:\Program Files (x86)\gdipp\gdipp_svc_32.exe
PRC - [2009/07/14 12:15:12 | 000,204,648 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
PRC - [2009/07/14 12:15:12 | 000,112,488 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe


========== Modules (SafeList) ==========

MOD - [2010/08/14 14:59:44 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
MOD - [2010/06/16 14:18:52 | 000,662,528 | ---- | M] (gdipp Project) -- C:\Program Files (x86)\gdipp\gdimm_32.dll
MOD - [2010/06/16 14:18:36 | 000,295,936 | ---- | M] (gdipp Project) -- C:\Program Files (x86)\gdipp\gdipp_common_32.dll
MOD - [2010/06/01 19:00:52 | 000,278,288 | ---- | M] (COMODO) -- C:\Windows\SysWOW64\guard32.dll
MOD - [2010/04/26 01:09:32 | 000,098,304 | ---- | M] () -- C:\Windows\SysWOW64\EasyHook32.dll
MOD - [2009/07/13 20:15:21 | 000,014,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\fltLib.dll
MOD - [2009/07/13 20:15:13 | 001,069,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\DWrite.dll
MOD - [2009/07/13 20:15:09 | 000,854,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\dbghelp.dll
MOD - [2009/07/13 20:15:07 | 000,828,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\d2d1.dll
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Windows\SysNative\GameMon.des -- (npggsvc)
SRV:64bit: - [2010/06/27 01:31:30 | 000,346,984 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2010/06/27 01:31:30 | 000,012,272 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2010/06/01 19:00:54 | 002,348,600 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV:64bit: - [2009/09/03 17:15:38 | 000,189,984 | ---- | M] (Realtek Semiconductor) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe -- (RtkAudioService)
SRV:64bit: - [2009/09/01 11:15:08 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/08/05 17:06:34 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysNative\drivers\XAudio64.exe -- (XAudioService)
SRV:64bit: - [2009/07/20 13:36:14 | 000,160,784 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/07/29 18:09:32 | 000,017,920 | ---- | M] (Fork Ltd.) [Auto | Running] -- C:\Program Files (x86)\Prey\platform\windows\cronsvc.exe -- (CronService)
SRV - [2010/06/16 14:19:54 | 000,121,856 | ---- | M] (gdipp Project) [Auto | Running] -- C:\Program Files (x86)\gdipp\gdipp_svc_64.exe -- (gdipp_svc_64) gdipp Service (64 bit)
SRV - [2010/06/16 14:18:58 | 000,109,056 | ---- | M] (gdipp Project) [Auto | Running] -- C:\Program Files (x86)\gdipp\gdipp_svc_32.exe -- (gdipp_svc_32) gdipp Service (32 bit)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/15 15:07:16 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/11/27 17:58:16 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/11/12 12:08:00 | 003,403,420 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
SRV - [2009/07/16 17:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/07/14 12:15:12 | 000,204,648 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbser_lowerfltx64.sys -- (upperdev)
DRV:64bit: - File not found [Kernel | Auto | Stopped] -- C:\Windows\SysNative\Drivers\SSPORT.sys -- (SSPORT)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\npptNT2.sys -- (NPPTNT2)
DRV:64bit: - File not found [Kernel | Auto | Stopped] -- C:\Windows\SysNative\Drivers\DgiVecp.sys -- (DgiVecp)
DRV:64bit: - [2010/07/20 17:39:18 | 000,230,352 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
DRV:64bit: - [2010/06/29 23:56:42 | 000,072,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)
DRV:64bit: - [2010/01/11 19:58:32 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2009/11/07 20:28:47 | 000,834,544 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2009/10/16 02:33:06 | 000,050,176 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/10/09 21:41:20 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/09/28 20:35:32 | 000,087,384 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV:64bit: - [2009/09/09 11:04:46 | 005,435,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2009/09/01 11:15:16 | 006,038,016 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/08/05 17:06:34 | 000,009,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\XAudio64.sys -- (XAudio)
DRV:64bit: - [2009/08/05 17:06:32 | 001,511,936 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2009/08/05 17:06:32 | 000,731,648 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2009/08/05 17:06:32 | 000,300,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2009/08/05 17:06:32 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV:64bit: - [2009/07/24 10:54:32 | 000,205,472 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService)
DRV:64bit: - [2009/07/22 16:16:48 | 000,076,288 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\risdsn64.sys -- (risdptsk)
DRV:64bit: - [2009/07/22 16:15:20 | 000,085,504 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rimssn64.sys -- (rimsptsk)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 15:19:54 | 000,193,072 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2009/06/17 11:54:46 | 000,040,976 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV:64bit: - [2009/06/17 11:54:30 | 000,057,872 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - [2009/06/17 11:54:22 | 000,055,312 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2009/06/10 16:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 16:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 16:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/03/27 02:23:54 | 000,019,432 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\cpuz132_x64.sys -- (cpuz132)
DRV:64bit: - [2008/08/11 13:40:58 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV:64bit: - [2008/08/11 13:40:32 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lmimirr.sys -- (lmimirr)
DRV:64bit: - [2007/08/03 06:35:54 | 000,011,392 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SFEP.sys -- (SFEP)
DRV:64bit: - [2007/08/02 18:33:04 | 000,012,672 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dadder.sys -- (DAdderFltr)
DRV - [2010/06/10 05:03:28 | 000,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/08/27 00:30:17 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Stopped] -- C:\Windows\SysWOW64\drivers\SSPORT.SYS -- (SSPORT)
DRV - [2004/12/31 10:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 60 CB F3 B7 A4 2F CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.addSBtoToolbar: false
FF - prefs.js..browser.search.autosizerwizard: ""
FF - prefs.js..browser.search.minwidth: 125
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "chrome://speeddial/content/speeddial.xul"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: abhere2@moztw.org:3.6.20100801
FF - prefs.js..extensions.enabledItems: apptabs@frankyan.com:0.6.2
FF - prefs.js..extensions.enabledItems: bettergmail2@ginatrapani.org:1.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7
FF - prefs.js..extensions.enabledItems: {21cfaec0-dbb3-11dc-95ff-0800200c9a66}:1.1.2.4
FF - prefs.js..extensions.enabledItems: {E6463D12-450D-45eb-9D47-804AEB0A9561}:2.2.0
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.8
FF - prefs.js..extensions.enabledItems: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e}:0.6.4.1
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}:6.0.4
FF - prefs.js..extensions.enabledItems: {EDA7B1D7-F793-4e03-B074-E6F303317FB0}:1.2.6
FF - prefs.js..extensions.enabledItems: {210249CE-F888-11DD-B868-4CB456D89593}:2.1.5
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2c}:0.6.4
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: CompactMenuCE@Merci.chao:4.3.2
FF - prefs.js..extensions.enabledItems: savefileto@mozdev.org:2.0.2
FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:4.6
FF - prefs.js..extensions.enabledItems: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.0.11
FF - prefs.js..extensions.enabledItems: tineye@ideeinc.com:1.0
FF - prefs.js..extensions.enabledItems: {0fa2149e-bb2c-4ac2-a8d3-479599819475}:1.6.1
FF - prefs.js..extensions.enabledItems: firegestures@xuldev.org:1.6b4
FF - prefs.js..extensions.enabledItems: isreaditlater@ideashower.com:2.0.6
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.69.1
FF - prefs.js..extensions.enabledItems: realurl@rod.whiteley:0.52
FF - prefs.js..extensions.enabledItems: {70171e70-9057-11da-9562-00e08161165f}:1.0
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.48.3
FF - prefs.js..extensions.enabledItems: {5F590AA2-1221-4113-A6F4-A4BB62414FAC}:0.45.6.20100202.1
FF - prefs.js..extensions.enabledItems: {64161300-e22b-11db-8314-0800200c9a66}:0.9.5.6
FF - prefs.js..extensions.enabledItems: bug447571@alice0775:1.5
FF - prefs.js..extensions.enabledItems: findtocenter@alice0775:0.2010070901
FF - prefs.js..extensions.enabledItems: {39952c40-5197-11da-8cd6-0800200c9a66}:0.5.3
FF - prefs.js..extensions.enabledItems: {e36db930-f18d-4449-b45f-e286cfb9e03a}:3.6.10021200
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {cbbbbcd0-3cf7-11dd-ae16-0800200c9a66}:2.0
