
Internet Explorer launches by itself

This topic is locked
18 replies to this topic

#1 alffla

Posted 10 March 2011 - 10:09 AM

Hi,

My Internet Explorer launches by itself in the background. I can close the process thanks to Process Explorer. Also, I can see in Process Explorer the command line used for Internet Explorer:

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.findcrazy.org/ac.php?aid=484&sid=direc10
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.searchmotionless.org/ac.php?aid=484&sid=direc10
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.finddamp.org/ac.php?aid=484&sid=direc10

Sometimes I can hear some audio adverts. It might be video, but I can't tell because I can't open the window.

I ran OTL with a custom scan:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT

Here are the logs:
==============OTL==============================
OTL logfile created on: 10/03/2011 14:36:00 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = D:\alain\rootkits\otl
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8080.16413)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 41.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.05 Gb Total Space | 21.76 Gb Free Space | 31.51% Space Free | Partition Type: NTFS
Drive D: | 70.00 Gb Total Space | 51.74 Gb Free Space | 73.91% Space Free | Partition Type: NTFS
Drive Y: | 913.09 Gb Total Space | 55.48 Gb Free Space | 6.08% Space Free | Partition Type: NTFS
Drive Z: | 913.09 Gb Total Space | 55.48 Gb Free Space | 6.08% Space Free | Partition Type: NTFS

Computer Name: GEOFFREY-PC | User Name: Geoffrey | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - D:\alain\rootkits\otl\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe ()
PRC - D:\alain\ProcessExplorer\procexp.exe (Sysinternals - www.sysinternals.com)
PRC - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe (Uniblue Software)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
PRC - C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE ()


========== Modules (SafeList) ==========

MOD - D:\alain\rootkits\otl\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (WW) -- File not found
SRV - (PEDAPHEG) -- File not found
SRV - (IEIBWEBSY) -- File not found
SRV - (hasplms) -- File not found
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (Haspnt) -- C:\Windows\System32\drivers\Haspnt.sys (Aladdin Knowledge Systems)
DRV - (aksfridge) -- C:\Windows\System32\drivers\aksfridge.sys (Aladdin Knowledge Systems Ltd.)
DRV - (akshasp) -- C:\Windows\System32\drivers\akshasp.sys (Aladdin Knowledge Systems Ltd.)
DRV - (Hardlock) -- C:\Windows\system32\drivers\hardlock.sys (SafeNet Inc.)
DRV - (aksusb) -- C:\Windows\System32\drivers\aksusb.sys (Aladdin Knowledge Systems Ltd.)
DRV - (akshhl) -- C:\Windows\System32\drivers\akshhl.sys (Aladdin Knowledge Systems Ltd.)
DRV - (yukonw7) -- C:\Windows\System32\drivers\yk62x86.sys ()
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (WinUSB) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (LSI Corp)
DRV - (Lbd) -- C:\Windows\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (DrmCVideo) -- C:\Windows\System32\drivers\DrmCVideo.sys (Windows ® 2000 DDK provider)
DRV - (DrmCAudio) -- C:\Windows\System32\drivers\DrmCAudio.sys (Windows ® Codename Longhorn DDK provider)
DRV - (KMDFMEMIO) -- C:\Windows\System32\drivers\KMDFMEMIO.sys (SAMSUNG ELECTRONICS CO., LTD.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (pnetmdm) -- C:\Windows\System32\drivers\pnetmdm.sys (June Fabrics Technology)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SYSTEM32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7
FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/12/15 17:10:29 | 000,000,000 | ---D | M]

[2009/12/15 17:24:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Geoffrey\AppData\Roaming\Mozilla\Extensions
[2008/11/10 22:23:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Geoffrey\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
File not found (No name found) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

O1 HOSTS File: ([2011/03/10 10:33:22 | 000,000,734 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE ()
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\wshbth.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{a6d1de41-51a5-11dd-80dd-8000600fe800}\Shell - "" = AutoRun
O33 - MountPoints2\{a6d1de41-51a5-11dd-80dd-8000600fe800}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{b8d481c1-e999-11de-9ef8-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{b8d481c1-e999-11de-9ef8-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found


========== Files/Folders - Created Within 30 Days ==========

[2011/03/10 14:31:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Uniblue
[2011/03/10 14:31:34 | 000,000,000 | ---D | C] -- C:\Users\Geoffrey\AppData\Roaming\Uniblue
[2011/03/10 14:31:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpyEraser
[2011/03/10 14:31:10 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2011/03/10 12:59:02 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/10 11:54:54 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/03/10 11:41:56 | 000,056,400 | ---- | C] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/03/09 14:26:35 | 000,000,000 | ---D | C] -- C:\Users\Geoffrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
[2011/03/09 14:26:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unlocker
[2011/03/09 11:35:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\SPReview
[2011/03/09 11:33:58 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2011/03/09 11:03:33 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2011/03/09 10:36:28 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2011/03/09 05:47:16 | 001,074,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/03/09 05:47:16 | 000,739,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2011/03/09 05:47:14 | 000,850,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 05:47:14 | 000,642,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2011/03/09 05:47:14 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 05:47:14 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/08 16:06:28 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Explorer
[2011/03/08 16:05:42 | 000,161,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011/03/08 16:05:42 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/03/08 16:05:41 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/03/08 16:05:41 | 000,162,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011/03/08 16:05:41 | 000,130,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011/03/08 16:05:41 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2011/03/08 16:05:41 | 000,086,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/03/08 16:05:41 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011/03/08 16:05:41 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011/03/08 16:05:41 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011/03/08 16:05:40 | 003,695,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011/03/08 16:05:40 | 002,382,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/03/08 16:05:40 | 001,791,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/03/08 16:05:40 | 001,426,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/03/08 16:05:40 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/03/08 16:05:40 | 000,580,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/03/08 16:05:40 | 000,434,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/03/08 16:05:40 | 000,420,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/03/08 16:05:40 | 000,367,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/03/08 16:05:40 | 000,356,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/03/08 16:05:40 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011/03/08 16:05:40 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/03/08 16:05:40 | 000,227,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/03/08 16:05:40 | 000,223,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011/03/08 16:05:40 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011/03/08 16:05:40 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011/03/08 16:05:40 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011/03/08 16:05:40 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/03/08 16:05:40 | 000,117,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/03/08 16:05:40 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011/03/08 16:05:40 | 000,078,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011/03/08 16:05:40 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/03/08 16:05:40 | 000,074,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/03/08 16:05:40 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011/03/08 16:05:40 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/03/08 16:05:40 | 000,035,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011/03/08 16:05:40 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/03/08 16:05:40 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/03/08 16:05:40 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/03/08 16:03:47 | 000,000,000 | ---D | C] -- C:\Program Files\Feedback Tool
[2011/03/07 17:11:56 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2011/02/23 11:21:11 | 000,442,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/02/23 11:21:11 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/02/18 14:06:43 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\ST6UNST.EXE
[2011/02/18 02:02:37 | 000,000,000 | ---D | C] -- C:\Users\Geoffrey\Desktop\Indigo Hotel
[2011/02/09 18:56:07 | 002,329,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/02/09 18:55:41 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2011/02/09 18:55:41 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2011/02/09 18:55:39 | 003,957,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/02/09 18:55:39 | 003,901,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/02/09 18:55:27 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\upnp.dll
[2011/02/09 18:55:25 | 000,080,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\davclnt.dll
[2011/02/09 18:55:25 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wscapi.dll
[2011/02/09 18:55:25 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\slwga.dll
[2011/02/09 18:55:23 | 000,219,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\dxgmms1.sys
[2006/11/24 05:14:44 | 000,139,264 | ---- | C] ( ) -- C:\Windows\System32\MACSSDK_wiz.dll
[2006/11/24 05:14:44 | 000,126,976 | ---- | C] ( ) -- C:\Windows\System32\MACSSDK.dll
[8 C:\Users\Geoffrey\Documents\*.tmp files -> C:\Users\Geoffrey\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/10 14:31:21 | 000,001,029 | ---- | M] () -- C:\Users\Public\Desktop\SpyEraser.lnk
[2011/03/10 14:16:48 | 000,001,405 | ---- | M] () -- C:\Users\Geoffrey\Desktop\iexplore - no addons.lnk
[2011/03/10 12:15:07 | 000,678,072 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/10 12:15:07 | 000,128,978 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/10 12:10:43 | 000,015,600 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/10 12:10:43 | 000,015,600 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/10 12:02:36 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/10 12:02:20 | 1407,848,448 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/10 11:54:54 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/03/10 11:54:54 | 000,056,400 | ---- | M] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/03/10 11:54:43 | 000,001,034 | ---- | M] () -- C:\Users\Geoffrey\Desktop\HijackThis.lnk
[2011/03/10 10:33:22 | 000,000,734 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/03/09 15:34:53 | 000,001,908 | ---- | M] () -- C:\Windows\diagwrn.xml
[2011/03/09 15:34:53 | 000,001,908 | ---- | M] () -- C:\Windows\diagerr.xml
[2011/03/08 16:09:51 | 000,001,407 | ---- | M] () -- C:\Users\Geoffrey\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/03/08 16:05:42 | 000,161,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011/03/08 16:05:42 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/03/08 16:05:41 | 000,367,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/03/08 16:05:41 | 000,176,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/03/08 16:05:41 | 000,162,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011/03/08 16:05:41 | 000,130,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011/03/08 16:05:41 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2011/03/08 16:05:41 | 000,086,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/03/08 16:05:41 | 000,076,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011/03/08 16:05:41 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011/03/08 16:05:41 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011/03/08 16:05:40 | 003,695,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011/03/08 16:05:40 | 002,382,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/03/08 16:05:40 | 001,791,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/03/08 16:05:40 | 001,426,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/03/08 16:05:40 | 000,716,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/03/08 16:05:40 | 000,580,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/03/08 16:05:40 | 000,434,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/03/08 16:05:40 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/03/08 16:05:40 | 000,356,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/03/08 16:05:40 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011/03/08 16:05:40 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/03/08 16:05:40 | 000,227,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/03/08 16:05:40 | 000,223,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011/03/08 16:05:40 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011/03/08 16:05:40 | 000,152,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011/03/08 16:05:40 | 000,150,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011/03/08 16:05:40 | 000,142,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/03/08 16:05:40 | 000,117,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/03/08 16:05:40 | 000,101,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011/03/08 16:05:40 | 000,078,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011/03/08 16:05:40 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/03/08 16:05:40 | 000,074,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/03/08 16:05:40 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2011/03/08 16:05:40 | 000,054,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011/03/08 16:05:40 | 000,041,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/03/08 16:05:40 | 000,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011/03/08 16:05:40 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/03/08 16:05:40 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/03/08 16:05:40 | 000,010,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/03/08 13:29:42 | 000,001,074 | ---- | M] () -- C:\Users\Geoffrey\Desktop\procexp.lnk
[2011/03/08 13:27:01 | 000,007,605 | ---- | M] () -- C:\Users\Geoffrey\AppData\Local\Resmon.ResmonCfg
[2011/03/08 11:22:56 | 000,001,368 | ---- | M] () -- C:\Users\Geoffrey\Desktop\CCleaner.lnk
[2011/03/08 09:46:21 | 000,434,415 | ---- | M] () -- C:\Users\Geoffrey\Documents\Kingwall Hall Service 1.dotx
[2011/03/08 09:43:47 | 000,494,080 | ---- | M] () -- C:\Users\Geoffrey\Documents\Royal Med Soc interior.pub
[2011/03/07 19:12:02 | 000,000,000 | ---- | M] () -- C:\Users\Geoffrey\Desktop\sa_podcast_110302.htm
[2011/03/07 11:48:43 | 000,048,378 | ---- | M] () -- C:\Users\Geoffrey\Desktop\476px-Sarin_test_rabbit.jpg
[2011/03/05 10:35:58 | 002,114,237 | ---- | M] () -- C:\Users\Geoffrey\Desktop\EN6BuildingRegsPartL.pdf
[2011/03/01 16:20:51 | 000,058,147 | ---- | M] () -- C:\Users\Geoffrey\Desktop\French Statement.pdf
[2011/02/23 17:54:48 | 001,220,054 | ---- | M] () -- C:\Users\Geoffrey\Desktop\___22.jpg.pdf
[2011/02/23 17:53:33 | 001,403,644 | ---- | M] () -- C:\Users\Geoffrey\Desktop\___20.jpg.pdf
[2011/02/19 11:35:16 | 003,322,319 | ---- | M] () -- C:\Users\Geoffrey\Desktop\d30046c8b25527289d4c9402acb9416c.PDF
[2011/02/19 05:32:48 | 001,074,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/02/19 05:32:35 | 000,739,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2011/02/19 02:09:54 | 000,004,608 | ---- | M] () -- C:\Users\Geoffrey\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/18 16:55:42 | 003,334,870 | ---- | M] () -- C:\Users\Geoffrey\Desktop\Manual_DP1500_All.pdf
[2011/02/18 14:07:49 | 000,001,569 | ---- | M] () -- C:\Windows\ST6UNST.001
[2011/02/18 14:07:40 | 000,073,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\ST6UNST.EXE
[2011/02/18 14:06:44 | 000,001,633 | ---- | M] () -- C:\Windows\ST6UNST.000
[2011/02/16 12:27:19 | 000,067,072 | ---- | M] () -- C:\Users\Geoffrey\Documents\Hilton Term 4.pub
[2011/02/15 15:41:04 | 000,000,355 | ---- | M] () -- C:\Users\Geoffrey\Desktop\Computer - Shortcut.lnk
[2011/02/15 00:39:36 | 000,155,648 | ---- | M] () -- C:\Users\Geoffrey\Documents\Publicationled1.pub
[2011/02/14 10:31:08 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/02/10 14:42:35 | 004,863,423 | ---- | M] () -- C:\Users\Geoffrey\Desktop\ox_LED Bay And Recessed.pdf
[2011/02/10 02:50:55 | 000,481,792 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[8 C:\Users\Geoffrey\Documents\*.tmp files -> C:\Users\Geoffrey\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/10 14:31:21 | 000,020,232 | ---- | C] () -- C:\Windows\System32\AntiSpyNative64.exe
[2011/03/10 14:31:21 | 000,016,648 | ---- | C] () -- C:\Windows\System32\AntiSpyNative32.exe
[2011/03/10 14:31:21 | 000,001,029 | ---- | C] () -- C:\Users\Public\Desktop\SpyEraser.lnk
[2011/03/10 14:16:39 | 000,001,405 | ---- | C] () -- C:\Users\Geoffrey\Desktop\iexplore - no addons.lnk
[2011/03/10 11:54:43 | 000,001,034 | ---- | C] () -- C:\Users\Geoffrey\Desktop\HijackThis.lnk
[2011/03/08 16:05:40 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2011/03/08 13:29:42 | 000,001,074 | ---- | C] () -- C:\Users\Geoffrey\Desktop\procexp.lnk
[2011/03/08 13:27:01 | 000,007,605 | ---- | C] () -- C:\Users\Geoffrey\AppData\Local\Resmon.ResmonCfg
[2011/03/08 11:22:56 | 000,001,368 | ---- | C] () -- C:\Users\Geoffrey\Desktop\CCleaner.lnk
[2011/03/08 09:43:47 | 000,494,080 | ---- | C] () -- C:\Users\Geoffrey\Documents\Royal Med Soc interior.pub
[2011/03/07 19:12:01 | 000,000,000 | ---- | C] () -- C:\Users\Geoffrey\Desktop\sa_podcast_110302.htm
[2011/03/07 11:48:58 | 000,048,378 | ---- | C] () -- C:\Users\Geoffrey\Desktop\476px-Sarin_test_rabbit.jpg
[2011/03/05 10:35:58 | 002,114,237 | ---- | C] () -- C:\Users\Geoffrey\Desktop\EN6BuildingRegsPartL.pdf
[2011/03/01 16:20:50 | 000,058,147 | ---- | C] () -- C:\Users\Geoffrey\Desktop\French Statement.pdf
[2011/02/23 17:54:47 | 001,220,054 | ---- | C] () -- C:\Users\Geoffrey\Desktop\___22.jpg.pdf
[2011/02/23 17:53:31 | 001,403,644 | ---- | C] () -- C:\Users\Geoffrey\Desktop\___20.jpg.pdf
[2011/02/19 02:09:36 | 000,004,608 | ---- | C] () -- C:\Users\Geoffrey\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/18 16:55:19 | 003,334,870 | ---- | C] () -- C:\Users\Geoffrey\Desktop\Manual_DP1500_All.pdf
[2011/02/18 14:07:38 | 000,001,569 | ---- | C] () -- C:\Windows\ST6UNST.001
[2011/02/18 14:06:43 | 001,199,525 | ---- | C] () -- C:\Windows\Main.cab
[2011/02/18 14:06:43 | 000,001,633 | ---- | C] () -- C:\Windows\ST6UNST.000
[2011/02/18 13:51:57 | 003,322,319 | ---- | C] () -- C:\Users\Geoffrey\Desktop\d30046c8b25527289d4c9402acb9416c.PDF
[2011/02/16 12:27:19 | 000,067,072 | ---- | C] () -- C:\Users\Geoffrey\Documents\Hilton Term 4.pub
[2011/02/15 15:41:04 | 000,000,355 | ---- | C] () -- C:\Users\Geoffrey\Desktop\Computer - Shortcut.lnk
[2011/02/15 00:39:36 | 000,155,648 | ---- | C] () -- C:\Users\Geoffrey\Documents\Publicationled1.pub
[2011/02/14 10:31:08 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/02/14 10:31:07 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/02/10 14:42:32 | 004,863,423 | ---- | C] () -- C:\Users\Geoffrey\Desktop\ox_LED Bay And Recessed.pdf
[2010/12/21 22:07:44 | 000,000,120 | ---- | C] () -- C:\Users\Geoffrey\AppData\Local\Pkirogagimo.dat
[2010/07/16 19:48:37 | 000,000,000 | ---- | C] () -- C:\Windows\ViewNX.INI
[2010/06/17 20:17:28 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Piano Med
[2010/06/17 20:17:28 | 000,000,268 | RH-- | C] () -- C:\Users\Geoffrey\AppData\Roaming\Perl
[2010/06/17 20:17:28 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLdw.DAT
[2010/06/17 20:15:01 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Piano
[2010/06/17 20:15:01 | 000,000,268 | RH-- | C] () -- C:\Users\Geoffrey\AppData\Roaming\People
[2010/06/17 20:15:01 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLdu.DAT
[2010/02/02 21:19:36 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNWISE.EXE
[2010/02/02 21:19:36 | 000,024,576 | ---- | C] () -- C:\Windows\System32\hdduinst.exe
[2009/12/15 17:43:00 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2009/12/15 09:49:44 | 000,038,463 | ---- | C] () -- C:\Users\Geoffrey\AppData\Roaming\Comma Separated Values (DOS).ADR
[2009/12/15 09:46:30 | 000,009,348 | ---- | C] () -- C:\Users\Geoffrey\AppData\Roaming\Comma Separated Values (DOS).EML
[2009/12/10 14:58:11 | 010,160,640 | ---- | C] () -- C:\Windows\System32\ffmpeg.exe
[2009/11/10 01:47:26 | 000,000,025 | ---- | C] () -- C:\Windows\cdplayer.ini
[2009/11/02 09:22:46 | 001,049,600 | ---- | C] () -- C:\Windows\System32\oxtron.dll
[2009/08/11 22:00:54 | 000,000,000 | ---- | C] () -- C:\Windows\DbgOut.INI
[2009/07/31 13:34:01 | 000,038,446 | ---- | C] () -- C:\Users\Geoffrey\AppData\Roaming\Comma Separated Values (Windows).ADR
[2009/07/14 04:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 04:33:53 | 000,481,792 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 02:05:48 | 000,678,072 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 02:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 02:05:48 | 000,128,978 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 02:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 02:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 02:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 23:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/30 08:37:56 | 000,000,357 | ---- | C] () -- C:\Windows\odbcinst.ini
[2009/06/30 08:37:49 | 000,000,075 | ---- | C] () -- C:\Windows\SLS.INI
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2009/05/12 13:44:02 | 000,000,587 | ---- | C] () -- C:\Windows\System32\AcaTTS.ini
[2009/01/08 18:24:46 | 000,000,101 | ---- | C] () -- C:\Windows\BUZZTWLC.INI
[2009/01/08 18:18:21 | 000,000,359 | ---- | C] () -- C:\Windows\SoftWriting.ini
[2008/11/05 09:35:50 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/09/24 15:10:52 | 000,001,028 | ---- | C] () -- C:\Users\Geoffrey\AppData\Roaming\WavCodec.wff
[2008/09/12 17:17:07 | 000,000,383 | ---- | C] () -- C:\Windows\System32\haspdos.sys
[2008/08/21 11:51:44 | 000,111,932 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
[2008/08/21 11:51:44 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
[2008/08/21 11:51:44 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
[2008/08/21 11:51:44 | 000,026,154 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
[2008/08/21 11:51:44 | 000,024,903 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
[2008/08/21 11:51:44 | 000,021,390 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
[2008/08/21 11:51:44 | 000,020,148 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
[2008/08/21 11:51:44 | 000,011,811 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
[2008/08/21 11:51:44 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
[2008/08/21 11:51:44 | 000,001,146 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_DU.dat
[2008/08/21 11:51:44 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
[2008/08/21 11:51:44 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
[2008/08/21 11:51:44 | 000,001,136 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
[2008/08/21 11:51:44 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
[2008/08/21 11:51:44 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
[2008/08/21 11:51:44 | 000,001,120 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_IT.dat
[2008/08/21 11:51:44 | 000,001,107 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_GE.dat
[2008/08/21 11:51:44 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
[2008/08/21 11:51:44 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2008/08/06 11:10:54 | 000,001,127 | ---- | C] () -- C:\Windows\JJTIS.INI
[2008/06/23 15:01:47 | 000,000,133 | ---- | C] () -- C:\Windows\System32\AddPort.ini
[2008/06/23 15:01:46 | 000,003,399 | R--- | C] () -- C:\Windows\System32\hptcpmon.ini
[2008/06/23 15:01:30 | 000,749,568 | R--- | C] () -- C:\Windows\System32\agissi.dll
[2008/06/23 15:01:29 | 011,194,368 | R--- | C] () -- C:\Windows\System32\zhhp_res.dll
[2008/06/23 15:01:29 | 000,241,664 | R--- | C] () -- C:\Windows\System32\zhhp2600.exe
[2008/06/23 15:01:28 | 000,327,680 | R--- | C] () -- C:\Windows\System32\zshp2600.exe
[2008/06/23 15:01:28 | 000,114,688 | R--- | C] () -- C:\Windows\System32\vshp2600.dll
[2008/06/23 15:00:32 | 000,000,578 | ---- | C] () -- C:\Windows\hpntwksetup.ini
[2008/06/18 14:59:56 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/05/28 17:40:00 | 000,000,191 | ---- | C] () -- C:\Windows\WinHelp.ini
[2008/05/19 18:10:20 | 000,023,888 | ---- | C] () -- C:\Users\Geoffrey\AppData\Roaming\UserTile.png
[2008/02/19 04:18:27 | 000,221,184 | ---- | C] () -- C:\Windows\SetDisplayResolution.exe
[2008/02/19 03:06:19 | 000,004,744 | ---- | C] () -- C:\Windows\HotFixList.ini
[2008/02/19 02:28:20 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2008/02/18 09:20:12 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/02/18 09:20:07 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/02/18 09:20:07 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/02/18 09:20:07 | 000,144,773 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2007/11/09 13:53:34 | 000,172,032 | ---- | C] () -- C:\Windows\System32\AcaTtsSapi5.dll
[2007/04/24 09:32:56 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2007/02/26 07:49:12 | 006,139,774 | ---- | C] () -- C:\Windows\System32\imagine digital freedom.dat
[2007/02/15 07:51:02 | 000,274,432 | ---- | C] () -- C:\Windows\System32\NDADLL.dll
[2006/11/29 08:00:30 | 000,045,056 | ---- | C] () -- C:\Windows\System32\MAWebControl.exe
[2006/11/29 08:00:28 | 000,307,200 | ---- | C] () -- C:\Windows\System32\LDBGenWizView.dll
[2006/10/09 01:01:28 | 000,061,440 | ---- | C] () -- C:\Windows\System32\AVSAudioWideStereoDMO.dll
[2006/05/02 13:24:38 | 000,070,144 | R--- | C] () -- C:\Windows\System32\ENCODE32.DLL
[2006/05/02 13:24:38 | 000,018,944 | R--- | C] () -- C:\Windows\System32\TALDM32A.dll
[2006/05/02 13:24:38 | 000,017,408 | R--- | C] () -- C:\Windows\System32\TALDM32.DLL
[2004/02/28 05:30:12 | 000,049,152 | ---- | C] () -- C:\Windows\System32\TrustSupport.dll
[2003/08/07 14:01:52 | 000,237,568 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2001/11/14 04:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[1998/07/12 00:13:00 | 000,053,760 | ---- | C] () -- C:\Windows\System32\zlib.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/14 01:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/14 01:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/14 01:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys
[2009/07/14 01:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_bc1a57271cf2f285\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 01:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 01:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/14 01:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
[2009/07/14 01:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/14 01:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/14 01:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/14 01:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/14 01:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 01:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys
[2010/11/20 12:29:54 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_b118bc63e60a139a\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2010/11/20 12:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_ffbf212e963c0162\netlogon.dll
[2009/07/14 01:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/14 01:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2010/11/20 12:30:06 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_3be22d131d40bd72\nvstor.sys
[2009/07/14 01:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/14 01:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 01:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/14 01:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/14 01:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll
[2010/11/20 12:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_3a154c47375d881d\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2011/03/08 16:05:40 | 000,117,760 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\iepeers.dll

< %systemroot%\System32\config\*.sav >

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Users\Geoffrey\AppData\Roaming\Comma Separated Values (DOS).EML:OECustomProperty

< End of report >


==============Extras==============================
OTL Extras logfile created on: 10/03/2011 14:36:01 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = D:\alain\rootkits\otl
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8080.16413)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 41.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.05 Gb Total Space | 21.76 Gb Free Space | 31.51% Space Free | Partition Type: NTFS
Drive D: | 70.00 Gb Total Space | 51.74 Gb Free Space | 73.91% Space Free | Partition Type: NTFS
Drive Y: | 913.09 Gb Total Space | 55.48 Gb Free Space | 6.08% Space Free | Partition Type: NTFS
Drive Z: | 913.09 Gb Total Space | 55.48 Gb Free Space | 6.08% Space Free | Partition Type: NTFS

Computer Name: GEOFFREY-PC | User Name: Geoffrey | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with XnView] -- "C:\Program Files\XnView\xnview.exe" "%1" (XnView, http://www.xnview.com)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MasterSuite\ArtMaster\Engine\Engine.exe" = C:\Program Files\MasterSuite\ArtMaster\Engine\Engine.exe:*:Enabled:Engine.exe


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.0.1.5000
"{082DF5B7-6572-6B88-F9F3-E1A41707F4A7}" = CCC Help Czech
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{0EE315C8-0081-8B6B-12AF-D26BBF275A82}" = CCC Help Korean
"{10F29C04-6DFA-65AD-B5AA-744255B4D7C8}" = CCC Help Polish
"{13A5E785-5197-4EAD-8EE3-D660271E49BC}" = Feedback Tool
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{237a4b22-78c2-11d6-a394-00104bd190b1}" = QuickBooks Pro Edition 2003
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{253FCC55-E03D-40D4-A407-3470BE4101C0}" = VistaPrint Electronic Business Card
"{287A32EF-A420-6596-ADDA-A9DE9A897796}" = CCC Help Portuguese
"{2AE84E70-5E53-C8B0-F423-C6494B4FEBED}" = CCC Help German
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2EB709B5-0355-B855-8CC0-00821C49DA8B}" = Catalyst Control Center Localization Dutch
"{2F00CF0D-C670-9BD6-51FD-8DD1A0A42E37}" = Catalyst Control Center Localization Czech
"{2F2BB2EC-8494-3C43-6ABF-FEF5C05F3DA6}" = Catalyst Control Center Localization Polish
"{313EAEC4-F4E1-31B9-4F38-107FF621B31F}" = CCC Help Turkish
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32E64DF2-8426-C9E0-2829-5485AB959225}" = Catalyst Control Center Core Implementation
"{3345B08C-5CAF-AF8C-301C-1B159BB51556}" = Catalyst Control Center Localization Japanese
"{36BEAD11-8577-49AD-9250-E06A50AE87B0}" = Microsoft SOAP Toolkit 2.0 SP2
"{3C25440D-FBA4-A668-D088-26842B689ADB}" = CCC Help French
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3DFAF6BC-4FE2-5B0D-1C9B-F2055968277B}" = Catalyst Control Center Localization German
"{3FFE6A7B-13B9-494C-29D7-EB46E9E6646C}" = Catalyst Control Center Localization Russian
"{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}" = ATI Catalyst Install Manager
"{436B50D2-4CA3-A53D-00CF-482A886A1524}" = CCC Help Finnish
"{450063AA-643B-417C-8CF5-405BA3F4EF40}" = Autodesk Design Review 2009
"{46623DE3-FDA8-2141-C951-1A2DFA420D03}" = Skins
"{480F7F23-279B-96A4-FAD2-7014D36B79C4}" = Catalyst Control Center Localization Turkish
"{4C2FFF92-0B63-4D18-9690-ED310E3A604D}" = Rachel
"{4C446789-8CF5-4F7A-9CAD-E57A70557F49}" = NaturalReader9
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53ACEA2E-B4DC-47A3-A0A2-8930536EE806}" = Realtime Landscaping Pro 4
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56682EAB-48F1-7187-4F48-1FF9645A1D07}" = Catalyst Control Center Localization Finnish
"{5783F2D6-7028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2009
"{5A6ED905-D19D-4954-8499-0DAF386460F7}" = Media Manager for WALKMAN 1.2
"{5E031BFC-0827-26D4-FDD3-B8D68472DAE1}" = Catalyst Control Center Localization Portuguese
"{5F29B192-AE83-2636-747D-C5D83E79E8FE}" = Catalyst Control Center Localization Chinese Traditional
"{5FE21275-8D6C-CD0F-5B36-394636C0D264}" = CCC Help Thai
"{6001A55E-2A00-C407-67DB-DCFB3E0CD6F2}" = Catalyst Control Center Graphics Previews Vista
"{6290211A-CB26-FD7E-F214-21B15A5F7C87}" = Catalyst Control Center Localization Korean
"{659B48CD-0608-4ED5-94C0-0B6C87114F10}" = Apple Mobile Device Support
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{681C334E-6E93-84BF-E371-26109B7BF8B8}" = Catalyst Control Center Localization Italian
"{6ABA3523-4F11-4787-8839-C249BBF0B8D1}" = Rosetta Stone 2.2.0.0A
"{6B898739-AE0B-574E-9E7F-DCC7907372A0}" = CCC Help English
"{6B991234-EB5B-4FB3-5873-3946854F0850}" = Catalyst Control Center Localization Hungarian
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71A51B09-E7D3-11DB-A386-005056C00008}" = Vimicro UVC Camera
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78225D0F-D12C-09E4-5D6D-A64D763E8982}" = BBC iPlayer Desktop
"{79538CDE-83AC-0264-3125-145F33D63B88}" = Catalyst Control Center Graphics Light
"{7A00BF8A-A7E5-D3E0-B17F-06BC5AEC48F6}" = CCC Help Japanese
"{7b7e564b-0c70-4506-9ab6-b7a2044425ab}" = Gigaset QuickSync
"{7D97029D-B047-F3A1-D6C0-BFF3647AC943}" = Catalyst Control Center Localization French
"{87009005-9492-1307-F01A-25C1554F4F32}" = ccc-core-static
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{87824C5E-2830-63FC-177E-05E16F55F596}" = CCC Help Swedish
"{8E8FFB67-9316-F95E-969F-402722568272}" = CCC Help Italian
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{961DC9E8-DDAF-6271-AD0A-689909295476}" = CCC Help Chinese Standard
"{A413023B-583C-4BDD-A639-346B1579DC01}" = Catalyst Control Center Localization Thai
"{A54A1F3D-E2E0-C9F9-8112-8F0C5A6B06E0}" = Catalyst Control Center Localization Swedish
"{A5C67209-3FC7-A6FF-F7FB-079586F223CC}" = Catalyst Control Center Localization Danish
"{A777CB31-A5EC-4E32-A462-2E24F45D4D4F}_is1" = Moyea FLV to Video Converter Pro 2 version: 2.0.17.194
"{A7A27439-E5CD-AF54-FD49-8A08354D5122}" = Catalyst Control Center Localization Chinese Standard
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AD92E291-E249-4AAD-C8FF-BAF0FC7AFE9C}" = CCC Help Greek
"{B15C935A-8944-937D-6FA4-D69BEFFEA643}" = CCC Help Spanish
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}" = PixiePack Codec Pack
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B395BC1D-CC06-425E-9049-4CD985EFF004}" = LightScribe 1.8.15.1
"{B7263C56-AED3-3D55-918C-E0BAFCCBF0C7}" = CCC Help Russian
"{BB219FC1-008E-7D0D-91A0-CAE6D03DAC8C}" = Catalyst Control Center Localization Norwegian
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}" = Microsoft SQL Server VSS Writer
"{C550F812-14C4-23F5-F369-6761A9C0E864}" = CCC Help Dutch
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CAED2BFB-E4D5-D367-7179-D09E73C85938}" = Catalyst Control Center Localization Greek
"{CAF81DB8-F5DC-DF09-18A6-DD61635305E8}" = CCC Help Chinese Traditional
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D4186013-EE74-7570-17D3-38BC3632D51A}" = CCC Help Norwegian
"{D9CE4019-982E-BF95-18CE-5EBB5D75D939}" = Catalyst Control Center Graphics Full New
"{DDD45306-E4F0-D309-447F-7B1A0F6F9CAB}" = Catalyst Control Center Localization Spanish
"{DF0102B1-4E96-4953-8625-E73CEBC491E9}" = SmartStamp
"{E28201F3-2C09-FCD1-6934-84A3A9E4F0BF}" = CCC Help Danish
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EF367AA4-070B-493C-9575-85BE59D789C9}" = Easy SpeedUp Manager
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4A7EE8F-94F0-374C-E4F2-B7CDDE56ECA8}" = Catalyst Control Center Graphics Full Existing
"{F790AD19-127F-9BD7-2655-13E3DA0D7BC2}" = ccc-utility
"{FC20E3FB-60DB-8CFB-4649-CB2F2092F6B2}" = CCC Help Hungarian
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 4.58 beta
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ArtMaster" = ArtMaster___demo UNINSTALL
"Autodesk Design Review 2009" = Autodesk Design Review 2009
"BTHomeHub" = BTHomeHub
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 5.0.0.609
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CCleaner" = CCleaner
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-09-21 16:18
"Data Access Objects (DAO) 3.5" = Data Access Objects (DAO) 3.5
"DWG TrueView 2009" = DWG TrueView 2009
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ESET Online Scanner" = ESET Online Scanner v3
"FileZilla Client" = FileZilla Client 3.1.5.1
"FLV Player" = FLV Player 2.0, build 24
"Foxit Reader" = Foxit Reader
"Free Audio Editor" = Free Audio Editor
"Free WMA to MP3 Converter_is1" = Free WMA to MP3 Converter 1.16
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.61
"HASP Device Drivers" = HASP Device Drivers
"HP-Color LaserJet 2600n" = Color LaserJet 2600n
"InfraRecorder" = InfraRecorder
"InstallShield_{6ABA3523-4F11-4787-8839-C249BBF0B8D1}" = Rosetta Stone 2.2.0.0A
"InstallShield_{DF0102B1-4E96-4953-8625-E73CEBC491E9}" = SmartStamp
"JDiskReport 1.3.1" = JGoodies JDiskReport 1.3.1
"JTIS" = JTIS
"MagicDisc 2.5.74" = MagicDisc 2.5.74
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MotionMaster" = MotionMaster UNINSTALL
"Mp3tag" = Mp3tag v2.43
"MP4 Converter_is1" = MP4 Converter 1.0
"PdaNet_is1" = PdaNet for Android 2.17
"PROHYBRIDR" = 2007 Microsoft Office system
"R4" = R4
"RealPlayer 12.0" = RealPlayer
"SimpleOCR 3.1" = SimpleOCR 3.1
"SpyEraser_is1" = Uniblue SpyEraser
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Unlocker" = Unlocker 1.8.8
"uTorrent" = µTorrent
"WavePad" = WavePad Sound Editor
"web'n'walk USB manager" = web'n'walk USB manager
"Windows Mobile Device Handbook" = Windows Mobile® MDA Vario III Handbook
"XnView_is1" = XnView 1.94.2
"ZyTouch v1.0.1 (Serial)_is1" = ZyTouch v1.0.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 09/03/2011 08:24:53 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 09/03/2011 08:25:00 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 09/03/2011 08:25:00 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 09/03/2011 08:25:11 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 09/03/2011 08:25:11 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 09/03/2011 08:26:48 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 09/03/2011 08:26:50 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 09/03/2011 08:57:55 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 09/03/2011 10:18:46 | Computer Name = Geoffrey-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8080.16413 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 964 Start
Time: 01cbde64b81a4b1f Termination Time: 0 Application Path: C:\Program Files\Internet
Explorer\iexplore.exe Report Id:

Error - 09/03/2011 10:47:30 | Computer Name = Geoffrey-PC | Source = VSS | ID = 8194
Description =

[ Media Center Events ]
Error - 06/04/2010 18:10:50 | Computer Name = Geoffrey-PC | Source = MCUpdate | ID = 0
Description = 11:10:40 PM - Error connecting to the internet. 11:10:40 PM - Unable
to contact server..

Error - 06/04/2010 19:10:57 | Computer Name = Geoffrey-PC | Source = MCUpdate | ID = 0
Description = 12:10:54 AM - Error connecting to the internet. 12:10:54 AM - Unable
to contact server..

Error - 07/04/2010 03:43:23 | Computer Name = Geoffrey-PC | Source = MCUpdate | ID = 0
Description = 8:43:14 AM - Error connecting to the internet. 8:43:14 AM - Unable
to contact server..

Error - 07/04/2010 15:24:03 | Computer Name = Geoffrey-PC | Source = MCUpdate | ID = 0
Description = 8:23:53 PM - Error connecting to the internet. 8:23:53 PM - Unable
to contact server..

Error - 07/04/2010 22:46:33 | Computer Name = Geoffrey-PC | Source = MCUpdate | ID = 0
Description = 3:46:33 AM - Error connecting to the internet. 3:46:33 AM - Unable
to contact server..

Error - 07/04/2010 22:46:45 | Computer Name = Geoffrey-PC | Source = MCUpdate | ID = 0
Description = 3:46:39 AM - Error connecting to the internet. 3:46:39 AM - Unable
to contact server..

Error - 08/04/2010 15:02:13 | Computer Name = Geoffrey-PC | Source = MCUpdate | ID = 0
Description = 8:02:04 PM - Error connecting to the internet. 8:02:04 PM - Unable
to contact server..

[ OSession Events ]
Error - 11/06/2009 23:38:21 | Computer Name = Geoffrey-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 86547
seconds with 1620 seconds of active time. This session ended with a crash.

Error - 16/06/2009 23:34:40 | Computer Name = Geoffrey-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 64370
seconds with 540 seconds of active time. This session ended with a crash.

Error - 05/10/2009 23:53:03 | Computer Name = Geoffrey-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 67202
seconds with 6060 seconds of active time. This session ended with a crash.

Error - 17/05/2010 07:53:09 | Computer Name = Geoffrey-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 11578
seconds with 420 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 09/03/2011 11:53:42 | Computer Name = Geoffrey-PC | Source = DCOM | ID = 10010
Description =

Error - 09/03/2011 12:01:54 | Computer Name = Geoffrey-PC | Source = Service Control Manager | ID = 7000
Description = The Sentinel HASP License Manager service failed to start due to the
following error: %%2

Error - 09/03/2011 12:26:31 | Computer Name = Geoffrey-PC | Source = DCOM | ID = 10010
Description =

Error - 09/03/2011 12:34:55 | Computer Name = Geoffrey-PC | Source = Service Control Manager | ID = 7000
Description = The Sentinel HASP License Manager service failed to start due to the
following error: %%2

Error - 10/03/2011 06:33:33 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-DNS-Client | ID = 1012
Description = There was an error while attempting to read the local hosts file.

Error - 10/03/2011 07:31:19 | Computer Name = Geoffrey-PC | Source = DCOM | ID = 10010
Description =

Error - 10/03/2011 07:33:36 | Computer Name = Geoffrey-PC | Source = Service Control Manager | ID = 7000
Description = The Sentinel HASP License Manager service failed to start due to the
following error: %%2

Error - 10/03/2011 07:52:42 | Computer Name = Geoffrey-PC | Source = Service Control Manager | ID = 7000
Description = The Sentinel HASP License Manager service failed to start due to the
following error: %%2

Error - 10/03/2011 08:03:31 | Computer Name = Geoffrey-PC | Source = Service Control Manager | ID = 7000
Description = The Sentinel HASP License Manager service failed to start due to the
following error: %%2

Error - 10/03/2011 09:44:52 | Computer Name = Geoffrey-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070020: Windows 7 Service Pack 1 (KB976932).


< End of report >



Can you help, please?

Alain



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:55 PM

Posted 10 March 2011 - 10:34 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine; if it does, click OK.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply




Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

information and logs:

In your next post I need the following

1. logs from DDS
2. RKUnHooker
3. let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 alffla

alffla
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 10 March 2011 - 11:25 AM

hi,
thanks for helping me.
here are the logs

Attached Files



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:55 PM

Posted 10 March 2011 - 11:35 AM

Please Do Not Attach Reports Unless Asked To Do So




Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 10 March 2011 - 11:36 AM.


#5 alffla

alffla
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 10 March 2011 - 11:53 AM

hi,

I'm sorry for attaching the files. I thought it was clearly on the website.
Thanks for your help.

Here's the log for Combofix:

ComboFix 11-03-09.05 - Geoffrey 10/03/2011 16:39:31.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.1790.1253 [GMT 0:00]
Running from: c:\users\Geoffrey\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-10 16:46 . 2011-03-10 16:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-10 14:31 . 2011-03-10 15:24 -------- d-----w- c:\programdata\Uniblue
2011-03-10 12:59 . 2011-03-10 12:59 -------- d-----w- c:\program files\ESET
2011-03-10 11:54 . 2011-03-10 11:54 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-10 11:41 . 2011-03-10 11:54 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-03-09 11:35 . 2011-03-09 11:35 -------- d-----w- c:\windows\system32\SPReview
2011-03-09 11:33 . 2011-03-09 11:34 -------- d-----w- c:\windows\system32\EventProviders
2011-03-09 11:03 . 2011-01-17 05:38 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-03-09 10:36 . 2011-03-09 10:36 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-03-09 05:47 . 2011-02-19 05:33 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-03-09 05:47 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-03-09 05:47 . 2011-02-19 05:32 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-09 05:47 . 2010-12-23 05:28 850432 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 05:47 . 2010-12-23 05:28 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 05:47 . 2010-12-23 05:28 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 05:47 . 2010-12-23 05:24 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 05:47 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 05:47 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-03-08 16:03 . 2011-03-08 16:03 -------- d-----w- c:\program files\Feedback Tool
2011-03-08 10:34 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0E6412C9-78FA-4314-9D40-39C92B76BDB1}\mpengine.dll
2011-03-07 17:11 . 2011-03-09 14:26 -------- d-----w- c:\program files\Unlocker
2011-02-24 06:50 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-02-23 11:21 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-23 11:21 . 2011-01-07 07:31 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-18 14:06 . 2011-02-18 14:07 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-02-09 18:56 . 2011-01-05 03:37 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-09 18:56 . 2010-12-18 05:29 541184 ----a-w- c:\windows\system32\kerberos.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 17:11 . 2009-11-09 20:26 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"OLP-Tray"="c:\program files\Royal Mail\SmartStamp\BINARY\STRAY.EXE" [2006-07-17 40960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe [x]
R3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [2009-02-12 23096]
R3 DrmCVideo;DrmCVideo;c:\windows\system32\DRIVERS\DrmCVideo.sys [2009-02-12 3768]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\C17A.tmp [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-22 1343400]
R4 IEIBWEBSY;IEIBWEBSY;c:\users\Geoffrey\AppData\Local\Temp\IEIBWEBSY.exe [x]
R4 PEDAPHEG;PEDAPHEG;c:\users\Geoffrey\AppData\Local\Temp\PEDAPHEG.exe [x]
R4 WW;WW;c:\users\Geoffrey\AppData\Local\Temp\WW.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-22 64160]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\DRIVERS\kmdfmemio.sys [2008-02-19 13312]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NORMANDY
*Deregistered* - Normandy
*Deregistered* - PROCEXP141
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {03A802CD-C56B-4B66-BD3D-D28A2C928B41} = 192.168.1.254
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C17A.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-03-10 16:50:17
ComboFix-quarantined-files.txt 2011-03-10 16:50
.
Pre-Run: 23,669,919,744 bytes free
Post-Run: 23,612,813,312 bytes free
.
- - End Of File - - C48C742268DEDAF31BCC2D2E54EC823B



Alain

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:55 PM

Posted 10 March 2011 - 12:37 PM

I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Driver::
IEIBWEBSY
PEDAPHEG


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

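As an added example (not part of the thread, and not ComboFix's or the helper's own code): a Python triage of the service lines from the ComboFix log posted above, flagging the traits that make entries like IEIBWEBSY and PEDAPHEG stand out (binary in a user Temp folder, a .tmp image, file missing) and rendering the Driver:: block in the CFScript form used in this post. The reading of the R/S prefix, start-type digit and [x] marker, the sample lines and the flag heuristics are assumptions; the output is a list of leads for a person to confirm, not an automatic removal list.

```python
"""Added example (not from the thread, ComboFix or the helper): triage the
service/driver lines of a ComboFix log and render a CFScript Driver:: block.

Assumed line shape (how ComboFix prints the 'Reg Loading Points' services):
    <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
R/S = running/stopped, the digit is the Windows service start type
(0 boot ... 4 disabled) and '[x]' means the image file was not found on disk.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the service lines in the log posted above.
SAMPLE_LOG = r"""
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\C17A.tmp [x]
R4 IEIBWEBSY;IEIBWEBSY;c:\users\Geoffrey\AppData\Local\Temp\IEIBWEBSY.exe [x]
R4 PEDAPHEG;PEDAPHEG;c:\users\Geoffrey\AppData\Local\Temp\PEDAPHEG.exe [x]
R4 WW;WW;c:\users\Geoffrey\AppData\Local\Temp\WW.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-22 64160]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
"""

LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")

# Heuristic flags (assumptions, not ComboFix's own classification).
FLAG_TEMP = "image runs from a user Temp folder"
FLAG_TMPEXT = "image is a .tmp file"
FLAG_MISSING = "image file not found on disk ([x])"
HIGH_FLAGS = {FLAG_TEMP, FLAG_TMPEXT}


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image_path: str
    file_missing: bool
    flags: list = field(default_factory=list)

    @property
    def severity(self):
        """'high' when the image lives where no service binary belongs,
        'review' when the only oddity is a missing file, else None."""
        if HIGH_FLAGS & set(self.flags):
            return "high"
        return "review" if self.flags else None


def parse_line(line):
    """Return a ServiceEntry for one service line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path, stamp = m.groups()
    return ServiceEntry(state == "R", int(start), name, display, path,
                        stamp.strip().lower() == "x")


def assess(entry):
    """Attach flags for the traits that make a service worth a closer look."""
    p = entry.image_path.lower()
    if "\\users\\" in p and "\\temp\\" in p:
        entry.flags.append(FLAG_TEMP)
    if p.endswith(".tmp"):
        entry.flags.append(FLAG_TMPEXT)
    if entry.file_missing:
        # A missing image also fits a legitimate but broken service: hasplms here
        # matches the 'failed to start' SCM errors in the event log posted above.
        entry.flags.append(FLAG_MISSING)
    return entry


def triage(log_text):
    """Parse a ComboFix log fragment and return the entries that received flags."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).flags:
            flagged.append(entry)
    return flagged


def cfscript_driver_block(names):
    """Render a Driver:: section in the CFScript form used in this post:
    a 'Driver::' header followed by one service name per line."""
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.severity:6} {e.name:12} {e.image_path}")
        for f in e.flags:
            print(f"       - {f}")
    # Only high-severity entries are removal candidates, and a person still
    # confirms each one before it goes into the script.
    print(cfscript_driver_block(e.name for e in flagged if e.severity == "high"))
```

Note that the heuristic is broader than what the helper chose: it also raises MEMSWEEP2 (a .tmp image) and WW, which is why the flagged list is reviewed rather than fed straight into a script.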

#7 alffla

alffla
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 10 March 2011 - 01:02 PM

Hi,


It all went fine. The issue is still there though. I could hear an audio ad. You'll see there are four instances of iexplore. I ran RootkitRevealer before asking for your help. I don't know if that would help. Thanks again.

Here's the log:

ComboFix 11-03-09.05 - Geoffrey 10/03/2011 17:43:18.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.1790.1049 [GMT 0:00]
Running from: c:\users\Geoffrey\Desktop\ComboFix.exe
Command switches used :: c:\users\Geoffrey\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_IEIBWEBSY
-------\Service_PEDAPHEG
.
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-10 17:49 . 2011-03-10 17:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-10 15:59 . 2011-03-10 17:53 -------- d-----w- c:\users\Geoffrey\AppData\Local\temp
2011-03-10 14:31 . 2011-03-10 15:24 -------- d-----w- c:\programdata\Uniblue
2011-03-10 12:59 . 2011-03-10 12:59 -------- d-----w- c:\program files\ESET
2011-03-10 11:54 . 2011-03-10 11:54 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-10 11:41 . 2011-03-10 11:54 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-03-09 11:35 . 2011-03-09 11:35 -------- d-----w- c:\windows\system32\SPReview
2011-03-09 11:33 . 2011-03-09 11:34 -------- d-----w- c:\windows\system32\EventProviders
2011-03-09 11:03 . 2011-01-17 05:38 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-03-09 10:36 . 2011-03-09 10:36 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-03-09 05:47 . 2011-02-19 05:33 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-03-09 05:47 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-03-09 05:47 . 2011-02-19 05:32 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-09 05:47 . 2010-12-23 05:28 850432 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 05:47 . 2010-12-23 05:28 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 05:47 . 2010-12-23 05:28 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 05:47 . 2010-12-23 05:24 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 05:47 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 05:47 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-03-08 16:03 . 2011-03-08 16:03 -------- d-----w- c:\program files\Feedback Tool
2011-03-08 10:34 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0E6412C9-78FA-4314-9D40-39C92B76BDB1}\mpengine.dll
2011-03-07 17:11 . 2011-03-09 14:26 -------- d-----w- c:\program files\Unlocker
2011-02-24 06:50 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-02-23 11:21 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-23 11:21 . 2011-01-07 07:31 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-18 14:06 . 2011-02-18 14:07 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-02-09 18:56 . 2011-01-05 03:37 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-09 18:56 . 2010-12-18 05:29 541184 ----a-w- c:\windows\system32\kerberos.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 17:11 . 2009-11-09 20:26 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"OLP-Tray"="c:\program files\Royal Mail\SmartStamp\BINARY\STRAY.EXE" [2006-07-17 40960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe [x]
R3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [2009-02-12 23096]
R3 DrmCVideo;DrmCVideo;c:\windows\system32\DRIVERS\DrmCVideo.sys [2009-02-12 3768]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\C17A.tmp [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-22 1343400]
R4 WW;WW;c:\users\Geoffrey\AppData\Local\Temp\WW.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-22 64160]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\DRIVERS\kmdfmemio.sys [2008-02-19 13312]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {03A802CD-C56B-4B66-BD3D-D28A2C928B41} = 192.168.1.254
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C17A.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2528)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-03-10 17:58:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-10 17:58
.
Pre-Run: 23,437,754,368 bytes free
Post-Run: 23,202,295,808 bytes free
.
- - End Of File - - BA85E9BE23C63AD76A5A7B7EA66DB80A

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 March 2011 - 01:14 PM

Hello

Thanks for letting me know about the ads.

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#9 alffla

  • Topic Starter
  • Members
  • 12 posts

Posted 10 March 2011 - 01:57 PM

Hello,

I tried to run the program but it did not work at first, so I tried running it as administrator, but with no success. Then I rebooted in safe mode and again it did not work. The program started to run, I could see it in the processes list, but about 10 seconds later it disappeared. It never showed a GUI. I rebooted to standard mode and tried again, but no luck. I renamed the file and ran it from different locations, but again I had no luck.

Any ideas?

Alain.

#10 alffla

  • Topic Starter
  • Members
  • 12 posts

Posted 10 March 2011 - 02:09 PM

Hi,

I have restarted the system and it showed an instance of Internet Explorer. I checked the processes with ProcessExplorer and could see four instances of Internet Explorer.

Here are the command lines of two of them:

"C:\Program Files\Internet Explorer\iexplore.exe" -restart /WERRESTART

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.searchmuddy.org/ac.php?aid=484&sid=direc10

I hope it helps.

Alain

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 March 2011 - 02:19 PM

MBRCheck

Please also download MBRCheck to your desktop.
  • Double-click MBRCheck.exe to run it (on Vista and Win 7, right-click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRCheck will be on your desktop.
  • Open this report.
  • Right-click on the screen and select > Select All.
  • Press Control+C.
  • Now please copy that report to this thread.


#12 alffla

  • Topic Starter
  • Members
  • 12 posts

Posted 10 March 2011 - 02:30 PM

This is the MBRCheck report:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
System Product Name: R59P/R60P/R61P
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 191):

Processes (total 39):
0 System Idle Process
4 System
284 C:\Windows\System32\smss.exe
424 csrss.exe
484 csrss.exe
492 C:\Windows\System32\wininit.exe
528 C:\Windows\System32\winlogon.exe
588 C:\Windows\System32\services.exe
596 C:\Windows\System32\lsass.exe
604 C:\Windows\System32\lsm.exe
712 C:\Windows\System32\svchost.exe
796 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\Ati2evxx.exe
924 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
988 C:\Windows\System32\svchost.exe
1168 C:\Windows\System32\svchost.exe
1240 C:\Windows\System32\Ati2evxx.exe
1300 C:\Windows\System32\svchost.exe
1468 C:\Windows\System32\spoolsv.exe
1496 C:\Windows\System32\svchost.exe
1592 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
1612 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1644 C:\Windows\System32\svchost.exe
1772 C:\Windows\System32\svchost.exe
1320 C:\Windows\System32\taskhost.exe
1292 C:\Windows\System32\dwm.exe
2056 C:\Windows\explorer.exe
2512 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2520 C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
2708 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3668 C:\Windows\System32\svchost.exe
808 C:\Windows\System32\audiodg.exe
3444 WmiPrvSE.exe
1096 C:\Users\Geoffrey\Desktop\MBRCheck.exe
4088 C:\Windows\System32\conhost.exe
2716 C:\Program Files\Internet Explorer\iexplore.exe
3752 C:\Program Files\Internet Explorer\iexplore.exe
2124 MpCmdRun.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`c3300000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHM160HI, Rev: HH100-06

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 March 2011 - 02:34 PM

Hello


Let me know about the ads after this, please.


System Recovery Environment

To access the System Recovery Environment in Windows 7, simply boot your PC:

  • Just before the system loads the Windows operating system, hit the [F8] Function 8 key on your keyboard, which will launch the Advanced Boot Options menu.
  • There you will see a new option, 'Repair Your Computer'; select this option and hit 'Enter' on your keyboard.
  • Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next.
  • From the "Choose a Recovery Tool" dialog menu, select "Command Prompt".
  • Type the following into the "Command Prompt Window" and press Enter:

    bootrec.exe /fixmbr

If you have problems booting the computer after you have run that command, boot back into the System Recovery Environment and type the following into the "Command Prompt Window" and press Enter:

    bootrec.exe /fixboot


#14 alffla

  • Topic Starter
  • Members
  • 12 posts

Posted 10 March 2011 - 03:05 PM

The ad is still there. The command line shown in ProcessExplorer is:

"c:\progam files\internet explorer\iexplore.exe" http://www.searchpolitical.org/ac.php?aid=484&id=direc10


That is a difficult one to get rid of!!!

#15 alffla

  • Topic Starter
  • Members
  • 12 posts

Posted 10 March 2011 - 03:17 PM

Below is the content of the page that gets loaded from the link I posted earlier:


From: "Saved by Windows Internet Explorer 9"
Subject:
Date: Thu, 10 Mar 2011 20:10:53 -0000
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://www.searchpolitical.org/ac.php?q=yahoo+messenger+invisible+hack&aid=484&sid=direc10
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7600.16543

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=windows-1252" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 9.00.8080.16413"></HEAD>
<BODY>searching for yahoo messenger invisible hack<BR>searching for yahoo messenger invisible hack<BR>
<A id=mylink0 href="http://www.searchpolitical.org/go.php?userip=80.42.248.8&amp;referer=http%3A%2F%2Fwww.searchpolitical.org%2Fsearch.php%3Fq%3Dyahoo%2Bmessenger%2Binvisible%2Bhack%26aid%3D484%26sid%3Ddirec10&amp;curl=http%3A%2F%2F213.174.149.102%2Ftd%3Faid%3DA91447%26said%3D484-direc10%26q%3Dyahoo%2520messenger%2520invisible%2520hack&amp;aid=484&amp;sid=direc10">http://www.searchpolitical.org/go.php?userip=80.42.248.8&amp;referer=http%3A%2F%2Fwww.searchpolitical.org%2Fsearch.php%3Fq%3Dyahoo%2Bmessenger%2Binvisible%2Bhack%26aid%3D484%26sid%3Ddirec10&amp;curl=http%3A%2F%2F213.174.149.102%2Ftd%3Faid%3DA91447%26said%3D484-direc10%26q%3Dyahoo%2520messenger%2520invisible%2520hack&amp;aid=484&amp;sid=direc10</A><BR><BR>
looking for yahoo messenger invisible hack<BR>looking for yahoo messenger invisible hack<BR>
<A id=mylink1 href="http://www.searchpolitical.org/go.php?userip=80.42.248.8&amp;referer=http%3A%2F%2Fwww.searchpolitical.org%2Fsearch.php%3Fq%3Dyahoo%2Bmessenger%2Binvisible%2Bhack%26aid%3D484%26sid%3Ddirec10&amp;curl=http%3A%2F%2F213.174.149.102%2Ftd%3Faid%3DA91447%26said%3D484-direc10%26q%3Dyahoo%2520messenger%2520invisible%2520hack&amp;aid=484&amp;sid=direc10">http://www.searchpolitical.org/go.php?userip=80.42.248.8&amp;referer=http%3A%2F%2Fwww.searchpolitical.org%2Fsearch.php%3Fq%3Dyahoo%2Bmessenger%2Binvisible%2Bhack%26aid%3D484%26sid%3Ddirec10&amp;curl=http%3A%2F%2F213.174.149.102%2Ftd%3Faid%3DA91447%26said%3D484-direc10%26q%3Dyahoo%2520messenger%2520invisible%2520hack&amp;aid=484&amp;sid=direc10</A><BR><BR>
yahoo messenger invisible hack<BR>yahoo messenger invisible hack<BR>
<A id=mylink2 href="http://www.searchpolitical.org/go.php?userip=80.42.248.8&amp;referer=http%3A%2F%2Fwww.searchpolitical.org%2Fsearch.php%3Fq%3Dyahoo%2Bmessenger%2Binvisible%2Bhack%26aid%3D484%26sid%3Ddirec10&amp;curl=http%3A%2F%2F213.174.149.102%2Ftd%3Faid%3DA91447%26said%3D484-direc10%26q%3Dyahoo%2520messenger%2520invisible%2520hack&amp;aid=484&amp;sid=direc10">http://www.searchpolitical.org/go.php?userip=80.42.248.8&amp;referer=http%3A%2F%2Fwww.searchpolitical.org%2Fsearch.php%3Fq%3Dyahoo%2Bmessenger%2Binvisible%2Bhack%26aid%3D484%26sid%3Ddirec10&amp;curl=http%3A%2F%2F213.174.149.102%2Ftd%3Faid%3DA91447%26said%3D484-direc10%26q%3Dyahoo%2520messenger%2520invisible%2520hack&amp;aid=484&amp;sid=direc10</A><BR><BR>
2&lt;50
<script>setTimeout("document.getElementById('mylink0').click();",8432);</SCRIPT>
</BODY></HTML>
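Added example, not code from the thread or from any tool named in it: a Python script that decodes a saved copy of the redirect page (the MHT quoted-printable form the Content-Transfer-Encoding header above names) and reports what it does: which anchors it carries, where the go.php hop really forwards to (its curl parameter, the 213.174.149.102 address), and which anchor the setTimeout script auto-clicks and after how many milliseconds. The embedded sample is a trimmed copy of the posted source (one of the three identical anchors kept); the function names are this example's own.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a trimmed copy of the quoted-printable body posted in the
# thread (one of the three identical anchors kept, the auto-click script intact).
SAMPLE_QP = b"""<BODY>searching for yahoo messenger invisible hack<BR><A id=3Dmylink0=20
href=3D"http://www.searchpolitical.org/go.php?userip=3D80.42.248.8&amp;re=
ferer=3Dhttp%3A%2F%2Fwww.searchpolitical.org%2Fsearch.php%3Fq%3Dyahoo%2Bm=
essenger%2Binvisible%2Bhack%26aid%3D484%26sid%3Ddirec10&amp;curl=3Dhttp%3=
A%2F%2F213.174.149.102%2Ftd%3Faid%3DA91447%26said%3D484-direc10%26q%3Dyah=
oo%2520messenger%2520invisible%2520hack&amp;aid=3D484&amp;sid=3Ddirec10">=
link</A><BR>2&lt;50
<script>setTimeout("document.getElementById('mylink0').click();",8432);</=
SCRIPT>
</BODY>"""

# The one-shot redirect pattern seen in the page: a timer that "clicks" an
# anchor by id after N milliseconds, so the hidden browser navigates on its own.
AUTOCLICK_RE = re.compile(
    r"""setTimeout\(\s*["']document\.getElementById\(['"](\w+)['"]\)\.click\(\);?["']\s*,\s*(\d+)\s*\)"""
)


def decode_saved_page(qp_body: bytes) -> str:
    """Undo the MHT transfer encoding: =3D -> '=', =20 -> ' ', a trailing '=' joins lines."""
    return quopri.decodestring(qp_body).decode("windows-1252")


class _AnchorCollector(HTMLParser):
    """Collect id -> href for every <a> carrying both (entities such as &amp; are unescaped)."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if a.get("id") and a.get("href"):
                self.links[a["id"]] = a["href"]


def extract_links(html_text: str) -> dict[str, str]:
    parser = _AnchorCollector()
    parser.feed(html_text)
    return parser.links


def explain_go_link(href: str) -> dict[str, str]:
    """Split a go.php hop into its parts: the visitor IP it carries, the referer
    it will present, the onward destination (curl) and the affiliate ids."""
    parts = urlsplit(href)
    q = parse_qs(parts.query)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    return {
        "hop_host": parts.hostname or "",
        "userip": first("userip"),
        "referer": first("referer"),
        "destination": first("curl"),
        "aid": first("aid"),
        "sid": first("sid"),
    }


def find_autoclick(html_text: str):
    """Return (anchor id, delay in ms) if the page auto-clicks a link, else None."""
    m = AUTOCLICK_RE.search(html_text)
    return (m.group(1), int(m.group(2))) if m else None


def analyse_saved_page(qp_body: bytes) -> dict:
    text = decode_saved_page(qp_body)
    links = extract_links(text)
    auto = find_autoclick(text)
    report = {"links": {i: explain_go_link(h) for i, h in links.items()}, "autoclick": auto}
    # The anchor the timer clicks is where the background browser actually ends up.
    if auto and auto[0] in links:
        report["forced_destination"] = report["links"][auto[0]]["destination"]
    return report


if __name__ == "__main__":
    r = analyse_saved_page(SAMPLE_QP)
    print("auto-click:", r["autoclick"])
    print("final hop :", r.get("forced_destination"))
    for anchor_id, info in r["links"].items():
        print(anchor_id, info)
```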



