Internet Explorer is using a proxy server on this computer to connect to the Internet


This topic is locked
44 replies to this topic

#1 dannya98

dannya98

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 29 August 2010 - 11:59 AM

Hello,

"Internet Explorer is using a proxy server on this computer to connect to the Internet." Hitman Pro gives me that message when I do a scan, and is unable to repair the problem. I did all steps suggested at this link, as that person's problem was very similar to mine:

http://www.bleepingcomputer.com/forums/topic335743.html ("internet proxy?"). None of the procedures and suggestions contained at that link have worked.

Also, Symantec's "Norton Power Eraser" reports two problems: m2wshlex.dll (shell extension) and deaddiskdoctor (directory).

I have now done the steps at this link:

http://www.bleepingcomputer.com/forums/topic34773.html ("Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help").

I've pasted the DDS.txt file immediately after this, and attached the Attach.txt and Ark.txt files. Thank you very much for your assistance.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 9:20:49.03 on Sun 08/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.288 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\AntiLogger\AntiLogger.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRAM FILES\COMMON FILES\GRASS VALLEY\PROCODER 3\Kernel\PNXSERVR.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\fpdisp4.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboTaskBarIcon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\zabkat\xplorer2\xplorer2_UC.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\HAS\HAS.exe
C:\Program Files\PeerBlock\peerblock.exe
H:\Firefox Portable 3.6.3\FirefoxPortable\FirefoxPortable.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
H:\Firefox Portable 3.6.3\FirefoxPortable\App\Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/
uInternet Settings,ProxyOverride = local
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: InlineSearchHandleHotKeys Class: {b6ffe2ae-4d12-451f-b457-fe6125ffb1cf} - c:\program files\ieforge\inline search\InlineSearch.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {B9F633F6-EA44-45F4-91EB-FABFC65A0634} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {6AA40521-14E7-4B1D-B1B4-98528C1388C9} - No File
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {CC1DC91A-F90E-4906-B40E-FA1811DE4EFF} - No File
EB: Inline Search: {d0e8345a-ed27-40a5-8114-9385728cce38} - c:\program files\ieforge\inline search\InlineSearch.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AcronisTimounterMonitor] "c:\program files\acronis\trueimagehome\TimounterMonitor.exe"
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [AntiLogger] "c:\program files\antilogger\AntiLogger.exe" /minimized
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [NexusServer] c:\program files\common files\grass valley\procoder 3\kernel\PNXSERVR.exe -SelfLaunch
mRun: [FinePrint Dispatcher v4] c:\windows\system32\spool\drivers\w32x86\3\fpdisp4.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [KeyScrambler] c:\program files\keyscrambler\getting_started.html
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\autoru~1\checkf~1.lnk - c:\program files\jts\WiseUpdt.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\autoru~1\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
uPolicies-explorer: NoPrinters = 0 (0x0)
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoChangeAnimation = 0 (0x0)
IE:
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: SWF Capture tool
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/b/e/5/be592e3e-4442-4588-b01e-8fe3a2e104ac/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1184152914953
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228868313453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257425448234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AutorunsDisabled - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6wex85hi.default\
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6wex85hi.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6wex85hi.default\extensions\{22119944-ed35-4ab1-910b-e619ea06a115}\components\rfproxy_31.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6wex85hi.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6wex85hi.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\program files\google\google updater\2.3.1314.1135\npCIDetect12.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2010-5-21 120168]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-1 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-11-24 219728]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-11-24 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-11-24 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 67656]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-11-25 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-1 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-1 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-26 304464]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-11-24 1282248]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-11-24 3282120]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-1 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-1 40384]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-5-16 45616]
R3 ga302nd5;NETGEAR GA302T Gigabit Adapter;c:\windows\system32\drivers\ga302nd5.sys [2004-2-22 46405]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [2009-7-20 109440]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-4-12 115312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-26 20952]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-6-29 18544]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-4-17 115944]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-7-20 12672]
S3 mbr;mbr;\??\c:\docume~1\admini~1\locals~1\temp\mbr.sys --> c:\docume~1\admini~1\locals~1\temp\mbr.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2f.tmp --> c:\windows\system32\2F.tmp [?]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2009-9-6 38976]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 12872]
S4 Ast Service;Ast Service;c:\windows\system32\AstSrv.exe [2010-8-13 57344]
S4 HDD & SSD access service;HDD & SSD access service;"c:\program files\common files\binarysense\disksvc.exe" --> c:\program files\common files\binarysense\disksvc.exe [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
S4 Nl10serr;Nl10serr; [x]
S4 pcipim;Internet Security Alliance Network Monitor;c:\windows\system32\drivers\pcipim.sys --> c:\windows\system32\drivers\pcipim.sys [?]
S4 QYBQKBRXL;QYBQKBRXL;c:\docume~1\admini~1\locals~1\temp\qybqkbrxl.exe --> c:\docume~1\admini~1\locals~1\temp\QYBQKBRXL.exe [?]
S4 ShieldClientService;Shield Client Service;c:\program files\shield\shieldclnt.exe --> c:\program files\shield\shieldclnt.exe [?]
S4 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-3-27 23552]
S4 tapavpn;Steganos Anonym VPN Adapter;c:\windows\system32\drivers\tapavpn.sys [2007-10-19 24320]
S4 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]
S4 USBAV708;Instant VideoMPX;c:\windows\system32\drivers\USBAV708.SYS [2004-11-14 101120]

=============== Created Last 30 ================

2010-08-29 13:18:21 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-08-27 16:55:06 0 d-----w- C:\microtrends
2010-08-19 19:39:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-16 18:11:37 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-08-15 16:43:25 83456 ----a-w- c:\windows\system32\l3codecx.ax
2010-08-15 16:43:25 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2010-08-15 16:43:25 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-08-13 16:15:21 0 ---ha-w- c:\windows\€AstInfo.dat
2010-08-13 12:12:38 0 d-----w- c:\program files\MetaTrader 4
2010-07-31 11:36:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Heatsoft
2010-07-31 11:35:23 0 d-----w- c:\program files\HAS

==================== Find3M ====================

2010-08-28 00:07:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-22 15:04:32 86016 ----a-w- c:\windows\system32\NtDirect.dll
2010-06-28 20:57:33 38848 ----a-w- c:\windows\avastSS.scr
2010-06-24 02:04:23 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-14 14:30:28 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
1998-08-24 17:09:10 10000 ----a-w- c:\windows\inf\unregpn.exe
2008-04-12 20:40:06 108 --sha-r- c:\windows\neoqaz2.dll
2006-06-14 21:00:48 5224 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:26:37.65 ===============


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:20 AM

Posted 04 September 2010 - 06:26 AM

Hello dannya98, my name is Syler and I will be helping you to solve your malware issues. Sorry for the delay in replying, we are very busy at the moment.

Please note that because we are very busy, if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Then please post back here with the following logs:
  • MBAM log
  • OTL.txt
  • Extra.txt

Thanks



#3 dannya98

dannya98
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 04 September 2010 - 02:32 PM

Thanks for your response, Syler.

I followed your instructions carefully. Attached are:

1. MBAM log
2. OTL.txt
3. Extras.txt

Awaiting further instructions,

Regards,

Danny


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:20 AM

Posted 04 September 2010 - 04:43 PM

Hi Danny,

When replying with the logs, please copy and paste them into the topic rather than attaching them, thanks.


Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case µTorrent). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.



Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check all of the boxes. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    SRV - File not found [Disabled | Stopped] -- C:\Program Files\Shield\shieldclnt.exe -- (ShieldClientService)
    SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QYBQKBRXL.exe -- (QYBQKBRXL)
    SRV - File not found [Disabled | Stopped] --  -- (Nl10serr)
    SRV - File not found [Disabled | Stopped] -- C:\Program Files\Common Files\BinarySense\disksvc.exe -- (HDD & SSD access service)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\TMPassthru.sys -- (TMPassthruMP)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\pcipim.sys -- (pcipim)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\2F.tmp -- (MEMSWEEP2)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys -- (mbr)
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
    O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
    O3 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O3 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
    O3 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\..\Toolbar\WebBrowser: (no name) - {6AA40521-14E7-4B1D-B1B4-98528C1388C9} - No CLSID value found.
    O3 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\..\Toolbar\WebBrowser: (no name) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck]  File not found
    O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
    O4 - HKLM..\RunOnceEx: [Title]  File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
    O18 - Protocol\Handler\ic32pp {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
    [2005/09/06 18:40:00 | 000,000,059 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
    [2005/09/06 18:40:00 | 000,000,020 | -H-- | C] () -- C:\WINDOWS\akebook.ini
    [2005/09/06 18:40:00 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\a3kebook.ini
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4FA0E532
    @Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:39413AC3
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:84098FD3
    @Alternate Data Stream - 108 bytes -> C:\WINDOWS:
    :Commands
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan by clicking Run Scan and post the new OTL log.


Then please post back here with the following logs:
  • RKUnHooker report
  • OTL results
  • New OTL log

Thanks
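The OTL fix in this post removes a "ProxyServer" value of 127.0.0.1:8080 from two hives the logged-on user never sees in Internet Options: HKU\.DEFAULT (the default profile used at the logon screen and by some services) and HKU\S-1-5-18 (the LocalSystem account). WinINET proxy settings are stored per user hive, so a scanner that walks all of HKEY_USERS, as Hitman Pro evidently did, can flag a proxy that per-user cleanup steps leave untouched. The "ProxyOverride = local" entry in the DDS log above, by contrast, is only the bypass list and is harmless on its own. The following PowerShell script is an added example for this thread, not code from the original post or from OTL, Hitman Pro or any other tool named here; it enumerates every hive currently loaded under HKEY_USERS, reports ProxyEnable, ProxyServer, ProxyOverride and AutoConfigURL, flags proxies that point at the local machine, and clears them only when run with -Remove. The file name Find-HiveProxy.ps1 is assumed, and it expects an elevated prompt with PowerShell 2.0 or later.

```powershell
# Find-HiveProxy.ps1 (added example, not from the thread): audit WinINET proxy
# settings in every loaded user hive, including HKU\.DEFAULT and S-1-5-18,
# which the logged-on user's Internet Options dialog does not show.
# Run elevated. Use -Remove to clear the values that are found.
param(
    [switch]$Remove
)

# HKEY_USERS has no default PSDrive; map one so the hives can be enumerated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$subkey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$names    = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'
$findings = @()

foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    # *_Classes hives hold file associations only, never Internet Settings.
    if ($hive.PSChildName -like '*_Classes') { continue }

    $path = "HKU:\$($hive.PSChildName)\$subkey"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
    foreach ($name in $names) {
        $value = $props.$name
        # Skip absent values, empty strings and ProxyEnable = 0 (proxy off).
        if ($null -eq $value -or $value -eq '') { continue }
        if ($name -eq 'ProxyEnable' -and $value -eq 0) { continue }

        # A proxy on the local machine is the pattern in this thread
        # (127.0.0.1:8080). It is not proof of malware by itself: some
        # security products and debugging proxies also listen on loopback,
        # so confirm what owns the port before removing the value.
        $loopback = ($name -eq 'ProxyServer') -and
                    ($value -match '(^|=)(127\.0\.0\.1|localhost)(:|;|$)')

        $findings += New-Object PSObject -Property @{
            Hive     = $hive.PSChildName
            Name     = $name
            Value    = $value
            Loopback = $loopback
        }

        if ($Remove) {
            if ($name -eq 'ProxyEnable') {
                Set-ItemProperty -LiteralPath $path -Name $name -Value 0 -Type DWord
            } else {
                Remove-ItemProperty -LiteralPath $path -Name $name
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No proxy configuration found in any loaded user hive.'
} else {
    $findings | Sort-Object Hive, Name |
        Format-Table Hive, Name, Value, Loopback -AutoSize
}
```

Run it once without -Remove to see which hives carry a proxy and whether it points at loopback, then with -Remove once you are satisfied the value is not owned by a legitimate local proxy. Only hives that are currently loaded appear under HKEY_USERS; the NTUSER.DAT of an account that is not logged on has to be loaded with "reg load" before it can be inspected this way.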



#5 dannya98

dannya98
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 05 September 2010 - 07:16 AM

Hi Syler,

I had a rather severe problem running Rootkit Unhooker (RKUnhookerLE.exe).

The first time I ran it, it got all the way through to the tab called "Files" and was enumerating the files on my C drive. I noticed in the bottom left-hand corner of Rootkit Unhooker the "Hidden/Blocked Files: 0/0" had counted up to about 16,000 files and no blocked files were listed. Then, while still in this section, the program crashed with the following message from my system:

The instruction at "0.00401925" referenced memory at "0x0000000." The memory could not be "written". Click on OK to terminate the program. Click on Cancel to debug the program.

I then rebooted my machine (not sure if that was necessary), and tried again. Again, the program crashed at the same point (while looking for hidden/blocked files on my C Drive). I then tried to run Rootkit Unhooker in safe mode, and discovered it does not run in safe mode. On my last attempt, before running Rootkit Unhooker again, I disconnected my computer from the Network and shut down Online Armor (firewall), Zemana anti-keylogger, Malwarebytes, and stopped the 7 running services that comprise Avast. AGAIN Rootkit Unhooker crashed at the same point, so obviously I was unable to complete the run.

As that was unsuccessful, I did not complete the other instructions (another OTL run with new Custom/Scan fixes).

Please advise as to how I should proceed.

Thanks again,

Danny

Edited by dannya98, 05 September 2010 - 07:18 AM.


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 05 September 2010 - 07:21 AM

Please go ahead and run the OTL instructions, then try running the following scanner instead.

  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with GMER's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Click on Scan and wait for the scan to finish.
  8. If you see a rootkit warning window, click OK.
  9. Push Save... and save the logfile to your desktop.
  10. Copy and Paste the contents of that file in your next post.



#7 dannya98

dannya98
  • Topic Starter

  • Members
  • 26 posts

Posted 05 September 2010 - 02:45 PM

When I ran OTL with the custom instructions, the following happened:

Almost immediately after starting the OTL process, MBAM reported the MBAM Service terminated unexpectedly. OTL stated "Killing processes - do not interrupt." After 15 minutes or so I could see there was no progress, so I called up Task Manager which said OTL was non-responsive. I tried to reboot my computer but couldn't, so I did a hard reboot. After reboot the Event Viewer reported that in addition to the unexpected termination of the MBAM service, Diskeeper, Java Quick Starter, Acronis Schedule 2 and a-squared free services all terminated unexpectedly.

Even though you did not instruct me to do so, I ran OTL without the custom instructions after reboot, and have the log available if you wish to see it.

Meanwhile, I ran Gmer, per your instructions, and it ran uneventfully (although it took nearly 4 hours to complete). Here is the result of the Gmer log, and I await further instructions from you. Thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-05 15:28:42
Windows 5.1.2600 Service Pack 2
Running: GMER.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwliqaoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xBA587F70]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xBA588730]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xBA4DECD2]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xBA5865E0]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwCreateFile [0xBA4B6EF6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xBA4DEB8E]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xBA586290]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xBA582E80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xBA583270]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xBA582940]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwCreateThread [0xBA4B66FC]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xBA585450]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwDeleteKey [0xBA4B6CE4]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwDeleteValueKey [0xBA4B6BB6]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwDeviceIoControlFile [0xBA4B7384]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xBA4DE764]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwLoadDriver [0xBA4B6532]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwMapViewOfSection [0xBA4B62D4]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwOpenFile [0xBA4B71DC]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwOpenKey [0xBA4B6EB0]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwOpenProcess [0xBA4B681E]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwOpenSection [0xBA4B6984]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwOpenThread [0xBA4B68CE]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwProtectVirtualMemory [0xBA4B7372]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryDirectoryFile [0xBA587B00]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xBA4DED88]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwQueueApcThread [0xBA4B67AC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xBA4DF210]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xBA5871E0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xBA4DED48]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xBA585BB0]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwSecureConnectPort [0xBA4B730A]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwSetContextThread [0xBA4B6266]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwSetSystemInformation [0xBA4B668E]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwSetValueKey [0xBA4B6DB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xBA587560]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xBA585D90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xBA5859B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xBA5857E0]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwTerminateProcess [0xBA4B6A9C]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xBA585000]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xBA5878C0]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB7AF66D0]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver (stand-alone)/Zemana Ltd.) ZwWriteVirtualMemory [0xBA4B6198]

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA76B16D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA76AFC2

Code 866CFCEC ZwRequestPort
Code 866CFC4C ZwTraceEvent
Code 866CFCEB NtRequestPort
Code 866CFC4B NtTraceEvent
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + C8 804E2734 2 Bytes [E0, 65] {LOOPNZ 0x67}
.text ntoskrnl.exe!_abnormal_termination + CB 804E2737 1 Byte [BA]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 10 Bytes [90, 62, 58, BA, 80, 2E, 58, ...]
.text ntoskrnl.exe!_abnormal_termination + 10F 804E277B 1 Byte [BA]
.text ntoskrnl.exe!_abnormal_termination + 1FD 804E2869 3 Bytes [62, 4B, BA] {BOUND ECX, [EBX-0x46]}
.text ...
.text ntoskrnl.exe!NtTraceEvent 80545018 5 Bytes JMP 866CFC50
PAGE ntoskrnl.exe!ObInsertObject 80564423 5 Bytes JMP BA4E8F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtRequestPort 80589CA0 5 Bytes JMP 866CFCF0
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A29A4 5 Bytes JMP BA4E75B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
init C:\WINDOWS\System32\Drivers\kbdcap.SYS entry point in "init" section [0xF60635B0]
.text win32k.sys!EngUnmapFontFileFD + EE41 BF841183 5 Bytes JMP 866CF6B0
.text win32k.sys!FONTOBJ_pxoGetXform + DE42 BF85AD4E 5 Bytes JMP 866CFA70
.text win32k.sys!EngCreateClip + 19C1 BF913245 5 Bytes JMP 866CFB10
.text win32k.sys!EngCreateClip + 1F51 BF9137D5 5 Bytes JMP 866CFBB0
.text C:\WINDOWS\System32\drivers\hardlock.sys section is writeable [0xB7C81400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB7D23420] C:\WINDOWS\System32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB7D23420]
.protect˙˙˙˙hardlockunknown last code section [0xB7D23200, 0x5049, 0xE0000020] C:\WINDOWS\System32\drivers\hardlock.sys unknown last code section [0xB7D23200, 0x5049, 0xE0000020]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[372] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\System32\locator.exe[664] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\a-squared Free\a2service.exe[704] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\a-squared Free\a2service.exe[704] kernel32.dll!CreateThread + 1A 7C810661 4 Bytes CALL 00454E05 C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[784] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\System32\alg.exe[880] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\Sandboxie\SbieSvc.exe[936] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\csrss.exe[972] KERNEL32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\winlogon.exe[996] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text ...
.text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\fpdisp4.exe[1388] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 008E0001
.text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\fpdisp4.exe[1388] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\fpdisp4.exe[1388] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\fpdisp4.exe[1388] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\fpdisp4.exe[1388] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\PROGRAM FILES\COMMON FILES\GRASS VALLEY\PROCODER 3\Kernel\PNXSERVR.exe[1412] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F10001
.text C:\PROGRAM FILES\COMMON FILES\GRASS VALLEY\PROCODER 3\Kernel\PNXSERVR.exe[1412] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRAM FILES\COMMON FILES\GRASS VALLEY\PROCODER 3\Kernel\PNXSERVR.exe[1412] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRAM FILES\COMMON FILES\GRASS VALLEY\PROCODER 3\Kernel\PNXSERVR.exe[1412] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\PROGRAM FILES\COMMON FILES\GRASS VALLEY\PROCODER 3\Kernel\PNXSERVR.exe[1412] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\Program Files\Tall Emu\Online Armor\OAcat.exe[1652] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text ...
.text C:\WINDOWS\Explorer.EXE[2428] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00E80001
.text C:\WINDOWS\Explorer.EXE[2428] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[2428] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[2428] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\Explorer.EXE[2428] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[2428] iphlpapi.dll!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\wscntfy.exe[2852] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AF0001
.text C:\WINDOWS\system32\wscntfy.exe[2852] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2852] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2852] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\wscntfy.exe[2852] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[3304] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 008F0001
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[3304] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[3304] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[3304] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[3304] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[3356] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00DB0001
.text C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[3356] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[3356] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[3356] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[3356] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3408] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 009E0001
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3408] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3408] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3408] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3408] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\rundll32.exe[3672] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00CF0001
.text C:\WINDOWS\system32\rundll32.exe[3672] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\rundll32.exe[3672] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\rundll32.exe[3672] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\rundll32.exe[3672] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7712300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7712360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7712610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7712650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7712610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7712360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7712300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7712300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7712360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F7712650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F7712610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1044] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[1044] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)
Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 kbdcap.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 kbdcap.SYS

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xA0 0xE1 0xBC 0x07 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{115D7CE6-D245-06FA-A878-5EEB3F079CBF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{115D7CE6-D245-06FA-A878-5EEB3F079CBF}@abnpnkmmjijbeebeoalmelmbmhbiaomggh 0x69 0x61 0x63 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{115D7CE6-D245-06FA-A878-5EEB3F079CBF}@maeaikkhphglfokbfdenlpaghg 0x6F 0x61 0x6A 0x6E ...

---- EOF - GMER 1.0.15 ----


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 05 September 2010 - 03:05 PM

I suspect that the scans are taking a while and some are locking up because of all the protection software you have installed. Could you try running the OTL script again, but first make sure you disable any protection software you have; you can find some instructions here on how to disable them. Also, sometimes OTL may appear to have frozen and Windows will tell you it's not responding, but that isn't always the case, so please make sure you leave it to run for a while before deciding to stop it.



#9 dannya98

dannya98
  • Topic Starter

  • Members
  • 26 posts

Posted 05 September 2010 - 03:37 PM

Before running OTL with the custom script, I did as you suggested and disconnected from the Net, exited MBAM, Zemana, and Online Armor, turned off the 7 Avast shields, and also shut off the Java Quick Starter, a-squared Free, Diskeeper, and Acronis Schedule 2 services beforehand. This time OTL with the custom script ran very quickly, and gave a success message (within about 10 seconds). Upon reboot, everything was fine except Online Armor said "C:\Documents and Settings\Administrator\Desktop\OTL.exe -- Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them." Does that mean OTL wasn't able to complete its script? Meanwhile, Hitman Pro still reports that Internet Explorer's using a proxy server.

As far as the extreme time it took for Gmer, it's because the scan included all files, and I have a very large number of programs installed, some of which are quite huge (Visual Studio, for example, which takes nearly a half-hour to scan by itself). In lieu of Gmer, due to the length of the scan, can I try Rootkit Unhooker again? I'll be sure to turn off the myriad of protection services before I use it and am confident it'll work this time.

In any case, you're calling the shots, so I'll await further instructions. Thanks again.
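Hitman Pro's "proxy server" warning refers to the per-user WinINET proxy settings in the registry, and because every account that has logged on (plus the SYSTEM account's hive) keeps its own copy of that key, a fix applied to one hive can leave the flagged value sitting in another. The PowerShell check below is an added example, not something posted in this thread; it assumes an elevated prompt and lists the proxy-related values for every user hive currently loaded under HKEY_USERS so you can see which hive still carries a proxy or PAC setting.

```powershell
# Added example (not from the thread): report the Internet Explorer / WinINET
# proxy settings stored in every loaded user hive under HKEY_USERS.
# Assumes an elevated PowerShell prompt so all hives are readable.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# HKEY_USERS is not mapped as a PowerShell drive by default; register it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-HiveProxySettings {
    # Walk each hive (.DEFAULT, S-1-5-18, S-1-5-21-... etc.) and read the values
    # that control proxying: an explicit proxy, a PAC URL, and the bypass list.
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $hive = $_.PSChildName
            $path = "HKU:\$hive\$subKey"
            $v = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($null -ne $v) {
                [pscustomobject]@{
                    Hive          = $hive
                    ProxyEnable   = $v.ProxyEnable     # 1 = explicit proxy in use
                    ProxyServer   = $v.ProxyServer     # host:port, or per-protocol list
                    AutoConfigURL = $v.AutoConfigURL   # PAC script: another redirection path
                    ProxyOverride = $v.ProxyOverride   # bypass list (<local> is normal)
                }
            }
        }
}

# Show only hives where some proxying is actually configured.
Get-HiveProxySettings |
    Where-Object { $_.ProxyEnable -eq 1 -or $_.ProxyServer -or $_.AutoConfigURL } |
    Format-Table -AutoSize
```

A hive that still shows ProxyEnable = 1, a ProxyServer value, or an AutoConfigURL after a cleanup is the one the scanner is complaining about; a blank result means no loaded hive has a proxy configured.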

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 05 September 2010 - 03:47 PM

I could be wrong but I don't think a rootkit is involved here, so you can leave Rootkit Unhooker for now. Is the proxy server message the only problem you are having, or is there anything else?

Please run OTL again as you did here, then post back with the new log, thanks.



#11 dannya98

dannya98
  • Topic Starter

  • Members
  • 26 posts

Posted 06 September 2010 - 07:29 AM

Syler,

When I went to run OTL again as you asked, the first thing that happened when I clicked on the executable was that the log from yesterday's OTL run, the one that included the big custom script, appeared. I don't know why I didn't see that log yesterday when it finished (that was the run that finished very quickly). In any case, here is the log from yesterday's OTL custom script run, which appears to contain some information that looks valuable. As soon as I post this log information from yesterday, I will do another OTL run per your last request of yesterday and post that log.

All processes killed
Error: Unable to interpret <CODE> in the current context!
========== OTL ==========
Service ShieldClientService stopped successfully!
Service ShieldClientService deleted successfully!
File C:\Program Files\Shield\shieldclnt.exe not found.
Service QYBQKBRXL stopped successfully!
Service QYBQKBRXL deleted successfully!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QYBQKBRXL.exe not found.
Service Nl10serr stopped successfully!
Service Nl10serr deleted successfully!
Service HDD & SSD access service stopped successfully!
Service HDD & SSD access service deleted successfully!
File C:\Program Files\Common Files\BinarySense\disksvc.exe not found.
Service TMPassthruMP stopped successfully!
Service TMPassthruMP deleted successfully!
File C:\WINDOWS\System32\DRIVERS\TMPassthru.sys not found.
Service pcipim stopped successfully!
Service pcipim deleted successfully!
File C:\WINDOWS\System32\DRIVERS\pcipim.sys not found.
Service MEMSWEEP2 stopped successfully!
Service MEMSWEEP2 deleted successfully!
File C:\WINDOWS\System32\2F.tmp not found.
Service mbr stopped successfully!
Service mbr deleted successfully!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys not found.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_USERS\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_USERS\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{6AA40521-14E7-4B1D-B1B4-98528C1388C9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6AA40521-14E7-4B1D-B1B4-98528C1388C9}\ not found.
Registry value HKEY_USERS\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{71576546-354D-41C9-AAE8-31F2EC22BF0D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\Flags deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\Title deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control Microsoft XML Parser for Java Reg Error: Value error.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
C:\WINDOWS\wc98pp.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ic32pp\ deleted successfully.
Invalid CLSID key: C:\WINDOWS\wc98pp.dll
File C:\WINDOWS\wc98pp.dll not found.
C:\WINDOWS\ANS2000.INI moved successfully.
C:\WINDOWS\akebook.ini moved successfully.
C:\WINDOWS\a3kebook.ini moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:39413AC3 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:84098FD3 deleted successfully.
Unable to delete ADS C:\WINDOWS: .
File ptytemp] not found.
File ptyflash] not found.

OTL by OldTimer - Version 3.2.11.0 log created on 09052010_161632

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 06 September 2010 - 07:52 AM

It looks like the OTL script didn't copy correctly. Can you run this new script please, and when you have copied it into OTL, make sure that it shows exactly what you copied. You also don't need to copy the word CODE, just what is inside the code box.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    @Alternate Data Stream - 108 bytes -> C:\WINDOWS:
    :Commands
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan by clicking Run Scan and post the new OTL log.



#13 dannya98

dannya98
  • Topic Starter
  • Members
  • 26 posts

Posted 06 September 2010 - 08:50 AM

OTL log after reboot for the run requested in your post immediately above; the new OTL run you requested is in progress now, and I will post the results very shortly.

All processes killed
========== OTL ==========
Unable to delete ADS C:\WINDOWS: .
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 185124 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 38623297 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes

User: NetworkService
->Temp folder emptied: 408130 bytes
->FireFox cache emptied: 2505107 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1551132 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 41.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.11.0 log created on 09062010_092409

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


#14 dannya98

dannya98
  • Topic Starter
  • Members
  • 26 posts

Posted 06 September 2010 - 09:24 AM

Most recent OTL report:

OTL logfile created on: 9/6/2010 9:32:01 AM - Run 4
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 339.00 Mb Available Physical Memory | 33.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 4095 4095 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 12.12 Gb Free Space | 32.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 149.05 Gb Total Space | 68.59 Gb Free Space | 46.02% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1397.26 Gb Total Space | 134.74 Gb Free Space | 9.64% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 33.87 Gb Total Space | 27.63 Gb Free Space | 81.56% Space Free | Partition Type: NTFS
Drive K: | 33.91 Gb Total Space | 29.17 Gb Free Space | 86.02% Space Free | Partition Type: NTFS
Drive T: | 436.47 Gb Total Space | 115.04 Gb Free Space | 26.36% Space Free | Partition Type: NTFS

Computer Name: DELL2400-2
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/04 14:28:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/06/28 16:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/06/09 22:02:44 | 001,843,312 | ---- | M] (PeerBlock, LLC) -- C:\Program Files\PeerBlock\peerblock.exe
PRC - [2010/05/21 07:31:15 | 002,387,304 | ---- | M] (Zemana Ltd.) -- C:\Program Files\AntiLogger\AntiLogger.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/04/25 12:36:06 | 001,872,320 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2010/04/17 06:56:10 | 000,020,200 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
PRC - [2010/04/17 06:56:08 | 000,394,984 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieCtrl.exe
PRC - [2010/04/17 06:56:08 | 000,022,248 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SandboxieRpcSs.exe
PRC - [2010/04/17 06:56:06 | 000,073,960 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe
PRC - [2010/04/02 16:57:28 | 000,144,920 | ---- | M] (PortableApps.com) -- H:\Firefox Portable 3.6.3\FirefoxPortable\FirefoxPortable.exe
PRC - [2010/04/01 13:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- H:\Firefox Portable 3.6.3\FirefoxPortable\App\Firefox\firefox.exe
PRC - [2009/12/24 08:55:22 | 001,732,960 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2009/11/04 06:39:32 | 006,615,752 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oaui.exe
PRC - [2009/11/04 06:39:32 | 003,282,120 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oasrv.exe
PRC - [2009/11/04 06:39:32 | 003,037,896 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oahlp.exe
PRC - [2009/11/04 06:39:32 | 001,282,248 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oacat.exe
PRC - [2009/09/25 18:36:05 | 000,160,592 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2009/08/22 18:45:07 | 000,819,712 | ---- | M] (ZabKat) -- C:\Program Files\zabkat\xplorer2\xplorer2_UC.exe
PRC - [2008/08/05 10:35:22 | 000,520,192 | ---- | M] () -- C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/09 21:50:00 | 001,945,960 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2007/02/09 21:39:16 | 000,149,024 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/02/09 21:39:08 | 000,407,072 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/02/09 21:33:32 | 001,165,680 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2002/10/30 17:47:02 | 000,364,544 | ---- | M] (FinePrint Software, LLC) -- C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\fpdisp4.exe


========== Modules (SafeList) ==========

MOD - [2010/09/04 14:28:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2009/11/04 06:39:32 | 000,941,256 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oawatch.dll
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/04 03:56:46 | 000,053,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\winsta.dll
MOD - [2004/08/04 03:56:46 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\wsock32.dll
MOD - [2004/08/04 03:56:46 | 000,018,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\wtsapi32.dll
MOD - [2004/08/04 02:01:17 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/09/04 21:33:46 | 000,006,656 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\4758DABE.exe -- (4758DABE)
SRV - [2010/09/04 20:32:25 | 000,006,656 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\ED6EFD7E.exe -- (ED6EFD7E)
SRV - [2010/09/04 19:58:45 | 000,006,656 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\F1EB8C4C.exe -- (F1EB8C4C)
SRV - [2010/09/04 18:57:55 | 000,006,656 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\905E8698.exe -- (905E8698)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/04/25 12:36:06 | 001,872,320 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2010/04/17 06:56:06 | 000,073,960 | ---- | M] (tzuk) [Auto | Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2010/03/29 08:53:22 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/01/26 14:46:16 | 001,033,480 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe -- (PDEngine)
SRV - [2010/01/26 14:46:14 | 000,939,272 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe -- (PDAgent)
SRV - [2009/12/24 08:55:22 | 001,732,960 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2009/11/04 06:39:32 | 003,282,120 | ---- | M] (Tall Emu) [Auto | Running] -- C:\Program Files\Tall Emu\Online Armor\oasrv.exe -- (SvcOnlineArmor)
SRV - [2009/11/04 06:39:32 | 001,282,248 | ---- | M] (Tall Emu) [Auto | Running] -- C:\Program Files\Tall Emu\Online Armor\OAcat.exe -- (OAcat)
SRV - [2008/01/07 11:04:10 | 000,057,344 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\System32\\AstSrv.exe -- (Ast Service)
SRV - [2007/11/14 21:46:00 | 000,131,072 | ---- | M] (Brio) [On_Demand | Stopped] -- C:\Program Files\FolderSize\FolderSizeSvc.exe -- (FolderSize)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/02/09 21:39:08 | 000,407,072 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2006/12/02 06:17:54 | 002,805,000 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2005/10/14 13:02:02 | 000,670,208 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2002/05/03 12:29:42 | 001,118,208 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\NMSSvc.Exe -- (NMSSvc) Intel®
SRV - [2001/09/10 19:08:50 | 000,032,256 | ---- | M] (C-Dilla Ltd) [Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\CDANTSRV.EXE -- (C-DillaSrv)


========== Driver Services (SafeList) ==========

DRV - [2010/06/28 16:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 16:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 16:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 16:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 16:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 16:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/06/23 07:23:55 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/06/09 22:02:40 | 000,018,544 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2010/05/21 07:31:17 | 000,120,168 | ---- | M] (Zemana Ltd.) [Kernel | System | Running] -- C:\Program Files\AntiLogger\AntiLog32.sys -- (AntiLog32)
DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys -- (MBAMProtector)
DRV - [2010/04/17 06:56:02 | 000,115,944 | ---- | M] (tzuk) [Kernel | On_Demand | Running] -- C:\Program Files\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV - [2010/03/05 14:27:56 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/03/05 14:27:56 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/10 14:48:40 | 000,045,616 | ---- | M] (Diskeeper Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DKRtWrt.sys -- (DKRtWrt)
DRV - [2009/11/23 09:10:58 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\pssdk42.sys -- (PSSDK42)
DRV - [2009/11/04 06:05:22 | 000,024,656 | ---- | M] (Tall Emu) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OAmon.sys -- (OAmon)
DRV - [2009/11/04 06:05:08 | 000,029,776 | ---- | M] (Tall Emu Pty Ltd) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OAnet.sys -- (OAnet)
DRV - [2009/11/04 06:05:02 | 000,219,728 | ---- | M] (Tall Emu) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OADriver.sys -- (OADevice)
DRV - [2009/10/04 17:33:14 | 000,115,312 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\keyscrambler.sys -- (KeyScrambler)
DRV - [2009/08/20 12:11:30 | 000,073,232 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\DefragFs.sys -- (DefragFS)
DRV - [2009/07/20 13:35:04 | 000,109,440 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\KbdCap.sys -- (kbdcap)
DRV - [2009/03/27 01:16:28 | 000,012,672 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\cpuz132_x32.sys -- (cpuz132)
DRV - [2009/02/24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mcdbus.sys -- (mcdbus)
DRV - [2009/01/25 09:11:37 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys -- (tmcomm)
DRV - [2008/12/18 23:43:54 | 000,079,248 | ---- | M] (Logitech, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LMouKE.Sys -- (LMouKE)
DRV - [2008/12/18 23:43:12 | 000,063,248 | ---- | M] (Logitech, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\L8042mou.Sys -- (L8042mou)
DRV - [2008/12/18 23:43:06 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/10/19 04:50:50 | 000,024,320 | ---- | M] (Steganos GmbH) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\tapavpn.sys -- (tapavpn)
DRV - [2007/07/30 08:29:37 | 000,070,001 | ---- | M] (GMER) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys -- (gmer)
DRV - [2007/03/04 14:41:15 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\timntr.sys -- (timounter)
DRV - [2007/03/04 14:41:15 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys -- (tifsfilter)
DRV - [2007/03/04 14:40:53 | 000,114,048 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\snapman.sys -- (snapman)
DRV - [2007/01/26 12:55:32 | 000,017,328 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2007/01/26 12:55:26 | 000,012,464 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiRemFil.sys -- (SiRemFil)
DRV - [2007/01/26 12:55:08 | 000,069,168 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SI3112.sys -- (SI3112)
DRV - [2006/03/27 11:03:42 | 000,023,552 | ---- | M] (The OpenVPN Project) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\tap0801.sys -- (tap0801)
DRV - [2005/10/14 13:01:56 | 000,029,440 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\InCDPass.sys -- (InCDPass)
DRV - [2005/10/14 13:00:36 | 000,101,760 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\InCDfs.sys -- (InCDfs)
DRV - [2005/10/14 13:00:26 | 000,022,016 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\InCDRm.sys -- (incdrm)
DRV - [2005/07/28 09:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\hardlock.sys -- (hardlock)
DRV - [2005/02/15 22:34:20 | 000,857,088 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/04 02:10:10 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\61883.sys -- (61883)
DRV - [2004/08/04 02:10:10 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\avc.sys -- (Avc)
DRV - [2004/08/04 02:09:58 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\msdv.sys -- (MSDV)
DRV - [2004/08/04 02:07:55 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/04 02:07:42 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 02:07:42 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/04 01:59:50 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nmnt.sys -- (nm)
DRV - [2004/08/04 01:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2004/07/06 22:35:42 | 000,101,120 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\USBAV708.SYS -- (USBAV708)
DRV - [2003/11/25 18:51:04 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Haspnt.sys -- (Haspnt)
DRV - [2003/09/26 03:53:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys -- (pfc)
DRV - [2003/09/19 19:23:40 | 000,045,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\VMNetSrv.sys -- (VPCNetS2)
DRV - [2002/10/15 00:00:00 | 000,101,431 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\IdeChnDr.sys -- (IdeChnDr) Intel®
DRV - [2002/10/15 00:00:00 | 000,013,891 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\IdeBusDr.sys -- (IdeBusDr)
DRV - [2002/08/14 15:03:36 | 000,017,005 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/01/24 22:40:52 | 000,046,405 | R--- | M] (NETGEAR Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ga302nd5.sys -- (ga302nd5)
DRV - [2001/09/10 19:09:46 | 000,057,392 | ---- | M] (Macrovision) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\CDANT.SYS -- (C-Dilla)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:58:00 | 000,019,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hidbatt.sys -- (HidBatt)
DRV - [2001/08/17 14:52:24 | 000,038,144 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\hpt3xx.sys -- (hpt3xx)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 13:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4.SYS -- (nv4)
DRV - [2001/08/17 13:48:52 | 000,281,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mpaa.sys -- (ati2mpaa)
DRV - [2001/08/17 13:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\AC97INTC.SYS -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
IE - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local


========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.87
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: keyscrambler@qfx.software.corporation:2.6.0.0
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.99
FF - prefs.js..extensions.enabledItems: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}:1.0.1
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.47.4
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
FF - prefs.js..extensions.enabledItems: {902D2C4A-457A-4EF9-AD43-7014562929FF}:0.4.5
FF - prefs.js..extensions.enabledItems: cookiekiller@joseph.moran:1.0.7
FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.91.20100528
FF - prefs.js..extensions.enabledItems: {00084897-021a-4361-8423-083407a033e0}:1.4
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.2
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: {4BBDD651-70CF-4821-84F8-2B918CF89CA3}:6.3.3.2
FF - prefs.js..extensions.enabledItems: {0b457cAA-602d-484a-8fe7-c1d894a011ba}:0.81
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.13
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: IncredibleBookmarks@visibotech.com:0.7.3
FF - prefs.js..extensions.enabledItems: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}:6.0.4
FF - prefs.js..extensions.enabledItems: {1ced4832-f06e-413f-aa14-9eb63ad40ace}:1.0.2
FF - prefs.js..extensions.enabledItems: oldAddBookmarkBehavior@alice:2.0
FF - prefs.js..extensions.enabledItems: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.0.9
FF - prefs.js..extensions.enabledItems: sortplaces@andyhalford.com:1.6.7
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.3

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/01 12:23:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/03 16:35:27 | 000,000,000 | ---D | M]

[2010/04/12 14:34:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/05/14 13:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\prism@developer.mozilla.org
[2010/06/19 15:30:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions
[2010/04/21 13:24:15 | 000,000,000 | ---D | M] (CS Lite) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{00084897-021a-4361-8423-083407a033e0}
[2010/04/21 13:24:11 | 000,000,000 | ---D | M] (FireShot) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2010/04/21 13:24:17 | 000,000,000 | ---D | M] (Auto Copy) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
[2010/04/21 13:24:07 | 000,000,000 | ---D | M] (Nuke Anything Enhanced) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
[2010/04/21 13:12:19 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}
[2010/04/21 13:24:10 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/06/19 15:29:40 | 000,000,000 | ---D | M] (Stylish) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
[2010/06/19 15:29:42 | 000,000,000 | ---D | M] (FEBE) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
[2010/06/19 15:29:57 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/04/21 13:24:16 | 000,000,000 | ---D | M] (Context Search) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{902D2C4A-457A-4EF9-AD43-7014562929FF}
[2010/04/21 13:24:07 | 000,000,000 | ---D | M] (MR Tech Toolkit) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
[2010/04/21 13:24:11 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/06/19 15:29:56 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/21 13:24:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/06/19 15:29:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/04/21 13:24:16 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2010/04/21 13:24:10 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/21 13:24:14 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2010/04/21 13:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\cookiekiller@joseph.moran
[2010/06/19 15:29:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\ietab@ip.cn
[2010/06/19 15:30:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\ietab@ip.cn-trash
[2010/06/19 15:29:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\IncredibleBookmarks@visibotech.com
[2010/04/21 12:46:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\keyscrambler@qfx.software.corporation
[2010/04/21 13:24:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\oldAddBookmarkBehavior@alice
[2010/04/21 13:24:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wex85hi.default\extensions\sortplaces@andyhalford.com
[2010/05/26 17:09:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions
[2010/05/26 17:10:13 | 000,000,000 | ---D | M] (CS Lite) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{00084897-021a-4361-8423-083407a033e0}
[2010/05/26 17:09:45 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2010/05/26 17:09:59 | 000,000,000 | ---D | M] (FireShot) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2010/05/26 17:10:15 | 000,000,000 | ---D | M] (Netcraft Anti-Phishing Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{0e10f3d7-07f6-4f12-97b9-9b27e07139a5}
[2010/05/26 17:10:09 | 000,000,000 | ---D | M] (Auto Copy) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
[2010/05/26 17:09:42 | 000,000,000 | ---D | M] (Nuke Anything Enhanced) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
[2010/05/26 17:10:19 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}
[2010/05/26 17:10:07 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/05/26 17:10:00 | 000,000,000 | ---D | M] (Stylish) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
[2010/05/26 17:10:14 | 000,000,000 | ---D | M] (FEBE) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
[2010/05/26 17:10:18 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/05/26 17:10:18 | 000,000,000 | ---D | M] (Context Search) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{902D2C4A-457A-4EF9-AD43-7014562929FF}
[2010/05/26 17:10:05 | 000,000,000 | ---D | M] (MR Tech Toolkit) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
[2010/05/26 17:10:15 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/05/26 17:10:14 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/05/26 17:09:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/05/26 17:10:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/05/26 17:10:01 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2010/05/26 17:10:03 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/05/26 17:10:20 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2010/05/26 17:10:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\cookiekiller@joseph.moran
[2010/05/26 17:10:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\ietab@ip.cn
[2010/05/26 17:10:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\IncredibleBookmarks@visibotech.com
[2010/05/26 17:10:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\keyscrambler@qfx.software.corporation
[2010/05/26 17:10:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\febeprof.Profile from Portable Firefox\extensions\sortplaces@andyhalford.com
[2010/08/19 15:39:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/19 15:39:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2008/08/09 17:26:17 | 000,000,686 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (KeyScramblerBHO Class) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (InlineSearchHandleHotKeys Class) - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll ()
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [@OnlineArmor GUI] C:\Program Files\Tall Emu\Online Armor\oaui.exe (Tall Emu)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [AntiLogger] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana Ltd.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CANON DR2080C SVC] C:\WINDOWS\System32\DR2KSVC.DLL (Canon Electronics)
O4 - HKLM..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\fpdisp4.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NexusServer] C:\PROGRAM FILES\COMMON FILES\GRASS VALLEY\PROCODER 3\Kernel\PNXSERVR.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500..\Run: [RoboForm] C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500..\Run: [SandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)
O4 - HKU\.DEFAULT..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html ()
O4 - HKU\S-1-5-18..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html ()
O4 - HKU\S-1-5-19..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html ()
O4 - HKU\S-1-5-20..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutorunsDisabled [2010/03/12 08:56:07 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2009/09/25 10:46:01 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoManageMyComputerVerb = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuSubFolders = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPrinterTabs = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDeletePrinter = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAddPrinter = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPrinters = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeAnimation = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeKeyboardNavigationIndicators = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKU\S-1-5-21-1023915045-2681017343-4103935507-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\Sandbox_Administrator_DefaultBox\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Sandbox_Administrator_DefaultBox\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra 'Tools' menuitem : Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra 'Tools' menuitem : &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/b/e...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://test.catalog.update.microsoft.com/v...b?1184152914953 (MUCatalogWebControl Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1228868313453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1257425448234 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} http://support.f-secure.com/ols/fscax.cab (F-Secure Online Scanner 3.3)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - Reg Error: Key error. File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Application Data\JugglerWallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Application Data\JugglerWallpaper.bmp
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - C:\Program Files\Tall Emu\Online Armor\oaevent.dll (Tall Emu)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/21 14:27:00 | 000,000,008 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/11/13 11:54:16 | 000,000,000 | -H-- | M] () - J:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk /p \??\U:) - File not found
O34 - HKLM BootExecute: (autocheck autochk /p \??\I:) - File not found
O34 - HKLM BootExecute: (autocheck autochk /r \??\G:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/05 11:54:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/09/04 20:56:17 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/09/04 14:27:57 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/02 14:19:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
[2010/09/02 14:14:58 | 000,839,680 | ---- | C] (http://www.mp3dev.org/) -- C:\WINDOWS\System32\lameACM.acm
[2010/09/02 14:14:58 | 000,217,088 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\yv12vfw.dll
[2010/09/02 14:14:58 | 000,151,552 | ---- | C] (fccHandler) -- C:\WINDOWS\System32\ac3acm.acm
[2010/09/02 14:14:51 | 000,000,000 | ---D | C] -- C:\Program Files\K-Lite Codec Pack
[2010/09/01 12:22:43 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/08/31 13:06:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TS Support
[2010/08/31 10:41:29 | 000,000,000 | ---D | C] -- C:\Program Files\CandleWorks
[2010/08/31 10:39:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TS Support
[2010/08/31 10:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\TS Support
[2010/08/27 12:55:06 | 000,000,000 | ---D | C] -- C:\microtrends
[2010/08/19 15:39:02 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/19 15:39:02 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/19 15:39:01 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/19 15:39:01 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/16 14:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/08/15 12:43:25 | 001,706,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\gdiplus.dll
[2010/08/15 12:43:25 | 000,438,272 | ---- | C] (On2.com) -- C:\WINDOWS\System32\vp6vfw.dll
[2010/08/15 12:43:25 | 000,123,392 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/08/15 12:43:25 | 000,083,456 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\WINDOWS\System32\l3codecx.ax
[2010/08/15 12:40:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\GRETECH
[2010/08/13 18:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Numeral_Technology_LLC
[2010/08/13 18:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Numeral Technology LLC
[2010/08/13 12:14:39 | 002,586,112 | ---- | C] (Steema Software SL) -- C:\WINDOWS\System32\TeeChart5.ocx
[2010/08/13 12:14:37 | 000,057,344 | ---- | C] (Nalpeiron Ltd.) -- C:\WINDOWS\System32\AstSrv.exe
[2010/08/13 12:14:37 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml4a.dll
[2010/08/13 12:14:32 | 000,207,360 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\LTKRN61N.DLL
[2010/08/13 12:14:32 | 000,204,873 | ---- | C] (Equis International) -- C:\WINDOWS\System32\msfl11.dll
[2010/08/13 12:14:32 | 000,030,720 | ---- | C] (Forefront, Incorporated) -- C:\WINDOWS\System32\ffJmpWeb.dll
[2010/08/13 12:14:31 | 000,217,167 | ---- | C] (Equis International) -- C:\WINDOWS\System32\EqNotify.dll
[2010/08/13 12:14:31 | 000,036,864 | ---- | C] (Equis International) -- C:\WINDOWS\System32\EqCCWrapper.dll
[2010/08/13 08:12:38 | 000,000,000 | ---D | C] -- C:\Program Files\MetaTrader 4
[2010/08/10 05:15:58 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/08/10 05:15:58 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts

========== Files - Modified Within 30 Days ==========

[2010/09/06 09:30:20 | 000,588,114 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/06 09:30:20 | 000,498,666 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/09/06 09:30:20 | 000,079,244 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/09/06 09:26:11 | 008,405,015 | ---- | M] () -- C:\WINDOWS\TempFile
[2010/09/06 09:26:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/06 09:25:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/09/06 09:24:33 | 024,903,680 | ---- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/06 09:24:33 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\NTUSER.INI
[2010/09/05 21:33:32 | 000,001,614 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Corrupt downloads.rtf
[2010/09/05 17:56:19 | 001,062,233 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Norton Power Eraser Scan 090510.rtf
[2010/09/05 17:01:39 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/09/05 10:14:36 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word 2003.lnk
[2010/09/05 09:33:03 | 000,000,717 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\drive.lnk
[2010/09/05 09:12:59 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/09/04 21:41:25 | 000,000,468 | ---- | M] () -- C:\WINDOWS\System32\RW_FileFlag.dat
[2010/09/04 21:33:46 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\4758DABE.exe
[2010/09/04 21:01:41 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\4AFC9072.exe
[2010/09/04 20:32:25 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\ED6EFD7E.exe
[2010/09/04 19:58:45 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\F1EB8C4C.exe
[2010/09/04 18:57:55 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\905E8698.exe
[2010/09/04 18:32:39 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\060B96BE.exe
[2010/09/04 15:54:33 | 000,000,100 | ---- | M] () -- C:\WINDOWS\Pex.INI
[2010/09/04 15:51:30 | 000,000,030 | ---- | M] () -- C:\WINDOWS\Iedit.INI
[2010/09/04 14:28:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/04 12:01:58 | 000,138,752 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/03 14:16:31 | 000,009,634 | ---- | M] () -- C:\WINDOWS\SetScan.ini
[2010/09/02 16:23:05 | 000,000,372 | ---- | M] () -- C:\WINDOWS\QTW.INI
[2010/09/01 08:11:59 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2010/09/01 07:41:10 | 000,410,288 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/31 20:34:35 | 000,122,328 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/30 19:22:13 | 000,000,620 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Metatrader 4.lnk
[2010/08/29 19:11:36 | 000,000,518 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Bleepingcomputer Rootkit Procedures and Tests.lnk
[2010/08/29 09:18:21 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/08/27 12:00:44 | 025,094,368 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tws40_install.exe
[2010/08/21 14:44:21 | 000,000,103 | ---- | M] () -- C:\Documents and Settings\Administrator\default.pls
[2010/08/21 13:02:21 | 000,004,372 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2010/08/20 11:51:23 | 000,000,617 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NinjaTrader.lnk
[2010/08/17 15:32:13 | 000,000,449 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\-- U Drive Transfer --.lnk
[2010/08/16 13:41:58 | 000,001,794 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2010/08/15 16:32:08 | 000,043,062 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\UserImages.bmp
[2010/08/13 12:15:21 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\€AstInfo.dat
[2010/08/13 08:58:25 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\MetaTrader 4.lnk
[2010/08/12 04:00:00 | 000,108,032 | ---- | M] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/08/12 04:00:00 | 000,000,038 | ---- | M] () -- C:\WINDOWS\avisplitter.ini
[2010/08/10 16:53:16 | 043,696,142 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Mastering the Trade - to page 144.pdf
[2010/08/10 05:15:58 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/08/10 05:15:58 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts

========== Files Created - No Company Name ==========

[2010/09/05 17:56:19 | 001,062,233 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Norton Power Eraser Scan 090510.rtf
[2010/09/05 09:33:03 | 000,000,717 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\drive.lnk
[2010/09/04 21:41:25 | 000,000,468 | ---- | C] () -- C:\WINDOWS\System32\RW_FileFlag.dat
[2010/09/04 21:33:46 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\4758DABE.exe
[2010/09/04 21:01:41 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\4AFC9072.exe
[2010/09/04 20:32:25 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\ED6EFD7E.exe
[2010/09/04 19:58:45 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\F1EB8C4C.exe
[2010/09/04 18:57:55 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\905E8698.exe
[2010/09/04 18:32:39 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\060B96BE.exe
[2010/09/04 08:49:22 | 025,094,368 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tws40_install.exe
[2010/09/03 13:59:50 | 000,001,614 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Corrupt downloads.rtf
[2010/09/02 14:15:07 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/09/02 14:14:58 | 000,000,414 | ---- | C] () -- C:\WINDOWS\System32\lame_acm.xml
[2010/09/02 14:14:57 | 000,790,528 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/09/02 14:14:57 | 000,134,144 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/09/02 14:14:57 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010/09/02 14:14:56 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/08/30 19:22:13 | 000,000,620 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Metatrader 4.lnk
[2010/08/29 19:11:36 | 000,000,518 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Bleepingcomputer Rootkit Procedures and Tests.lnk
[2010/08/29 09:18:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/08/20 11:51:23 | 000,000,617 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NinjaTrader.lnk
[2010/08/17 15:32:12 | 000,000,449 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\-- U Drive Transfer --.lnk
[2010/08/15 16:32:08 | 000,043,062 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\UserImages.bmp
[2010/08/13 12:15:21 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\€AstInfo.dat
[2010/08/13 12:14:32 | 000,164,864 | ---- | C] () -- C:\WINDOWS\System32\patchw32.dll
[2010/08/13 12:14:32 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\Lfpng61n.dll
[2010/08/13 12:14:32 | 000,043,008 | ---- | C] () -- C:\WINDOWS\System32\LTFIL61N.DLL
[2010/08/13 12:14:32 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\MSWTHK32.DLL
[2010/08/13 12:14:32 | 000,003,360 | ---- | C] () -- C:\WINDOWS\System32\MSWTHK16.DLL
[2010/08/13 12:14:31 | 000,158,720 | ---- | C] () -- C:\WINDOWS\System32\LFCMP61N.DLL
[2010/08/13 12:14:31 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\IMPLODE.DLL
[2010/08/13 08:58:25 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\MetaTrader 4.lnk
[2010/08/10 16:53:17 | 043,696,142 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Mastering the Trade - to page 144.pdf
[2010/08/03 17:54:02 | 000,000,093 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2010/06/01 17:58:13 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/14 15:38:21 | 000,003,200 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\com.koingosw.LibrarianPro.xml
[2010/05/08 22:06:04 | 000,004,372 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2010/04/24 10:28:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\asym.ini
[2009/12/15 09:30:26 | 000,000,457 | ---- | C] () -- C:\WINDOWS\fractalx.INI
[2009/11/23 09:54:01 | 000,000,130 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI
[2009/10/15 08:34:17 | 000,000,050 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2009/09/06 11:18:19 | 000,000,426 | ---- | C] () -- C:\WINDOWS\psa_fe.ini
[2009/08/25 18:56:42 | 000,000,068 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2009/08/11 14:57:48 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\expat.dll
[2009/07/21 08:15:13 | 000,000,100 | ---- | C] () -- C:\WINDOWS\pnmedia.ini
[2009/07/20 13:35:04 | 000,109,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\KbdCap.sys
[2009/07/17 18:40:31 | 000,000,023 | ---- | C] () -- C:\WINDOWS\DownloadStudio.INI
[2009/07/15 15:02:21 | 000,000,009 | ---- | C] () -- C:\WINDOWS\Ietis.ini
[2009/05/14 12:46:41 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\avisynth.dll
[2009/05/07 12:35:07 | 000,150,016 | ---- | C] () -- C:\WINDOWS\System32\bwmedia.dll
[2009/04/05 21:39:43 | 000,138,752 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/05 17:01:00 | 000,070,144 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/25 10:07:12 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Winchat.ini
[2008/09/04 17:14:47 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/09/02 11:00:31 | 000,000,328 | ---- | C] () -- C:\WINDOWS\VivTV.ini
[2008/08/13 14:54:59 | 000,000,160 | ---- | C] () -- C:\WINDOWS\MyDrivers.ini
[2008/04/12 16:40:06 | 000,000,108 | RHS- | C] () -- C:\WINDOWS\neoqaz2.dll
[2008/02/13 17:26:03 | 000,000,077 | ---- | C] () -- C:\WINDOWS\huffyuv.ini
[2008/01/16 17:23:10 | 000,002,560 | ---- | C] () -- C:\WINDOWS\System32\pavedius.dll
[2008/01/16 17:23:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\hasp_windows.dll
[2007/12/05 15:28:49 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2007/10/08 16:32:15 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/09/07 15:59:28 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/08/01 12:00:27 | 000,000,052 | ---- | C] () -- C:\WINDOWS\ib.ini
[2007/08/01 12:00:19 | 000,026,624 | ---- | C] () -- C:\WINDOWS\GetIe.dll
[2007/07/30 08:29:41 | 000,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2007/07/30 08:29:37 | 000,585,791 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2007/07/16 12:03:04 | 000,000,022 | ---- | C] () -- C:\WINDOWS\Kruptos.INI
[2007/03/21 14:16:48 | 001,936,528 | ---- | C] () -- C:\WINDOWS\System32\ltmm15.dll
[2007/02/14 14:18:21 | 000,000,254 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2007/02/14 14:14:35 | 000,000,376 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2006/04/21 14:27:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2006/02/03 10:56:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2006/01/31 10:08:04 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/01/27 12:19:13 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\Hlinkprx.dll
[2006/01/27 12:19:06 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\vb32dx8pl.dll
[2006/01/05 16:07:25 | 000,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2006/01/05 15:47:53 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2005/05/02 11:01:25 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/04/28 12:39:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Aeditor.INI
[2005/03/27 08:53:38 | 000,000,312 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/03/26 15:04:10 | 000,000,026 | ---- | C] () -- C:\WINDOWS\icset25.ini
[2005/03/26 12:07:21 | 000,004,510 | ---- | C] () -- C:\WINDOWS\CDMMP3.ini
[2005/03/26 11:06:56 | 000,000,277 | ---- | C] () -- C:\WINDOWS\maketorrent.ini
[2005/02/19 14:52:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsrex.INI
[2005/01/28 17:45:54 | 000,005,224 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2005/01/28 17:45:54 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\4B503BEA36.sys.old
[2004/11/16 20:00:56 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/11/14 11:04:16 | 000,101,120 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBAV708.SYS
[2004/10/29 17:15:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WINWORD6.INI
[2004/10/03 10:26:31 | 000,000,111 | ---- | C] () -- C:\WINDOWS\OED.INI
[2004/09/29 00:20:44 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\cbSendMail.dll
[2004/08/29 10:27:40 | 000,000,290 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/05/31 12:42:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ole2ct.dll
[2004/05/31 12:42:00 | 000,000,073 | ---- | C] () -- C:\WINDOWS\FCabinet.ini
[2004/05/31 12:41:54 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\mwMenu6.dll
[2004/05/31 12:41:54 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\jciniref.dll
[2004/05/31 12:41:51 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2004/05/30 17:13:16 | 000,000,052 | ---- | C] () -- C:\WINDOWS\jpegcrop.INI
[2004/04/23 13:08:15 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\PeerLibF.dll
[2004/04/23 13:08:15 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\PeerLibK.dll
[2004/04/23 13:08:15 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\PSWPMod.dll
[2004/04/04 10:03:49 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\SndDrv32x.ini
[2004/01/29 18:32:05 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\WETSTD32.DLL
[2004/01/29 18:32:01 | 001,204,224 | ---- | C] () -- C:\WINDOWS\System32\DTENGINE.DLL
[2004/01/19 13:20:38 | 000,000,035 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2004/01/01 19:38:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/01/01 19:32:19 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS5c.DLL
[2004/01/01 17:16:06 | 000,000,486 | ---- | C] () -- C:\WINDOWS\DEMO.INI
[2003/12/06 16:52:08 | 000,000,334 | ---- | C] () -- C:\WINDOWS\pixcache.ini
[2003/12/06 15:36:26 | 000,009,634 | ---- | C] () -- C:\WINDOWS\SetScan.ini
[2003/11/28 16:52:40 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2003/11/27 11:46:11 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\setupnt.dll
[2003/11/25 18:51:04 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2003/10/10 18:06:30 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\WINKRNME.DLL
[2003/09/10 11:06:04 | 000,002,154 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2003/06/29 10:20:57 | 000,000,049 | ---- | C] () -- C:\WINDOWS\accgnat.ini
[2003/06/29 10:20:50 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\stdsoap2.dll
[2003/04/27 17:14:02 | 000,000,065 | ---- | C] () -- C:\WINDOWS\TOPO.INI
[2003/04/18 16:10:45 | 000,000,042 | ---- | C] () -- C:\WINDOWS\AcrobatSetupStatus.ini
[2003/04/04 19:17:40 | 000,008,813 | ---- | C] () -- C:\WINDOWS\SCWRITER.INI
[2003/04/03 12:24:37 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2003/03/19 13:28:29 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2003/02/10 13:50:55 | 000,000,023 | ---- | C] () -- C:\WINDOWS\msdevctl.ini
[2003/02/10 13:22:00 | 000,000,132 | ---- | C] () -- C:\WINDOWS\dswplug.ini
[2003/02/09 14:07:36 | 000,012,499 | ---- | C] () -- C:\WINDOWS\System32\EONSYSREV_1.DLL
[2003/02/09 12:42:51 | 000,000,030 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2003/01/15 10:53:03 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit.INI
[2003/01/14 16:58:44 | 000,000,100 | ---- | C] () -- C:\WINDOWS\Pex.INI
[2003/01/14 16:49:17 | 000,002,848 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2003/01/13 16:19:09 | 000,000,017 | ---- | C] () -- C:\WINDOWS\pixworks.ini
[2003/01/13 16:19:03 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\LFCMP60N.DLL
[2003/01/13 16:19:03 | 000,043,008 | ---- | C] () -- C:\WINDOWS\System32\LTFIL60N.DLL
[2003/01/13 16:19:03 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\LFBMP60N.DLL
[2003/01/13 16:19:02 | 000,000,372 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/29 17:13:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\autorun.INI
[2002/12/29 13:58:06 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\acdbres.dll
[2002/12/29 12:37:31 | 000,000,444 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2002/12/15 13:41:13 | 000,001,065 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2002/12/14 19:52:45 | 000,000,045 | ---- | C] () -- C:\WINDOWS\WALLSTRT.INI
[2002/12/06 14:55:23 | 000,245,760 | ---- | C] () -- C:\WINDOWS\ddedll.dll
[2002/12/06 14:55:22 | 000,027,136 | ---- | C] () -- C:\WINDOWS\toFront.dll
[2002/12/05 18:51:00 | 000,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
[2002/12/05 16:49:53 | 000,041,068 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2002/10/25 17:23:04 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2002/10/22 18:37:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/10/22 18:29:37 | 000,000,520 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/10/22 18:21:51 | 000,000,112 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/10/22 16:19:46 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/03/19 17:30:00 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\msvdm.dll
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2002/02/06 10:04:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\NMSInst.dll
[2002/01/21 16:17:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PROInst.dll
[2002/01/18 21:56:54 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\mp3enc.dll
[2000/02/04 01:18:12 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2000/01/05 12:51:22 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\Welsof32.dll
[1995/03/14 00:22:21 | 000,000,160 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4FA0E532
@Alternate Data Stream - 108 bytes -> C:\WINDOWS:
< End of report >


#15 dannya98

  • Topic Starter

  • Members
  • 26 posts

Posted 06 September 2010 - 09:39 AM

Yesterday, you asked about any other issues, as you didn't think I had a rootkit.

I ran MBAM quick scan, which said o.k.

I ran Avast quick scan, which said o.k.

I ran Norton Power Eraser, and it reported: m2wshlex.dll, deaddiskdoctor (directory), 4758dabe.exe, 905e8698.exe, ed6efd73.exe, f1eb8c4c.exe (the last 4 all in the system 32 folder, all installed 090410, so they're either an MBAM update or related to the scans we've been doing -- I haven't installed anything new), and rsdownloader2.exe (a Rapidshare downloader).

When I uploaded all the files flagged by Norton Power Eraser to VirusTotal, the rsdownloader2.exe was rated totally fine. The executables installed 090410 were flagged by only 3 out of 42 services, and the VirusTotal reports were exactly the same for all of them (McAfee said Suspect-D!2F5B3D5BCAB8, Panda said Suspicious file, and Symantec said WS.Reputation.1). m2wshlex.dll is a process belonging to the Mp3 to Wave Converter Plus Shell Extension program, and when submitted to VirusTotal it is reported as 100% clean, so I have no idea why Norton Power Eraser flagged it. And finally, of course, Hitman's reporting of the Internet Explorer Proxy Server issue.


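As an added triage example (not code from this thread, from OTL, or from any of the scanners named in it), the script below parses the bracketed OTL file-list format used in the log above and groups publisher-less, hex-named executables in System32 by size, which is how the six identical 6,656-byte files stand out against the signed Sun and Apple entries around them. The sample lines are copied from the log posted above; the regular expression, the HEX_EXE naming test and the `find_suspect_clusters` / `find_hidden_system_files` functions are this example's own, and whether a flagged file is malicious still has to be decided by submitting it for analysis.

```python
"""Triage helper for OTL 'Files Created' / 'Files Modified' lines.

Added example for this thread, not part of OTL. Parses lines of the form
[date time | size | attrs | C-or-M] (Company) -- path
and clusters unsigned, hex-named executables in System32 by size.
"""
import re
from collections import defaultdict

# One OTL file-list line. Directory lines carry no "(company)" field at all,
# so that group is optional; "()" is an empty company string.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)

# Eight hex digits plus .exe: the naming pattern of the files the user listed.
HEX_EXE = re.compile(r"^[0-9A-F]{8}\.exe$", re.IGNORECASE)

# Sample input copied from the OTL log posted above (both the Modified and
# Created sections, so the same path appears twice and must be de-duplicated).
SAMPLE_LOG = r"""
[2010/08/19 15:39:02 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/09/04 21:33:46 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\4758DABE.exe
[2010/09/04 21:01:41 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\4AFC9072.exe
[2010/09/04 21:41:25 | 000,000,468 | ---- | C] () -- C:\WINDOWS\System32\RW_FileFlag.dat
[2010/09/04 21:33:46 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\4758DABE.exe
[2010/09/04 21:01:41 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\4AFC9072.exe
[2010/09/04 20:32:25 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\ED6EFD7E.exe
[2010/09/04 19:58:45 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\F1EB8C4C.exe
[2010/09/04 18:57:55 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\905E8698.exe
[2010/09/04 18:32:39 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\060B96BE.exe
[2010/08/16 14:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2005/01/28 17:45:54 | 000,005,224 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
"""


def parse_otl_line(line):
    """Return a dict for one OTL file-list line, or None if it is not one."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"].replace(",", ""))      # "000,006,656" -> 6656
    d["company"] = (d["company"] or "").strip()       # directories have none
    d["is_dir"] = d["attrs"].endswith("D")            # ---D marks a directory
    d["hidden"] = "H" in d["attrs"]                   # -H--, -HS-, RHS-
    d["system"] = "S" in d["attrs"]
    return d


def parse_otl(text):
    """Parse every recognisable line of an OTL log section."""
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]


def find_suspect_clusters(entries, min_group=2):
    """Group publisher-less, hex-named executables in System32 by size.

    Several such files with identical size and no company string is the
    dropper pattern worth submitting for analysis. Paths are de-duplicated
    because OTL lists a new file under both Created and Modified.
    """
    by_size = defaultdict(set)
    for e in entries:
        if e["is_dir"] or e["company"]:
            continue
        directory, _, name = e["path"].rpartition("\\")
        if not directory.lower().endswith("\\windows\\system32"):
            continue
        if HEX_EXE.match(name):
            by_size[e["size"]].add(e["path"])
    return {size: sorted(paths) for size, paths in by_size.items()
            if len(paths) >= min_group}


def find_hidden_system_files(entries):
    """Files (not directories) with the H or S attribute under the Windows
    directory, for manual review. Not every hit is malicious: software
    licensing components also use these attributes."""
    return sorted({e["path"] for e in entries
                   if not e["is_dir"] and (e["hidden"] or e["system"])
                   and e["path"].lower().startswith("c:\\windows\\")})


if __name__ == "__main__":
    ents = parse_otl(SAMPLE_LOG)
    for size, paths in find_suspect_clusters(ents).items():
        print(f"{len(paths)} publisher-less hex-named executables of {size} bytes in System32:")
        for p in paths:
            print("   ", p)
    for p in find_hidden_system_files(ents):
        print("hidden/system file for review:", p)
```

Run against the full OTL report instead of the embedded sample by reading the file and passing its text to `parse_otl`; lowering `min_group` to 1 also surfaces single hex-named drops, at the cost of more benign hits from installers that use GUID-style temporary names.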