FF - prefs.js..extensions.enabledItems: {113c2360-15a3-11de-8c30-0800200c9a66}:0.9
FF - prefs.js..extensions.enabledItems: Strata40@SpewBoy.au:0.6.2
FF - prefs.js..extensions.enabledItems: Foxdie@tanjihay.com:3.6.1
FF - prefs.js..extensions.enabledItems: macfox_nostalgia@smartbright:1.04.03
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/07/23 21:32:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/07/23 21:32:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2010/06/24 18:46:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2010/06/01 15:13:18 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Extensions
[2010/06/01 15:13:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/11/07 20:10:23 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Extensions\songbird@songbirdnest.com
[2010/08/14 00:14:08 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions
[2010/07/08 22:03:22 | 000,000,000 | ---D | M] (URL Fixer) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{0fa2149e-bb2c-4ac2-a8d3-479599819475}
[2010/08/13 12:04:04 | 000,000,000 | ---D | M] (Flagfox) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2009/11/25 22:52:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{113c2360-15a3-11de-8c30-0800200c9a66}
[2010/02/11 19:26:55 | 000,000,000 | ---D | M] (Image Zoom) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
[2010/07/06 19:35:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{1fbe1e70-502c-11de-8a39-0800200c9a66}
[2010/07/05 00:46:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{210249CE-F888-11DD-B868-4CB456D89593}
[2009/11/07 14:27:15 | 000,000,000 | ---D | M] (Easy DragToGo) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{21cfaec0-dbb3-11dc-95ff-0800200c9a66}
[2009/11/19 16:18:26 | 000,000,000 | ---D | M] (Organize Status Bar) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2c}
[2009/11/07 14:27:14 | 000,000,000 | ---D | M] (PDF Download) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/07/27 13:14:55 | 000,000,000 | ---D | M] (Tab Control) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{39952c40-5197-11da-8cd6-0800200c9a66}
[2009/11/07 14:27:15 | 000,000,000 | ---D | M] (Gmail Notifier) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
[2010/08/09 23:21:55 | 000,000,000 | ---D | M] (Stylish) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
[2010/07/04 23:58:12 | 000,000,000 | ---D | M] (SmoothWheel (mozdev.org)) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
[2010/08/12 00:57:08 | 000,000,000 | ---D | M] (Speed Dial) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{64161300-e22b-11db-8314-0800200c9a66}
[2010/06/24 02:42:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{70171e70-9057-11da-9562-00e08161165f}
[2009/12/09 21:46:39 | 000,000,000 | ---D | M] (MR Tech Toolkit) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
[2010/07/06 19:35:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{bb230b90-cfd6-11dd-ad8b-0800200c9a66}
[2010/01/01 00:45:59 | 000,000,000 | ---D | M] (StrataStripe) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{cbbbbcd0-3cf7-11dd-ae16-0800200c9a66}
[2010/07/31 16:30:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}
[2010/07/10 12:43:55 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/31 16:30:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/07/13 23:14:29 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/07/28 18:08:24 | 000,000,000 | ---D | M] (Wired-Marker) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{e36db930-f18d-4449-b45f-e286cfb9e03a}
[2010/04/08 22:30:39 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/01/13 08:27:18 | 000,000,000 | ---D | M] (Find Toolbar Tweaks) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{E6463D12-450D-45eb-9D47-804AEB0A9561}
[2009/11/07 14:27:13 | 000,000,000 | ---D | M] (Menu Editor) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
[2010/07/17 18:04:49 | 000,000,000 | ---D | M] (SearchPreview) -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}
[2010/08/07 00:17:03 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\abhere2@moztw.org
[2010/01/05 19:37:39 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\apptabs@frankyan.com
[2010/05/20 14:36:35 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\bettergmail2@ginatrapani.org
[2010/07/06 19:48:04 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\bug447571@alice0775
[2010/03/29 18:11:10 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\CompactMenuCE@Merci.chao
[2010/07/11 14:51:54 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\findtocenter@alice0775
[2010/07/31 19:31:58 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\firegestures@xuldev.org
[2010/07/07 19:41:58 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\Foxdie@tanjihay.com
[2010/07/07 19:42:16 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\foxdie_ext_ocelot@foxdie.us
[2010/04/06 12:47:55 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\isreaditlater@ideashower.com
[2010/07/27 15:45:17 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\macfox_nostalgia@smartbright
[2010/06/15 22:08:52 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\realurl@rod.whiteley
[2010/05/30 23:49:22 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\savefileto@mozdev.org
[2010/08/13 12:04:04 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\staged-xpis
[2010/04/19 20:38:38 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\Strata40@SpewBoy.au
[2010/04/18 19:05:47 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\StrataBuddy@ReduxTeam
[2010/07/13 14:08:03 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\support@lastpass.com
[2010/07/01 16:45:14 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\tineye@ideeinc.com
[2010/04/19 20:38:38 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\extensions\Strata40@SpewBoy.au\chrome\mozapps\extensions
[2010/08/12 18:38:39 | 000,002,726 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\demonoid---by-seeders.xml
[2010/01/25 03:31:05 | 000,002,102 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\digitalhive.xml
[2010/08/09 18:59:23 | 000,002,492 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\flixster.xml
[2010/08/12 18:38:39 | 000,001,811 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\h33t.xml
[2009/08/26 01:47:34 | 000,001,512 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\imdb.xml
[2009/09/03 19:21:08 | 000,002,305 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\lastfm.xml
[2010/08/12 18:38:39 | 000,002,307 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\rotten-tomatoes.xml
[2010/08/14 00:34:08 | 000,001,400 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\ultimate-guitar---tabs.xml
[2009/08/14 01:34:08 | 000,002,013 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\urban-dictionary.xml
[2009/12/13 22:35:44 | 000,001,987 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\wolframalpha.xml
[2009/08/26 01:47:18 | 000,004,153 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\9yj7c25j.default\searchplugins\youtube.xml
[2010/08/14 00:14:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/08/06 13:09:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/07/14 18:51:53 | 000,000,861 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activation.guitar-pro.com
O2 - BHO: (Microsoft Antimalware Script Scanner) - {97055CD1-F6C4-40F8-AF50-932F1890E7F5} - c:\Program Files (x86)\Microsoft Security Client\Antimalware\MpBHO.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Tom\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
O4 - Startup: C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWindows Dock.lnk = C:\Users\Tom\xwd202\XWD.exe (Lichonos Vladimir)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab (DLC Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - AppInit_DLLs: (acaptuser64.dll) - C:\Windows\SysNative\acaptuser64.dll (Adobe Systems, Inc.)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (acaptuser32.dll) - C:\Windows\SysWow64\acaptuser32.dll (Adobe Systems, Inc.)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - Reg Error: Key error. - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\Windows\SysWow64\VESWinlogon.dll (Sony Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/14 14:59:41 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
[2010/08/14 14:53:32 | 000,173,119 | ---- | C] (Eric_71) -- C:\Users\Tom\Desktop\Rooter.exe
[2010/08/14 14:52:23 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/08/14 14:51:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2010/08/14 14:51:20 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Tom\Desktop\erunt-setup.exe
[2010/08/14 02:28:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Plasma Pong
[2010/08/12 12:49:00 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\Apps
