Stealth MBR rootkit/Mebroot/Sinowal?


  • This topic is locked
21 replies to this topic

#1 BillyAcer

  • Members
  • 52 posts

Posted 09 May 2011 - 05:46 AM

Thought it was my router, but after dealing with that, it seems I may have a root virus. Computer is working OK, a little slow, but there are a lot of anti-viral programs in the PC right now. The main problem is redirects and a delay on searches. What I mean by delay is, when I search something, the screen before comes up. I hit back, and I'm at the new search. (Doesn't happen all the time.)

(DDS Txt)
DDS (Ver_11-03-05.01) - NTFSx86
Run by BoB at 21:57:59.84 on Sun 05/08/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.209 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\BoB\Desktop\dds(1).scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [DDCActiveMenu] "c:\program files\wildtangent\ddc\activemenu\DDCActiveMenu.exe" -boot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0AMQA4ADYAOAAyADEANgA1ADIALQBCADMALQBGAFAAOQArADMALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBYAE8AOQArADEALQBGADkATQAyACsAMQA"&"prod=90"&"ver=9.0.894
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255302378759
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\bob\applic~1\mozilla\firefox\profiles\pw1bri3s.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bc65cd0&v=6.103.018.001&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\bob\application data\facebook\npfbplugin_1_0_3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S0 klhp;klhp;c:\windows\system32\drivers\hfnuri.sys --> c:\windows\system32\drivers\hfnuri.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
=============== Created Last 30 ================
.
2011-05-09 00:44:18 89088 ----a-w- C:\mbr.exe
2011-05-06 01:34:54 388096 ----a-r- c:\docume~1\bob\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-06 01:34:51 -------- d-----w- c:\program files\Trend Micro
2011-05-05 00:18:07 -------- d-----w- c:\program files\ESET
2011-05-04 02:45:06 -------- d-----w- c:\docume~1\bob\applic~1\SUPERAntiSpyware.com
2011-05-04 02:43:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-03 03:12:17 -------- d-----w- c:\docume~1\bob\applic~1\AVG10
2011-05-03 02:56:43 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-03 02:56:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-05-03 02:39:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-05-03 02:26:02 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-05-03 02:14:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-03 02:13:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-05-01 13:15:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-01 13:15:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-01 10:52:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-05-01 10:49:10 -------- d-----w- c:\docume~1\bob\applic~1\GetRightToGo
2011-05-01 03:18:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-30 00:33:11 -------- d-sh--w- C:\found.000
2011-04-28 00:24:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-28 00:24:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-27 01:18:00 122328 ----a-w- c:\program files\mozilla firefox\nsr33.tmp\crashreporter.exe
2011-04-23 13:31:45 77824 --sha-r- c:\windows\system32\kbdbep.dll
2011-04-17 16:26:32 -------- d-----w- c:\program files\HRBlock2010
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
============= FINISH: 22:00:33.46 ===============

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 May 2011 - 01:49 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#3 BillyAcer

  • Topic Starter
  • Members
  • 52 posts

Posted 09 May 2011 - 07:13 PM

Hi Noviciate,

aswMBR.exe log:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-09 19:42:23
-----------------------------
19:42:23.343 OS Version: Windows 5.1.2600 Service Pack 3
19:42:23.343 Number of processors: 1 586 0x204
19:42:23.343 ComputerName: BOB_HP_TOWER UserName: BoB
19:42:40.984 Initialize success
19:43:40.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:43:40.281 Disk 0 Vendor: SAMSUNG_SV0602H RH100-09 Size: 57277MB BusType: 3
19:43:40.453 Disk 0 MBR read successfully
19:43:40.453 Disk 0 MBR scan
19:43:40.453 Disk 0 unknown MBR code
19:43:40.546 Disk 0 scanning sectors +117285840
19:43:40.687 Disk 0 malicious Win32:MBRoot code @ sector 117285843 !
19:43:40.750 Disk 0 PE file @ sector 117285865 !
19:43:40.859 Disk 0 scanning C:\WINDOWS\system32\drivers
19:44:31.328 Service scanning
19:44:38.937 Disk 0 trace - called modules:
19:44:38.968 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
19:44:38.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f75ab8]
19:44:38.968 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\00000066[0x86f49f18]
19:44:39.468 5 ACPI.sys[f743e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f06d98]
19:44:39.468 Scan finished successfully
20:08:31.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\BoB\Desktop\MBR.dat"
20:08:31.328 The log file has been saved successfully to "C:\Documents and Settings\BoB\Desktop\aswMBR.txt"
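
A small log triage helper, added here as an example and not part of aswMBR or of this thread: it reduces output like the log above to the facts a responder acts on (was the MBR readable, is its code non-standard, and did the sector sweep find bootkit code or a PE image) and separates a confirmed Win32:MBRoot hit from the weaker "unknown MBR code" signal, which OEM recovery loaders and boot managers can also trigger. The infected excerpt is taken from the post above; the clean and suspicious logs are constructed for comparison.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Excerpt of the aswMBR log from post #3 above.
INFECTED_LOG = r"""
19:43:40.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:43:40.453 Disk 0 MBR read successfully
19:43:40.453 Disk 0 MBR scan
19:43:40.453 Disk 0 unknown MBR code
19:43:40.546 Disk 0 scanning sectors +117285840
19:43:40.687 Disk 0 malicious Win32:MBRoot code @ sector 117285843 !
19:43:40.750 Disk 0 PE file @ sector 117285865 !
19:44:39.468 Scan finished successfully
"""

# Constructed logs (not real scan output) for the other two outcomes.
CLEAN_LOG = """
19:43:40.453 Disk 0 MBR read successfully
19:43:40.453 Disk 0 MBR scan
19:43:40.453 Disk 0 Windows XP default MBR code
19:44:39.468 Scan finished successfully
"""

SUSPICIOUS_LOG = """
19:43:40.453 Disk 0 MBR read successfully
19:43:40.453 Disk 0 unknown MBR code
19:44:39.468 Scan finished successfully
"""

TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
MALICIOUS_RE = re.compile(r"Disk (\d+) malicious (\S+) code @ sector (\d+)")
PE_FILE_RE = re.compile(r"Disk (\d+) PE file @ sector (\d+)")
SWEEP_RE = re.compile(r"Disk (\d+) scanning sectors \+(\d+)")


@dataclass
class MbrTriage:
    mbr_read: bool = False
    unknown_mbr_code: bool = False
    hidden_scan_start: int = 0  # offset from the "scanning sectors +N" line
    malicious: List[Tuple[str, int]] = field(default_factory=list)  # (family, sector)
    pe_sectors: List[int] = field(default_factory=list)
    finished: bool = False

    def verdict(self) -> str:
        # A signature hit in the sector sweep is a confirmed bootkit.
        if self.malicious:
            return "infected"
        # Non-standard MBR code or a stray PE image without a signature hit
        # needs a manual look: custom boot loaders produce the same line.
        if self.unknown_mbr_code or self.pe_sectors:
            return "suspicious"
        if self.mbr_read and self.finished:
            return "clean"
        return "incomplete"


def triage_aswmbr(log_text: str) -> MbrTriage:
    """Reduce an aswMBR log to the handful of facts a responder acts on."""
    result = MbrTriage()
    for raw in log_text.splitlines():
        msg = TIMESTAMP_RE.sub("", raw.strip())
        if not msg:
            continue
        if msg.endswith("MBR read successfully"):
            result.mbr_read = True
        elif msg.endswith("unknown MBR code"):
            result.unknown_mbr_code = True
        elif msg.startswith("Scan finished successfully"):
            result.finished = True
        else:
            m = SWEEP_RE.search(msg)
            if m:
                result.hidden_scan_start = int(m.group(2))
            m = MALICIOUS_RE.search(msg)
            if m:
                result.malicious.append((m.group(2), int(m.group(3))))
            m = PE_FILE_RE.search(msg)
            if m:
                result.pe_sectors.append(int(m.group(2)))
    return result


if __name__ == "__main__":
    for name, log in (("posted", INFECTED_LOG), ("clean", CLEAN_LOG),
                      ("suspicious", SUSPICIOUS_LOG)):
        t = triage_aswmbr(log)
        print(f"{name}: {t.verdict()} malicious={t.malicious} pe={t.pe_sectors}")
```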

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 May 2011 - 02:00 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

#5 BillyAcer

  • Topic Starter
  • Members
  • 52 posts

Posted 10 May 2011 - 08:37 PM

2011/05/10 21:31:09.0890 0428 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/10 21:31:10.0796 0428 ================================================================================
2011/05/10 21:31:10.0796 0428 SystemInfo:
2011/05/10 21:31:10.0796 0428
2011/05/10 21:31:10.0796 0428 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/10 21:31:10.0796 0428 Product type: Workstation
2011/05/10 21:31:10.0796 0428 ComputerName: BOB_HP_TOWER
2011/05/10 21:31:10.0796 0428 UserName: BoB
2011/05/10 21:31:10.0796 0428 Windows directory: C:\WINDOWS
2011/05/10 21:31:10.0796 0428 System windows directory: C:\WINDOWS
2011/05/10 21:31:10.0796 0428 Processor architecture: Intel x86
2011/05/10 21:31:10.0796 0428 Number of processors: 1
2011/05/10 21:31:10.0796 0428 Page size: 0x1000
2011/05/10 21:31:10.0796 0428 Boot type: Normal boot
2011/05/10 21:31:10.0796 0428 ================================================================================
2011/05/10 21:31:14.0843 0428 Initialize success
2011/05/10 21:31:27.0421 3616 ================================================================================
2011/05/10 21:31:27.0421 3616 Scan started
2011/05/10 21:31:27.0421 3616 Mode: Manual;
2011/05/10 21:31:27.0421 3616 ================================================================================
2011/05/10 21:33:17.0187 3616 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/10 21:33:17.0687 3616 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/10 21:33:18.0187 3616 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/10 21:33:18.0687 3616 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/05/10 21:33:19.0140 3616 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/10 21:33:19.0609 3616 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/10 21:33:20.0109 3616 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/10 21:33:20.0593 3616 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/10 21:33:21.0093 3616 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/10 21:33:21.0640 3616 viaagp1 (099f10c7b9d4c7a2bf48d4c6eca1e7f1) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2011/05/10 21:33:22.0109 3616 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/05/10 21:33:22.0562 3616 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/10 21:33:23.0062 3616 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/10 21:33:23.0984 3616 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/10 21:33:24.0578 3616 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/10 21:33:25.0125 3616 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/10 21:33:25.0625 3616 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/10 21:33:26.0171 3616 {6080A529-897E-4629-A488-ABA0C29B635E} (5b3d453a2f38105bcd0c573b94dea346) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/05/10 21:33:26.0687 3616 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (e147bd61a697701096ca5c830a5adb90) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/05/10 21:33:26.0796 3616 ================================================================================
2011/05/10 21:33:26.0796 3616 Scan finished
2011/05/10 21:33:26.0796 3616 ================================================================================

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 May 2011 - 01:37 PM

Good evening. :)

Due to your choice of anti-virus program, AVG, you will need to temporarily uninstall it in order to run the next tool. It incorrectly identifies parts of ComboFix as malicious and blocks their actions - this renders the tool ineffective.

As you are using an older version of AVG you might like to take the opportunity to upgrade. The latest, free, version is available here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download both the AV installation file and ComboFix, log off from the internet, uninstall your AV, reboot, run CF, then reinstall your AV and that's that.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename, BEFORE saving it, to svchost.exe
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

#7 BillyAcer

  • Topic Starter
  • Members
  • 52 posts

Posted 11 May 2011 - 11:41 PM

ComboFix 11-05-11.01 - BoB 05/12/2011 0:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.708 [GMT -4:00]
Running from: c:\documents and settings\BoB\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\BoB\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HelpAssistant\WINDOWS
c:\documents and settings\Katie\WINDOWS
c:\documents and settings\Owner\WINDOWS
C:\Install.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
.
.
2011-05-12 02:48 . 2011-05-12 04:25 -------- d-----w- c:\documents and settings\Administrator
2011-05-09 00:44 . 2011-05-09 00:44 89088 ----a-w- C:\mbr.exe
2011-05-06 01:34 . 2011-05-06 01:34 388096 ----a-r- c:\documents and settings\BoB\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-06 01:34 . 2011-05-06 01:34 -------- d-----w- c:\program files\Trend Micro
2011-05-05 00:18 . 2011-05-05 00:18 -------- d-----w- c:\program files\ESET
2011-05-03 03:12 . 2011-05-03 03:12 -------- d-----w- c:\documents and settings\BoB\Application Data\AVG10
2011-05-03 02:56 . 2011-05-12 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-05-03 02:39 . 2011-05-12 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-05-03 02:26 . 2011-05-03 02:26 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-05-03 02:14 . 2011-05-03 02:14 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-03 02:13 . 2011-05-03 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-05-01 10:52 . 2011-05-01 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-05-01 10:52 . 2011-05-01 12:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-05-01 10:49 . 2011-05-01 11:00 -------- d-----w- c:\documents and settings\BoB\Application Data\GetRightToGo
2011-05-01 03:18 . 2011-05-01 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-30 00:33 . 2011-04-30 00:33 -------- d-----w- C:\found.000
2011-04-28 00:24 . 2011-05-12 01:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-28 00:24 . 2011-05-12 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-27 01:18 . 2011-03-24 11:54 122328 ----a-w- c:\program files\Mozilla Firefox\nsr33.tmp\crashreporter.exe
2011-04-23 13:31 . 2011-04-23 13:31 77824 --sha-r- c:\windows\system32\kbdbep.dll
2011-04-17 16:26 . 2011-04-17 16:27 -------- d-----w- c:\program files\HRBlock2010
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-10-12 01:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2009-10-12 01:08 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2002-08-04 01:46 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2009-10-12 01:07 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2009-10-12 01:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2002-08-04 01:45 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2002-08-04 01:46 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-10-13 02:09 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2002-08-04 01:43 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2009-10-12 01:06 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-04-30 10:58 . 2011-04-27 01:28 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-07-16 106549]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-05-15 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-05-15 114688]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"DDCActiveMenu"="c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" [2002-06-08 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\BoB\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-12-26 333088]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=c:\windows\pss\hp center UI.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=c:\windows\pss\hp center.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
2002-06-08 08:20 86016 ----a-w- c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
2002-06-08 08:18 122880 ----a-w- c:\program files\WildTangent\DDC\DDCManager\DDCMan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2001-07-07 04:56 61440 ----a-w- c:\hp\KBD\KBD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2002-05-04 00:06 364544 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-06-14 23:39 81920 ----a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2001-12-19 06:39 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
2002-05-09 15:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Legacy\\FamilySearch\\LegacyFS.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"6042:TCP"= 6042:TCP:Services
"6043:TCP"= 6043:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
.
S0 klhp;klhp;c:\windows\system32\drivers\hfnuri.sys --> c:\windows\system32\drivers\hfnuri.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-07-27 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\BoB\Application Data\Mozilla\Firefox\Profiles\pw1bri3s.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bc65cd0&v=6.103.018.001&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-CamMonitor - c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\Malwarebytes' Anti-Malware\unins000.exe
AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - c:\program files\Spybot - Search & Destroy\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-12 00:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2011-05-12 00:31:44
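
As an added example (not part of this thread, nor code from TDSSKiller, ComboFix or BleepingComputer), a small Python parser for the two log formats posted above: TDSSKiller's driver lines (service name, MD5, path) and ComboFix's service and GloballyOpenPorts entries. It separates out what a reviewer would otherwise pick through by hand: drivers outside the Windows directory, boot-start services whose file carries ComboFix's [?] tag, and firewall ports opened beyond an expected set; reading [?] as "file not located or verified" is an assumption, and the sample lines are copied from the logs in this thread.

```python
"""Parsers for two log formats posted in this thread (TDSSKiller driver lines,
ComboFix service and firewall entries) plus simple review filters.
Added example; not code from TDSSKiller, ComboFix or BleepingComputer."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# TDSSKiller: "<yyyy/mm/dd> <hh:mm:ss.ffff> <pid> <service> (<md5>) <path>"
TDSS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} [\d:.]+\s+\d+\s+(?P<name>\S+) "
                     r"\((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# ComboFix service: "<start> <name>;<display>;<image>" optionally followed by
# " --> <resolved path>" and a bracketed tag; "[?]" is read here as "ComboFix
# could not locate or verify the file" (an assumption about the marker).
CF_SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
                       r"(?P<image>.+?)(?: --> (?P<resolved>.+?))?(?: \[(?P<tag>[^\]]*)\])?$")
# ComboFix GloballyOpenPorts entry: "<port>:<proto>"= <port>:<proto>:<label>
CF_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"= \d+:(?:TCP|UDP):(?P<label>.*)$')


@dataclass
class Driver:
    name: str
    md5: str
    path: str

@dataclass
class Service:
    start: str          # R0-R3 running, S0-S4 stopped; the digit is the start type
    name: str
    image: str
    tag: Optional[str]  # text inside the trailing [...] if present

@dataclass
class OpenPort:
    port: int
    proto: str
    label: str

def parse_tdsskiller(text: str) -> List[Driver]:
    """Keep only driver lines; status lines such as 'Scan finished' are skipped."""
    return [Driver(m["name"], m["md5"], m["path"])
            for m in (TDSS_RE.match(ln.strip()) for ln in text.splitlines()) if m]

def parse_combofix(text: str) -> Tuple[List[Service], List[OpenPort]]:
    """Pull service entries and globally opened firewall ports out of a ComboFix log."""
    services, ports = [], []
    for line in text.splitlines():
        line = line.strip()
        m = CF_SVC_RE.match(line)
        if m:
            services.append(Service(m["start"], m["name"], m["image"], m["tag"]))
            continue
        m = CF_PORT_RE.match(line)
        if m:
            ports.append(OpenPort(int(m["port"]), m["proto"], m["label"]))
    return services, ports

def drivers_outside(drivers: Sequence[Driver], roots: Tuple[str, ...] = ("c:\\windows\\",)) -> List[Driver]:
    """Drivers whose image is not under the Windows directory. Third-party filter
    drivers legitimately live elsewhere; this only separates them for a manual look."""
    return [d for d in drivers if not d.path.lower().startswith(roots)]

def boot_start_unresolved(services: Sequence[Service]) -> List[Service]:
    """Boot-start (x0) services whose file ComboFix tagged [?]: something set to
    load before the OS but absent from disk deserves a second look."""
    return [s for s in services if s.start.endswith("0") and s.tag == "?"]

def unexpected_open_ports(ports: Sequence[OpenPort], expected: Tuple[int, ...] = (3389,)) -> List[OpenPort]:
    """Globally opened ports outside the reviewer's expected set (3389 is
    labelled 'Remote Desktop' in the posted log)."""
    return [p for p in ports if p.port not in expected]

# Sample input: lines copied from the TDSSKiller and ComboFix logs in this thread.
SAMPLE_TDSS = r"""
2011/05/10 21:32:56.0375 3616 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/10 21:32:57.0078 3616 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/10 21:33:05.0343 3616 SymEvent (a3e7deab1ec157750ed8041d0eaddb3c) C:\Program Files\Symantec\SYMEVENT.SYS
2011/05/10 21:33:26.0796 3616 Scan finished
"""
SAMPLE_CF = r"""
S0 klhp;klhp;c:\windows\system32\drivers\hfnuri.sys --> c:\windows\system32\drivers\hfnuri.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""

if __name__ == "__main__":
    drivers = parse_tdsskiller(SAMPLE_TDSS)
    services, ports = parse_combofix(SAMPLE_CF)
    print("outside Windows dir:", [d.name for d in drivers_outside(drivers)])
    print("boot-start, file tagged [?]:", [s.name for s in boot_start_unresolved(services)])
    print("unexpected open ports:", [p.port for p in unexpected_open_ports(ports)])
```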

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 May 2011 - 02:17 PM

Good evening. :)

I'm not seeing any of the usual suspects with the symptoms you are having, so we'll need to look further afield.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any browser other than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download OTL by OldTimer from here and save it to your Desktop.
  • Close all open program windows and then double click the file to run it.
  • Copy and paste the following into the Custom Scans/Fixes box at the bottom:

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    ndis.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT


  • Please don't change any of the settings.
  • Click the Quick Scan button and let it do its thing - it shouldn't take too long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please paste the contents of these two files into your next reply, checking that all the data makes it into your post - large files may get cut off.

So long, and thanks for all the fish.

#9 BillyAcer

  • Topic Starter
  • Members
  • 52 posts

Posted 13 May 2011 - 05:48 AM

The ESET came up clean.

NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe - ()
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe - ()
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe - (Microsoft Corporation)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: DDCActiveMenu - hkey= - key= - C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe (WildTangent)
MsConfig - StartUpReg: DDCM - hkey= - key= - C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe (WildTangent)
MsConfig - StartUpReg: hpsysdrv - hkey= - key= - c:\WINDOWS\system\hpsysdrv.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: KBD - hkey= - key= - C:\hp\KBD\KBD.EXE (Hewlett-Packard Company)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\MSMSGS.EXE (Microsoft Corporation)
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
MsConfig - StartUpReg: nwiz - hkey= - key= - File not found
MsConfig - StartUpReg: PS2 - hkey= - key= - File not found
MsConfig - StartUpReg: Recguard - hkey= - key= - C:\WINDOWS\SMINST\Recguard.exe ()
MsConfig - StartUpReg: StorageGuard - hkey= - key= - C:\Program Files\VERITAS Software\Update Manager\sgtray.exe (VERITAS Software, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: hitmanpro35 - Reg Error: Value error.
SafeBootNet: hitmanpro35.sys - Reg Error: Value error.
SafeBootNet: HitmanPro35Crusader - Reg Error: Value error.
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2eac6a2d-57a8-44d4-96f7-e32bab40ca5f} - Windows Update
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {429D8DD3-05E0-4F56-B6D6-AC0730567C02} - Euro Update Tool
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4d64f3ba-f112-4efe-a02e-96680859937c} - KB918899
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5b7bf89d-d196-4c32-a303-a57b8ab7f18d} - KB918439
ActiveX: {5f3c70b3-ac2f-432c-8f9c-1624df61f54f} - Microsoft Data Access Components KB870669
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {dd772a76-bef3-44d7-8b39-502c8504c1f1} - KB925486
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {f15ee071-deb7-4cbb-951f-431c98338d8e} - KB911567
ActiveX: {f5173cf0-1dfb-4978-8e50-a90169ee7ca9} - Q823353
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - C:\WINDOWS\System32\LCodcCMP.dll (LEAD Technologies, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2011/05/12 07:37:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BoB\Local Settings\Application Data\AVG Security Toolbar
[2011/05/12 06:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/05/12 06:50:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2011
[2011/05/12 06:45:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2011/05/12 00:31:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/12 00:15:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/05/12 00:11:32 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/12 00:11:32 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/12 00:11:32 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/12 00:11:32 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/12 00:11:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/11 23:54:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\BoB\Recent
[2011/05/11 23:30:46 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/11 22:56:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\Copy of My Pictures
[2011/05/05 21:34:51 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/05/05 21:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BoB\Start Menu\Programs\HiJackThis
[2011/05/04 20:18:07 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/05/02 23:12:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BoB\Application Data\AVG10
[2011/05/02 22:56:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/05/02 22:39:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/05/02 22:26:02 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2011/05/02 22:13:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/05/01 14:21:34 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\BoB\Desktop\TDSSKiller.exe
[2011/05/01 06:52:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/05/01 06:52:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/05/01 06:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BoB\Desktop\Downloads
[2011/05/01 06:49:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\BoB\Application Data\GetRightToGo
[2011/04/30 23:18:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/04/29 20:33:11 | 000,000,000 | ---D | C] -- C:\found.000
[2011/04/27 20:24:49 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/27 20:24:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/17 12:27:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\H&R Block 2010
[2011/04/17 12:26:32 | 000,000,000 | ---D | C] -- C:\Program Files\HRBlock2010
[2011/04/14 21:28:42 | 000,134,480 | ---- | C] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\System32\drivers\AVGIDSDriver.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/13 00:13:00 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2011/05/12 07:22:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/12 07:21:48 | 1071,697,920 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/12 07:02:02 | 114,850,379 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/05/12 06:50:16 | 000,000,701 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[2011/05/12 00:26:02 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/12 00:16:02 | 000,000,316 | RHS- | M] () -- C:\BOOT.INI
[2011/05/10 22:04:11 | 000,143,360 | ---- | M] () -- C:\Documents and Settings\BoB\My Documents\heyrich.paf
[2011/05/10 07:29:14 | 000,447,259 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\burger plot.jpg
[2011/05/09 20:08:31 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\BoB\Desktop\MBR.dat
[2011/05/08 21:54:34 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\BoB\Desktop\dds(1).scr
[2011/05/08 21:52:56 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\BoB\defogger_reenable
[2011/05/08 20:44:15 | 000,089,088 | ---- | M] () -- C:\mbr.exe
[2011/05/08 09:44:11 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\BoB\Desktop\HiJackThis.lnk
[2011/05/02 22:26:02 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2011/05/02 22:14:23 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/05/01 20:48:39 | 000,014,758 | -HS- | M] () -- C:\Documents and Settings\BoB\Local Settings\Application Data\q7ntce130ok4
[2011/05/01 20:48:39 | 000,014,758 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\q7ntce130ok4
[2011/05/01 15:38:43 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/01 14:21:34 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\BoB\Desktop\TDSSKiller.exe
[2011/04/29 22:35:37 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\BoB\Local Settings\Application Data\prvlcl.dat
[2011/04/27 23:36:30 | 000,000,611 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110501-194935.backup
[2011/04/26 21:28:28 | 000,000,753 | ---- | M] () -- C:\Documents and Settings\BoB\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/23 09:31:45 | 000,077,824 | RHS- | M] () -- C:\WINDOWS\System32\kbdbep.dll
[2011/04/22 23:38:50 | 000,094,597 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Image2.jpg
[2011/04/17 12:40:32 | 000,001,693 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2010.lnk
[2011/04/14 21:28:42 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\System32\drivers\AVGIDSDriver.sys
[2011/04/14 03:37:23 | 000,306,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/14 03:10:04 | 000,463,840 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/14 03:10:04 | 000,078,990 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/12 07:02:02 | 114,850,379 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/05/12 06:50:16 | 000,000,701 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[2011/05/12 00:16:02 | 000,000,199 | ---- | C] () -- C:\Boot.bak
[2011/05/12 00:15:55 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/05/12 00:11:32 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/12 00:11:32 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/12 00:11:32 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/12 00:11:32 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/12 00:11:32 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/11 23:41:13 | 1071,697,920 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/09 20:08:31 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\BoB\Desktop\MBR.dat
[2011/05/08 21:54:33 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\BoB\Desktop\dds(1).scr
[2011/05/08 21:52:56 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\BoB\defogger_reenable
[2011/05/08 20:44:18 | 000,089,088 | ---- | C] () -- C:\mbr.exe
[2011/05/05 21:34:51 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\BoB\Desktop\HiJackThis.lnk
[2011/05/02 22:14:23 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/05/01 19:31:39 | 000,014,758 | -HS- | C] () -- C:\Documents and Settings\BoB\Local Settings\Application Data\q7ntce130ok4
[2011/05/01 19:31:39 | 000,014,758 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q7ntce130ok4
[2011/04/26 21:28:28 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\BoB\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/26 21:28:28 | 000,000,741 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/04/26 21:28:28 | 000,000,735 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/24 20:39:23 | 000,199,980 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\kool aid man.jpg
[2011/04/23 09:31:45 | 000,077,824 | RHS- | C] () -- C:\WINDOWS\System32\kbdbep.dll
[2010/04/18 18:15:01 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll
[2010/04/14 21:25:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\BoB\Local Settings\Application Data\prvlcl.dat
[2009/12/15 23:17:34 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\BoB\Application Data\PFP100JPR.{PB
[2009/12/15 23:17:34 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\BoB\Application Data\PFP100JCM.{PB
[2009/10/17 21:59:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/10/17 19:55:57 | 000,102,833 | ---- | C] () -- C:\WINDOWS\HPFins09.dat
[2009/10/17 19:55:57 | 000,003,732 | ---- | C] () -- C:\WINDOWS\hpfmdl09.dat
[2009/10/17 19:55:15 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2009/10/14 21:49:15 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/10/14 19:30:47 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\BoB\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/12 00:06:13 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/10/11 21:06:11 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/08/03 21:45:46 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/08/03 21:45:46 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/08/03 21:45:41 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/08/03 21:45:36 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/08/03 21:45:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/08/03 21:44:59 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/08/03 21:44:59 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/08/03 21:44:28 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/07/26 23:41:34 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/07/24 20:39:39 | 000,082,864 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2002/07/24 20:36:04 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2002/07/24 20:33:13 | 000,090,112 | R--- | C] () -- C:\WINDOWS\bwUnin-6.1.0.153.exe
[2002/07/24 20:32:31 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpREG.DLL
[2002/07/24 20:32:31 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2002/07/24 19:41:48 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2002/07/24 19:34:36 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2002/07/24 19:10:35 | 000,000,029 | ---- | C] () -- C:\WINDOWS\ALSndMgr.ini
[2002/07/24 18:58:11 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2002/07/24 18:58:11 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2002/07/24 18:57:49 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2002/07/24 03:29:49 | 000,000,799 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/07/24 03:20:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2002/07/24 03:16:03 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/07/24 03:14:33 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2002/07/24 03:05:50 | 000,000,663 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2002/07/24 03:05:34 | 000,463,840 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/07/24 03:05:34 | 000,078,990 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/07/23 20:10:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/07/23 20:09:58 | 000,306,008 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/06/01 01:59:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/05/24 22:46:08 | 000,036,864 | ---- | C] () -- C:\WINDOWS\hpfsched.exe
[2002/05/24 22:44:48 | 000,004,760 | ---- | C] () -- C:\WINDOWS\hphmdl11.dat
[2002/05/22 22:44:14 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2002/05/22 22:04:26 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2002/05/15 06:26:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\igfxdgps.dll
[2002/02/28 02:07:34 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis740.bin
[2002/02/28 02:01:10 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis650.bin
[2001/09/01 01:33:58 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll
[2001/08/08 16:13:22 | 000,012,351 | ---- | C] () -- C:\WINDOWS\System32\i81xcoin.dll

========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2010/03/27 07:52:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2011/05/12 20:04:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/05/12 06:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/04/29 22:39:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/27 18:30:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/04/14 12:01:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\dNnDeGkDfJm06504
[2011/05/02 22:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/09 19:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/12 06:42:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2009/10/18 12:26:21 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2002/07/27 00:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2010/03/31 06:49:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/05/01 08:57:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2002/07/27 00:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sbsi
[2011/05/11 21:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/30 23:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/10/15 22:02:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2011/04/17 12:23:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2011/05/01 08:57:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/11 19:18:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\10806\AcrobatUpdater.exe
[2010/09/21 14:37:40 | 000,932,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\10806\AdobeARM.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\10806\ReaderUpdater.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\13074\AcrobatUpdater.exe
[2010/09/21 14:37:40 | 000,932,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\13074\AdobeARM.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\13074\ReaderUpdater.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\2117\AcrobatUpdater.exe
[2010/09/21 14:37:40 | 000,932,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\2117\AdobeARM.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\2117\ReaderUpdater.exe
[2011/04/12 07:22:31 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\22388\AcrobatUpdater.exe
[2010/09/21 14:37:40 | 000,932,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\22388\AdobeARM.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\22388\ReaderUpdater.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\23384\AcrobatUpdater.exe
[2010/09/21 14:37:40 | 000,932,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\23384\AdobeARM.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\23384\ReaderUpdater.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5652\AcrobatUpdater.exe
[2010/09/21 14:37:40 | 000,932,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5652\AdobeARM.exe
[2010/09/21 14:37:40 | 000,338,856 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5652\ReaderUpdater.exe
[2011/05/09 14:12:34 | 004,350,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users\Application Data\MFAData\pack\avgmfapx.exe
[2011/02/07 23:33:06 | 000,276,320 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users\Application Data\MFAData\pack\avgntdumpx.exe
[2011/02/07 23:33:28 | 000,249,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users\Application Data\MFAData\pack\avgrunasx.exe
[2011/05/02 22:39:23 | 004,316,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users\Application Data\MFAData\SelfUpd\avgmfapx.exe
[2011/05/02 22:39:20 | 000,276,320 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users\Application Data\MFAData\SelfUpd\avgntdumpx.exe
[2011/02/07 23:33:28 | 000,249,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users\Application Data\MFAData\SelfUpd\avgrunasx.exe
[2010/03/27 07:48:03 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
[2005/01/21 21:30:58 | 000,090,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem495\Message.exe
[2005/01/21 22:32:16 | 000,079,504 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem495\setup.exe
[2010/04/14 20:55:47 | 003,108,544 | ---- | M] (HRB Technology, LLC. ) -- C:\Documents and Settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockNJ.exe
[2010/03/21 20:39:51 | 021,195,208 | ---- | M] (Acresso Software Inc. ) -- C:\Documents and Settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
[2011/04/17 16:21:15 | 003,004,320 | ---- | M] (HRB Technology, LLC. ) -- C:\Documents and Settings\All Users\Application Data\TaxCut\2010\Downloads\HRBlockNJ.exe

< %APPDATA%\*. >
[2010/04/11 07:36:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Adobe
[2009/10/17 21:04:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\ArcSoft
[2011/05/02 23:12:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\AVG10
[2009/12/15 23:17:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Corel
[2010/04/25 19:19:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\enchant
[2010/03/14 09:33:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Facebook
[2011/05/01 07:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\GetRightToGo
[2009/12/15 23:22:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Help
[2002/07/27 00:23:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Identities
[2009/12/26 15:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\InstallShield
[2002/07/27 00:23:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\InterTrust
[2009/10/18 20:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Macromedia
[2010/04/09 21:16:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Malwarebytes
[2011/04/29 22:36:27 | 000,000,000 | --SD | M] -- C:\Documents and Settings\BoB\Application Data\Microsoft
[2010/04/18 21:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Millennia
[2009/10/17 21:59:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Mozilla
[2002/07/27 00:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Share-to-Web Upload Folder
[2009/12/26 16:05:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Sony Corporation
[2010/01/17 12:43:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Sun
[2002/07/27 00:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Symantec
[2011/04/17 12:29:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\TaxCut
[2002/07/27 00:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\VERITAS
[2009/10/17 21:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\BoB\Application Data\Windows Search

< %APPDATA%\*.exe /s >
[2010/03/14 09:33:22 | 000,050,354 | ---- | M] (Facebook, Inc.) -- C:\Documents and Settings\BoB\Application Data\Facebook\uninstall.exe
[2010/01/31 21:45:40 | 000,038,784 | ---- | M] () -- C:\Documents and Settings\BoB\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
[2009/12/26 15:56:36 | 000,010,134 | R--- | M] () -- C:\Documents and Settings\BoB\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
[2011/05/05 21:34:54 | 000,388,096 | R--- | M] (Trend Micro Inc.) -- C:\Documents and Settings\BoB\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

< %SYSTEMDRIVE%\*.exe >
[2002/07/15 21:20:56 | 003,534,931 | ---- | M] () -- C:\0712i32.exe
[2002/07/15 21:53:56 | 003,537,441 | ---- | M] () -- C:\0715i32.exe
[2011/05/08 20:44:15 | 000,089,088 | ---- | M] () -- C:\mbr.exe

< %systemroot%\system32\*.dll /lockedfiles >
[2011/04/23 09:31:45 | 000,077,824 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\kbdbep.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2009/10/12 21:01:48 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/10/13 23:08:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/10/12 21:01:48 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/10/13 23:08:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\i386\AGP440.SYS
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2009/10/11 21:09:16 | 012,091,533 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2009/10/12 21:01:48 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/10/13 23:08:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/10/11 21:09:16 | 012,091,533 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp1.cab:atapi.sys
[2009/10/12 21:01:48 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/10/13 23:08:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NDIS.SYS >
[2008/04/13 15:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ERDNT\cache\ndis.sys
[2008/04/13 15:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ServicePackFiles\i386\ndis.sys
[2008/04/13 15:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\system32\drivers\ndis.sys
[2004/08/04 02:14:28 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\WINDOWS\$NtServicePackUninstall$\ndis.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USERINIT.EXE >
[2004/08/04 03:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< %systemroot%\system32\drivers\*.sys /90 >
[2011/04/14 21:28:42 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys
[2011/02/22 08:13:02 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys
[2011/03/01 14:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys
[2011/03/16 16:03:20 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgrkx86.sys
[2011/04/05 00:59:56 | 000,297,168 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys
[2011/05/02 22:14:23 | 000,016,968 | ---- | M] () -- C:\WINDOWS\system32\drivers\hitmanpro35.sys
[2011/02/17 09:18:24 | 000,455,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2011/02/17 09:18:03 | 000,357,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2002/07/23 20:09:11 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2002/07/23 20:09:11 | 000,606,208 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2002/07/23 20:09:11 | 000,376,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2011/04/23 09:31:45 | 000,077,824 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\kbdbep.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

#10 BillyAcer

BillyAcer
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:19 AM

Posted 13 May 2011 - 06:00 AM

Extras.txt

OTL Extras logfile created on: 5/12/2011 11:50:29 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\BoB\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 496.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.90 Gb Total Space | 14.76 Gb Free Space | 28.99% Space Free | Partition Type: NTFS
Drive D: | 5.02 Gb Total Space | 1.18 Gb Free Space | 23.43% Space Free | Partition Type: FAT32

Computer Name: BOB_HP_TOWER | User Name: BoB | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"6042:TCP" = 6042:TCP:*:Enabled:Services
"6043:TCP" = 6043:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"6042:TCP" = 6042:TCP:*:Enabled:Services
"6043:TCP" = 6043:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Legacy\FamilySearch\LegacyFS.exe" = C:\Legacy\FamilySearch\LegacyFS.exe:*:Enabled:LegacyFS -- (Legacy Family Tree)
"C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = RecordNow Update Manager
"{0E243038-5F19-457F-A5A1-287477354D75}" = H&R Block New Jersey 2010
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = DLA
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{1EEE2A9F-6471-42fa-8923-E8879168CE26}" = HP Photo and Imaging 1.1 - Photosmart Cameras
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{230E8DDC-FB78-4F9F-8461-22ED20DBC3BA}" = AVG 2011
"{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Productivity Pack
"{2B5DDB2C-0807-47FD-9C11-80EA761902C0}" = easy Internet sign-up
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4EDAE550-ACA5-4EF6-88BD-9F2B8BC2982D}" = GemMaster 2
"{4F0AE1FB-4082-4A27-8363-05D292D92FB0}" = Virtual Warfare
"{5122DF4B-3740-4F0B-B423-48C46BA5834C}" = H&R Block New Jersey 2009
"{529A52D1-5521-436B-83AB-1322780DCDAD}" = H&R Block Premium + Efile + State 2010
"{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009
"{63272979-21F0-48EF-9B97-A83DBC05BE39}" = Disney's Lilo and Stitch Pinball
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{753FE96B-D926-4B6C-BCFB-CC59153D004A}" = Snowboard Extreme
"{7ADE9F27-A175-447F-A4B4-B05FA82735E1}" = HP Deskjet 6900 series
"{8214CC02-6271-4DC8-B8DD-779933450264}" = RecordNow
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® 845G Chipset Graphics Driver Software
"{90CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{922B6E62-57DC-4153-97E3-12443BB5F9AE}" = SabreWing 2
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9FA01E11-9015-4140-B10A-5C6AA949B2FC}" = Space Rocks
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B279B0DA-6F60-4FBD-9847-0C9AB79A3674}" = PigPen
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1939820-A945-11D4-86F6-0001031E5712}" = InterVideo WinDVD
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Music Transfer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4E53304-1F6C-4111-9872-1BCD2CF5B642}" = AVG 2011
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D6CAB2F4-26A4-48F4-A35D-CA83063E3928}" = Speedway
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 ESD
"{D94A8E22-DF2B-4107-9E51-608A60A7671D}" = Personal Ancestral File 5
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"{E62C706B-1352-4DCA-B4D4-81C24750B70F}" = Detto IntelliMover Demo
"{F7A4D9BE-D989-45B9-BB49-2C0EA34B9991}" = Kublox
"{FF384BDE-429B-45AD-A0C6-E593393D9D1C}" = HP Memories Disc
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"AbiWord2" = AbiWord 2.8.4
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ArcSoft Software Suite" = ArcSoft Software Suite
"AVG" = AVG 2011
"BackWeb-137903 Uninstaller" = hp center
"CCleaner" = CCleaner (remove only)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ESET Online Scanner" = ESET Online Scanner v3
"HP Instant Support" = HP Instant Support
"HPTOOLKIT" = hp toolkit
"ie8" = Windows Internet Explorer 8
"Inactive HP Printer Drivers (Remove only)" = Inactive HP Printer Drivers (Remove only)
"Legacy 7.4" = Legacy 7.4
"LegacyChart7_is1" = Legacy Charting 7.4
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate1.7" = LiveUpdate 1.7 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PS2" = PS2
"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions
"Python 2.2.1" = Python 2.2.1
"Quicken Financial Center" = Quicken Financial Center
"S3Display" = S3Display
"S3Gamma2" = S3Gamma2
"S3Info2" = S3Info2
"S3Overlay" = S3Overlay
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"WIC" = Windows Imaging Component
"WildTangentDDC" = WildTangent Channel Manager
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinVNC_is1" = VNC 3.3.6
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WordPerfect Productivity Pack" = WordPerfect Productivity Pack
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/8/2010 8:31:52 PM | Computer Name = BOB_HP_TOWER | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3726, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/13/2010 11:12:41 AM | Computer Name = BOB_HP_TOWER | Source = Application Error | ID = 1000
Description = Faulting application psp.exe, version 7.0.0.0, faulting module mfc42.dll,
version 6.2.4131.0, fault address 0x00098f5a.

Error - 4/27/2010 9:56:23 PM | Computer Name = BOB_HP_TOWER | Source = Application Error | ID = 1000
Description = Faulting application psp.exe, version 7.0.0.0, faulting module psp.exe,
version 7.0.0.0, fault address 0x00415424.

Error - 4/30/2010 7:07:46 AM | Computer Name = BOB_HP_TOWER | Source = MsiInstaller | ID = 10005
Description = Product: AOL Mail and AIM Gadget -- You can only install this product
on Windows Vista

Error - 5/12/2010 3:28:04 AM | Computer Name = BOB_HP_TOWER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\BOB\RECENT\DESKTOP.INI> in the
hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A
device attached to the system is not functioning. (0x8007001f)

Error - 6/22/2010 11:04:49 AM | Computer Name = BOB_HP_TOWER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\BOB\RECENT\12-26-2009.LNK> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 6/22/2010 11:04:49 AM | Computer Name = BOB_HP_TOWER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\BOB\RECENT\12-26-2009.LNK> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 8/24/2010 1:35:05 PM | Computer Name = BOB_HP_TOWER | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3834, faulting module
js3250.dll, version 4.0.0.0, fault address 0x0003b399.

Error - 8/24/2010 4:19:13 PM | Computer Name = BOB_HP_TOWER | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3834, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/28/2010 2:33:31 PM | Computer Name = BOB_HP_TOWER | Source = Application Error | ID = 1000
Description = Faulting application spuvolumewatcher.exe, version 1.3.0.11130, faulting
module msvcr90.dll, version 9.0.30729.1, fault address 0x0006c955.

[ System Events ]
Error - 5/11/2011 11:44:17 PM | Computer Name = BOB_HP_TOWER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/11/2011 11:45:05 PM | Computer Name = BOB_HP_TOWER | Source = System Error | ID = 1003
Description = Error code 000000f4, parameter1 00000003, parameter2 86b64540, parameter3
86b646b4, parameter4 805fb1d6.

Error - 5/11/2011 11:59:28 PM | Computer Name = BOB_HP_TOWER | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 5/12/2011 12:00:51 AM | Computer Name = BOB_HP_TOWER | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 5/12/2011 12:00:51 AM | Computer Name = BOB_HP_TOWER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/12/2011 12:22:10 AM | Computer Name = BOB_HP_TOWER | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume C:.

Error - 5/12/2011 7:24:02 AM | Computer Name = BOB_HP_TOWER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to
connect.

Error - 5/12/2011 7:24:02 AM | Computer Name = BOB_HP_TOWER | Source = Service Control Manager | ID = 7000
Description = The AVGIDSAgent service failed to start due to the following error:
%%1053

Error - 5/12/2011 7:24:23 AM | Computer Name = BOB_HP_TOWER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 5/12/2011 9:32:25 PM | Computer Name = BOB_HP_TOWER | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume C:.


< End of report >
Note: chkdsk wants to run at every start-up.

Update note: I flushed the dns before the combofix run. I don't seem to have any more redirects. Does this make any sense?

Edited by BillyAcer, 13 May 2011 - 06:11 AM.


#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:19 PM

Posted 13 May 2011 - 01:37 PM

Good evening. :)

chkdsk wants to run at every start-up.

Let it do so. Windows is programmed to keep an eye out for disk issues and it will repair what it can and work around what it can't, as long as you let it.

I flushed the dns before the combofix run. I don't seem to have any more redirects. Does this make any sense?

Yup, makes perfect sense. I can explain it if you're interested, or not if you aren't.


Let Windows run chkdsk and then let me know how the PC is behaving itself.

So long, and thanks for all the fish.

#12 BillyAcer

BillyAcer
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:19 AM

Posted 13 May 2011 - 08:35 PM

Ran chkdsk and not getting any redirects. Seems a little slow to start up, but it seems to be running fine. What now?

Also, please explain about fix. Very curious.

Edited by BillyAcer, 13 May 2011 - 08:37 PM.


#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:19 PM

Posted 14 May 2011 - 02:51 PM

Good evening. :)

The difficulty with speed issues is that it is hard to nail down the exact cause. The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

Let me know how you get on.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In some ways the internet can be seen as working in a similar way to the phone system - sit back and learn more! :busy:

In order to connect to somebody using the phone, you need to know their phone number. If you have it to hand, you enter it in the phone and that's that. If you don't, you call directory enquiries, give them the name and/or address of the person you are trying to contact, and they supply the necessary info which you can then use to get who you want on the phone.

With the internet, you need to know the equivalent of a phone number, an IP address. IP stands for Internet Protocol, which is just a fancy name for the rules that make the internet work and which tells us what is and isn't a legitimate address - much as phone numbers need to be of a certain structure to be legitimate.

If you know the IP address, you enter that in the browser and connect to the appropriate website. If you don't, you need the internet equivalent of directory enquiries - a Domain Name Server.

Normally you don't involve yourself in this as your browser is coded to handle all this sort of thing behind the scenes. You enter the web address in the browser, your browser contacts a DNS to get the IP address, it replies and then your browser contacts the appropriate server that the IP address refers to, to get the web page that you want to look at. All this happens in fractions of a second usually, so you have to admire the whole set-up.

In order to cut down on the amount of times you contact a DNS, your browser has a place that it keeps the IP addresses it asks for, to save asking again if you visit the same site again - the DNS cache.

Your browser has no checks coded into it to ensure that these stored addresses are accurate, so it goes where the address points regardless of where that is. The infection you had resulted in your browser receiving inaccurate IP addresses, which is why you couldn't get your PC to go where you intended, and your browser, not knowing any better, stored these addresses for future use. Removing the cause of these inaccurate addresses meant that all new DNS requests were accurate, but it didn't remove the old, flawed data and your browser still referred to the cache and followed the addresses that it had. Removing this data, or "flushing the cache", meant that your browser had to start afresh with its list, and all new info being legit meant no more redirects.

Just as an example, you can connect to Google.com either by entering www.google.com in the address bar, or 209.85.147.99 - which is google.com's IP address.

So long, and thanks for all the fish.
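As an added example (not part of the thread, and not code from any of the tools mentioned in it), here is a small Python model of the cache behaviour described in the post above: a resolver cache keeps whatever answer it was given until the entry's TTL runs out and never re-checks it, so a redirect address learned during the infection keeps being served after the cause is removed, until the cache is flushed or the entry ages out. The hostname, addresses and TTL are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed example data: TEST-NET addresses, not real infrastructure.
NAME = "www.example.com"
TTL = 3600                  # seconds the upstream answer may be cached
GOOD = "203.0.113.10"       # the address the site really has
BAD = "198.51.100.66"       # where the infection's bogus answers pointed


class FakeClock:
    """Deterministic clock so the replay does not depend on wall time."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class CachingResolver:
    """Minimal stand-in for a browser/OS resolver cache: answers are trusted
    until their TTL runs out, and nothing re-validates them against upstream."""
    upstream: Callable[[str], Tuple[str, int]]   # name -> (address, ttl)
    clock: Callable[[], float]
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (address, expires_at)
    upstream_queries: int = 0

    def resolve(self, name: str) -> str:
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]          # cache hit: served as-is, right or wrong
        address, ttl = self.upstream(name)
        self.upstream_queries += 1
        self.cache[name] = (address, now + ttl)
        return address

    def flush(self) -> None:
        """What 'flushing the DNS' does: throw away every stored answer."""
        self.cache.clear()


def simulate(flush_cache: bool) -> Dict[str, object]:
    """Replay the thread's sequence: infection, cleanup, then flush or TTL expiry.

    Returns the address the browser would have been sent to at each stage."""
    zone = {NAME: (BAD, TTL)}                   # upstream answers while infected
    clock = FakeClock()
    resolver = CachingResolver(lambda n: zone[n], clock)
    result: Dict[str, object] = {}
    result["during_infection"] = resolver.resolve(NAME)  # BAD, and now cached
    zone[NAME] = (GOOD, TTL)                    # infection removed: upstream honest again
    clock.advance(60)
    result["after_cleanup"] = resolver.resolve(NAME)     # still BAD: stale cache entry
    if flush_cache:
        resolver.flush()                        # what the poster did
    else:
        clock.advance(TTL + 1)                  # alternatively, wait out the TTL
    result["after_remedy"] = resolver.resolve(NAME)      # GOOD either way
    result["upstream_queries"] = resolver.upstream_queries
    return result
```

On Windows the operating system's cache is the one cleared by ipconfig /flushdns; a browser may keep a cache of its own on top of it, which is why both can need clearing after a redirect infection is removed.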

#14 BillyAcer

BillyAcer
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:19 AM

Posted 16 May 2011 - 06:15 AM

OK, ran TFC and defrag. Still running well!

Interesting explanation. When was the infection actually removed? I ask this because when I flushed the DNS before after running programs, the redirects came back.

#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:19 PM

Posted 16 May 2011 - 02:16 PM

Good evening. :)

When was the infection actually removed? I ask this because when I flushed the DNS before after running programs, the redirects came back.

No idea, but assuming that flushing the cache actually solved the problem, sometime between the last time you did it and the time before.
I don't see anything in the logs that you posted, for the removal tools that I had you run, to indicate that anything that I can identify as the cause has been removed, so it's possible that your resident AV got rid of the nasty, or perhaps some other tool that you ran.

It looks like the top of the OTL.Txt file got cut off when you posted it, so I'd like you to post it again - it should start "OTL logfile created on:" and yours is "NetSvcs: NWCWorkstation - File not found".

So long, and thanks for all the fish.