Computer Takeover Or My Imagination?


  • This topic is locked
24 replies to this topic

#1 kiwipoppy

  • Members
  • 47 posts

Posted 19 March 2011 - 09:27 PM

Hi, I am running Windows 7, as the only user on a stand-alone computer, with a slow dial-up connection, and I can't type. My previous computer had various issues, including theft of my credit card details; repeated scans showed nothing. I completely scanned the backup before reloading photos, and some 8bf plugins, on the new machine. However, tons of files, all dating from the time the old computer crashed, reappeared on the new one after a while. A hidden partition was created with its own admin and registry that I could not delete. A friend fixed enough of the problems to get me back on the internet, but I still feel that the computer is compromised. Windows updates are corrupted, access is denied on some files, and previous anti-virus programs on this machine were corrupted, and never showed anything anyway. Files are excluded from scanning due to settings I have not set. All applications have custom DLLs loaded, the dllhost runs all the time, and just sends an invalid message when I try to kill it (same on the old computer, where it appeared in RootkitRevealer). Tasks are scheduled in the event viewer that I have not set. Some or all of this might be normal, but I would like some reassurance. Log as follows:
.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by SAGE at 23:29:02.21 on Sat 19/03/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.64.1033.18.1917.1139 [GMT 13:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

I also note that Trojan Remover scans files called C:\Windows\SysNative, which I can't find anywhere.
The log shows some of the files dated July 14 2009, as follows:

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.2.2598. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 5:41:13 p.m. 20 Mar 2011
Using Database v7672
Operating System: Windows 7 x64 Home Premium [Build: 6.1.7600]
File System: NTFS
UAC is ENABLED [highest level]
UserData directory: C:\Users\SAGE\AppData\Roaming\Simply Super Software\Trojan Remover\
Database directory: C:\ProgramData\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Users\SAGE\Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files (x86)\Trojan Remover\
Running with Administrator privileges

************************************************************

************************************************************
5:41:13 p.m.: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
5:41:14 p.m.: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [explorer.exe]
File: explorer.exe
explorer.exe
2614272 bytes
Created: 3/02/2011 7:06 p.m.
Modified: 31/10/2009 6:45 p.m.
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [userinit.exe]
File: userinit.exe
userinit.exe
26112 bytes
Created: 14/07/2009 12:34 p.m.
Modified: 14/07/2009 2:14 p.m.
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name:
Value Data:
Blank entry: []
--------------------
Value Name: HP Software Update
Value Data: c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
54576 bytes
Created: 8/12/2008 4:50 p.m.
Modified: 8/12/2008 4:50 p.m.
Company: Hewlett-Packard
--------------------
Value Name: hpsysdrv
Value Data: c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
62768 bytes
Created: 20/11/2008 12:47 p.m.
Modified: 20/11/2008 12:47 p.m.
Company: Hewlett-Packard
--------------------
Value Name: avast5
Value Data: "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
C:\Program Files\Alwil Software\Avast5\avastUI.exe
3396624 bytes
Created: 5/02/2011 8:45 p.m.
Modified: 13/01/2011 9:47 p.m.
Company: AVAST Software
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files (x86)\Trojan Remover\Trjscan.exe /boot
C:\Program Files (x86)\Trojan Remover\Trjscan.exe
1233856 bytes
Created: 20/03/2011 4:48 p.m.
Modified: 20/03/2011 5:12 p.m.
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: HPADVISOR
Value Data: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
1685048 bytes
Created: 29/09/2009 5:26 p.m.
Modified: 29/09/2009 5:26 p.m.
Company: Hewlett-Packard
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

************************************************************
5:41:15 p.m.: Scanning -----SHELLEXECUTEHOOKS-----
ShellExecuteHooks key is empty

************************************************************
5:41:15 p.m.: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
5:41:15 p.m.: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.

************************************************************
5:41:15 p.m.: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
Path: %SystemRoot%\system32\unregmp2.exe /ShowWMP
C:\Windows\Sysnative\unregmp2.exe
323584 bytes
Created: 14/07/2009 1:23 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: >{26923b43-4d38-484f-9b9e-de460746276c}
Path: C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
C:\Windows\SysWOW64\ie4uinit.exe
176128 bytes
Created: 14/07/2009 12:43 p.m.
Modified: 14/07/2009 2:14 p.m.
Company: Microsoft Corporation
----------
Key: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}
Path: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP
C:\Windows\SysWOW64\iedkcs32.dll
381440 bytes
Created: 18/03/2011 6:55 p.m.
Modified: 18/12/2010 6:29 p.m.
Company: Microsoft Corporation
----------
Key: {2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Path: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
C:\Windows\Sysnative\themeui.dll
2851328 bytes
Created: 14/07/2009 12:54 p.m.
Modified: 14/07/2009 2:41 p.m.
Company: Microsoft Corporation
----------
Key: {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Path: "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Program Files (x86)\Windows Mail\WinMail.exe
Key: {6BF52A52-394A-11d3-B153-00C04F79FAA6}
Path: %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\Sysnative\unregmp2.exe
323584 bytes
Created: 14/07/2009 1:23 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: {89820200-ECBD-11cf-8B85-00AA005B4340}
Path: regsvr32.exe /s /n /i:U shell32.dll
shell32.dll
12867584 bytes
Created: 3/02/2011 7:06 p.m.
Modified: 28/07/2010 3:03 a.m.
Company: Microsoft Corporation
----------
Key: {89820200-ECBD-11cf-8B85-00AA005B4383}
Path: C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
C:\Windows\SysWOW64\ie4uinit.exe
176128 bytes
Created: 14/07/2009 12:43 p.m.
Modified: 14/07/2009 2:14 p.m.
Company: Microsoft Corporation
----------
Key: {89B4C1CD-B018-4511-B0A1-5476DBF70820}
Path: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
C:\Windows\SysWOW64\mscories.dll
80720 bytes
Created: 14/07/2009 9:46 a.m.
Modified: 11/06/2009 10:23 a.m.
Company: Microsoft Corporation
----------

************************************************************
5:41:15 p.m.: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: hpqcxs08
Path: C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll
248832 bytes
Created: 21/05/2009 10:13 p.m.
Modified: 21/05/2009 10:13 p.m.
Company: Hewlett-Packard Co.
--------------------
Key: hpqddsvc
Path: C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll
133120 bytes
Created: 21/05/2009 10:03 p.m.
Modified: 21/05/2009 10:03 p.m.
Company: Hewlett-Packard Co.
--------------------

************************************************************
5:41:16 p.m.: Scanning ----- SERVICES REGISTRY KEYS -----
Key: AdobeActiveFileMonitor4.0
ImagePath: C:\Program Files (x86)\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
102400 bytes
Created: 9/09/2005 3:24 a.m.
Modified: 9/09/2005 3:24 a.m.
Company: [no info]
----------
Key: AeLookupSvc
ImagePath: %systemroot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: amdsata
ImagePath: \SystemRoot\system32\DRIVERS\amdsata.sys
C:\Windows\Sysnative\DRIVERS\amdsata.sys
106576 bytes
Created: 11/06/2009 9:36 a.m.
Modified: 14/07/2009 2:52 p.m.
Company: Advanced Micro Devices
----------
Key: amdxata
ImagePath: system32\DRIVERS\amdxata.sys
C:\Windows\Sysnative\DRIVERS\amdxata.sys
28752 bytes
Created: 14/07/2009 10:59 a.m.
Modified: 14/07/2009 2:52 p.m.
Company: Advanced Micro Devices
----------
Key: AppIDSvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Appinfo
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: aswMonFlt
ImagePath: \??\C:\Windows\system32\drivers\aswMonFlt.sys
C:\Windows\Sysnative\drivers\aswMonFlt.sys
62032 bytes
Created: 5/02/2011 8:46 p.m.
Modified: 13/01/2011 9:37 p.m.
Company: AVAST Software
----------
Key: atapi
ImagePath: system32\DRIVERS\atapi.sys
C:\Windows\Sysnative\DRIVERS\atapi.sys
24128 bytes
Created: 14/07/2009 12:19 p.m.
Modified: 14/07/2009 2:52 p.m.
Company: Microsoft Corporation
----------
Key: AudioEndpointBuilder
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: AudioSrv
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: avast! Antivirus
ImagePath: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
40384 bytes
Created: 5/02/2011 8:45 p.m.
Modified: 13/01/2011 9:47 p.m.
Company: AVAST Software
----------
Key: AxInstSV
ImagePath: %SystemRoot%\system32\svchost.exe -k AxInstSVGroup
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: b06bdrv
ImagePath: \SystemRoot\system32\DRIVERS\bxvbda.sys
C:\Windows\Sysnative\DRIVERS\bxvbda.sys
468480 bytes
Created: 11/06/2009 9:34 a.m.
Modified: 11/06/2009 9:34 a.m.
Company: Broadcom Corporation
----------
Key: b57nd60a
ImagePath: system32\DRIVERS\b57nd60a.sys
C:\Windows\Sysnative\DRIVERS\b57nd60a.sys
270848 bytes
Created: 11/06/2009 9:34 a.m.
Modified: 11/06/2009 9:34 a.m.
Company: Broadcom Corporation
----------
Key: BDESVC
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: BFE
ImagePath: %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: BITS
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Browser
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: bthserv
ImagePath: %SystemRoot%\system32\svchost.exe -k bthsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: CAXHWBS2
ImagePath: system32\DRIVERS\CAXHWBS2.sys
C:\Windows\Sysnative\DRIVERS\CAXHWBS2.sys
409600 bytes
Created: 20/06/2007 4:30 a.m.
Modified: 20/06/2007 4:30 a.m.
Company: Conexant Systems, Inc.
----------
Key: CertPropSvc
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: clr_optimization_v2.0.50727_64
ImagePath: %systemroot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
89920 bytes
Created: 14/07/2009 9:37 a.m.
Modified: 11/06/2009 9:39 a.m.
Company: Microsoft Corporation
----------
Key: clr_optimization_v4.0.30319_32
ImagePath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
130384 bytes
Created: 18/03/2010 1:16 p.m.
Modified: 18/03/2010 1:16 p.m.
Company: Microsoft Corporation
----------
Key: clr_optimization_v4.0.30319_64
ImagePath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
138576 bytes
Created: 18/03/2010 2:27 p.m.
Modified: 18/03/2010 2:27 p.m.
Company: Microsoft Corporation
----------
Key: CryptSvc
ImagePath: %SystemRoot%\system32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: DcomLaunch
ImagePath: %SystemRoot%\system32\svchost.exe -k DcomLaunch
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: defragsvc
ImagePath: %SystemRoot%\system32\svchost.exe -k defragsvc
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Dhcp
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Dnscache
ImagePath: %SystemRoot%\system32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: dot3svc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Dot4
ImagePath: system32\DRIVERS\Dot4.sys
C:\Windows\Sysnative\DRIVERS\Dot4.sys
145920 bytes
Created: 14/07/2009 1:00 p.m.
Modified: 14/07/2009 1:00 p.m.
Company: Microsoft Corporation
----------
Key: Dot4Print
ImagePath: system32\DRIVERS\Dot4Prt.sys
C:\Windows\Sysnative\DRIVERS\Dot4Prt.sys
19968 bytes
Created: 14/07/2009 1:00 p.m.
Modified: 14/07/2009 1:00 p.m.
Company: Microsoft Corporation
----------
Key: dot4usb
ImagePath: system32\DRIVERS\dot4usb.sys
C:\Windows\Sysnative\DRIVERS\dot4usb.sys
43008 bytes
Created: 14/07/2009 1:00 p.m.
Modified: 14/07/2009 1:00 p.m.
Company: Microsoft Corporation
----------
Key: DPS
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: EapHost
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: ebdrv
ImagePath: \SystemRoot\system32\DRIVERS\evbda.sys
C:\Windows\Sysnative\DRIVERS\evbda.sys
3286016 bytes
Created: 11/06/2009 9:34 a.m.
Modified: 11/06/2009 9:34 a.m.
Company: Broadcom Corporation
----------
Key: eventlog
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: EventSystem
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: fdPHost
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: FDResPub
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: FontCache
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: FontCache3.0.0.0
ImagePath: %systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
42840 bytes
Created: 14/07/2009 2:01 p.m.
Modified: 11/06/2009 9:30 a.m.
Company: Microsoft Corporation
----------
Key: gpsvc
ImagePath: %systemroot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: hidserv
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: hkmsvc
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: HomeGroupListener
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: HomeGroupProvider
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: HP Health Check Service
ImagePath: "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe"
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
125440 bytes
Created: 24/09/2009 3:40 p.m.
Modified: 24/09/2009 3:40 p.m.
Company: Hewlett-Packard
----------
Key: hpqwmiex
ImagePath: "C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe"
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
229944 bytes
Created: 30/04/2009 5:58 p.m.
Modified: 30/04/2009 5:58 p.m.
Company: Hewlett-Packard Development Company, L.P.
----------
Key: HSF_DPV
ImagePath: system32\DRIVERS\CAX_DPV.sys
C:\Windows\Sysnative\DRIVERS\CAX_DPV.sys
1478656 bytes
Created: 20/06/2007 4:32 a.m.
Modified: 20/06/2007 4:32 a.m.
Company: Conexant Systems, Inc.
----------
Key: iaStorV
ImagePath: \SystemRoot\system32\DRIVERS\iaStorV.sys
C:\Windows\Sysnative\DRIVERS\iaStorV.sys
410688 bytes
Created: 11/06/2009 9:37 a.m.
Modified: 14/07/2009 2:48 p.m.
Company: Intel Corporation
----------
Key: idsvc
ImagePath: "%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
856384 bytes
Created: 14/07/2009 2:01 p.m.
Modified: 11/06/2009 9:30 a.m.
Company: Microsoft Corporation
----------
Key: igfx
ImagePath: system32\DRIVERS\igdkmd64.sys
C:\Windows\Sysnative\DRIVERS\igdkmd64.sys
7369728 bytes
Created: 20/01/2010 12:01 p.m.
Modified: 3/09/2009 12:54 a.m.
Company: Intel Corporation
----------
Key: IKEEXT
ImagePath: %systemroot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: IntcAzAudAddService
ImagePath: system32\drivers\RTKVHD64.sys
C:\Windows\Sysnative\drivers\RTKVHD64.sys
2484072 bytes
Created: 7/09/2010 11:27 a.m.
Modified: 7/09/2010 11:27 a.m.
Company: Realtek Semiconductor Corp.
----------
Key: IPBusEnum
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: iphlpsvc
ImagePath: %SystemRoot%\System32\svchost.exe -k NetSvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: ksthunk
ImagePath: \SystemRoot\system32\drivers\ksthunk.sys
C:\Windows\Sysnative\drivers\ksthunk.sys
20992 bytes
Created: 14/07/2009 1:00 p.m.
Modified: 14/07/2009 1:00 p.m.
Company: Microsoft Corporation
----------
Key: KtmRm
ImagePath: %SystemRoot%\System32\svchost.exe -k NetworkServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: LanmanServer
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: LanmanWorkstation
ImagePath: %SystemRoot%\System32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: lltdsvc
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: lmhosts
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Mcx2Svc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: MMCSS
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: MpsSvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: MSiSCSI
ImagePath: %systemroot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: napagent
ImagePath: %SystemRoot%\System32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Netman
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: netprofm
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: NlaSvc
ImagePath: %SystemRoot%\System32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: nsi
ImagePath: %systemroot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: ose
ImagePath: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
145184 bytes
Created: 26/10/2006 4:03 p.m.
Modified: 26/10/2006 4:03 p.m.
Company: Microsoft Corporation
----------
Key: p2pimsvc
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: p2psvc
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: PcaSvc
ImagePath: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: PerfHost
ImagePath: %SystemRoot%\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
20992 bytes
Created: 14/07/2009 12:11 p.m.
Modified: 14/07/2009 2:14 p.m.
Company: Microsoft Corporation
----------
Key: pla
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: PlugPlay
ImagePath: %SystemRoot%\system32\svchost.exe -k DcomLaunch
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: PNRPAutoReg
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: PNRPsvc
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: PolicyAgent
ImagePath: %SystemRoot%\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Power
ImagePath: %SystemRoot%\system32\svchost.exe -k DcomLaunch
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: ProfSvc
ImagePath: %systemroot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: RasAuto
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: RasMan
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: rdpbus
ImagePath: \SystemRoot\system32\DRIVERS\rdpbus.sys
C:\Windows\Sysnative\DRIVERS\rdpbus.sys
24064 bytes
Created: 14/07/2009 1:17 p.m.
Modified: 14/07/2009 1:17 p.m.
Company: Microsoft Corporation
----------
Key: RemoteAccess
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: RemoteRegistry
ImagePath: %SystemRoot%\system32\svchost.exe -k regsvc
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: RpcEptMapper
ImagePath: %SystemRoot%\system32\svchost.exe -k RPCSS
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: RpcSs
ImagePath: %SystemRoot%\system32\svchost.exe -k rpcss
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: RTL8167
ImagePath: system32\DRIVERS\Rt64win7.sys
C:\Windows\Sysnative\DRIVERS\Rt64win7.sys
239616 bytes
Created: 21/01/2010 6:39 a.m.
Modified: 21/08/2009 1:05 p.m.
Company: Realtek
----------
Key: SCardSvr
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Schedule
ImagePath: %systemroot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: SCPolicySvc
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: SDRSVC
ImagePath: %SystemRoot%\system32\svchost.exe -k SDRSVC
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: SeaPort
ImagePath: "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe"
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
249136 bytes
Created: 22/09/2010 12:03 p.m.
Modified: 22/09/2010 12:03 p.m.
Company: Microsoft Corporation
----------
Key: SENS
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: SensrSvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Serenum
ImagePath: \SystemRoot\system32\DRIVERS\serenum.sys
C:\Windows\Sysnative\DRIVERS\serenum.sys
23552 bytes
Created: 14/07/2009 1:00 p.m.
Modified: 14/07/2009 1:00 p.m.
Company: Microsoft Corporation
----------
Key: Serial
ImagePath: \SystemRoot\system32\DRIVERS\serial.sys
C:\Windows\Sysnative\DRIVERS\serial.sys
94208 bytes
Created: 14/07/2009 1:00 p.m.
Modified: 14/07/2009 1:00 p.m.
Company: Microsoft Corporation
----------
Key: SessionEnv
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: SharedAccess
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: ShellHWDetection
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: sppuinotify
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: SrvHsfPCI
ImagePath: system32\DRIVERS\VSTBS26.SYS
C:\Windows\Sysnative\DRIVERS\VSTBS26.SYS
411136 bytes
Created: 14/07/2009 11:04 a.m.
Modified: 11/06/2009 10:01 a.m.
Company: Conexant Systems, Inc.
----------
Key: SrvHsfV92
ImagePath: system32\DRIVERS\VSTDPV6.SYS
C:\Windows\Sysnative\DRIVERS\VSTDPV6.SYS
1485312 bytes
Created: 14/07/2009 11:04 a.m.
Modified: 11/06/2009 10:01 a.m.
Company: Conexant Systems, Inc.
----------
Key: SrvHsfWinac
ImagePath: system32\DRIVERS\VSTCNXT6.SYS
C:\Windows\Sysnative\DRIVERS\VSTCNXT6.SYS
740864 bytes
Created: 14/07/2009 11:04 a.m.
Modified: 11/06/2009 10:01 a.m.
Company: Conexant Systems, Inc.
----------
Key: SSDPSRV
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: SstpSvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: stisvc
ImagePath: %SystemRoot%\system32\svchost.exe -k imgsvc
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: swprv
ImagePath: %SystemRoot%\System32\svchost.exe -k swprv
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: SysMain
ImagePath: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: TabletInputService
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: TapiSrv
ImagePath: %SystemRoot%\System32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: TBS
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: TermService
ImagePath: %SystemRoot%\System32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Themes
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: THREADORDER
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: TrkWks
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: upnphost
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: UxSms
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: W32Time
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WatAdminSvc
ImagePath: %SystemRoot%\system32\Wat\WatAdminSvc.exe
C:\Windows\Sysnative\Wat\WatAdminSvc.exe
1255736 bytes
Created: 3/02/2011 8:19 p.m.
Modified: 3/02/2011 8:19 p.m.
Company: Microsoft Corporation
----------
Key: WbioSrvc
ImagePath: %SystemRoot%\system32\svchost.exe -k WbioSvcGroup
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: wcncsvc
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WcsPlugInService
ImagePath: %SystemRoot%\system32\svchost.exe -k wcssvc
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WdiServiceHost
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WdiSystemHost
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WebClient
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Wecsvc
ImagePath: %SystemRoot%\system32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: wercplsupport
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WerSvc
ImagePath: %SystemRoot%\System32\svchost.exe -k WerSvcGroup
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: winachsf
ImagePath: system32\DRIVERS\CAX_CNXT.sys
C:\Windows\Sysnative\DRIVERS\CAX_CNXT.sys
740352 bytes
Created: 20/06/2007 4:29 a.m.
Modified: 20/06/2007 4:29 a.m.
Company: Conexant Systems, Inc.
----------
Key: WinDefend
ImagePath: %SystemRoot%\System32\svchost.exe -k secsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WinHttpAutoProxySvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Winmgmt
ImagePath: %systemroot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WinRM
ImagePath: %SystemRoot%\System32\svchost.exe -k NetworkService
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: Wlansvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: wlidsvc
ImagePath: "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2286976 bytes
Created: 21/09/2010 2:49 p.m.
Modified: 21/09/2010 2:49 p.m.
Company: Microsoft Corp.
----------
Key: WPCSvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WPDBusEnum
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: wscsvc
ImagePath: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: wuauserv
ImagePath: %systemroot%\system32\svchost.exe -k netsvcs
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: wudfsvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: WwanSvc
ImagePath: %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Sysnative\svchost.exe
27136 bytes
Created: 14/07/2009 12:31 p.m.
Modified: 14/07/2009 2:39 p.m.
Company: Microsoft Corporation
----------
Key: XAudio
ImagePath: system32\DRIVERS\xaudio64.sys
C:\Windows\Sysnative\DRIVERS\xaudio64.sys
10240 bytes
Created: 29/06/2007 9:11 a.m.
Modified: 29/06/2007 9:11 a.m.
Company: Conexant Systems, Inc.
----------
Key: XAudioService
ImagePath: %SystemRoot%\system32\DRIVERS\xaudio64.exe
C:\Windows\Sysnative\DRIVERS\xaudio64.exe
412672 bytes
Created: 29/06/2007 9:11 a.m.
Modified: 29/06/2007 9:11 a.m.
Company: Conexant Systems, Inc.
----------

************************************************************
5:41:32 p.m.: Scanning -----VXD ENTRIES-----

************************************************************
5:41:32 p.m.: Scanning ----- WINLOGON\NOTIFY DLLS -----
No WINLOGON\NOTIFY DLLs found to scan
Rootkit scan of Winlogon\Notify key not possible [key may not exist]

************************************************************
5:41:32 p.m.: Scanning ----- CONTEXTMENUHANDLERS -----
Key: avast
CLSID: {472083B0-C522-11CF-8763-00608CC02F24}
Path: C:\Program Files\Alwil Software\Avast5\ashShell.dll
C:\Program Files\Alwil Software\Avast5\ashShell.dll
120712 bytes
Created: 5/02/2011 8:45 p.m.
Modified: 13/01/2011 9:47 p.m.
Company: AVAST Software
----------
Key: Trojan Remover
CLSID: {52B87208-9CCF-42C9-B88E-069281105805}
Path: C:\PROGRA~2\TROJAN~1\Trshlex.dll
C:\PROGRA~2\TROJAN~1\Trshlex.dll
484304 bytes
Created: 20/03/2011 4:48 p.m.
Modified: 20/03/2011 5:13 p.m.
Company: Simply Super Software
----------

************************************************************
5:41:32 p.m.: Scanning ----- FOLDER\COLUMNHANDLERS -----
No Folder\ColumnHandler entries found to scan

************************************************************
5:41:33 p.m.: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B}
BHO: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
191792 bytes
Created: 22/09/2010 12:03 p.m.
Modified: 22/09/2010 12:03 p.m.
Company: Microsoft Corporation
----------
Key: {9030D464-4C02-4ABF-8ECC-5164760863C6}
BHO: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
439168 bytes
Created: 21/09/2010 2:08 p.m.
Modified: 21/09/2010 2:08 p.m.
Company: Microsoft Corp.
----------
Key: {d2ce3e00-f94a-4740-988e-03dc2f38c34f}
BHO: C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
612616 bytes
Created: 22/09/2010 1:19 p.m.
Modified: 22/09/2010 1:19 p.m.
Company: Microsoft Corporation
----------

************************************************************
5:41:33 p.m.: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
5:41:33 p.m.: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
No SharedTaskScheduler entries found to scan

************************************************************
5:41:33 p.m.: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
5:41:33 p.m.: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
5:41:33 p.m.: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
5:41:33 p.m.: Scanning ------ COMMON STARTUP GROUP ------
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-HS- 174 bytes
Created: 14/07/2009 5:54 p.m.
Modified: 14/07/2009 5:54 p.m.
Company: [no info]
--------------------
HP Digital Imaging Monitor.lnk - links to C:\PROGRA~2\hp\DIGITA~1\bin\hpqtra08.exe
C:\PROGRA~2\hp\DIGITA~1\bin\hpqtra08.exe
275768 bytes
Created: 21/05/2009 10:13 p.m.
Modified: 21/05/2009 10:13 p.m.
Company: Hewlett-Packard Co.
--------------------

************************************************************
5:41:33 p.m.: Scanning ----- USER STARTUP GROUPS -----
Checking Startup Group for: Administrator
[C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-HS- 174 bytes
Created: 29/01/2011 4:43 p.m.
Modified: 3/02/2011 8:17 p.m.
Company: [no info]
----------
--------------------
Checking Startup Group for: CHENNA
[C:\Users\CHENNA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup]
C:\Users\CHENNA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-HS- 174 bytes
Created: 17/10/2010 11:34 p.m.
Modified: 4/02/2011 8:08 p.m.
Company: [no info]
----------
--------------------
Checking Startup Group for: SAGE
[C:\Users\SAGE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup]
C:\Users\SAGE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-HS- 174 bytes
Created: 21/10/2010 4:34 p.m.
Modified: 4/02/2011 7:34 p.m.
Company: [no info]
----------
--------------------

************************************************************
5:41:34 p.m.: Scanning ----- SCHEDULED TASKS -----
Taskname: {966C0948-FD5E-46B4-8BB9-972A1521BBAC}
File: E:\install_artrage_2.6.0.exe
Schedule: At task creation/modification
Next Run Time:
Status: Ready
Creator:
Comments:
E:\install_artrage_2.6.0.exe - [file not found to scan]
----------
Taskname: {E2EAB2EA-FB54-471E-82A5-B01165CF89DB}
File: E:\install_artrage_2.6.0.exe
Schedule: At task creation/modification
Next Run Time:
Status: Ready
Creator:
Comments:
E:\install_artrage_2.6.0.exe - [file not found to scan]
----------
Taskname: {F16D646C-D25E-43C0-AEB4-DCFB1AC17A51}
File: E:\install_artrage_2.6.0.exe
Schedule: At task creation/modification
Next Run Time:
Status: Ready
Creator:
Comments:
E:\install_artrage_2.6.0.exe - [file not found to scan]
----------
Taskname: CLMLSvc
File: c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
210216 bytes
Created: 22/10/2009 8:50 p.m.
Modified: 22/10/2009 8:50 p.m.
Company: CyberLink
Schedule: At logon
Next Run Time:
Status: Running
Creator: CyberLink
Comments:
----------
Taskname: DVDAgent
File: c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
Schedule: At logon
Next Run Time:
Status: Ready
Creator: CyberLink
Comments:
c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe - [file not found to scan]
----------
Taskname: PCDRScheduledMaintenance
File: C:\Program Files\PC-Doctor for Windows\pcdrcui.exe
C:\Program Files\PC-Doctor for Windows\pcdrcui.exe
147440 bytes
Created: 18/09/2009 8:11 p.m.
Modified: 18/09/2009 8:11 p.m.
Company: PC-Doctor, Inc.
Parameters: -fh scripts\monthly.xml -st PCDRScheduledMaintenance
Schedule: Multiple schedule times
Next Run Time: 28/02/2012 10:00:00 a.m.
Status: Ready
Creator: PC-Doctor
Comments:
----------
Taskname: RecoveryCDWin7
File: C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe
C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe
26680 bytes
Created: 20/01/2010 12:26 p.m.
Modified: 20/10/2009 10:58 p.m.
Company:
Parameters: RecoveryCDWin7 ShowMessageTask
Schedule: At 12:00:00 a.m. every 14 days
Next Run Time: 3/04/2011
Status: Ready
Creator:
Comments:
----------
Taskname: Registration
File: C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe
C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe
26680 bytes
Created: 20/01/2010 12:26 p.m.
Modified: 20/10/2009 10:58 p.m.
Company:
Parameters: Registration ShowMessageTask2D
Schedule: At 12:00:00 a.m. on 27/10/2010
Next Run Time:
Status: Ready
Creator:
Comments:
----------

************************************************************
5:41:35 p.m.: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----
Key: SharingPrivate
CLSID: {08244EE6-92F0-47f2-9FC9-929BAA2E7235}
File: %SystemRoot%\system32\ntshrui.dll
C:\Windows\Sysnative\ntshrui.dll
509952 bytes
Created: 14/07/2009 12:57 p.m.
Modified: 14/07/2009 2:41 p.m.
Company: Microsoft Corporation
----------

************************************************************
5:41:35 p.m.: Scanning ----- DEVICE DRIVER ENTRIES -----
Value: msacm.l3acm
File: C:\Windows\SysWOW64\l3codeca.acm
C:\Windows\SysWOW64\l3codeca.acm
64000 bytes
Created: 14/07/2009 1:07 p.m.
Modified: 14/07/2009 2:14 p.m.
Company: Fraunhofer Institut Integrierte Schaltungen IIS
----------
Value: msacm.l3codecp
File: l3codecp.acm
l3codecp.acm
220672 bytes
Created: 14/07/2009 1:09 p.m.
Modified: 14/07/2009 2:14 p.m.
Company: Fraunhofer Institut Integrierte Schaltungen IIS
----------

************************************************************
5:41:36 p.m.: ----- ADDITIONAL CHECKS -----
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\Users\SAGE\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
C:\Users\SAGE\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
811322 bytes
Created: 4/02/2011 7:34 p.m.
Modified: 20/03/2011 12:02 a.m.
Company: [no info]
----------
Web Desktop Wallpaper entry is blank
----------
DNS Server information:
Interface: Realtek PCIe FE Family Controller
NameServers: 192.168.1.1
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
5:41:36 p.m.: Scanning ----- RUNNING PROCESSES -----

C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe - file already scanned
--------------------
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe - file already scanned
--------------------
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast5\AvastUI.exe - file already scanned
--------------------
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe - file already scanned
--------------------
C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe
FileSize: 3761072
[This is a Trojan Remover component]
--------------------

************************************************************
5:41:36 p.m.: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\Windows\SysWOW64\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://go.microsoft.com/fwlink/?LinkId=54896
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://g.jp.msn.com/HPALL/15
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\Windows\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://go.microsoft.com/fwlink/?LinkId=54896
HKCU\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://g.jp.msn.com/HPALL/15

************************************************************
=== NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES ===
Scan completed at: 5:41:36 p.m. 20 Mar 2011
Total Scan time: 00:00:22
************************************************************


***** WINDOWS UPDATE POLICIES RESET *****
Trojan Remover Ver 6.8.2.2598. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 5:40:51 p.m. 20 Mar 2011
Using Database v7672
Operating System: Windows 7 x64 Home Premium [Build: 6.1.7600]
File System: NTFS
UAC is ENABLED [highest level]
UserData directory: C:\Users\SAGE\AppData\Roaming\Simply Super Software\Trojan Remover\
Database directory: C:\ProgramData\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Users\SAGE\Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files (x86)\Trojan Remover\
Running with Administrator privileges

************************************************************
No invalid Windows Update Policies found to reset.
************************************************************


Also I don't use Internet Explorer, P2P, illegal downloads, or watch porn, and am very cautious about websites and opening attachments.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\hp\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\SAGE\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_Plugin.exe -update plugin
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\hp\Digital Imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TCP: {5A0B3988-8A74-4458-B6DF-3A9F9D96E975} = 192.168.1.1
TCP: {B60BB0AF-77C3-4D69-BA3B-0BDC68338018} = 60.234.1.1 60.234.2.2
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SAGE\AppData\Roaming\Mozilla\Firefox\Profiles\0mo3ljx4.default\
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-2-5 273488]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-2-5 20560]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-2-5 62032]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-2-5 40384]
R3 CAXHWBS2;CAXHWBS2;C:\Windows\System32\drivers\CAXHWBS2.sys [2007-6-20 409600]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-1-21 239616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 SrvHsfPCI;SrvHsfPCI;C:\Windows\System32\drivers\VSTBS26.SYS [2009-7-14 411136]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-14 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-14 740864]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-2-3 1255736]
.
=============== Created Last 30 ================
.
2011-03-19 02:23:46 -------- d-----w- C:\Users\SAGE\AppData\Local\Mozilla
2011-03-18 11:00:35 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{E5ACB0B5-0766-423B-8A9D-BBC6E7EDA397}\mpengine.dll
2011-03-18 06:16:20 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-03-18 06:16:20 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-03-18 06:16:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-03-18 06:16:20 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-03-18 05:58:44 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2011-03-18 05:58:44 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2011-03-18 05:28:08 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-03-18 05:20:51 5510528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-03-18 05:20:50 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-03-18 05:20:50 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-03-18 05:20:50 1739176 ----a-w- C:\Windows\System32\ntdll.dll
2011-03-18 05:20:50 1293120 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-03-18 05:14:12 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-03-18 05:14:12 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-03-18 05:14:12 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-03-18 05:14:11 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-03-18 05:11:46 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2011-03-18 05:11:46 723968 ----a-w- C:\Windows\System32\EncDec.dll
2011-03-18 05:11:45 850432 ----a-w- C:\Windows\SysWow64\sbe.dll
2011-03-18 05:11:45 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2011-03-18 05:11:45 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-03-18 05:11:45 259072 ----a-w- C:\Windows\System32\mpg2splt.ax
2011-03-18 05:11:45 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2011-03-18 05:11:45 1118720 ----a-w- C:\Windows\System32\sbe.dll
2011-03-18 05:02:47 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-03-18 05:02:47 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-03-18 03:44:53 714752 ----a-w- C:\Windows\System32\kerberos.dll
2011-03-18 03:44:53 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
2011-03-18 03:34:44 3127808 ----a-w- C:\Windows\System32\win32k.sys
2011-03-18 03:11:10 3138048 ----a-w- C:\Windows\System32\mstscax.dll
2011-03-18 03:11:10 2690560 ----a-w- C:\Windows\SysWow64\mstscax.dll
2011-03-18 03:11:09 1097216 ----a-w- C:\Windows\System32\mstsc.exe
2011-03-18 03:11:09 1034240 ----a-w- C:\Windows\SysWow64\mstsc.exe
2011-03-18 02:45:08 214016 ----a-w- C:\Windows\System32\winsrv.dll
2011-02-24 08:04:54 22104 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-02-02 05:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
2011-01-13 08:47:35 38848 ----a-w- C:\Windows\avastSS.scr
2011-01-13 08:37:23 62032 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-01-06 07:35:04 14161920 ----a-w- C:\Diary.txt
2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll
2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll
2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll
2010-12-21 06:16:14 1197056 ----a-w- C:\Windows\System32\wininet.dll
2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll
2010-12-21 06:15:55 264192 ----a-w- C:\Windows\System32\upnp.dll
2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll
2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll
2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll
2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll
.
============= FINISH: 23:29:37.12 ===============

Attached Files


Edited by kiwipoppy, 20 March 2011 - 08:17 PM.



#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:10:16 PM

Posted 25 March 2011 - 12:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 kiwipoppy

kiwipoppy
  • Topic Starter

  • Members
  • 47 posts
  • Local time:09:16 PM

Posted 25 March 2011 - 08:53 PM

Hi, thanks for trying to help.
I am running Windows Home Premium, 64 bit.
I am reposting the original DDS log, and have not disabled my antivirus; I have had so much trouble installing, and getting any AV to work properly, that I hesitate to mess with this.
Although scans show nothing except a lot of files that cannot be accessed as "in use by another process".
Trying to run DDS again resulted in Notepad producing a dat log that was all in script, so this is the original.
I also posted a Trojan Remover log above that I thought might be useful; a lot of files it scans are not visible on my computer.

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by SAGE at 23:29:02.21 on Sat 19/03/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.64.1033.18.1917.1139 [GMT 13:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\hp\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\SAGE\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_Plugin.exe -update plugin
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\hp\Digital Imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TCP: {5A0B3988-8A74-4458-B6DF-3A9F9D96E975} = 192.168.1.1
TCP: {B60BB0AF-77C3-4D69-BA3B-0BDC68338018} = 60.234.1.1 60.234.2.2
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SAGE\AppData\Roaming\Mozilla\Firefox\Profiles\0mo3ljx4.default\
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-2-5 273488]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-2-5 20560]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-2-5 62032]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-2-5 40384]
R3 CAXHWBS2;CAXHWBS2;C:\Windows\System32\drivers\CAXHWBS2.sys [2007-6-20 409600]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-1-21 239616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 SrvHsfPCI;SrvHsfPCI;C:\Windows\System32\drivers\VSTBS26.SYS [2009-7-14 411136]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-14 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-14 740864]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-2-3 1255736]
.
=============== Created Last 30 ================
.
2011-03-19 02:23:46 -------- d-----w- C:\Users\SAGE\AppData\Local\Mozilla
2011-03-18 11:00:35 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{E5ACB0B5-0766-423B-8A9D-BBC6E7EDA397}\mpengine.dll
2011-03-18 06:16:20 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-03-18 06:16:20 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-03-18 06:16:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-03-18 06:16:20 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-03-18 05:58:44 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2011-03-18 05:58:44 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2011-03-18 05:28:08 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-03-18 05:20:51 5510528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-03-18 05:20:50 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-03-18 05:20:50 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-03-18 05:20:50 1739176 ----a-w- C:\Windows\System32\ntdll.dll
2011-03-18 05:20:50 1293120 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-03-18 05:14:12 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-03-18 05:14:12 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-03-18 05:14:12 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-03-18 05:14:11 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-03-18 05:11:46 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2011-03-18 05:11:46 723968 ----a-w- C:\Windows\System32\EncDec.dll
2011-03-18 05:11:45 850432 ----a-w- C:\Windows\SysWow64\sbe.dll
2011-03-18 05:11:45 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2011-03-18 05:11:45 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-03-18 05:11:45 259072 ----a-w- C:\Windows\System32\mpg2splt.ax
2011-03-18 05:11:45 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2011-03-18 05:11:45 1118720 ----a-w- C:\Windows\System32\sbe.dll
2011-03-18 05:02:47 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-03-18 05:02:47 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-03-18 03:44:53 714752 ----a-w- C:\Windows\System32\kerberos.dll
2011-03-18 03:44:53 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
2011-03-18 03:34:44 3127808 ----a-w- C:\Windows\System32\win32k.sys
2011-03-18 03:11:10 3138048 ----a-w- C:\Windows\System32\mstscax.dll
2011-03-18 03:11:10 2690560 ----a-w- C:\Windows\SysWow64\mstscax.dll
2011-03-18 03:11:09 1097216 ----a-w- C:\Windows\System32\mstsc.exe
2011-03-18 03:11:09 1034240 ----a-w- C:\Windows\SysWow64\mstsc.exe
2011-03-18 02:45:08 214016 ----a-w- C:\Windows\System32\winsrv.dll
2011-02-24 08:04:54 22104 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-02-02 05:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
2011-01-13 08:47:35 38848 ----a-w- C:\Windows\avastSS.scr
2011-01-13 08:37:23 62032 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-01-06 07:35:04 14161920 ----a-w- C:\Diary.txt
2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll
2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll
2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll
2010-12-21 06:16:14 1197056 ----a-w- C:\Windows\System32\wininet.dll
2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll
2010-12-21 06:15:55 264192 ----a-w- C:\Windows\System32\upnp.dll
2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll
2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll
2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll
2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll
.
============= FINISH: 23:29:37.12 ===============

#4 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 28 March 2011 - 08:51 AM

Hi kiwipoppy,


I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system, so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right click, then choose Run as Administrator, on any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you are having, along with any steps you may have performed so far.


Thanks!!
PW

#5 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 28 March 2011 - 10:35 AM

Hi kiwipoppy,

For information purposes:

Trojan Remover will run on 64bit systems, as a 32bit program. However it cannot access/scan running 64bit processes. A fully-compatible 64bit version cannot, regrettably, be produced until a 64bit Delphi compiler is released, which is not expected until late 2011.


Do you have a Windows7 installation disk?

Your DDS log doesn't show anything malicious. Let's start checking for other problems.


Step 1.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Step 2.

I need you to run MBAM.
  • Open MBAM
  • Click on the Update tab before performing a scan. Click on the Check for Updates button. If an update is found, the program will automatically update itself. After the update press the OK button to close that box and continue.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Step 3.

We need to create an OTL Report
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply please include the following:

TDSSKiller log
MBAM log
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


What problems are you experiencing presently?


Thanks!!
PW

#6 kiwipoppy

kiwipoppy
  • Topic Starter

  • Members
  • 47 posts
  • Local time:09:16 PM

Posted 29 March 2011 - 04:52 AM

Hi, Windows 7 preinstalled, only have recovery disk.
TDSS gives me the following message: tdsskiller.exe is not a valid win32 application. Changing the filename gives the same result.
MBAM will not install. It starts to download, then disappears.
Will try the other two tomorrow.
Currently the computer is running very slowly. Avast scans exclude a lot of files as "being in use by another process".
Boot scans show some Windows updates are corrupted, and a deep scan turns off the computer. Various tasks have been scheduled, but not by me.
Files from the previously infected computer have appeared on this one (all dated July 2009, despite only transferring photos and 8bfs).
The dllhost, which previously appeared on rootkit scans, is always running and cannot be killed.
Show hidden files has always been enabled, but Trojan Remover (looking forward to the new version) scans lots of files named windows/sysnative and windows/assembly/native images; these are not visible anywhere.
The secret partition and registry appear to have gone.
My user account became an admin account without any input from me.
Web shield in avast was turned off without my input.
Custom dlls are loaded for every application.
This is a stand alone computer, and I am the only user.
Previously credit card details were stolen.
Access is denied on some files, even when running as the built in admin (which I don't normally do).
Several user accounts in the registry that I can't identify; they only use numbers, not user names.
Will try and get the other logs to you.
Thanks

#7 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 29 March 2011 - 07:20 AM

Hi kiwipoppy,

Try running TDSSKiller and MBAM in safe mode.

Please reboot into Safe Mode.

This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into safe mode.

Make sure you choose the option with networking support.

Instructions on booting into Safe Mode can be found here

Now run TDSSKiller and try downloading and running MBAM in safe mode then try running OTL in normal mode.


Thanks!!

Edited by pwgib, 29 March 2011 - 07:24 AM.

PW

#8 kiwipoppy

kiwipoppy
  • Topic Starter

  • Members
  • 47 posts

Posted 30 March 2011 - 12:16 AM

MBAM (downloaded from DVD) log shows nothing when run in safe mode, and it won't update (button is greyed out).
MBAM won't download from internet; pretty sure something is interfering with downloading and running of security files.
Also feel my AV is corrupted, which is what happened to 2 previous paid-for AV programs I tried.
TDSS would not run in safe mode; tried another download, which produced this log:

2011/03/30 18:07:30.0512 3732 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/30 18:07:32.0533 3732 ================================================================================
2011/03/30 18:07:32.0533 3732 SystemInfo:
2011/03/30 18:07:32.0533 3732
2011/03/30 18:07:32.0533 3732 OS Version: 6.1.7600 ServicePack: 0.0
2011/03/30 18:07:32.0533 3732 Product type: Workstation
2011/03/30 18:07:32.0543 3732 ComputerName: CHENNA-PC
2011/03/30 18:07:32.0543 3732 UserName: Administrator
2011/03/30 18:07:32.0543 3732 Windows directory: C:\Windows
2011/03/30 18:07:32.0543 3732 System windows directory: C:\Windows
2011/03/30 18:07:32.0543 3732 Running under WOW64
2011/03/30 18:07:32.0543 3732 Processor architecture: Intel x64
2011/03/30 18:07:32.0543 3732 Number of processors: 2
2011/03/30 18:07:32.0543 3732 Page size: 0x1000
2011/03/30 18:07:32.0543 3732 Boot type: Normal boot
2011/03/30 18:07:32.0543 3732 ================================================================================
2011/03/30 18:07:34.0053 3732 Initialize success
2011/03/30 18:07:42.0057 3452 ================================================================================
2011/03/30 18:07:42.0067 3452 Scan started
2011/03/30 18:07:42.0067 3452 Mode: Manual;
2011/03/30 18:07:42.0067 3452 ================================================================================
2011/03/30 18:08:23.0837 3452 ================================================================================
2011/03/30 18:08:23.0837 3452 Scan finished
2011/03/30 18:08:23.0837 3452 ================================================================================

#9 kiwipoppy

kiwipoppy
  • Topic Starter

  • Members
  • 47 posts

Posted 30 March 2011 - 12:50 AM

Installing OTL caused a shutdown, but I managed to run it in safe mode.

OTL logfile created on: 30/03/2011 6:24:10 p.m. - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\SAGE\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000c09 | Country: New Zealand | Language: ENZ | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455.00 Gb Total Space | 407.14 Gb Free Space | 89.48% Space Free | Partition Type: NTFS
Drive D: | 10.76 Gb Total Space | 1.23 Gb Free Space | 11.45% Space Free | Partition Type: NTFS
Drive E: | 2.36 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: CHENNA-PC | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/30 18:21:32 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\SAGE\Desktop\OTL.exe


========== Modules (SafeList) ==========

MOD - [2011/03/30 18:21:32 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\SAGE\Desktop\OTL.exe
MOD - [2010/08/21 18:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/02/24 04:04:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2009/07/14 14:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2007/06/29 09:11:36 | 000,412,672 | ---- | M] (Conexant Systems, Inc.) [Auto | Stopped] -- C:\Windows\SysNative\drivers\XAudio64.exe -- (XAudioService)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/11 10:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2005/09/09 03:24:30 | 000,102,400 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/02/24 03:55:05 | 000,064,344 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2010/09/01 21:30:58 | 000,017,976 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\psi_mf.sys -- (PSI)
DRV:64bit: - [2009/09/03 00:54:20 | 007,369,728 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/08/21 13:05:06 | 000,239,616 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/07/14 14:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 14:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 14:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 14:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 14:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 14:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/11 10:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/11 10:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/11 10:01:11 | 000,411,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTBS26.SYS -- (SrvHsfPCI)
DRV:64bit: - [2009/06/11 09:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/11 09:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/11 09:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/11 09:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/11 09:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2007/06/29 09:11:24 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\XAudio64.sys -- (XAudio)
DRV:64bit: - [2007/06/20 04:32:58 | 001,478,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2007/06/20 04:30:22 | 000,409,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAXHWBS2.sys -- (CAXHWBS2)
DRV:64bit: - [2007/06/20 04:29:14 | 000,740,352 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2006/06/19 06:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\mdmxsdk.sys -- (mdmxsdk)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/15
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/15
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/15
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://g.jp.msn.com/HPALL/15
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/15
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/15
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://g.jp.msn.com/HPALL/15
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/15
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2683396715-2669940847-296592165-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/15
IE - HKU\S-1-5-21-2683396715-2669940847-296592165-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/15
IE - HKU\S-1-5-21-2683396715-2669940847-296592165-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2683396715-2669940847-296592165-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/15
IE - HKU\S-1-5-21-2683396715-2669940847-296592165-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: smartwebprinting@hp.com:4.5

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/02/01 21:01:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/02/04 21:25:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/02/04 20:52:17 | 000,000,000 | ---D | M]

[2011/02/04 21:25:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2011/02/04 21:25:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\l7qnlc0m.default\extensions
[2011/02/04 20:52:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/02/01 21:01:28 | 000,000,000 | ---D | M] (HP Smart Web Printing) -- C:\PROGRAM FILES (X86)\HP\DIGITAL IMAGING\SMART WEB PRINTING\MOZILLAADDON3
[2010/12/04 06:47:02 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/12/04 06:47:02 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/12/04 06:47:02 | 000,000,769 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/12/04 06:47:02 | 000,001,135 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/11 10:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (@C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-2683396715-2669940847-296592165-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2683396715-2669940847-296592165-500\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [hpsysdrv] c:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files (x86)\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4:64bit: - HKLM..\RunOnce: [*WerKernelReporting] C:\Windows\SysNative\WerFault.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\S-1-5-21-2683396715-2669940847-296592165-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - File not found
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/05/07 11:05:04 | 000,000,083 | ---- | M] () - E:\AUTORUN.INF -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/30 18:23:09 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/03/30 16:33:04 | 001,708,808 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Administrator\Documents\Procmon64.exe
[2011/03/30 16:26:34 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Malwarebytes
[2011/03/30 16:26:26 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/03/30 16:26:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/30 16:26:22 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/03/30 16:24:42 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Secunia PSI
[2011/03/29 20:52:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Secunia
[2011/03/25 16:32:46 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Simply Super Software
[2011/03/25 14:04:53 | 001,074,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\DWrite.dll
[2011/03/25 14:04:52 | 001,540,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2011/03/25 14:04:52 | 000,902,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll
[2011/03/25 14:04:52 | 000,739,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d2d1.dll
[2011/03/25 13:55:53 | 000,505,176 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2011/03/25 13:55:50 | 000,040,648 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/03/24 22:56:09 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TwistedBrush
[2011/03/21 13:33:25 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Documents\Simply Super Software
[2011/03/20 16:48:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trojan Remover
[2011/03/20 16:48:25 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ztvcabinet.dll
[2011/03/20 16:48:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trojan Remover
[2011/03/20 16:48:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2011/03/20 16:45:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Pixarra
[2011/03/18 19:18:29 | 000,264,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\upnp.dll
[2011/03/18 19:18:29 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\upnp.dll
[2011/03/18 19:18:28 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\davclnt.dll
[2011/03/18 19:18:28 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wscapi.dll
[2011/03/18 19:18:27 | 000,080,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\davclnt.dll
[2011/03/18 19:18:27 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wscapi.dll
[2011/03/18 19:18:27 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\slwga.dll
[2011/03/18 19:18:27 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\slwga.dll
[2011/03/18 19:16:20 | 000,366,080 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2011/03/18 19:16:20 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2011/03/18 19:16:20 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2011/03/18 19:16:20 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[2011/03/18 18:55:22 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2011/03/18 18:55:22 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
[2011/03/18 18:55:21 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2011/03/18 18:55:21 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2011/03/18 18:55:21 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2011/03/18 18:55:21 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2011/03/18 18:55:21 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/03/18 18:55:21 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/03/18 18:55:21 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll
[2011/03/18 18:55:21 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll
[2011/03/18 18:55:21 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2011/03/18 18:55:21 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2011/03/18 18:28:08 | 001,837,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll
[2011/03/18 18:28:08 | 001,170,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d10warp.dll
[2011/03/18 18:28:07 | 001,863,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ExplorerFrame.dll
[2011/03/18 18:28:07 | 001,495,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ExplorerFrame.dll
[2011/03/18 18:28:07 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll
[2011/03/18 18:28:07 | 000,265,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\dxgmms1.sys
[2011/03/18 18:28:07 | 000,229,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsRasterService.dll
[2011/03/18 18:28:07 | 000,218,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d10_1core.dll
[2011/03/18 18:28:07 | 000,135,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsRasterService.dll
[2011/03/18 18:28:06 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll
[2011/03/18 18:28:06 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d10_1.dll
[2011/03/18 18:28:06 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdd.dll
[2011/03/18 18:20:51 | 005,510,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2011/03/18 18:20:50 | 003,957,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2011/03/18 18:20:50 | 003,901,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2011/03/18 18:20:50 | 001,739,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll
[2011/03/18 18:14:12 | 000,662,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsPrint.dll
[2011/03/18 18:14:12 | 000,475,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2011/03/18 18:14:12 | 000,442,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsPrint.dll
[2011/03/18 18:14:11 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2011/03/18 18:11:46 | 000,961,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\CPFilters.dll
[2011/03/18 18:11:46 | 000,723,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/03/18 18:11:45 | 001,118,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sbe.dll
[2011/03/18 18:11:45 | 000,850,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sbe.dll
[2011/03/18 18:11:45 | 000,642,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\CPFilters.dll
[2011/03/18 18:11:45 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/03/18 18:11:45 | 000,259,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mpg2splt.ax
[2011/03/18 18:11:45 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mpg2splt.ax
[2011/03/18 18:02:48 | 000,852,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2011/03/18 18:02:47 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2011/03/18 18:02:47 | 000,612,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2011/03/18 16:11:10 | 003,138,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2011/03/18 16:11:10 | 002,690,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2011/03/18 16:11:09 | 001,097,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstsc.exe
[2011/03/18 16:11:09 | 001,034,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstsc.exe
[2011/03/18 15:45:08 | 000,214,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll

========== Files - Modified Within 30 Days ==========

[2011/03/30 18:23:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/30 18:23:03 | 631,312,063 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/03/30 18:23:03 | 1507,778,560 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/30 17:26:09 | 000,023,296 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/30 17:26:09 | 000,023,296 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/30 17:23:29 | 000,727,724 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/03/30 17:23:29 | 000,628,024 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/03/30 17:23:29 | 000,110,208 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/03/29 20:52:14 | 000,001,108 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011/03/25 13:55:53 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2011/03/24 22:56:10 | 000,002,057 | ---- | M] () -- C:\Users\Administrator\Desktop\TwistedBrush Pro Studio.lnk
[2011/03/24 22:56:10 | 000,001,199 | ---- | M] () -- C:\Users\Administrator\Desktop\TwistedBrush FAQ.lnk
[2011/03/18 20:06:05 | 000,540,072 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2011/03/29 20:52:14 | 000,001,108 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011/03/29 20:52:14 | 000,001,071 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk
[2011/03/24 22:56:10 | 000,002,057 | ---- | C] () -- C:\Users\Administrator\Desktop\TwistedBrush Pro Studio.lnk
[2011/03/24 22:56:10 | 000,001,199 | ---- | C] () -- C:\Users\Administrator\Desktop\TwistedBrush FAQ.lnk
[2011/03/20 16:48:25 | 000,162,304 | ---- | C] () -- C:\Windows\SysWow64\ztvunrar36.dll
[2011/03/20 16:48:25 | 000,153,088 | ---- | C] () -- C:\Windows\SysWow64\UNRAR3.dll
[2011/03/20 16:48:25 | 000,077,312 | ---- | C] () -- C:\Windows\SysWow64\ztvunace26.dll
[2011/03/20 16:48:25 | 000,075,264 | ---- | C] () -- C:\Windows\SysWow64\unacev2.dll
[2011/02/04 21:25:24 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/12/26 15:11:21 | 000,160,911 | ---- | C] () -- C:\Windows\hpoins44.dat.temp
[2010/12/26 15:11:21 | 000,000,586 | ---- | C] () -- C:\Windows\hpomdl44.dat.temp
[2010/12/02 17:06:55 | 000,160,839 | ---- | C] () -- C:\Windows\hpoins44.dat
[2010/10/17 23:56:35 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2010/01/20 12:01:13 | 000,982,220 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/01/20 12:01:12 | 000,439,300 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/01/20 12:01:12 | 000,134,592 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2010/01/20 12:01:12 | 000,092,216 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2009/09/29 17:25:16 | 000,013,312 | ---- | C] () -- C:\Windows\LPRES.DLL
[2009/07/14 18:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 15:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 15:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 13:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/14 12:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/14 10:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/11 22:30:02 | 000,000,586 | ---- | C] () -- C:\Windows\hpomdl44.dat
[2009/06/11 10:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:F8B88761
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:CB0AACC9

< End of report >

OTL Extras logfile created on: 30/03/2011 6:24:10 p.m. - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\SAGE\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000c09 | Country: New Zealand | Language: ENZ | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455.00 Gb Total Space | 407.14 Gb Free Space | 89.48% Space Free | Partition Type: NTFS
Drive D: | 10.76 Gb Total Space | 1.23 Gb Free Space | 11.45% Space Free | Partition Type: NTFS
Drive E: | 2.36 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: CHENNA-PC | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 File not found
htmlfile [print] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{55D55008-E5F6-47D6-B16F-B2A40D4D145F}" = 64 Bit HP CIO Components Installer
"{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{88E60521-1E4E-4785-B9F1-1798A4BD0C30}" = HP MediaSmart SmartMenu
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
"{CDBF8C2D-04B0-4F9B-9AE1-7422F7F0EC94}" = HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CNXT_MODEM_PCI_HSF" = Soft Data Fax Modem with SmartCP
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Print Projects" = HP Print Projects 1.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"PC-Doctor for Windows" = Hardware Diagnostic Tools
"Shop for HP Supplies" = Shop for HP Supplies

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{10CCF16B-F1C9-4B24-9570-B4CCEE42392D}" = LightScribe System Software
"{12766F00-807F-4978-8D24-FDD0A3D60EE4}" = ArtRage 2
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{17B4760F-334B-475D-829F-1A3E94A6A4E6}" = HP Setup
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{3023EBDA-BF1B-4831-B347-E5018555F26E}" = Movie Theme Pack for HP MediaSmart Video
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}" = HP Advisor
"{42E2EEB2-D48E-4A47-B181-32ECA031D93B}" = DJ_AIO_06_F2400_SW_Min
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = Recovery Manager
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{65C0025A-2CDE-43C5-82D0-C7A56EF0DB39}" = Bing Bar Platform
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BAA71B6-8F43-4C72-931A-3354ABB0258A}" = F2400
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{741CFE3A-1C0B-4A7D-8E08-5D78C911C09D}" = HP Support Assistant
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{922E8525-AC7E-4294-ACAA-43712D4423C0}" = Adobe Flash Player 10 ActiveX
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0383B7D-81A2-49D3-BE06-C0FD9EFB9DFC}" = Corel Painter IX
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"{B8AC1A89-FFD1-4F97-8051-E505A160F562}" = HP Odometer
"{B9A03B7B-E0FF-4FB3-BA83-762E58A1B0AA}" = HP Support Information
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Norton Online Backup
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C611CF88-969D-43E6-A877-D6D6439DD081}" = HP Remote Solution
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}" = Microsoft Search Enhancement Pack
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D46D081B-F60E-467E-A7C4-117B70D76731}" = HP Update
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}" = Adobe Photoshop Elements 4.0
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FAF26102-09D7-4C58-AB01-0D59A2E517CA}" = Copy
"{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}" = DVD Menu Pack for HP MediaSmart Video
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 4" = Adobe Photoshop Elements 4.0
"avast" = avast! Free Antivirus
"EasyBCD" = EasyBCD 2.0
"HP Remote Solution" = HP Remote Solution
"Inkscape" = Inkscape 0.48.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"Secunia PSI" = Secunia PSI (2.0.0.3001)
"Trojan Remover_is1" = Trojan Remover 6.8.2
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"TwistedBrush Pro Studio" = TwistedBrush Pro Studio

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"TwistedBrush Pro Studio" = TwistedBrush Pro Studio

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 22/03/2011 5:31:22 a.m. | Computer Name = CHENNA-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on,
or the storage drivers installed on this computer; or the disk is missing. Windows
closed the program tbrush.exe because of this error. Program: tbrush.exe File: The
error value is listed in the Additional Data section. User Action 1. Open the file
again. This situation might be a temporary problem that corrects itself when the
program runs again. 2. If the file still cannot be accessed and - It is on the network,
your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: 00000000 Disk
type: 0

Error - 22/03/2011 5:32:57 a.m. | Computer Name = CHENNA-PC | Source = Application Error | ID = 1000
Description = Faulting application name: tbrush.exe, version: 0.0.0.0, time stamp:
0x49962ab3 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000096 Fault offset: 0x00453aa8 Faulting process id: 0x27c Faulting application
start time: 0x01cbe87420d3089a Faulting application path: C:\Program Files (x86)\Pixarra\TwistedBrush\tbrush.exe
Faulting
module path: unknown Report Id: 5e94ffdc-5467-11e0-8822-18a905bca52a

Error - 22/03/2011 5:32:57 a.m. | Computer Name = CHENNA-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on,
or the storage drivers installed on this computer; or the disk is missing. Windows
closed the program tbrush.exe because of this error. Program: tbrush.exe File: The
error value is listed in the Additional Data section. User Action 1. Open the file
again. This situation might be a temporary problem that corrects itself when the
program runs again. 2. If the file still cannot be accessed and - It is on the network,
your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: 00000000 Disk
type: 0

Error - 23/03/2011 1:13:01 a.m. | Computer Name = CHENNA-PC | Source = RasClient | ID = 20227
Description =

Error - 23/03/2011 1:13:41 a.m. | Computer Name = CHENNA-PC | Source = RasClient | ID = 20227
Description =

Error - 23/03/2011 5:38:39 a.m. | Computer Name = CHENNA-PC | Source = RasClient | ID = 20227
Description =

Error - 23/03/2011 5:39:23 a.m. | Computer Name = CHENNA-PC | Source = RasClient | ID = 20227
Description =

Error - 23/03/2011 5:41:10 a.m. | Computer Name = CHENNA-PC | Source = Application Error | ID = 1000
Description = Faulting application name: tbrush.exe, version: 0.0.0.0, time stamp:
0x49962ab3 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000096 Fault offset: 0x00343aa8 Faulting process id: 0xf08 Faulting application
start time: 0x01cbe93e6f44c78e Faulting application path: C:\Program Files (x86)\Pixarra\TwistedBrush\tbrush.exe
Faulting
module path: unknown Report Id: ae81399c-5531-11e0-8493-18a905bca52a

Error - 23/03/2011 5:41:10 a.m. | Computer Name = CHENNA-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on,
or the storage drivers installed on this computer; or the disk is missing. Windows
closed the program tbrush.exe because of this error. Program: tbrush.exe File: The
error value is listed in the Additional Data section. User Action 1. Open the file
again. This situation might be a temporary problem that corrects itself when the
program runs again. 2. If the file still cannot be accessed and - It is on the network,
your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: 00000000 Disk
type: 0

Error - 23/03/2011 6:04:34 a.m. | Computer Name = CHENNA-PC | Source = Application Hang | ID = 1002
Description = The program NOTEPAD.EXE version 6.1.7600.16385 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: bc4 Start
Time: 01cbe9419b766ed9 Termination Time: 3 Application Path: C:\Windows\system32\NOTEPAD.EXE

Report
Id: e95404c4-5534-11e0-8493-18a905bca52a

[ Hewlett-Packard Events ]
Error - 1/02/2011 3:27:00 a.m. | Computer Name = CHENNA-PC | Source = Hewlett-Packard | ID = 0
Description = en-NZ Could not find file 'C:\Program Files (x86)\Hewlett-Packard\HP
Support Framework\Logs\SystemInfoAA.xml'. mscorlib at System.IO.__Error.WinIOError(Int32
errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode
mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32
bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath,
Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode mode,
FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String
msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks,
Int32 bufferSize) at System.IO.StreamReader..ctor(String path, Encoding encoding)

at System.IO.File.ReadAllText(String path, Encoding encoding) at n.a(Object
A_0, EventArgs A_1)

Error - 1/02/2011 3:27:01 a.m. | Computer Name = CHENNA-PC | Source = Hewlett-Packard | ID = 0
Description = en-NZ Could not find file 'C:\Program Files (x86)\Hewlett-Packard\HP
Support Framework\Logs\SystemInfoAA.xml'. mscorlib at System.IO.__Error.WinIOError(Int32
errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode
mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32
bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath,
Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode mode,
FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String
msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks,
Int32 bufferSize) at System.IO.StreamReader..ctor(String path, Encoding encoding)

at System.IO.File.ReadAllText(String path, Encoding encoding) at n.a(Object
A_0, EventArgs A_1)

Error - 1/03/2011 3:30:10 a.m. | Computer Name = CHENNA-PC | Source = Hewlett-Packard | ID = 0
Description = en-NZ Could not find file 'C:\Program Files (x86)\Hewlett-Packard\HP
Support Framework\Logs\SystemInfoAA.xml'. mscorlib at System.IO.__Error.WinIOError(Int32
errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode
mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32
bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath,
Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode mode,
FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String
msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks,
Int32 bufferSize) at System.IO.StreamReader..ctor(String path, Encoding encoding)

at System.IO.File.ReadAllText(String path, Encoding encoding) at n.a(Object
A_0, EventArgs A_1)

[ System Events ]
Error - 26/03/2011 8:52:58 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the hpqcxs08
service to connect.

Error - 26/03/2011 8:52:58 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7000
Description = The hpqcxs08 service failed to start due to the following error: %%1053

Error - 26/03/2011 8:52:58 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the hpqcxs08
service to connect.

Error - 26/03/2011 8:52:58 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7000
Description = The hpqcxs08 service failed to start due to the following error: %%1053

Error - 26/03/2011 8:52:58 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the hpqcxs08
service to connect.

Error - 26/03/2011 8:52:58 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7000
Description = The hpqcxs08 service failed to start due to the following error: %%1053

Error - 26/03/2011 8:52:58 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the hpqcxs08
service to connect.

Error - 26/03/2011 8:52:58 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7000
Description = The hpqcxs08 service failed to start due to the following error: %%1053

Error - 26/03/2011 9:41:12 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the HP
CUE DeviceDiscovery Service service to connect.

Error - 26/03/2011 9:41:12 p.m. | Computer Name = CHENNA-PC | Source = Service Control Manager | ID = 7000
Description = The HP CUE DeviceDiscovery Service service failed to start due to
the following error: %%1053


< End of report >

#10 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 30 March 2011 - 11:53 AM

Hi kiwipoppy,

Your logs are clean. I still see no signs of infection.

previous anti virus programs on this machine were corrupted, and never showed anything anyway

What makes you think your antivirus programs were corrupted? If an antivirus program finds nothing, this is good.

Boot scans show some windows update are corrupted and a deep scan turns off the computer

What scanner? Chkdsk?

Files from previously infected computer have appeared on this one.

Which files? can you give an example?

The dllhost, which previously appeared on rootkit scans is always running, and cannot be killed.

What dllhost file?

Show hidden files has always been enabled, but Trojan Remover (looking fwd to new version) scans lots of files named windows/sysnative, and windows/assembly/native images,

These are Windows operating system files.

The secret partition, and registry appears to have gone

When did this happen?

Several user accounts in registry, that I can't identify, they only use numbers, not user names

You should never muck around in the registry unless you know what you are doing and have made a backup.

I'm not sure if your problems are malware related. It appears that you or your friend might have removed or altered some system files/registry entries.

When you insert the recovery disk what options do you get? Please list them here.


NOTE: To run many of the tools we use you must be logged in as "Administrator" then right click and "Run as Administrator"


Step 1.


We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - File not found
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:F8B88761
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:CB0AACC9
    
    :commands
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.


Step 2.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to Disable your Security Applications
    Note - If you have AVG or CA installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download Opswat AppRemover http://www.appremover.com/supported-applications <----Important
    Refer to this page if you are not sure how. You can reinstall AVG when we are finished and can temporarily install another antivirus if you wish. Some good antivirus programs free for non-commercial home use are:
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


In your next reply please respond to my questions and include the following:


OTLFix report
Combofix.txt



Do you have a USB/thumb drive?


Thanks!!
PW
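
The items the OTL fix above targets (Run/RunOnce entries whose file is missing, and alternate data streams on C:\ProgramData\Temp), plus the numeric SIDs kiwipoppy asked about, can all be inspected read-only with PowerShell before anything is deleted. The script below is an added example for readers of this thread; it is not part of pwgib's instructions or of OTL. It assumes PowerShell 3.0 or later (the -Stream parameter of Get-Item), and the registry keys and folder path are the ones named in the OTL fix; HKU keys for other SIDs are not mapped here.

```powershell
# Added example, not from the thread. Read-only inspection of the kinds of items
# the OTL fix above removes. Assumes PowerShell 3.0+ (Get-Item -Stream).

# 1. Resolve a numeric SID such as HKU\S-1-5-19 to an account name.
#    S-1-5-18/19/20 are built-in service accounts, not human users.
function Resolve-SidName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "<unresolved: $Sid>"
    }
}

# 2. List Run/RunOnce values whose target executable does not exist on disk
#    (what OTL reports as "File not found"). Only HKLM and the current user
#    are checked; other hives would need the HKU: drive mapped first.
function Get-OrphanedRunEntry {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Pull the executable out of the command line: a quoted path, or the first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}

# 3. List alternate data streams on a file or folder (OTL's "@Alternate Data Stream"
#    lines). The default ':$DATA' stream is filtered out so only extra streams show.
function Get-AlternateStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Usage: the SIDs and folder below are the ones that appear in the OTL fix.
'S-1-5-18', 'S-1-5-19', 'S-1-5-20' | ForEach-Object { '{0} -> {1}' -f $_, (Resolve-SidName $_) }
Get-OrphanedRunEntry | Format-Table -AutoSize
Get-AlternateStream -Path 'C:\ProgramData\Temp'
```

Run it from an elevated PowerShell prompt so the HKLM keys and ProgramData folder are readable. An orphaned Run entry is harmless by itself (the file is gone), but it is worth noting where it pointed; a small alternate data stream on a Temp folder is more often leftover metadata from a download or an installer than anything malicious, which is why the fix simply removes it.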

#11 kiwipoppy

kiwipoppy
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 30 March 2011 - 11:08 PM

hi, yes I have a thumb drive
Ran OTL fix, but a report did not appear
Earlier antivirus Kaspersky for instance, Action Center showed I had 2 AV running when I checked. They were both Kaspersky, listed twice, Kaspersky told me this was not possible, but that's what was showing
Avast is full of files that I cannot change the properties on, access is denied, eg AvastSS.dll,
Earlier AV refused to be uninstalled
Avast bootscan shows windows update files corrupted
After previous computer became infected (Credit card details stolen, programs disappeared, access denied everywhere) a lot of files dated July 14 2009 appeared
They reappeared on new computer, mostly windows files, especially drivers. They WERE NOT there when I first bought computer
Why Don't Sysnative, and Native images appear on my computer then?
After OTL fix, dllhost.exe which appeared in earlier rootkit scans, and has always been running, and unkillable, seems to have gone from Task Manager
Have NOT messed around in registry (I know better) but spend time there, to familiarise myself with what's there,
especially when my user account gets changed to an admin account without my input.
Creator Owner owns a lot of the files there anyway, and I couldn't change them even if I wanted to, you guessed it, access is denied
Will let you know on other questions, you may well be right, may not have any malware,
but what I do know is I had a beautiful new computer, that ran perfectly, until I reinstalled files from old computer,
Since then files like firefox.exe*32, and others with *32 seem more common, also dlls with 32 in the name, shell32.dll, oleaut32.dll etc, etc (probably not relevant)
Will try the combofix now, will post as soon as I can, thanks again for all your help, and patience

#12 kiwipoppy

kiwipoppy
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 31 March 2011 - 12:23 AM

Bluescreen shutdown again, ran in safe mode
noticed a new file appeared in the C drive at the same time as the log was produced
Named
32788R22FWJFW
Contents EN-US
cmd.cfxxe.mui (7/14/2009)
Log as follows
ComboFix 11-03-30.01 - Administrator 31/03/2011 17:44:48.1.2 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.64.1033.18.1917.1012 [GMT 13:00]
Running from: c:\users\Administrator\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
.
.
2011-03-31 04:47 . 2011-03-31 04:47 -------- d-----w- c:\users\SAGE\AppData\Local\temp
2011-03-31 04:47 . 2011-03-31 04:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-31 04:47 . 2011-03-31 04:47 -------- d-----w- c:\users\CHENNA\AppData\Local\temp
2011-03-31 03:03 . 2011-03-31 03:03 -------- d-----w- C:\_OTL
2011-03-30 03:26 . 2011-03-30 03:26 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2011-03-30 03:26 . 2010-12-20 05:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-03-30 03:26 . 2010-12-20 05:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 03:24 . 2011-03-30 03:24 -------- d-----w- c:\users\Administrator\AppData\Local\Secunia PSI
2011-03-29 09:30 . 2011-03-15 05:17 8424784 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8BA3560B-C002-4AE0-BB03-AF148A9DAEE7}\mpengine.dll
2011-03-29 07:53 . 2011-03-29 07:53 -------- d-----w- c:\users\CHENNA\AppData\Local\Secunia PSI
2011-03-29 07:52 . 2011-03-29 07:52 -------- d-----w- c:\program files (x86)\Secunia
2011-03-28 10:21 . 2011-03-28 10:21 -------- d-----w- c:\users\CHENNA\AppData\Roaming\Simply Super Software
2011-03-25 03:32 . 2011-03-25 03:32 -------- d-----w- c:\users\Administrator\AppData\Roaming\Simply Super Software
2011-03-25 01:04 . 2011-02-19 06:37 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-03-25 01:04 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-03-25 01:04 . 2011-02-19 06:37 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-03-25 01:04 . 2011-02-19 06:36 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-03-25 01:04 . 2011-02-19 05:32 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-03-25 00:55 . 2011-02-23 14:57 505176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-25 00:55 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
2011-03-20 03:48 . 2006-06-18 23:01 69632 ----a-w- c:\windows\SysWow64\ztvcabinet.dll
2011-03-20 03:48 . 2006-05-25 01:52 162304 ----a-w- c:\windows\SysWow64\ztvunrar36.dll
2011-03-20 03:48 . 2005-08-25 11:50 77312 ----a-w- c:\windows\SysWow64\ztvunace26.dll
2011-03-20 03:48 . 2003-02-02 06:06 153088 ----a-w- c:\windows\SysWow64\UNRAR3.dll
2011-03-20 03:48 . 2002-03-05 11:00 75264 ----a-w- c:\windows\SysWow64\unacev2.dll
2011-03-20 03:48 . 2011-03-25 03:36 -------- d-----w- c:\program files (x86)\Trojan Remover
2011-03-20 03:48 . 2011-03-20 03:48 -------- d-----w- c:\users\SAGE\AppData\Roaming\Simply Super Software
2011-03-20 03:48 . 2011-03-20 03:48 -------- d-----w- c:\programdata\Simply Super Software
2011-03-20 03:45 . 2011-03-20 03:45 -------- d-----w- c:\program files (x86)\Pixarra
2011-03-19 10:50 . 2011-03-19 10:50 -------- d-----w- c:\users\SAGE\AppData\Roaming\Corel
2011-03-19 02:23 . 2011-03-19 02:23 -------- d-----w- c:\users\SAGE\AppData\Local\Mozilla
2011-03-18 06:16 . 2011-01-07 08:06 46080 ----a-w- c:\windows\system32\atmlib.dll
2011-03-18 06:16 . 2011-01-07 07:27 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-03-18 06:16 . 2011-01-07 05:49 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-03-18 06:16 . 2011-01-07 05:33 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-03-18 05:58 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-03-18 05:58 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-03-18 05:28 . 2010-11-02 05:12 1837568 ----a-w- c:\windows\system32\d3d10warp.dll
2011-03-18 05:28 . 2010-11-02 04:35 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2011-03-18 05:28 . 2011-01-26 06:53 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-03-18 05:28 . 2011-01-26 06:53 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-03-18 05:28 . 2010-11-02 05:18 229888 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-03-18 05:28 . 2010-11-02 05:12 320512 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-03-18 05:28 . 2010-11-02 04:41 135168 ----a-w- c:\windows\SysWow64\XpsRasterService.dll
2011-03-18 05:28 . 2010-11-02 04:35 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-03-18 05:28 . 2010-06-26 05:31 1863680 ----a-w- c:\windows\system32\ExplorerFrame.dll
2011-03-18 05:28 . 2010-06-26 05:14 1495040 ----a-w- c:\windows\SysWow64\ExplorerFrame.dll
2011-03-18 05:28 . 2011-01-26 06:31 144384 ----a-w- c:\windows\system32\cdd.dll
2011-03-18 05:28 . 2010-11-02 05:12 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-03-18 05:28 . 2010-11-02 04:35 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-03-18 05:20 . 2010-10-27 05:18 5510528 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-03-18 05:20 . 2010-10-27 05:16 1739176 ----a-w- c:\windows\system32\ntdll.dll
2011-03-18 05:20 . 2010-10-27 04:43 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-03-18 05:20 . 2010-10-27 04:43 3957120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-03-18 05:20 . 2010-10-27 04:40 1293120 ----a-w- c:\windows\SysWow64\ntdll.dll
2011-03-18 05:14 . 2011-01-07 08:07 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-18 05:14 . 2011-01-07 08:07 475648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-18 05:14 . 2011-01-07 07:31 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-03-18 05:14 . 2011-01-07 07:31 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2011-03-18 05:11 . 2010-12-23 06:07 961024 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-18 05:11 . 2010-12-23 06:07 723968 ----a-w- c:\windows\system32\EncDec.dll
2011-03-18 05:11 . 2010-12-23 06:07 1118720 ----a-w- c:\windows\system32\sbe.dll
2011-03-18 05:11 . 2010-12-23 06:02 259072 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-18 05:11 . 2010-12-23 05:28 850432 ----a-w- c:\windows\SysWow64\sbe.dll
2011-03-18 05:11 . 2010-12-23 05:28 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll
2011-03-18 05:11 . 2010-12-23 05:28 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-03-18 05:11 . 2010-12-23 05:24 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2011-03-18 05:02 . 2011-01-05 06:20 612352 ----a-w- c:\windows\system32\vbscript.dll
2011-03-18 05:02 . 2011-01-05 05:37 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-03-18 03:44 . 2010-12-18 06:11 714752 ----a-w- c:\windows\system32\kerberos.dll
2011-03-18 03:44 . 2010-12-18 05:29 541184 ----a-w- c:\windows\SysWow64\kerberos.dll
2011-03-18 03:34 . 2011-01-05 04:00 3127808 ----a-w- c:\windows\system32\win32k.sys
2011-03-18 03:11 . 2010-12-18 06:12 3138048 ----a-w- c:\windows\system32\mstscax.dll
2011-03-18 03:11 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\SysWow64\mstscax.dll
2011-03-18 03:11 . 2010-12-18 06:08 1097216 ----a-w- c:\windows\system32\mstsc.exe
2011-03-18 03:11 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\SysWow64\mstsc.exe
2011-03-18 02:45 . 2010-12-21 06:16 214016 ----a-w- c:\windows\system32\winsrv.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 15:04 . 2011-02-05 07:45 190016 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-02-23 15:04 . 2011-02-05 07:46 238968 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 14:57 . 2011-02-05 07:46 280408 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2011-02-05 07:46 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2011-02-05 07:46 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:55 . 2011-02-05 07:46 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-02-23 14:54 . 2011-02-05 07:46 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-02 05:11 . 2011-02-03 06:55 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-01-29 07:16 . 2011-01-29 04:17 181064 ----a-w- c:\windows\PSEXESVC.EXE
2011-01-06 07:35 . 2011-01-06 07:35 14161920 ----a-w- C:\Diary.txt
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-09-29 1685048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-19 62768]
"TrojanScanner"="c:\program files (x86)\Trojan Remover\Trjscan.exe" [2011-03-20 1233856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\hp\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-1-11 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 CAXHWBS2;CAXHWBS2;c:\windows\system32\DRIVERS\CAXHWBS2.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2010-10-19 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-18 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-18 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-18 365592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: {5A0B3988-8A74-4458-B6DF-3A9F9D96E975} = 192.168.1.1
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\l7qnlc0m.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-RunOnce-<NO NAME> - (no file)
AddRemove-HP Remote Solution - c:\programdata\{B12D13C3-76FD-479D-AD99-8C6F18156BC9}\HP_Remote_Solution_Install.exe
AddRemove-{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79} - c:\program files (x86)\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe
AddRemove-{3023EBDA-BF1B-4831-B347-E5018555F26E} - c:\program files (x86)\InstallShield Installation Information\{3023EBDA-BF1B-4831-B347-E5018555F26E}\setup.exe
AddRemove-{40BF1E83-20EB-11D8-97C5-0009C5020658} - c:\program files (x86)\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe
AddRemove-{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5} - c:\program files (x86)\InstallShield Installation Information\{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}\setup.exe
AddRemove-{741CFE3A-1C0B-4A7D-8E08-5D78C911C09D} - c:\program files (x86)\InstallShield Installation Information\{741CFE3A-1C0B-4A7D-8E08-5D78C911C09D}\setup.exe
AddRemove-{B2EE25B9-5B00-4ACF-94F0-92433C28C39E} - c:\program files (x86)\InstallShield Installation Information\{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}\setup.exe
AddRemove-{C59C179C-668D-49A9-B6EA-0121CCFC1243} - c:\program files (x86)\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\setup.exe
AddRemove-{C611CF88-969D-43E6-A877-D6D6439DD081} - c:\programdata\{B12D13C3-76FD-479D-AD99-8C6F18156BC9}\HP_Remote_Solution_Install.exe
AddRemove-{CB099890-1D5F-11D5-9EA9-0050BAE317E1} - c:\program files (x86)\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe
AddRemove-{DCCAD079-F92C-44DA-B258-624FC6517A5A} - c:\program files (x86)\InstallShield Installation Information\{DCCAD079-F92C-44DA-B258-624FC6517A5A}\setup.exe
AddRemove-{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF} - c:\program files (x86)\InstallShield Installation Information\{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,94,95,c8,93,dc,0a,40,b1,76,69,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,94,95,c8,93,dc,0a,40,b1,76,69,\
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat\UserChoice]
@Denied: (2) (Administrator)
"Progid"="dat_auto_file"
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LOG\UserChoice]
@Denied: (2) (Administrator)
"Progid"="txtfile"
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PNF\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2683396715-2669940847-296592165-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-03-31 17:49:27
ComboFix-quarantined-files.txt 2011-03-31 04:49
.
Pre-Run: 436,903,227,392 bytes free
Post-Run: 436,978,368,512 bytes free
.
- - End Of File - - 92CF0312050B9E2F651A0AA3C2CF9C5D

#13 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 31 March 2011 - 06:39 PM

Hi kiwipoppy,

Avast is full of files that I cannot change the properties on, access is denied, e.g. AvastSS.dll,

Why do you want to change the properties of these files? Where are they located? Are they quarantined or files that have been scanned?

Earlier AV refused to be uninstalled

Which AV? I only see Avast.

a lot of files dated July 14 2009 appeared
They reappeared on new computer, mostly windows files, especially drivers. They WERE NOT there when I first bought computer

Did you transfer files from the old computer to the new one? Keep in mind that drivers get installed when you install programs/hardware.

Why Don't Sysnative,and Native images appear on my computer then?

They are hidden system files.

"C:\Windows\Sysnative is for 32-bit applications to access C:\Windows\System32 on 64-bit editions of Windows; otherwise they are redirected to C:\Windows\SysWOW64".
http://msdn.microsoft.com/en-us/library/aa384187(v=vs.85).aspx
http://www.nynaeve.net/?p=133

"The Native Image Generator (Ngen.exe) is a tool that improves the performance of managed applications"
http://msdn.microsoft.com/en-us/library/6t9t5wcf(v=vs.71).aspx
http://msdn.microsoft.com/en-us/library/6t9t5wcf(v=vs.80).aspx

what I do know is I had a beautiful new computer,that ran perfectly,until I reinstalled files from old computer,

This should tell you that something in the old files borked your system. When you transfer files from one computer to another you can only transfer data files not programs. If you upgraded from XP, Microsoft makes it easy to transfer files with Windows Easy Transfer. Of course you need to make sure that the files you transfer are from a clean computer. :)

Since then files like firefox.exe*32, and others with *32, seem more common, also dlls with 32 in the name, shell32.dll, oleaut32.dll etc, etc (probably not relevant)

Parts of the Windows operating system.

I still don't see any malware.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


In your next reply please include the following:

ESET scan results (if any)

Thanks!!

PW
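pwgib's Sysnative/SysWOW64 explanation above is also why the ComboFix log earlier in this thread lists a file such as ntoskrnl.exe under both c:\windows\system32 and c:\windows\SysWow64. The following Python is an added example, not code from the thread or from Microsoft: it models the WOW64 file-system redirector, i.e. which path a 32-bit process on 64-bit Windows really reaches when it asks for System32, and how the Sysnative alias gets at the real directory. The exemption list follows Microsoft's documented redirector behaviour; WINDIR and the sample paths are constructed for the example.

```python
r"""Model of the WOW64 file-system redirector on 64-bit Windows.

Added example for this thread, not code from the forum or from Microsoft:
it shows why a 32-bit process (the ones Task Manager marks with *32) that
opens c:\windows\system32\... really touches c:\windows\SysWOW64\..., and
why the Sysnative alias exists. Uses ntpath so it runs on any platform.
"""
import ntpath

WINDIR = r"c:\windows"  # constructed for the example; %windir% in practice

# System32 subdirectories that the redirector leaves alone even for 32-bit
# callers, per Microsoft's "File System Redirector" documentation.
EXEMPT_SUBDIRS = (
    "catroot",
    "catroot2",
    "driverstore",
    "logfiles",
    "spool",
    ntpath.join("drivers", "etc"),
)


def _relative_to(path, base):
    """Return the part of `path` below `base`, or None if not under it.

    Comparison is case-insensitive, as NTFS path lookup is.
    """
    path = ntpath.normpath(path).lower()
    base = ntpath.normpath(base).lower()
    if path == base:
        return ""
    if path.startswith(base + "\\"):
        return path[len(base) + 1:]
    return None


def effective_path(requested, process_is_32bit, os_is_64bit=True):
    """Return the path the kernel actually opens for `requested`.

    64-bit process, or 32-bit Windows: no redirection at all.
    32-bit process on 64-bit Windows: System32 -> SysWOW64, unless the
    target sits in an exempt subdirectory; Sysnative -> the real System32.
    The result is normalised to lower case for easy comparison.
    """
    requested = ntpath.normpath(requested).lower()
    if not (os_is_64bit and process_is_32bit):
        return requested

    system32 = ntpath.join(WINDIR, "system32")
    rest = _relative_to(requested, ntpath.join(WINDIR, "sysnative"))
    if rest is not None:
        # Sysnative is an alias, not a real directory: it maps to System32.
        return ntpath.join(system32, rest) if rest else system32

    rest = _relative_to(requested, system32)
    if rest is None:
        return requested  # outside System32: untouched
    for sub in EXEMPT_SUBDIRS:
        if rest == sub or rest.startswith(sub + "\\"):
            return requested  # exempt: 32-bit code sees the real files
    wow64 = ntpath.join(WINDIR, "syswow64")
    return ntpath.join(wow64, rest) if rest else wow64


if __name__ == "__main__":
    for p, is32 in [(r"C:\Windows\System32\ntoskrnl.exe", True),
                    (r"C:\Windows\Sysnative\ntoskrnl.exe", True),
                    (r"C:\Windows\System32\drivers\etc\hosts", True),
                    (r"C:\Windows\System32\ntoskrnl.exe", False)]:
        print(f"{'32-bit' if is32 else '64-bit'} process asks for {p}"
              f" -> opens {effective_path(p, is32)}")
```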

#14 kiwipoppy

  • Topic Starter
  • Members
  • 47 posts

Posted 01 April 2011 - 04:28 AM

Thanks again, will try that but just wanted to ask re CF log, can you explain the following

uStart Page = hxxp://www.google.com/

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"

The locked registry keys, why are they locked?

Also, where can I find out how user accounts should appear in a normal Win 7 64-bit registry?
I have 12 separate users listed, I expect 4, maybe 5:
Guest, admin, builtin admin, and std user (and the NT authority/System seems to run a user account as well)

Re properties, when running as admin I should be able to access anything; access denied seems wrong

I did transfer jpegs and 8bfs from a backup drive, but obviously all the rest of the stuff came uninvited
The previous computer was XP SP2, I could never get SP3 to install, which I understand left me vulnerable to infection of windows system files

#15 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 01 April 2011 - 11:19 AM

Hi kiwipoppy,

We keep straying from the task at hand. That being to determine if you are infected or not. I am not a Windows operating system instructor nor a Windows registry instructor and this forum is not the place to be straying into those areas. I have been trained in malware removal so we need to stick to that area of my expertise. If you would like to learn more about malware removal visit the Malware Removal Training Program topic.

You can also visit the Windows 7 topic in the Operating Systems Forum. This is where I will send you when I determine you are not infected.

If you would like to learn more about the Windows 7 registry then let Google be your friend. :)
Do a Google search on Windows registry. There is enough reading material to last you a long time.

An excellent introduction to the Windows registry can be found here at BC.

Demystifying the Windows Registry


Please let me know about the ESET scan


Thanks!!
PW