[2010/08/11 16:29:27 | 005,507,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2010/08/11 16:29:25 | 003,955,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2010/08/11 16:29:25 | 003,899,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2010/08/11 16:29:13 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2010/08/11 16:29:12 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2010/08/11 16:29:11 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2010/08/11 16:29:11 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2010/08/11 16:29:09 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2010/08/11 16:29:09 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2010/08/11 16:29:07 | 000,052,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rtutils.dll
[2010/08/11 16:29:06 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rtutils.dll
[2010/08/11 16:29:05 | 000,082,944 | ---- | C] (Radius Inc.) -- C:\Windows\SysWow64\iccvid.dll
[2010/08/10 15:26:03 | 000,000,000 | ---D | C] -- C:\Users\Tom\Desktop\eqs
[2010/08/07 21:17:50 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\ATI
[2010/08/07 15:45:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VS Revo Group
[2010/08/07 15:32:37 | 000,000,000 | R--D | C] -- C:\Users\Tom\Searches
[2010/08/07 14:22:00 | 000,000,000 | ---D | C] -- C:\ProgramData\COMODO
[2010/08/07 14:15:38 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2010/08/06 21:28:37 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\Malwarebytes
[2010/08/06 21:28:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/08/06 21:28:30 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/08/06 21:28:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/08/06 21:28:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/08/06 21:24:07 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2010/08/06 21:18:48 | 001,196,368 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Tom\Desktop\TDSSKiller.exe
[2010/08/06 13:09:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2010/08/06 13:09:20 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2010/08/06 13:09:20 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2010/08/06 13:09:20 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2010/08/03 18:51:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II
[2010/07/31 21:27:58 | 000,000,000 | ---D | C] -- C:\Users\Tom\Documents\The KMPlayer
[2010/07/31 21:25:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\The KMPlayer
[2010/07/31 21:10:52 | 000,000,000 | ---D | C] -- C:\Users\Tom\.smplayer
[2010/07/31 14:09:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CoreCodec
[2010/07/31 12:45:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Prey
[2010/07/30 13:35:22 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010/07/30 13:32:38 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2010/07/30 13:29:37 | 000,000,000 | ---D | C] -- C:\ATI
[2010/07/29 21:46:14 | 000,000,000 | ---D | C] -- C:\Users\Tom\Documents\StarCraft II
[2010/07/27 21:49:57 | 000,000,000 | ---D | C] -- C:\Users\Tom\Documents\ConvertXToDVD
[2010/07/27 21:45:17 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\Vso
[2010/07/27 12:36:06 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\TCB Networks
[2010/07/20 17:48:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2010/07/20 17:48:25 | 000,000,000 | ---D | C] -- C:\Windows\TempA12C6131-1AFF-4A18-79B0-5DBA405C42DB-Signatures
[2010/07/20 17:48:00 | 000,374,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\netio.sys
[2010/07/20 17:47:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2010/07/20 17:39:18 | 000,230,352 | ---- | C] (TrueCrypt Foundation) -- C:\Windows\SysNative\drivers\truecrypt.sys
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/14 15:00:44 | 003,932,160 | -HS- | M] () -- C:\Users\Tom\NTUSER.DAT
[2010/08/14 15:00:18 | 000,869,051 | ---- | M] () -- C:\Users\Tom\Desktop\SecurityCheck.exe
[2010/08/14 14:59:58 | 000,743,392 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/08/14 14:59:58 | 000,635,210 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/08/14 14:59:58 | 000,111,610 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/08/14 14:59:44 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
[2010/08/14 14:55:28 | 000,014,832 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/08/14 14:55:28 | 000,014,832 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/08/14 14:55:05 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/14 14:55:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/14 14:53:33 | 000,173,119 | ---- | M] (Eric_71) -- C:\Users\Tom\Desktop\Rooter.exe
[2010/08/14 14:51:58 | 000,000,894 | ---- | M] () -- C:\Users\Tom\Desktop\NTREGOPT.lnk
[2010/08/14 14:51:58 | 000,000,875 | ---- | M] () -- C:\Users\Tom\Desktop\ERUNT.lnk
[2010/08/14 14:51:28 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\Tom\Desktop\erunt-setup.exe
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\tasks\At5.job
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\tasks\At4.job
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\tasks\At3.job
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\tasks\At2.job
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\tasks\At1.job
[2010/08/14 14:48:07 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/08/14 14:47:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/08/14 14:47:53 | 3195,289,600 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/14 01:36:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3513507862-3738819510-2213337168-1001UA.job
[2010/08/14 00:36:00 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3513507862-3738819510-2213337168-1001Core.job
[2010/08/13 00:10:50 | 003,590,026 | -H-- | M] () -- C:\Users\Tom\AppData\Local\IconCache.db
[2010/08/12 12:59:06 | 000,000,062 | ---- | M] () -- C:\Windows\settings.ini
[2010/08/12 12:19:43 | 000,422,176 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/08 23:54:28 | 000,000,920 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWindows Dock.lnk
[2010/08/08 12:57:22 | 000,001,023 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2010/08/06 22:43:48 | 000,008,107 | ---- | M] () -- C:\Windows\w7dsd.reg
[2010/08/06 22:43:48 | 000,008,089 | ---- | M] () -- C:\Windows\w7dse.reg
[2010/08/06 21:58:01 | 000,525,824 | ---- | M] () -- C:\Users\Tom\Desktop\dds.scr
[2010/08/06 21:51:00 | 000,000,020 | ---- | M] () -- C:\Users\Tom\defogger_reenable
[2010/08/06 21:50:19 | 000,050,477 | ---- | M] () -- C:\Users\Tom\Desktop\Defogger.exe
[2010/08/04 15:07:42 | 001,196,368 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Tom\Desktop\TDSSKiller.exe
[2010/08/03 19:02:14 | 000,001,063 | ---- | M] () -- C:\Users\Public\Desktop\StarCraft II.lnk
[2010/07/31 16:52:47 | 000,014,336 | ---- | M] () -- C:\Users\Tom\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/29 01:30:34 | 000,082,944 | ---- | M] (Radius Inc.) -- C:\Windows\SysWow64\iccvid.dll
[2010/07/27 22:35:48 | 000,001,173 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\vso_ts_preview.xml
[2010/07/20 17:48:43 | 000,757,008 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/07/20 17:39:18 | 000,230,352 | ---- | M] (TrueCrypt Foundation) -- C:\Windows\SysNative\drivers\truecrypt.sys
[2010/07/17 05:00:12 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2010/07/17 05:00:12 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2010/07/17 05:00:10 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2010/07/15 19:34:01 | 000,214,592 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/14 15:00:17 | 000,869,051 | ---- | C] () -- C:\Users\Tom\Desktop\SecurityCheck.exe
[2010/08/14 14:51:58 | 000,000,894 | ---- | C] () -- C:\Users\Tom\Desktop\NTREGOPT.lnk
[2010/08/14 14:51:58 | 000,000,875 | ---- | C] () -- C:\Users\Tom\Desktop\ERUNT.lnk
[2010/08/08 12:57:22 | 000,001,023 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2010/08/07 15:42:22 | 000,000,372 | ---- | C] () -- C:\Windows\tasks\At5.job
[2010/08/07 15:33:15 | 000,000,372 | ---- | C] () -- C:\Windows\tasks\At4.job
[2010/08/06 22:04:20 | 000,293,376 | ---- | C] () -- C:\Users\Tom\Desktop\gmer.exe
[2010/08/06 21:58:17 | 000,000,372 | ---- | C] () -- C:\Windows\tasks\At3.job
[2010/08/06 21:57:38 | 000,525,824 | ---- | C] () -- C:\Users\Tom\Desktop\dds.scr
[2010/08/06 21:50:59 | 000,000,020 | ---- | C] () -- C:\Users\Tom\defogger_reenable
[2010/08/06 21:49:34 | 000,050,477 | ---- | C] () -- C:\Users\Tom\Desktop\Defogger.exe
[2010/08/03 22:09:55 | 000,000,372 | ---- | C] () -- C:\Windows\tasks\At2.job
[2010/08/03 21:38:58 | 000,000,372 | ---- | C] () -- C:\Windows\tasks\At1.job
[2010/08/03 18:51:43 | 000,001,063 | ---- | C] () -- C:\Users\Public\Desktop\StarCraft II.lnk
[2010/07/27 21:45:17 | 000,001,173 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\vso_ts_preview.xml
[2010/06/21 19:17:22 | 000,000,062 | ---- | C] () -- C:\Windows\settings.ini
[2010/04/26 01:09:32 | 000,098,304 | ---- | C] () -- C:\Windows\SysWow64\EasyHook32.dll
[2010/04/25 14:41:08 | 000,757,008 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll

========== LOP Check ==========

[2010/06/30 14:47:42 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\CD Art Display
[2009/11/07 20:54:14 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\DAEMON Tools Lite
[2010/08/14 14:49:18 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Dropbox
[2010/06/03 00:14:41 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\GARMIN
[2010/05/17 15:54:52 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\ImgBurn
[2010/01/21 00:19:12 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\IrfanView
[2010/06/21 22:42:11 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Mp3tag
[2010/08/10 14:45:55 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\MusicBee
[2010/07/01 17:13:55 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Rainmeter
[2009/11/30 01:20:51 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Razer
[2010/03/04 04:12:05 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\rockbox.org
[2010/07/27 12:36:06 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\TCB Networks
[2010/06/01 15:13:18 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Thunderbird
[2010/07/23 19:41:26 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\TrueCrypt
[2010/08/12 21:59:48 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\uTorrent
[2010/07/27 22:35:49 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Vso
[2010/08/14 14:55:19 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\XWindows Dock
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\Tasks\At4.job
[2010/08/14 14:48:08 | 000,000,372 | ---- | M] () -- C:\Windows\Tasks\At5.job
[2010/06/28 13:39:12 | 000,032,604 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >

Extras.Txt

OTL Extras logfile created on: 8/14/2010 03:00:38 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Tom\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 69.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 197.70 Gb Total Space | 49.25 Gb Free Space | 24.91% Space Free | Partition Type: NTFS
Drive D: | 100.29 Gb Total Space | 30.62 Gb Free Space | 30.53% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOM-PC
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05E6FB0F-C681-4FE6-B230-ABDD9337FCA0}" = Microsoft Antimalware
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{48A49473-FD82-491D-B681-B8446A7D4B25}" = PDF-XChange Viewer
"{4AB37210-D5CC-4784-92BC-A3DA41629376}" = Microsoft Security Client
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{4D668D4F-FAA2-4726-834C-31F4614F312E}" = MSVC80_x64_v2
"{71596D05-3463-439F-A0D4-4D04768A5E87}" = gdipp
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Alps Pointing-device for VAIO
"{AB071C8B-873C-459F-ACA9-9EBE03C3E89B}" = MSVC90_x64
"{AC76BA86-1033-0000-0064-0003D0000004}" = Adobe Acrobat 9 Pro Extended 64-bit Add-On
"{AF81FB63-8419-35A3-D9B1-BAFB441C81DE}" = ccc-utility64
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{CC6B1BB4-4E06-4A5B-A166-B371B551324B}" = COMODO Internet Security
"{D035FBF6-FDEF-487D-89CA-6F9DD07B783F}" = Dolby Control Center
"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F3F18612-7B5D-4C05-86C9-AB50F6F71727}" = KhalInstallWrapper
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F8597D20-ACC7-FD03-56FA-23894108BA06}" = ATI Catalyst Install Manager
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0200" = HDAUDIO SoftV92 Data Fax Modem with SmartCP
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.53.1
"CPUID HWMonitor_is1" = CPUID HWMonitor 1.15
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"QuickSFV" = QuickSFV (Remove only)
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{002DD827-7FAC-A09F-7382-BCF61E6744C8}" = CCC Help Portuguese
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0C255F02-22AF-F50B-E945-B8D763E1A077}" = CCC Help Greek
"{0C5F09B4-5C7A-6F41-89F4-65B419A639B9}" = CCC Help Chinese Standard
"{0CA267D3-3CBC-4852-910C-5995698F4914}" = MusicBee
"{1730D13B-7517-4321-A88B-64627CF67CDC}_is1" = Logon Screen 2.20
"{180641E1-F6C2-6053-1022-78B9C49D173D}" = CCC Help Finnish
"{18A2FD82-910A-0208-3AE1-169E92F2AFA4}" = CCC Help Dutch
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 21
"{2822F016-69E9-A368-B612-685CCF4A9B83}" = CCC Help English
"{2A07F8DD-96E5-8A5D-3C6A-D60F38D1F34B}" = CCC Help Turkish
"{2D397BD2-ED49-F9B9-4F65-D60D00AD6C5F}" = CCC Help Norwegian
"{30C4566A-85AC-1713-71B2-3BE50C7146F8}" = CCC Help Thai
"{3380D2BE-EAE4-034C-1096-3CA28F82A2F9}" = CCC Help French
"{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = Microsoft AppLocale
"{4067974F-F2E5-5893-E7A3-10C345089305}" = CCC Help Polish
"{4177BBB8-D654-4364-A898-BA00A68D7897}" = CCC Help Swedish
"{41CD70E9-E193-8358-A837-A3A900565840}" = CCC Help Russian
"{44B4C2E3-D570-16B4-8CED-3D83AAF5D6F7}" = Catalyst Control Center Localization All
"{473937BF-F1ED-764D-01A8-12A672DED3E0}" = CCC Help Spanish
"{48A25E19-D9AE-4BBE-9411-6F4C5D328B39}" = Skype™ Beta 5.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4ECC1D06-672F-2935-E570-CA2D210AE0CE}" = Catalyst Control Center InstallProxy
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{72042FA6-5609-489F-A8EA-3C2DD650F667}" = VAIO Control Center
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}" = RollerCoaster Tycoon 2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D7CCD59-BEBB-57D4-23EC-B9A9DB173EAA}" = Catalyst Control Center Graphics Previews Vista
"{8EE4C584-C82E-9BE3-41C1-BC2A53774DE6}" = CCC Help Korean
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{E64BA721-2310-4B55-BE5A-2925F9706192}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{940C416E-1BE6-58C0-949E-1A588349B0C7}" = CCC Help Hungarian
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A7DA438C-2E43-4C20-BFDA-C1F4A6208558}" = Setting Utility Series
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B7D833B7-915D-C859-D7A6-3639423E878C}" = CCC Help Danish
"{B9F76257-02B5-EB70-2A72-6D56C9359985}" = CCC Help Italian
"{BB778F28-FD55-C8FD-8E0B-482814C05D6B}" = CCC Help Chinese Traditional
"{BF076135-7D69-3255-D72B-487E67146727}" = CCC Help Japanese
"{C7477742-DDB4-43E5-AC8D-0259E1E661B1}" = VAIO Event Service
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB829D09-6426-F17D-C95D-303A6613A190}" = ccc-core-static
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.9.322
"{E5A5844F-80CB-665D-0AF9-9D712F4E6238}" = CCC Help German
"{EB1B8449-CD8F-485B-ADB6-02FBCFE180D3}" = Razer DeathAdder™ Mouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F958FF6B-B2B8-03F6-B56D-7D5E04768AA8}" = CCC Help Czech
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"CD Art Display_is1" = CD Art Display 3.0.1212 Beta
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only)
"Digsby" = Digsby
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"ImgBurn" = ImgBurn
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Mozilla Thunderbird (3.1)" = Mozilla Thunderbird (3.1)
"Mp3tag" = Mp3tag v2.46a
"Picasa 3" = Picasa 3
"Plasma Pong_is1" = Plasma Pong v1.2
"Rainmeter" = Rainmeter (remove only)
"Revo Uninstaller" = Revo Uninstaller 1.89
"Samsung ML-2525W Series" = Maintenance Samsung ML-2525W Series
"StarCraft II" = StarCraft II
"The KMPlayer" = The KMPlayer (remove only)
"TrueCrypt" = TrueCrypt
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.2
"Warcraft III" = Warcraft III

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"cd436d2f0be5b427" = GVNotifier
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"LastPass" = LastPass (uninstall only)
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


checkup.txt

Results of screen317's Security Check version 0.99.5
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 21
Adobe Flash Player 10.1.53.64
Mozilla Firefox (3.6.8)
Mozilla Thunderbird (3.1.) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

#4 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 14 August 2010 - 03:55 PM

Close any programs that you may have started. The next step will do a reboot/restart as part of its tasks.
  • Please right-click on OTL.exe and choose Run As Administrator to start it.
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    :processes

    :files
    C:\Windows\Tasks\At1.job
    C:\Windows\Tasks\At2.job
    C:\Windows\Tasks\At3.job
    C:\Windows\Tasks\At4.job
    C:\Windows\Tasks\At5.job
    recycler /alldrives

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next step
Download and SAVE HijackThis

Save the HJT to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.exe to start it.
Do a "Scan and Save log".


Reply with copy of the OTL MovedFiles log
and the HijackThis log


~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 heartsurgeonno1
  • Topic Starter
  • Members
  • 5 posts

Posted 14 August 2010 - 06:22 PM

Hi,

here are the OTL and hijackthis logs:

OTL log
All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Windows\Tasks\At1.job moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
C:\Windows\Tasks\At3.job moved successfully.
C:\Windows\Tasks\At4.job moved successfully.
C:\Windows\Tasks\At5.job moved successfully.
recycler not found in C:\
recycler not found in D:\
recycler not found in H:\
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Tom
->Temp folder emptied: 395865621 bytes
->Temporary Internet Files folder emptied: 890509 bytes
->Java cache emptied: 8847591 bytes
->FireFox cache emptied: 47718164 bytes
->Google Chrome cache emptied: 16580510 bytes
->Flash cache emptied: 3960 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 155648 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 795310 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 13285 bytes

Total Files Cleaned = 449.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: Tom
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08142010_181443

Files\Folders moved on Reboot...
C:\Users\Tom\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...


hijackthis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 06:19:56 PM, on 8/14/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Users\Tom\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\Tom\xwd202\XWD.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Tom\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Microsoft Antimalware Script Scanner - {97055CD1-F6C4-40F8-AF50-932F1890E7F5} - c:\Program Files (x86)\Microsoft Security Client\Antimalware\MpBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Tom\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: XWindows Dock.lnk = Tom\xwd202\XWD.exe
O4 - Global Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: acaptuser32.dll C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Cron Service for Prey (CronService) - Fork Ltd. - C:\Program Files (x86)\Prey\platform\windows\cronsvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gdipp Service (32 bit) (gdipp_svc_32) - gdipp Project - C:\Program Files (x86)\gdipp\gdipp_svc_32.exe
O23 - Service: gdipp Service (64 bit) (gdipp_svc_64) - gdipp Project - C:\Program Files (x86)\gdipp\gdipp_svc_64.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 9755 bytes


#6 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 14 August 2010 - 06:39 PM

You will want to print out or copy these instructions to Notepad for offline reference!

Step 1
Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.
Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here
    http://www.eset.com/onlinescan/cac4.php?page=faq
    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.
Step 2
Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
========================================================

RIGHT-click gmer.exe and select Run as Administrator. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
Step 3
Reply with copy of the Eset scan log
and the Gmer log

Edited by Maurice Naggar, 14 August 2010 - 06:41 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 heartsurgeonno1
  • Topic Starter
  • Members
  • 5 posts

Posted 14 August 2010 - 09:13 PM

Hello.

I still get the same error I mentioned in my first post when I click on GMER: "C:\Windows\system32\config\system: The system cannot find the file specified"

Here is the ESET scan log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=90a6d77a0aa7f943a0c0a7db67296d22
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-15 01:55:19
# local_time=2010-08-14 08:55:19 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777213 80 92 538777 17632796 0 0
# compatibility_mode=5893 16776574 100 94 20319531 33377188 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=215687
# found=0
# cleaned=0
# scan_time=3581


#8 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 15 August 2010 - 12:39 PM

The ESET online scan found nothing, which is a very good sign.
We will not run GMER anymore, but where did you put the program? On the Desktop?

Next step
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".
Step 2
Download, save, then RUN as Administrator
the Microsoft® Windows® Malicious Software Removal Tool from the Microsoft Download Center
This link is for the 64-bit version
http://www.microsoft.com/downloads/details...;displaylang=en


After a run of MSRT has finished, you will find the log at C:\WINDOWS\Debug\mrt.log or C:\WINNT\Debug\mrt.log
The file may be opened and viewed with Notepad or similar text editor.


Additional information on the Microsoft® Windows® Malicious Software Removal Tool is here: http://support.microsoft.com/?kbid=890830

If no infections were found, you will see in your log:
Results Summary:
----------------
No infection found.


Step 3
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 4
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • RIGHT-Click on TDSSKiller.exe and select Run as Administrator to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Reply with copy of the MBAM scan log
and the MRT log (if you find it)
and the log from TDSSKILLER
and advise me if you have seen any message about Alureon in the past couple of days.

Edited by Maurice Naggar, 15 August 2010 - 12:52 PM.
added TDSSKILLER

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 heartsurgeonno1
  • Topic Starter
  • Members
  • 5 posts

Posted 15 August 2010 - 06:19 PM

Hi,

I installed Comodo Firewall shortly after discovering the Alureon.CT trojan (before I found this forum), and every day at 9PM Comodo would detect "wareg51.exe" located in the user\appdata\local\temp folder trying to connect to the internet. I blocked the request. Here is a screenshot of the Comodo log:

I looked in that folder but there wasn't a wareg51.exe anywhere.
This is the only suspicious object detected by comodo. Microsoft Security Essentials has not detected anything in the past few days (last Alureon.CT detection was August 6). And the computer is still running as usual.

Anyways, all of the scans you told me to do came up clean. Here are the logs:

mbam-log-2010-08-15 (17-17-30)
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4434

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/15/2010 05:17:30 PM
mbam-log-2010-08-15 (17-17-30).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 338495
Time elapsed: 1 hour(s), 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





mrt.log


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.10, August 2010
Started On Sun Aug 15 16:05:34 2010
->Scan ERROR: resource process://pid:940 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1268 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3340 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:940 (code 0x00000005 (5))

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sun Aug 15 16:08:30 2010


Return code: 0 (0x0)





TDSSKiller log

2010/08/15 17:55:04.0893 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/15 17:55:04.0893 ================================================================================
2010/08/15 17:55:04.0893 SystemInfo:
2010/08/15 17:55:04.0893
2010/08/15 17:55:04.0893 OS Version: 6.1.7600 ServicePack: 0.0
2010/08/15 17:55:04.0893 Product type: Workstation
2010/08/15 17:55:04.0893 ComputerName: TOM-PC
2010/08/15 17:55:04.0894 UserName: Tom
2010/08/15 17:55:04.0894 Windows directory: C:\Windows
2010/08/15 17:55:04.0894 System windows directory: C:\Windows
2010/08/15 17:55:04.0894 Running under WOW64
2010/08/15 17:55:04.0894 Processor architecture: Intel x64
2010/08/15 17:55:04.0894 Number of processors: 2
2010/08/15 17:55:04.0894 Page size: 0x1000
2010/08/15 17:55:04.0894 Boot type: Normal boot
2010/08/15 17:55:04.0894 ================================================================================
2010/08/15 17:55:04.0894 Utility is running under WOW64, functionality is limited.
2010/08/15 17:55:05.0507 Initialize success
2010/08/15 17:55:06.0450 ================================================================================
2010/08/15 17:55:06.0450 Scan started
2010/08/15 17:55:06.0450 Mode: Manual;
2010/08/15 17:55:06.0450 ================================================================================
2010/08/15 17:55:07.0144 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/08/15 17:55:07.0205 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/08/15 17:55:07.0256 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2010/08/15 17:55:07.0312 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2010/08/15 17:55:07.0438 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2010/08/15 17:55:07.0490 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2010/08/15 17:55:07.0553 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2010/08/15 17:55:07.0609 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2010/08/15 17:55:07.0771 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2010/08/15 17:55:07.0832 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2010/08/15 17:55:07.0876 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2010/08/15 17:55:08.0195 amdkmdag (3d07f9c090c7a1d76d624972a5384471) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/08/15 17:55:08.0403 amdkmdap (99ab7e4b24c80155dc4296f657faf3c7) C:\Windows\system32\DRIVERS\atikmpag.sys
2010/08/15 17:55:08.0486 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2010/08/15 17:55:08.0545 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2010/08/15 17:55:08.0685 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2010/08/15 17:55:08.0720 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2010/08/15 17:55:08.0811 ApfiltrService (22fecb5b3de1eb8b1b2761338922f681) C:\Windows\system32\DRIVERS\Apfiltr.sys
2010/08/15 17:55:08.0962 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2010/08/15 17:55:09.0066 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2010/08/15 17:55:09.0100 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2010/08/15 17:55:09.0243 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/08/15 17:55:09.0304 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2010/08/15 17:55:09.0530 atikmdag (3d07f9c090c7a1d76d624972a5384471) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/08/15 17:55:09.0761 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2010/08/15 17:55:09.0860 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2010/08/15 17:55:09.0999 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2010/08/15 17:55:10.0112 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2010/08/15 17:55:10.0163 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2010/08/15 17:55:10.0245 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2010/08/15 17:55:10.0347 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2010/08/15 17:55:10.0464 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2010/08/15 17:55:10.0519 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2010/08/15 17:55:10.0552 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2010/08/15 17:55:10.0585 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2010/08/15 17:55:10.0699 BthEnum (cf98190a94f62e405c8cb255018b2315) C:\Windows\system32\DRIVERS\BthEnum.sys
2010/08/15 17:55:10.0803 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/08/15 17:55:10.0863 BthPan (02dd601b708dd0667e1331fa8518e9ff) C:\Windows\system32\DRIVERS\bthpan.sys
2010/08/15 17:55:10.0988 BTHPORT (a51fa9d0e85d5adabef72e67f386309c) C:\Windows\system32\Drivers\BTHport.sys
2010/08/15 17:55:11.0069 BTHUSB (f740b9a16b2c06700f2130e19986bf3b) C:\Windows\system32\Drivers\BTHUSB.sys
2010/08/15 17:55:11.0135 btusbflt (2641a3fe3d7b0646308f33b67f3b5300) C:\Windows\system32\drivers\btusbflt.sys
2010/08/15 17:55:11.0257 CAXHWAZL (fdb53a8d3bc52dc29884587e768e3388) C:\Windows\system32\DRIVERS\CAXHWAZL.sys
2010/08/15 17:55:11.0346 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/08/15 17:55:11.0410 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2010/08/15 17:55:11.0525 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2010/08/15 17:55:11.0609 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2010/08/15 17:55:11.0816 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/08/15 17:55:11.0929 cmdGuard (82a2bb05e25dc7c4f591ec7cc040f728) C:\Windows\system32\DRIVERS\cmdguard.sys
2010/08/15 17:55:11.0979 cmdHlp (332179e46d2aa3e79fe2fcbca272267f) C:\Windows\system32\DRIVERS\cmdhlp.sys
2010/08/15 17:55:12.0081 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2010/08/15 17:55:12.0133 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2010/08/15 17:55:12.0206 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2010/08/15 17:55:12.0333 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2010/08/15 17:55:12.0480 cpuz132 (c9c25778efe890baa4087e32937016a0) C:\Windows\system32\drivers\cpuz132_x64.sys
2010/08/15 17:55:12.0607 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2010/08/15 17:55:12.0910 DAdderFltr (5bc67f1efb6b1d039b151cf7353ec742) C:\Windows\system32\drivers\dadder.sys
2010/08/15 17:55:13.0058 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2010/08/15 17:55:13.0312 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2010/08/15 17:55:13.0432 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2010/08/15 17:55:13.0575 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2010/08/15 17:55:13.0803 DXGKrnl (ebce0b0924835f635f620d19f0529dce) C:\Windows\System32\drivers\dxgkrnl.sys
2010/08/15 17:55:13.0974 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2010/08/15 17:55:14.0186 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2010/08/15 17:55:14.0266 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2010/08/15 17:55:14.0441 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2010/08/15 17:55:14.0495 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2010/08/15 17:55:14.0576 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2010/08/15 17:55:14.0647 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2010/08/15 17:55:14.0773 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2010/08/15 17:55:14.0833 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/08/15 17:55:14.0891 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2010/08/15 17:55:14.0951 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2010/08/15 17:55:14.0990 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2010/08/15 17:55:15.0116 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
2010/08/15 17:55:15.0185 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2010/08/15 17:55:15.0393 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2010/08/15 17:55:15.0520 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2010/08/15 17:55:15.0661 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
2010/08/15 17:55:15.0726 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/08/15 17:55:15.0787 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2010/08/15 17:55:15.0831 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2010/08/15 17:55:15.0954 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2010/08/15 17:55:16.0036 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
2010/08/15 17:55:16.0122 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
2010/08/15 17:55:16.0296 HSF_DPV (e90d0e3d9715f3bec7db2d6321dddee8) C:\Windows\system32\DRIVERS\CAX_DPV.sys
2010/08/15 17:55:16.0478 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
2010/08/15 17:55:16.0577 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
2010/08/15 17:55:16.0678 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/08/15 17:55:16.0738 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
2010/08/15 17:55:16.0925 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2010/08/15 17:55:17.0056 inspect (08069a7784fc040f343f8767c4e359f9) C:\Windows\system32\DRIVERS\inspect.sys
2010/08/15 17:55:17.0243 IntcAzAudAddService (b16fc828ce7a76a8f1ce682e6ead2627) C:\Windows\system32\drivers\RTKVHD64.sys
2010/08/15 17:55:17.0406 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
2010/08/15 17:55:17.0451 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2010/08/15 17:55:17.0524 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/08/15 17:55:17.0675 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2010/08/15 17:55:17.0723 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2010/08/15 17:55:17.0766 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2010/08/15 17:55:17.0817 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
2010/08/15 17:55:17.0959 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/08/15 17:55:18.0022 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/08/15 17:55:18.0084 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/08/15 17:55:18.0217 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
2010/08/15 17:55:18.0291 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
2010/08/15 17:55:18.0335 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2010/08/15 17:55:18.0573 LHidFilt (b6552d382ff070b4ed34cbd6737277c0) C:\Windows\system32\DRIVERS\LHidFilt.Sys
2010/08/15 17:55:18.0647 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2010/08/15 17:55:18.0864 lmimirr (413ecdcfad9a82804d3674c8d7eec24e) C:\Windows\system32\DRIVERS\lmimirr.sys
2010/08/15 17:55:18.0957 LMIRfsDriver (c57d3faa50e6f395759ffb7c709bd944) C:\Windows\system32\drivers\LMIRfsDriver.sys
2010/08/15 17:55:19.0039 LMouFilt (73c1f563ab73d459dffe682d66476558) C:\Windows\system32\DRIVERS\LMouFilt.Sys
2010/08/15 17:55:19.0179 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2010/08/15 17:55:19.0216 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2010/08/15 17:55:19.0258 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2010/08/15 17:55:19.0289 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2010/08/15 17:55:19.0328 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2010/08/15 17:55:19.0411 LUsbFilt (9d9714e78eac9e5368208649489c920e) C:\Windows\system32\Drivers\LUsbFilt.Sys
2010/08/15 17:55:19.0580 mdmxsdk (e4f44ec214b3e381e1fc844a02926666) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2010/08/15 17:55:19.0640 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2010/08/15 17:55:19.0679 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2010/08/15 17:55:19.0747 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2010/08/15 17:55:19.0856 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2010/08/15 17:55:19.0913 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
2010/08/15 17:55:19.0983 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2010/08/15 17:55:20.0106 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
2010/08/15 17:55:20.0236 MpFilter (988abe9a125174796fdb6f2b93fefbcc) C:\Windows\system32\DRIVERS\MpFilter.sys
2010/08/15 17:55:20.0390 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
2010/08/15 17:55:20.0500 MpNWMon (eed25e860937ae5461dbc463a1524b6e) C:\Windows\system32\DRIVERS\MpNWMon.sys
2010/08/15 17:55:20.0560 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2010/08/15 17:55:20.0718 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2010/08/15 17:55:20.0793 mrxsmb (767a4c3bcf9410c286ced15a2db17108) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/08/15 17:55:20.0844 mrxsmb10 (920ee0ff995fcfdeb08c41605a959e1c) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/08/15 17:55:20.0913 mrxsmb20 (740d7ea9d72c981510a5292cf6adc941) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/08/15 17:55:21.0031 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2010/08/15 17:55:21.0099 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2010/08/15 17:55:21.0185 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2010/08/15 17:55:21.0303 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2010/08/15 17:55:21.0349 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2010/08/15 17:55:21.0433 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2010/08/15 17:55:21.0637 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/08/15 17:55:21.0827 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2010/08/15 17:55:21.0879 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2010/08/15 17:55:22.0016 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/08/15 17:55:22.0073 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2010/08/15 17:55:22.0116 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2010/08/15 17:55:22.0216 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2010/08/15 17:55:22.0408 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2010/08/15 17:55:22.0607 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2010/08/15 17:55:22.0722 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2010/08/15 17:55:22.0789 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/08/15 17:55:22.0843 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/08/15 17:55:22.0895 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/08/15 17:55:22.0997 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2010/08/15 17:55:23.0059 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2010/08/15 17:55:23.0117 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2010/08/15 17:55:23.0397 netw5v64 (705283c02177809ca9fa7cc58a4f1e77) C:\Windows\system32\DRIVERS\netw5v64.sys
2010/08/15 17:55:23.0567 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2010/08/15 17:55:23.0664 NisDrv (96dd56e8324042e5dfdfd04119c129df) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2010/08/15 17:55:23.0842 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2010/08/15 17:55:23.0998 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2010/08/15 17:55:24.0171 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
2010/08/15 17:55:24.0322 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2010/08/15 17:55:24.0425 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
2010/08/15 17:55:24.0453 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
2010/08/15 17:55:24.0496 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2010/08/15 17:55:24.0572 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/08/15 17:55:24.0728 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2010/08/15 17:55:24.0789 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2010/08/15 17:55:24.0880 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2010/08/15 17:55:25.0029 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2010/08/15 17:55:25.0079 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/08/15 17:55:25.0166 pcouffin (af7ce12c4f3dc8cb2b07685c916bbcfe) C:\Windows\system32\Drivers\pcouffin.sys
2010/08/15 17:55:25.0288 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2010/08/15 17:55:25.0358 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2010/08/15 17:55:25.0666 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2010/08/15 17:55:25.0714 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2010/08/15 17:55:25.0809 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2010/08/15 17:55:25.0959 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2010/08/15 17:55:26.0037 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2010/08/15 17:55:26.0099 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2010/08/15 17:55:26.0232 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2010/08/15 17:55:26.0294 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2010/08/15 17:55:26.0426 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/08/15 17:55:26.0579 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/08/15 17:55:26.0615 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2010/08/15 17:55:26.0667 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2010/08/15 17:55:26.0743 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2010/08/15 17:55:26.0857 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/08/15 17:55:26.0904 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2010/08/15 17:55:26.0948 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2010/08/15 17:55:27.0029 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2010/08/15 17:55:27.0146 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2010/08/15 17:55:27.0287 RFCOMM (3dd798846e2c28102b922c56e71b7932) C:\Windows\system32\DRIVERS\rfcomm.sys
2010/08/15 17:55:27.0392 rimsptsk (7eae3999b94a8ce60bfbaa83462b89a1) C:\Windows\system32\DRIVERS\rimssn64.sys
2010/08/15 17:55:27.0447 risdptsk (fa6d7cd63ad08a01d9259f58e0c5c09e) C:\Windows\system32\DRIVERS\risdsn64.sys
2010/08/15 17:55:27.0641 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2010/08/15 17:55:27.0737 RTHDMIAzAudService (7421a35c45484b95e83b5e9e107cefc2) C:\Windows\system32\drivers\RtHDMIVX.sys
2010/08/15 17:55:27.0908 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2010/08/15 17:55:27.0997 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2010/08/15 17:55:28.0108 sdbus (2c8d162efaf73abd36d8bcbb6340cae7) C:\Windows\system32\DRIVERS\sdbus.sys
2010/08/15 17:55:28.0334 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2010/08/15 17:55:28.0509 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2010/08/15 17:55:28.0551 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2010/08/15 17:55:28.0676 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2010/08/15 17:55:28.0788 SFEP (70f9c476b62de4f2823e918a6c181ade) C:\Windows\system32\DRIVERS\SFEP.sys
2010/08/15 17:55:28.0923 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2010/08/15 17:55:28.0982 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2010/08/15 17:55:29.0009 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
2010/08/15 17:55:29.0070 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2010/08/15 17:55:29.0220 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2010/08/15 17:55:29.0285 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2010/08/15 17:55:29.0349 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2010/08/15 17:55:29.0516 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2010/08/15 17:55:29.0678 sptd (602884696850c86434530790b110e8eb) C:\Windows\System32\Drivers\sptd.sys
2010/08/15 17:55:29.0840 srv (43067a65522eaec33d31a12d6fa8e3f4) C:\Windows\system32\DRIVERS\srv.sys
2010/08/15 17:55:29.0914 srv2 (03715cf9c30b563da35fc5f2b8f7b8e0) C:\Windows\system32\DRIVERS\srv2.sys
2010/08/15 17:55:30.0049 SrvHsfHDA (0c4540311e11664b245a263e1154cef8) C:\Windows\system32\DRIVERS\VSTAZL6.SYS
2010/08/15 17:55:30.0130 SrvHsfV92 (02071d207a9858fbe3a48cbfd59c4a04) C:\Windows\system32\DRIVERS\VSTDPV6.SYS
2010/08/15 17:55:30.0325 SrvHsfWinac (18e40c245dbfaf36fd0134a7ef2df396) C:\Windows\system32\DRIVERS\VSTCNXT6.SYS
2010/08/15 17:55:30.0552 srvnet (fbd09635227a8026c0f7790f604343c6) C:\Windows\system32\DRIVERS\srvnet.sys
2010/08/15 17:55:30.0819 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2010/08/15 17:55:30.0927 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2010/08/15 17:55:31.0173 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\drivers\tcpip.sys
2010/08/15 17:55:31.0399 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\DRIVERS\tcpip.sys
2010/08/15 17:55:31.0561 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2010/08/15 17:55:31.0628 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2010/08/15 17:55:31.0669 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2010/08/15 17:55:31.0712 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
2010/08/15 17:55:31.0757 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
2010/08/15 17:55:31.0967 truecrypt (c4238af5aaf167c3e5113f98f5427a0b) C:\Windows\system32\drivers\truecrypt.sys
2010/08/15 17:55:32.0045 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/08/15 17:55:32.0098 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
2010/08/15 17:55:32.0217 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2010/08/15 17:55:32.0295 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
2010/08/15 17:55:32.0369 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
2010/08/15 17:55:32.0491 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
2010/08/15 17:55:32.0569 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2010/08/15 17:55:32.0691 USBAAPL64 (5cf1ead086176dd3348e920a40bed03d) C:\Windows\system32\Drivers\usbaapl64.sys
2010/08/15 17:55:32.0850 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/08/15 17:55:32.0916 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
2010/08/15 17:55:32.0958 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
2010/08/15 17:55:33.0007 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
2010/08/15 17:55:33.0133 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
2010/08/15 17:55:36.0330 ================================================================================
2010/08/15 17:55:36.0330 Scan finished
2010/08/15 17:55:36.0330 ================================================================================


#10 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 16 August 2010 - 06:03 AM

The suspect file had been in your Temp folder. And the warning message has not appeared now for several days.
Keep and use TFC on a regular (daily) basis, either at the start or, preferably, at the end of each day, so that you have deleted all temporary files on a steady basis.
MBAM also did not show any suspect files.
We can wrap this up on the next round.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)



