Infected with Win32:Alureon or Windows Restore virus (not sure)


  • This topic is locked
26 replies to this topic

#1 Micke87
  • Members
  • 13 posts
  • Gender:Male
  • Location:Sweden

Posted 09 May 2011 - 09:53 PM

Hi, this is my first post here in the forums!

Yesterday, my computer was infected with what seems quite similar to the Windows Restore virus as described here: http://www.bleepingcomputer.com/virus-removal/remove-windows-restore
However, a virus scan revealed something called "Win32:Alureon-PS" and "Win32:Trojan-gen", so I'm not sure if there is a difference or if these are multiple viruses. I'll post the log entries from Avast at the time here as well:

2011-05-09 02:29:47 SYSTEM 1324 Sign of "JS:Pdfka-AYW [Expl]" has been found in "http://goodlee.net/forums2/images/c86c54e0066895838721b05fd8021179/8f5fd9599a0589dfc7ca6c69059c9729.pdf" file.
2011-05-09 02:29:53 SYSTEM 1324 Sign of "HTML:CVE-2010-1885-I [Expl]" has been found in "C:\Documents and Settings\Micke\Lokala inställningar\Temporary Internet Files\Content.IE5\U4VWTDFY\c86c54e0066895838721b05fd8021179[1].asx" file.
2011-05-09 02:31:14 SYSTEM 1324 Sign of "Win32:Alureon-PS" has been found in "C:\WINDOWS\system32\drivers\3622C.sys" file.
2011-05-09 03:45:32 Micke 1728 Sign of "Win32:Trojan-gen" has been found in "C:\Documents and Settings\Micke\Lokala inställningar\Temp\0.3631638257091241.swf" file.

What happened was that while I was surfing and pressed a link, Windows Media Player popped up along with warnings from Avast about viruses. Not being sure if it was something to be concerned about, I let Avast put the files in quarantine. I shut down Explorer and then got a warning pop-up message that said "The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system." just as in the explanation for the Windows Restore virus. This kept popping up on its own a few times. I didn't restart however, and launched Avast to make a scan when the Windows Restore "program" came up and started scanning. It might be a case of forgetfulness here, but I think the program was actually called Windows Recovery in my case (not sure though). Anyway, I figured it was a scam and closed it down. I also checked the Windows device manager for any actual hardware problems just to be sure, but there were none. As I closed that down, all of the icons on the desktop disappeared along with most things on the Start menu. I feared the worst and started checking the rest of the folders in C:, but apart from the files and folders in My Documents having been hidden, which I could just uncheck in Properties, everything was still there. Another warning showed up saying something about not being able to write a file to the Win32 folder and asking whether to continue, try again or abort, but I didn't press anything there. Also, as I tried to open the Task Manager I got a notice saying that it had been locked out by the system administrator.


This is pretty much what happened; I'll post all the required logs as well. But most importantly, I managed to do a system recovery back to May 7th and now things seem all right again. I'm not overly familiar with the way viruses work and now I just want to make sure that none of these remain after the system recovery.

A final question though (if this is the proper forum for it?): my Catalyst Control Center won't start after the system recovery. I'm getting an error message right after booting and it refuses to start when I try to. I also tried downloading the latest version again but with no luck. Is it possible that the system recovery caused this problem in any way? Is there anything vitally important that might get damaged or deleted when performing a recovery like this?

I hope this was a detailed enough description of my issues. Attached are the DDS and GMER logs. Thank you in advance for taking the time! :)

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Micke at 0:02:38,98 on 2011-05-10
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2047.1283 [GMT 2:00]
.
AV: avast! antivirus 4.8.1368 [VPS 110509-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Windows Defender\MSASCui.exe
C:\Program\Delade filer\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program\IObit\Advanced SystemCare 4\PMonitor.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\ATKKBService.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program\3\3Connect\AutoUpdateSrv.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program\3\3Connect\Wilog.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Micke\Skrivbord\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.se/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
uRun: [swg] "c:\program\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program\messenger\msmsgs.exe" /background
uRun: [Advanced SystemCare 4] "c:\program\iobit\advanced systemcare 4\ASCTray.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avast!] c:\program\alwils~1\avast4\ashDisp.exe
mRun: [Windows Defender] "c:\program\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe"
mRun: [ATICustomerCare] "c:\program\ati\aticustomercare\ATICustomerCare.exe"
mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [StartCCC] "c:\program\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\program\delade~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\uppdat~1.lnk - c:\program\3\3connect\AutoUpdateSrv.exe
IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {137E2DAC-9058-428F-919B-B704BF0C3F7C} = 80.251.201.177 80.251.201.178
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\program\wifd1f~1\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-28 114768]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program\iobit\advanced systemcare 4\ASCService.exe [2011-4-28 352656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-28 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program\alwil software\avast4\ashServ.exe [2009-8-28 138680]
R2 WinDefend;Windows Defender;c:\program\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program\alwil software\avast4\ashMaiSv.exe [2009-8-28 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program\alwil software\avast4\ashWebSv.exe [2009-8-28 352920]
S2 gupdate;Tjänsten Google Update (gupdate);c:\program\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2010-2-1 135664]
.
=============== Created Last 30 ================
.
2011-05-09 20:02:42 -------- d-----w- c:\program\AMD APP
2011-05-09 01:11:43 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-09 01:11:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-09 01:11:34 -------- d-----w- c:\program\Digital - A Love Story
2011-05-06 16:44:57 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{7d923d45-95cf-4527-95fb-68713a56698e}\mpengine.dll
2011-04-27 14:03:01 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2011-04-27 14:03:01 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2011-04-27 14:03:01 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2011-04-27 14:03:01 8192 ----a-w- c:\windows\system32\kbdkor.dll
2011-04-27 14:03:01 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2011-04-27 14:03:01 6144 ----a-w- c:\windows\system32\kbd101c.dll
2011-04-27 14:03:01 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2011-04-27 14:03:01 5632 ----a-w- c:\windows\system32\kbd103.dll
2011-04-27 14:02:59 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2011-04-27 14:02:59 6144 ----a-w- c:\windows\system32\kbd101b.dll
2011-04-27 14:02:58 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-04-27 14:02:58 6144 ----a-w- c:\windows\system32\kbd106.dll
2011-04-19 20:10:32 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-04-19 20:10:02 12385280 ----a-w- c:\windows\system32\amdocl.dll
2011-04-18 21:59:51 -------- d-----w- c:\docume~1\micke\applic~1\RenPy
.
==================== Find3M ====================
.
2011-04-20 02:38:50 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-04-20 02:29:06 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-04-20 02:29:00 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-04-20 02:24:20 5459968 ----a-w- c:\windows\system32\aticaldd.dll
2011-04-20 02:14:04 17743872 ----a-w- c:\windows\system32\atioglxx.dll
2011-04-20 02:04:00 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-04-20 02:02:58 302080 ----a-w- c:\windows\system32\ati2dvag.dll
2011-04-20 02:01:50 4017408 ----a-w- c:\windows\system32\ati3duag.dll
2011-04-20 01:55:20 1115008 ----a-w- c:\windows\system32\ativvamv.dll
2011-04-20 01:45:06 3265920 ----a-w- c:\windows\system32\ativvaxx.dll
2011-04-20 01:44:34 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-04-20 01:44:22 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-04-20 01:44:14 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-04-20 01:44:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-04-20 01:43:54 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-04-20 01:42:40 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-04-20 01:41:22 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-04-20 01:40:08 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-04-20 01:36:24 651264 ----a-w- c:\windows\system32\atikvmag.dll
2011-04-20 01:34:10 200704 ----a-w- c:\windows\system32\atiadlxx.dll
2011-04-20 01:33:52 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-04-20 01:30:48 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-04-20 01:28:32 851968 ----a-w- c:\windows\system32\ati2cqag.dll
2011-04-20 01:27:32 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-04-20 01:27:32 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-03-07 05:33:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:36:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53:40 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:09:59 1409 ----a-w- c:\windows\system32\tmp177ED.FOT
2011-02-23 23:50:28 1409 ----a-w- c:\windows\system32\tmp6BE59.FOT
2011-02-23 23:50:28 1409 ----a-w- c:\windows\system32\tmp69E59.FOT
2011-02-23 23:50:28 1409 ----a-w- c:\windows\system32\tmp5DE59.FOT
2011-02-22 23:07:46 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:07:45 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:07:45 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:43:15 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:54:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:54:03 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54:03 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 0:03:01,04 ===============
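As an added example (my own triage script, not part of the original post and not one of the BleepingComputer tools), here is a small Python program that reads the four avast! log lines quoted above, embedded as a constructed string rather than a live log file, plus two of the DDS "SERVICES / DRIVERS" lines. It classifies each hit by where the file landed (remote URL, browser cache, Temp, kernel driver), flags file names that are nothing but hex digits such as 3622C.sys, and links the first two hits through the 32-hex token that appears both in the exploit URL's path and in the cached .asx name, so they read as one drive-by rather than two separate events. The function and field names, the severity scale and the "random name" heuristic are assumptions of mine, not avast or DDS conventions.

```python
import re
from dataclasses import dataclass

# Constructed test input: the four avast! lines and two DDS driver lines quoted in
# the post above, embedded as strings (no live log files are read).
AVAST_LOG = r"""
2011-05-09 02:29:47 SYSTEM 1324 Sign of "JS:Pdfka-AYW [Expl]" has been found in "http://goodlee.net/forums2/images/c86c54e0066895838721b05fd8021179/8f5fd9599a0589dfc7ca6c69059c9729.pdf" file.
2011-05-09 02:29:53 SYSTEM 1324 Sign of "HTML:CVE-2010-1885-I [Expl]" has been found in "C:\Documents and Settings\Micke\Lokala inställningar\Temporary Internet Files\Content.IE5\U4VWTDFY\c86c54e0066895838721b05fd8021179[1].asx" file.
2011-05-09 02:31:14 SYSTEM 1324 Sign of "Win32:Alureon-PS" has been found in "C:\WINDOWS\system32\drivers\3622C.sys" file.
2011-05-09 03:45:32 Micke 1728 Sign of "Win32:Trojan-gen" has been found in "C:\Documents and Settings\Micke\Lokala inställningar\Temp\0.3631638257091241.swf" file.
"""
DDS_DRIVERS = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-28 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-28 20560]
"""

AVAST_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<account>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<target>[^"]+)" file\.$')
DDS_RE = re.compile(r'^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[[\d-]+ \d+\]$')
HEX_STEM_RE = re.compile(r'[0-9A-Fa-f]{4,}')   # whole file name is hex, e.g. 3622C
HEX32_RE = re.compile(r'[0-9a-f]{32}')         # 32-hex tokens used to tie hits together

@dataclass
class Finding:
    timestamp: str
    account: str
    pid: int
    signature: str
    target: str
    kind: str          # url, browser-cache, temp, kernel-driver, other
    severity: str      # medium, high, critical (my own scale)
    exploit: bool      # avast tags exploit content with "[Expl]"
    random_name: bool  # file name is nothing but hex digits
    tokens: tuple      # 32-hex tokens found in the target path

def basename(target: str) -> str:
    sep = "/" if target.lower().startswith(("http://", "https://")) else "\\"
    return target.rsplit(sep, 1)[-1]

def looks_random(name: str) -> bool:
    # Heuristic, not proof: drop the extension and any IE-cache "[n]" suffix,
    # then ask whether only hex digits remain. Legitimate files can match too.
    stem = re.sub(r"\[\d+\]$", "", name.rsplit(".", 1)[0])
    return HEX_STEM_RE.fullmatch(stem) is not None

def classify(target: str):
    low = target.lower()
    if low.startswith(("http://", "https://")):
        return "url", "medium"
    if "\\system32\\drivers\\" in low and low.endswith(".sys"):
        # A hit on a kernel driver means ring-0 code reached the disk; a later
        # System Restore is not evidence that it is gone.
        return "kernel-driver", "critical"
    if "\\temporary internet files\\" in low:
        return "browser-cache", "medium"
    if "\\temp\\" in low:
        return "temp", "high"
    return "other", "high"

def parse_avast(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if not m:
            continue   # blank line or not a detection record
        kind, severity = classify(m["target"])
        findings.append(Finding(
            m["ts"], m["account"], int(m["pid"]), m["sig"], m["target"], kind, severity,
            "[Expl]" in m["sig"], looks_random(basename(m["target"])),
            tuple(HEX32_RE.findall(m["target"].lower()))))
    return findings

def correlate(findings: list) -> dict:
    """Group hits that share a 32-hex token: the landing-page id in the URL
    reappears as the cached file's name, so those are one drive-by, not two."""
    groups = {}
    for f in findings:
        for tok in f.tokens:
            groups.setdefault(tok, []).append(f)
    return {tok: fs for tok, fs in groups.items() if len(fs) > 1}

SEVERITY_ORDER = ("medium", "high", "critical")

def worst(findings: list) -> str:
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="medium")

def random_named_dds_drivers(text: str) -> list:
    """Apply the same name test to DDS 'SERVICES / DRIVERS' lines. An empty result is
    not proof the driver is gone: DDS is a user-mode listing, and the helper asks for
    GMER (an anti-rootkit scanner) because rootkit drivers hide from such listings."""
    out = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if m and looks_random(basename(m["path"])):
            out.append(m["path"])
    return out

if __name__ == "__main__":
    hits = parse_avast(AVAST_LOG)
    for f in hits:
        print(f"{f.timestamp}  {f.severity:8} {f.kind:14} {f.signature:25} {basename(f.target)}")
    print("worst:", worst(hits))
    for tok, fs in correlate(hits).items():
        print("linked by", tok, "->", [f.timestamp for f in fs])
    print("random-named drivers in DDS list:", random_named_dds_drivers(DDS_DRIVERS))
```

Run as-is it prints one line per hit, reports "critical" as the worst severity because of the driver hit, and shows the first two hits linked by the token c86c54e0066895838721b05fd8021179. The DDS driver list posted after the restore contains no hex-named driver, which is consistent with the restore having removed 3622C.sys but, as the docstring says, is not proof of it.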


#2 Shannon2012
  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 21 May 2011 - 06:38 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right of this thread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, we need a log from the GMER anti-rootkit scanner, but, first, we need to disable your CD Emulation drivers.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next, please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the GMER log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 Micke87
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male
  • Location:Sweden

Posted 21 May 2011 - 11:42 PM

Hi Shannon!

I understand that the forum is busy, but it's great that this kind of help is available though!

First of all - unhiding all the files made a bunch of them, which I thought were gone due to the system restore, show up on my desktop again. Defogger was already enabled since I ran GMER the first time I posted. After I ran the GMER scan this time, which took at least four hours (!!), certain things stopped responding: the mouse pointer froze and stayed that way even though I re-connected the mouse itself, I couldn't run Task Manager or open folders on my desktop, etc. Task Manager cited a program error 0xc0000017 as the reason, but I'm not sure what to make of that. I had to restart the computer and now it seems fine at least.

The problem with Catalyst Control Center that I had is still there. I sent a question to ATI support just out of curiosity, since I thought that one of the files in Avast quarantine was used by CCC, and they replied that it seemed more like a corruption in .NET Framework, which GMER seems to suggest as well. They suggested I reinstall the drivers from my original disk, but I haven't done that due to my topic here. I'll just follow one professional at a time... ;)

The last thing I can think of right now, but I'm not 100% sure though, is that the font in my Google toolbar (yes, I have it because I think it's practical ;)) seems to have changed. It's different from the one used on google.com, but this must have happened in the last few days, because I just noticed it yesterday.

Anyway, I followed the steps in your post and here are the logs:

OTL.txt

OTL logfile created on: 2011-05-22 01:48:15 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Micke\Skrivbord
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 68,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program
Drive C: | 298,08 Gb Total Space | 60,66 Gb Free Space | 20,35% Space Free | Partition Type: NTFS
Drive E: | 21,20 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: MIKAEL-77EF4AA3 | User Name: Micke | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011-05-22 01:46:59 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Micke\Skrivbord\OTL.exe
PRC - [2011-04-21 16:54:40 | 000,402,832 | ---- | M] (IObit) -- C:\Program\IObit\Advanced SystemCare 4\ASCTray.exe
PRC - [2011-04-21 16:54:38 | 000,801,680 | ---- | M] (IObit) -- C:\Program\IObit\Advanced SystemCare 4\PMonitor.exe
PRC - [2011-04-21 16:54:38 | 000,352,656 | ---- | M] (IObit) -- C:\Program\IObit\Advanced SystemCare 4\ASCService.exe
PRC - [2010-01-11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program\Delade filer\Java\Java Update\jusched.exe
PRC - [2009-11-25 01:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program\Alwil Software\Avast4\ashDisp.exe
PRC - [2009-11-25 01:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program\Alwil Software\Avast4\ashServ.exe
PRC - [2009-11-25 01:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009-11-25 01:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009-11-25 01:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009-01-22 16:11:02 | 003,934,744 | ---- | M] (Birdstep Technology) -- C:\Program\3\3Connect\Wilog.exe
PRC - [2009-01-22 16:11:02 | 000,670,256 | ---- | M] (Birdstep Technology) -- C:\Program\3\3Connect\AutoUpdateSrv.exe
PRC - [2008-08-29 14:26:20 | 000,262,144 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\ATKKBService.exe
PRC - [2008-04-14 18:05:18 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\savedump.exe
PRC - [2008-04-14 18:05:06 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006-11-03 20:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program\Windows Defender\MSASCui.exe
PRC - [2006-11-03 20:20:06 | 000,293,144 | ---- | M] (Microsoft Corporation) -- C:\Program\Windows Defender\MpCmdRun.exe
PRC - [2006-11-03 20:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program\Windows Defender\MsMpEng.exe


========== Modules (SafeList) ==========

MOD - [2011-05-22 01:46:59 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Micke\Skrivbord\OTL.exe
MOD - [2010-08-23 18:12:54 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011-04-21 16:54:38 | 000,352,656 | ---- | M] (IObit) [Auto | Running] -- C:\Program\IObit\Advanced SystemCare 4\ASCService.exe -- (AdvancedSystemCareService)
SRV - [2009-11-25 01:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009-11-25 01:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009-11-25 01:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009-11-25 01:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008-08-29 14:26:20 | 000,262,144 | ---- | M] (ASUSTeK COMPUTER INC.) [Auto | Running] -- C:\WINDOWS\ATKKBService.exe -- (ATKKeyboardService)
SRV - [2006-11-03 20:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005-04-04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2011-04-20 04:41:56 | 006,537,728 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009-11-25 01:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009-11-25 01:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009-11-25 01:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009-11-25 01:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009-11-25 01:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009-11-25 01:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009-08-31 14:01:43 | 000,721,904 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008-10-31 07:52:16 | 000,093,184 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008-08-29 14:26:24 | 000,012,416 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\asusgsb.sys -- (asusgsb)
DRV - [2008-08-29 14:26:24 | 000,010,752 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Video3D32.sys -- (Video3D)
DRV - [2008-08-29 14:26:20 | 000,011,136 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\atkkbnt.sys -- (asuskbnt)
DRV - [2008-03-26 12:37:26 | 004,713,472 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007-11-17 09:43:56 | 000,022,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2007-11-17 09:43:46 | 000,054,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2007-10-12 09:53:10 | 000,013,312 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2007-08-08 12:12:40 | 000,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007-05-28 17:00:22 | 000,010,240 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdvrmng.sys -- (mdvrmng)
DRV - [2007-01-29 17:12:52 | 000,018,432 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AsusVRC.sys -- (ASUSVRC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-602162358-2025429265-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
IE - HKU\S-1-5-21-602162358-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004-08-04 14:00:00 | 000,000,710 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live inloggningshjälpen) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast!] C:\Program\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program\Delade filer\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program\Delade filer\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program\Delade filer\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-602162358-2025429265-839522115-1003..\Run: [Advanced SystemCare 4] C:\Program\IObit\Advanced SystemCare 4\ASCTray.exe (IObit)
O4 - HKU\S-1-5-21-602162358-2025429265-839522115-1003..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe (ASUSTeK Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Uppdateringsagent.lnk = C:\Program\3\3Connect\AutoUpdateSrv.exe (Birdstep Technology)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-2025429265-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll (Google Inc.)
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} http://simcity.ea.com/update/EARTPX.cab (EARTPatchX Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab (MaxisSimCity4PatcherX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Min aktuella startsida) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Micke\Lokala inställningar\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Micke\Lokala inställningar\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-08-27 22:39:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008-04-23 23:44:40 | 000,114,688 | R--- | M] (Huawei Technologies Co., Ltd.) - E:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2008-11-24 15:37:48 | 000,027,750 | R--- | M] () - E:\Autorun.ico -- [ CDFS ]
O32 - AutoRun File - [2007-10-29 14:25:38 | 000,000,047 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{650d238d-9351-11de-9dac-002421374407}\Shell - "" = AutoRun
O33 - MountPoints2\{650d238d-9351-11de-9dac-002421374407}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- [2008-04-23 23:44:40 | 000,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O33 - MountPoints2\{650d238e-9351-11de-9dac-002421374407}\Shell - "" = AutoRun
O33 - MountPoints2\{650d238e-9351-11de-9dac-002421374407}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- [2008-04-23 23:44:40 | 000,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O33 - MountPoints2\{adf34618-b0fb-11de-9de0-002421374407}\Shell - "" = AutoRun
O33 - MountPoints2\{adf34618-b0fb-11de-9de0-002421374407}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- [2008-04-23 23:44:40 | 000,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O33 - MountPoints2\{adf34619-b0fb-11de-9de0-002421374407}\Shell - "" = AutoRun
O33 - MountPoints2\{adf34619-b0fb-11de-9de0-002421374407}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- [2008-04-23 23:44:40 | 000,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011-05-22 01:46:51 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Micke\Skrivbord\OTL.exe
[2011-05-11 04:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011-05-11 02:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ATI
[2011-05-11 02:46:39 | 000,000,000 | ---D | C] -- C:\Program\AMD APP
[2011-05-11 02:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start-meny\Program\Catalyst Control Center
[2011-05-11 02:45:32 | 000,000,000 | ---D | C] -- C:\Program\ATI Technologies
[2011-05-11 02:45:30 | 000,000,000 | ---D | C] -- C:\Program\ATI
[2011-05-11 02:40:05 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Micke\Skrivbord\TFC.exe
[2011-05-11 02:28:50 | 051,487,152 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\Documents and Settings\Micke\Skrivbord\11-5_xp32_dd_ccc_ocl.exe
[2011-05-10 00:07:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Micke\Skrivbord\gmer
[2011-05-09 03:11:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Micke\Start-meny\Program\Digital - A Love Story
[2011-05-09 03:11:34 | 000,000,000 | ---D | C] -- C:\Program\Digital - A Love Story
[2011-05-09 03:11:29 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Micke\Recent
[2011-04-28 09:53:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start-meny\Program\Advanced SystemCare 4
[2011-04-27 16:03:01 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdjpn.dll
[2011-04-27 16:03:01 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdjpn.dll
[2011-04-27 16:03:01 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkor.dll
[2011-04-27 16:03:01 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdkor.dll
[2011-04-27 16:03:01 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101c.dll
[2011-04-27 16:03:01 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101c.dll
[2011-04-27 16:03:01 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd103.dll
[2011-04-27 16:03:01 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd103.dll
[2011-04-27 16:02:59 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101b.dll
[2011-04-27 16:02:59 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101b.dll
[2011-04-27 16:02:58 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd106.dll
[2011-04-27 16:02:58 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd106.dll

========== Files - Modified Within 30 Days ==========

[2011-05-22 01:46:59 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Micke\Skrivbord\OTL.exe
[2011-05-22 01:46:25 | 000,000,318 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011-05-22 01:43:39 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011-05-22 01:43:28 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011-05-22 01:43:27 | 000,000,258 | ---- | M] () -- C:\WINDOWS\tasks\ASC4_PerformanceMonitor.job
[2011-05-22 01:43:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011-05-22 01:14:01 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011-05-21 07:06:48 | 000,434,860 | ---- | M] () -- C:\WINDOWS\System32\perfh01D.dat
[2011-05-21 07:06:48 | 000,432,492 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011-05-21 07:06:48 | 000,078,942 | ---- | M] () -- C:\WINDOWS\System32\perfc01D.dat
[2011-05-21 07:06:47 | 000,067,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011-05-11 02:40:06 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Micke\Skrivbord\TFC.exe
[2011-05-11 02:28:55 | 051,487,152 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\Documents and Settings\Micke\Skrivbord\11-5_xp32_dd_ccc_ocl.exe
[2011-05-10 23:34:38 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\Micke\Skrivbord\Total War Shogun 2.lnk
[2011-05-10 00:06:59 | 000,293,775 | ---- | M] () -- C:\Documents and Settings\Micke\Skrivbord\gmer.zip
[2011-05-10 00:01:49 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Micke\Skrivbord\dds.scr
[2011-05-09 23:05:33 | 000,000,164 | ---- | M] () -- C:\Documents and Settings\Micke\defogger_reenable
[2011-05-09 02:41:20 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~20438820
[2011-05-09 02:41:19 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~20438820r
[2011-05-09 02:41:13 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\20438820
[2011-05-02 00:04:48 | 000,051,452 | -H-- | M] () -- C:\Documents and Settings\Micke\Skrivbord\03759d43-0397-4163-b1f8-cd6e2a700244.jpg
[2011-04-29 21:16:16 | 000,138,378 | -H-- | M] () -- C:\Documents and Settings\Micke\Skrivbord\ffffuuuu.jpg
[2011-04-29 21:13:34 | 000,050,574 | -H-- | M] () -- C:\Documents and Settings\Micke\Skrivbord\Clipboard01.jpg
[2011-04-29 21:07:34 | 001,555,254 | -H-- | M] () -- C:\Documents and Settings\Micke\Skrivbord\namnlös.bmp
[2011-04-28 09:53:17 | 000,000,852 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivbord\Quick Care.lnk
[2011-04-28 09:53:16 | 000,000,848 | ---- | M] () -- C:\Documents and Settings\Micke\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced SystemCare 4.lnk
[2011-04-28 09:53:16 | 000,000,830 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivbord\Advanced SystemCare 4.lnk
[2011-04-26 20:35:48 | 000,000,209 | -H-- | M] () -- C:\Documents and Settings\Micke\Skrivbord\Total War SHOGUN 2.url

========== Files Created - No Company Name ==========

[2011-05-11 02:45:48 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011-05-11 02:45:47 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011-05-10 23:33:57 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\Micke\Skrivbord\Total War Shogun 2.lnk
[2011-05-10 00:06:52 | 000,293,775 | ---- | C] () -- C:\Documents and Settings\Micke\Skrivbord\gmer.zip
[2011-05-10 00:01:39 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Micke\Skrivbord\dds.scr
[2011-05-09 23:05:25 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\Micke\defogger_reenable
[2011-05-09 02:41:19 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~20438820
[2011-05-09 02:41:19 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~20438820r
[2011-05-09 02:41:13 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\20438820
[2011-05-02 00:11:25 | 000,051,452 | -H-- | C] () -- C:\Documents and Settings\Micke\Skrivbord\03759d43-0397-4163-b1f8-cd6e2a700244.jpg
[2011-04-29 21:13:34 | 000,050,574 | -H-- | C] () -- C:\Documents and Settings\Micke\Skrivbord\Clipboard01.jpg
[2011-04-29 21:08:19 | 000,138,378 | -H-- | C] () -- C:\Documents and Settings\Micke\Skrivbord\ffffuuuu.jpg
[2011-04-29 21:07:31 | 001,555,254 | -H-- | C] () -- C:\Documents and Settings\Micke\Skrivbord\namnlös.bmp
[2011-04-28 09:53:29 | 000,000,258 | ---- | C] () -- C:\WINDOWS\tasks\ASC4_PerformanceMonitor.job
[2011-04-28 09:53:17 | 000,000,852 | ---- | C] () -- C:\Documents and Settings\All Users\Skrivbord\Quick Care.lnk
[2011-04-28 09:53:16 | 000,000,848 | ---- | C] () -- C:\Documents and Settings\Micke\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced SystemCare 4.lnk
[2011-04-28 09:53:16 | 000,000,830 | ---- | C] () -- C:\Documents and Settings\All Users\Skrivbord\Advanced SystemCare 4.lnk
[2011-04-26 20:35:47 | 000,000,209 | -H-- | C] () -- C:\Documents and Settings\Micke\Skrivbord\Total War SHOGUN 2.url
[2011-04-19 22:10:32 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2010-11-10 19:51:45 | 002,434,856 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_bc2.exe
[2010-03-29 20:15:38 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Micke\Lokala inställningar\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-10-30 18:04:56 | 000,000,532 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2009-10-10 15:54:14 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009-09-25 15:18:07 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009-09-01 02:19:31 | 000,138,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009-09-01 02:19:31 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\Micke\Application Data\PnkBstrK.sys
[2009-09-01 02:19:11 | 000,270,904 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2009-09-01 02:19:10 | 002,250,024 | ---- | C] () -- C:\WINDOWS\System32\pbsvc.exe
[2009-09-01 02:19:10 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2009-08-27 23:36:27 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\mdvrmng.sys
[2009-08-27 23:35:41 | 000,069,361 | ---- | C] () -- C:\WINDOWS\Huawei ModemsUninstall.exe
[2009-08-27 23:17:19 | 000,196,653 | ---- | C] () -- C:\WINDOWS\System32\drivers\aVivid.bin
[2009-08-27 23:17:19 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\nVivid.bin
[2009-08-27 23:17:19 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\nStandard.bin
[2009-08-27 23:17:19 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\nAsmedia.bin
[2009-08-27 23:17:19 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\nAdvanced.bin
[2009-08-27 23:17:19 | 000,196,582 | ---- | C] () -- C:\WINDOWS\System32\drivers\aStandard.bin
[2009-08-27 23:17:19 | 000,196,582 | ---- | C] () -- C:\WINDOWS\System32\drivers\aAsmedia.bin
[2009-08-27 23:17:18 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\aAdvanced.bin
[2009-08-27 23:17:18 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini
[2009-08-27 23:17:17 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009-08-27 23:17:17 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009-08-27 23:17:17 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\asfrench.dll
[2009-08-27 23:17:17 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asrussian.dll
[2009-08-27 23:17:17 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asgerman.dll
[2009-08-27 23:17:17 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll
[2009-08-27 23:17:17 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\askorean.dll
[2009-08-27 23:17:17 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\asjapan.dll
[2009-08-27 23:17:17 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\aschs.dll
[2009-08-27 23:17:16 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\ASCHT.dll
[2009-08-27 23:09:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009-08-27 23:05:04 | 003,107,788 | R--- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2009-08-27 23:05:04 | 000,233,012 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009-08-27 23:00:40 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009-08-27 22:57:44 | 000,003,636 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2009-08-27 22:45:30 | 000,004,293 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009-08-27 22:44:38 | 000,129,296 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009-08-27 22:40:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009-08-27 22:37:00 | 000,021,700 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007-11-26 21:56:28 | 000,151,415 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2007-03-20 17:16:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\ASDR.exe
[2004-10-11 11:19:00 | 000,092,672 | ---- | C] () -- C:\WINDOWS\System32\ASUSASV2.DLL
[2004-08-04 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004-08-04 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004-08-04 14:00:00 | 000,434,860 | ---- | C] () -- C:\WINDOWS\System32\perfh01D.dat
[2004-08-04 14:00:00 | 000,432,492 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004-08-04 14:00:00 | 000,274,932 | ---- | C] () -- C:\WINDOWS\System32\perfi01D.dat
[2004-08-04 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004-08-04 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004-08-04 14:00:00 | 000,078,942 | ---- | C] () -- C:\WINDOWS\System32\perfc01D.dat
[2004-08-04 14:00:00 | 000,067,448 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004-08-04 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004-08-04 14:00:00 | 000,033,234 | ---- | C] () -- C:\WINDOWS\System32\perfd01D.dat
[2004-08-04 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004-08-04 14:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004-08-04 14:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004-08-04 14:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004-08-04 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002-02-27 17:50:00 | 000,197,120 | ---- | C] () -- C:\WINDOWS\System32\patchw32.dll

< End of report >

Extras.txt

OTL Extras logfile created on: 2011-05-22 01:48:15 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Micke\Skrivbord
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 68,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program
Drive C: | 298,08 Gb Total Space | 60,66 Gb Free Space | 20,35% Space Free | Partition Type: NTFS
Drive E: | 21,20 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: MIKAEL-77EF4AA3 | User Name: Micke | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program\uTorrent\uTorrent.exe" = C:\Program\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Documents and Settings\Micke\Games\Company of Heroes\RelicCOH.exe" = C:\Documents and Settings\Micke\Games\Company of Heroes\RelicCOH.exe:*:Enabled:Company_of_Heroes -- (THQ Canada Inc.)
"C:\Program\Ubisoft\Far Cry 2\bin\FarCry2.exe" = C:\Program\Ubisoft\Far Cry 2\bin\FarCry2.exe:*:Enabled:Far Cry 2 -- (Ubisoft Entertainment)
"C:\Program\Ubisoft\Far Cry 2\bin\FC2Launcher.exe" = C:\Program\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater -- (Ubisoft)
"C:\Program\Ubisoft\Far Cry 2\bin\FC2Editor.exe" = C:\Program\Ubisoft\Far Cry 2\bin\FC2Editor.exe:*:Enabled:Editor -- (Ubisoft Entertainment)
"C:\Program\Anno.1404.DOD\tools\Anno4Web.exe" = C:\Program\Anno.1404.DOD\tools\Anno4Web.exe:*:Enabled:Anno4Web -- ()
"C:\Program\Java\jre6\bin\java.exe" = C:\Program\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program\S.W.A.T. 4\ContentExpansion\System\Swat4X.exe" = C:\Program\S.W.A.T. 4\ContentExpansion\System\Swat4X.exe:*:Enabled:SWAT 4 - The Stetchkov Syndicate -- (Sierra Entertainment, Inc.)
"C:\Program\S.W.A.T. 4\ContentExpansion\System\Swat4XDedicatedServer.exe" = C:\Program\S.W.A.T. 4\ContentExpansion\System\Swat4XDedicatedServer.exe:*:Enabled:SWAT 4 - The Stetchkov Syndicate Dedicated Server -- (Sierra Entertainment, Inc.)
"C:\Program\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" = C:\Program\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"C:\Program\Steam\steamapps\common\empire total war\Empire.exe" = C:\Program\Steam\steamapps\common\empire total war\Empire.exe:*:Enabled:Empire: Total War -- (The Creative Assembly Ltd)
"C:\Program\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe" = C:\Program\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe:*:Enabled:Ubisoft Game Launcher -- ()
"C:\Ubisoft\Silent Hunter 5\data\Browser\UPlayBrowser.exe" = C:\Ubisoft\Silent Hunter 5\data\Browser\UPlayBrowser.exe:*:Enabled:UPlayBrowser Application -- (Ubisoft Entertainment)
"C:\Program\Electronic Arts\Battlefield Bad Company 2\BFBC2Updater.exe" = C:\Program\Electronic Arts\Battlefield Bad Company 2\BFBC2Updater.exe:*:Enabled:Battlefield: Bad Company™ 2 -- (EA Digital Illusions CE AB)
"C:\Program\Electronic Arts\Battlefield Bad Company 2\BFBC2Game.exe" = C:\Program\Electronic Arts\Battlefield Bad Company 2\BFBC2Game.exe:*:Enabled:Battlefield: Bad Company™ 2 -- (EA Digital Illusions CE AB)
"C:\Program\CCP\EVE\bin\ExeFile.exe" = C:\Program\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile -- (CCP hf.)
"C:\Program\Steam\steam.exe" = C:\Program\Steam\steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Bohemia Interactive\ArmA 2\arma2.exe" = C:\Program Files\Bohemia Interactive\ArmA 2\arma2.exe:*:Enabled:ArmA 2 -- (Bohemia Interactive)
"C:\Ubisoft\Silent Hunter 5\sh5.exe" = C:\Ubisoft\Silent Hunter 5\sh5.exe:*:Enabled:Silent Hunter 5 -- (Ubisoft)
"C:\Program\Steam\steamapps\common\amnesia the dark descent\Launcher.exe" = C:\Program\Steam\steamapps\common\amnesia the dark descent\Launcher.exe:*:Enabled:Amnesia: The Dark Descent -- ()
"C:\Program\Steam\steamapps\common\total war shogun 2\Shogun2.exe" = C:\Program\Steam\steamapps\common\total war shogun 2\Shogun2.exe:*:Enabled:Total War: SHOGUN 2 -- (The Creative Assembly Ltd)
"C:\Program\Steam\steamapps\common\total war shogun 2\data\encyclopedia\how_to_play.html" = C:\Program\Steam\steamapps\common\total war shogun 2\data\encyclopedia\how_to_play.html:*:Enabled:Total War: SHOGUN 2 -- ()
"C:\Program\Steam\steamapps\common\total war shogun 2\benchmarks\benchmark_current_settings.bat" = C:\Program\Steam\steamapps\common\total war shogun 2\benchmarks\benchmark_current_settings.bat:*:Enabled:Total War: SHOGUN 2 -- ()
"C:\Program\Steam\steamapps\common\total war shogun 2\benchmarks\benchmark_specify_properties.bat" = C:\Program\Steam\steamapps\common\total war shogun 2\benchmarks\benchmark_specify_properties.bat:*:Enabled:Total War: SHOGUN 2 -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0A5DAE9E-DD2A-40D1-9AEB-06F31133A9DE}" = OpenOffice.org 3.2
"{0E93710D-31E5-477C-8A4B-5032B484BE74}" = Windows Live inloggningsassistenten
"{12453E04-9738-4D16-8408-D726532C2C69}" = ASUS VGA Driver
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19A492A0-888F-44A0-9B21-D91700763F62}" = Catalyst Control Center - Branding
"{1BA7B068-4719-42A3-B553-D4ED97434F92}" = ASUS Utilities
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C941d-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{3A1AB8E6-748E-4B95-AA2D-FE9952EB3106}" = OLYMPUS Master 2
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{3F0D0ABE-CDAF-431A-00BC-CBBE018EA74E}" = SimCity 4 Deluxe
"{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}" = NVIDIA PhysX
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5C9A7E65-5B71-4C7F-876A-8C6AF9E9E23D}" = The Saboteur™
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{6C9EF6DE-391E-665A-92F2-2BF72DF53E61}" = Catalyst Control Center
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7A529246-912F-4C40-A82A-E608DB702FD7}" = ASUS VideoSecurity Online
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}" = Microsoft Games for Windows - LIVE Redistributable
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{97E12F84-C033-4DA2-97D2-F540C3E292EA}" = Installer
"{9862B19F-4CAD-4EED-920F-2F378D84393F}" = ATI Parental Control & Encoder
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D71329D-95A5-4297-8F79-DCDBD156420A}" = Windows Live Essentials
"{9D7F058F-C711-412B-A2D3-ECE86215D675}" = ASUS Smart Doctor
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A1A30F3A-642A-46ae-B325-163B92FAC037}_is1" = «Achtung Panzer - Kharkov 1943»
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A724605D-B399-4304-B8C7-33B3EF7D4677}" = Bully Scholarship Edition
"{A899DA1F-D626-401C-8651-F2921E3B4CB3}" = 3Connect
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC61C594-5F86-4BE9-ABAF-763C6A8E2302}" = Silent Hunter 5
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{AFBF90DF-9FBE-002F-E8F4-2EC713678BD7}" = Catalyst Control Center InstallProxy
"{BB85B4D1-FE48-9AC2-ACF3-5833D539C606}" = ATI Catalyst Install Manager
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C85C8CE6-CA92-7CDC-75C3-AA9C22E7FD75}" = ccc-utility
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D0106CC2-E34B-4FA3-B6B6-91F0ACEA2CC3}" = Hearts of Iron III
"{D41DA7B0-DE4C-20A5-FC4C-F00327548F0D}" = CCC Help English
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F13225E2-6533-4923-A657-083A151E667E}" = Windows Live Messenger
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2835483-37F2-4123-B4FE-0E77D58447F2}" = Far Cry 2
"{F90D9C89-7918-7994-66CC-513C4A92D3A6}" = Catalyst Control Center Graphics Previews Common
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{THEGUILDREN-0010-2010-300520102330}_is1" = The Guild 2 - Renaissance
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced SystemCare 4_is1" = Advanced SystemCare 4
"ArmA 2" = ArmA 2 Uninstall
"avast!" = avast! Antivirus
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"Digital - A Love Story" = Digital - A Love Story 1.1
"DivX Setup.divx.com" = DivX Setup
"Emergency 2012" = Emergency 2012
"EVE" = EVE Online (remove only)
"Fraps" = Fraps
"Huawei Modems" = Huawei Modems
"ie8" = Windows Internet Explorer 8
"InstallShield_{7A529246-912F-4C40-A82A-E608DB702FD7}" = ASUS VideoSecurity Online
"InstallShield_{97E12F84-C033-4DA2-97D2-F540C3E292EA}" = SWAT 4 - The Stetchkov Syndicate
"InstallShield_{9D7F058F-C711-412B-A2D3-ECE86215D675}" = ASUS Smart Doctor
"InstallShield_{A724605D-B399-4304-B8C7-33B3EF7D4677}" = Bully Scholarship Edition
"IrfanView" = IrfanView (remove only)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mount&Blade Warband" = Mount&Blade Warband
"NVIDIA Drivers" = NVIDIA Drivers
"Polis 2" = Polis 2
"Polis 3" = Polis 3
"PunkBusterSvc" = PunkBuster Services
"S.W.A.T. 4_is1" = S.W.A.T. 4
"Steam App 10500" = Empire: Total War
"Steam App 34330" = Total War: SHOGUN 2
"Steam App 57300" = Amnesia: The Dark Descent
"Take Command - 2nd Manassas" = Take Command - 2nd Manassas
"Tropico3" = Tropico 3 1.00
"uTorrent" = µTorrent
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Vision Park" = Vision Park
"VLC media player" = VLC media player 1.0.2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-602162358-2025429265-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 2009-11-05 11:13:19 | Computer Name = MIKAEL-77EF4AA3 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.se/complete/search?hl=sv&q=myfreepaysite&cp=13 failed, 0000A413.


Error - 2011-05-09 10:01:43 | Computer Name = MIKAEL-77EF4AA3 | Source = avast! | ID = 33554522
Description = Error in aswChestS: chest s_NewFile Error 112.

Error - 2011-05-09 10:01:43 | Computer Name = MIKAEL-77EF4AA3 | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 112.

[ Application Events ]
Error - 2011-05-19 06:38:20 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-19 06:39:00 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-19 12:42:56 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-19 12:43:34 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-20 11:33:50 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-20 11:34:27 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-21 10:33:05 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-21 10:33:44 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-21 19:43:44 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.

Error - 2011-05-21 19:44:35 | Computer Name = MIKAEL-77EF4AA3 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 4c90e454, P4 mscorlib,
P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10
NIL.


< End of report >

-Gmer log in next post-

Edited by Micke87, 21 May 2011 - 11:49 PM.


#4 Micke87

Posted 21 May 2011 - 11:45 PM

gmer.log

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-22 05:57:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD3200AAKS-00L9A0 rev.01.03E01
Running: 9c7wo9iy.exe; Driver: C:\DOCUME~1\Micke\LOKALA~1\Temp\ffdcraod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAE1066B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAE106574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAE106A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAE10614C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAE10664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAE10608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAE1060F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAE10676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAE10672E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAE1068AE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6B8D000, 0x2A1A98, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x07 0x6E 0x77 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x08 0x73 0x54 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFF 0x55 0x60 0x97 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x07 0x6E 0x77 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x08 0x73 0x54 0x01 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFF 0x55 0x60 0x97 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB961371-v2$\fontsub.dll 80896 bytes executable
File C:\WINDOWS\$NtUninstallKB961371-v2$\kb961371-v2.cat 10782 bytes
File C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst 0 bytes
File C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe 232824 bytes executable
File C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.inf 6270 bytes
File C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.txt 410 bytes
File C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\updspapi.dll 392568 bytes executable
File C:\WINDOWS\$NtUninstallKB961371-v2$\t2embed.dll 117760 bytes executable
File C:\WINDOWS\Media\Windows XP - ding.wav 17132 bytes
File C:\WINDOWS\Media\chimes.wav 55776 bytes
File C:\WINDOWS\Media\chord.wav 97016 bytes
File C:\WINDOWS\Media\ding.wav 80856 bytes
File C:\WINDOWS\Media\flourish.mid 24253 bytes
File C:\WINDOWS\Media\notify.wav 119384 bytes
File C:\WINDOWS\Media\onestop.mid 40075 bytes
File C:\WINDOWS\Media\recycle.wav 25434 bytes
File C:\WINDOWS\Media\ringin.wav 10026 bytes
File C:\WINDOWS\Media\ringout.wav 5212 bytes
File C:\WINDOWS\Media\start.wav 1192 bytes
File C:\WINDOWS\Media\tada.wav 171100 bytes
File C:\WINDOWS\Media\town.mid 22097 bytes
File C:\WINDOWS\Media\Windows XP - ett popup-fönster blockerades.wav 29444 bytes
File C:\WINDOWS\Media\Windows XP - fel.wav 44136 bytes
File C:\WINDOWS\Media\Windows XP - Informationsfältet.wav 20336 bytes
File C:\WINDOWS\Media\Windows XP - inkommande samtal.wav 38930 bytes
File C:\WINDOWS\Media\Windows XP - inloggningsljud.wav 190208 bytes
File C:\WINDOWS\Media\Windows XP - kritisk energinivå.wav 36910 bytes
File C:\WINDOWS\Media\Windows XP - kritiskt stopp.wav 39382 bytes
File C:\WINDOWS\Media\Windows XP - låg energinivå.wav 53864 bytes
File C:\WINDOWS\Media\Windows XP - maskinvara läggs till.wav 36636 bytes
File C:\WINDOWS\Media\Windows XP - maskinvara tas bort.wav 36538 bytes
File C:\WINDOWS\Media\Windows XP - maskinvarufel.wav 36614 bytes
File C:\WINDOWS\Media\Windows XP - meddela.wav 48988 bytes
File C:\WINDOWS\Media\Windows XP - menykommando.wav 1404 bytes
File C:\WINDOWS\Media\Windows XP - minimera.wav 22580 bytes
File C:\WINDOWS\Media\Windows XP - pratbubbla.wav 6400 bytes
File C:\WINDOWS\Media\Windows XP - standard.wav 24530 bytes
File C:\WINDOWS\Media\Windows XP - start.wav 2202 bytes
File C:\WINDOWS\Media\Windows XP - uppstart.wav 424644 bytes
File C:\WINDOWS\Media\Windows XP - utgående samtal.wav 22070 bytes
File C:\WINDOWS\Media\Windows XP - utloggningsljud.wav 179704 bytes
File C:\WINDOWS\Media\Windows XP - utropstecken.wav 42576 bytes
File C:\WINDOWS\Media\Windows XP - utskrift har utförts.wav 43762 bytes
File C:\WINDOWS\Media\Windows XP - återställ.wav 19458 bytes
File C:\WINDOWS\Media\Windows XP - återvinn.wav 22816 bytes
File C:\WINDOWS\Media\Windows Feed Discovered.wav 19884 bytes
File C:\WINDOWS\Media\Windows Information Bar.wav 23308 bytes
File C:\WINDOWS\Media\Windows Navigation Start.wav 11340 bytes
File C:\WINDOWS\Media\Windows Pop-up Blocked.wav 85548 bytes
File C:\WINDOWS\Media\Windows XP - avsluta.wav 282608 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectInput.dll 159232 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.AudioVideoPlayback.dll 53248 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.AudioVideoPlayback.xml 33914 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Diagnostics.dll 12800 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Diagnostics.xml 10439 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3D.dll 473600 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3D.xml 849122 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3DX.dll 2676224 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3DX.xml 1391750 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectDraw.dll 145920 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectDraw.xml 755962 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectInput.xml 345509 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectPlay.dll 364544 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectPlay.xml 1252798 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectSound.dll 178176 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectSound.xml 348085 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.dll 223232 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.xml 265390 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2903.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2903.0\Microsoft.DirectX.Direct3DX.dll 2846720 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2903.0\Microsoft.DirectX.Direct3DX.xml 1413982 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2904.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2904.0\Microsoft.DirectX.Direct3DX.dll 563712 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2904.0\Microsoft.DirectX.Direct3DX.xml 1413060 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2905.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2905.0\Microsoft.DirectX.Direct3DX.dll 567296 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2905.0\Microsoft.DirectX.Direct3DX.xml 1417833 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2906.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2906.0\Microsoft.DirectX.Direct3DX.dll 576000 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2906.0\Microsoft.DirectX.Direct3DX.xml 1437695 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2907.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll 577024 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.xml 1437695 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2908.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2908.0\Microsoft.DirectX.Direct3DX.dll 577536 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2908.0\Microsoft.DirectX.Direct3DX.xml 1437695 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2909.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2909.0\Microsoft.DirectX.Direct3DX.dll 577536 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2909.0\Microsoft.DirectX.Direct3DX.xml 1437695 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2910.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.dll 578560 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.xml 1437695 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2911.0 0 bytes
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.dll 578560 bytes executable
File C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.xml 1437695 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\installutil.exe.config 353 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.cfg 5201 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll 96768 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config 351 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif 328 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif 952 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg 22500 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif 121 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif 2030 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg 8260 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif 61 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif 914 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif 90 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif 90 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg 1409 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif 1420 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif 162 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif 586 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif 124 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg 49 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif 49 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif 65 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif 65 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg 8683 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif 65 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif 65 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\yellowCORNER.gif 880 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\AppConfigHome.aspx 8100 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\AppSetting.ascx 3733 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppConfigHome.aspx.resx 3806 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.resx 1367 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\CreateAppSetting.aspx.resx 1539 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx 2829 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DefineErrorPage.aspx.resx 2457 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\EditAppSetting.aspx.resx 1110 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ManageAppSettings.aspx.resx 3097 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.resx 3351 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx 3669 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx 12253 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx 18173 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx 2304 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx 15196 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx 17787 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ApplicationConfigurationPage.cs 949 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\NavigationBar.cs 886 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\PasswordValueTextBox.cs 1188 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ProvidersPage.cs 4977 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\SecurityPage.cs 2677 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\WebAdminPage.cs 48637 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\WizardPage.cs 825 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\default.aspx.resx 2095 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.resx 1366 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.resx 1204 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.resx 859 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home2.aspx.resx 1169 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\navigationBar.ascx.resx 827 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp.aspx.resx 11802 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.resx 22286 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Internals.aspx.resx 6345 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Provider.aspx.resx 10532 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.resx 18221 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.resx 1559 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageconsolidatedProviders.aspx.resx 1412 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageProviders.aspx.resx 2320 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.resx 1011 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx 2462 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx 12595 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx 9713 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ProviderList.ascx 9089 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\security.aspx.resx 3736 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\security0.aspx.resx 1383 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.resx 1696 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.resx 2292 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.resx 2665 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx 11000 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx 21603 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.resx 2132 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.resx 2034 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx 7206 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx 9526 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx 10094 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx 1447 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx 2564 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\addUser.aspx 5300 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.resx 1539 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx 3276 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.resx 1988 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.resx 3549 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\editUser.aspx 12006 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx 7979 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx 15187 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\confirmation.ascx.resx 775 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizard.aspx.resx 2070 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.resx 1175 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAuthentication.ascx.resx 1867 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.resx 2298 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardFinish.ascx.resx 917 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardInit.ascx.resx 1550 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardPermission.ascx.resx 3645 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.resx 1157 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\confirmation.ascx 2367 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx 10930 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardAddUser.ascx 1682 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardAuthentication.ascx 2668 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardCreateRoles.ascx 7720 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardFinish.ascx 271 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardInit.ascx 491 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardPermission.ascx 25124 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardProviderInfo.ascx 1714 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\avantgo.browser 5763 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\cassio.browser 4097 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\Default.browser 12848 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\docomo.browser 62790 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\ericsson.browser 30330 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\EZWap.browser 2299 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\gateway.browser 9761 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\generic.browser 801 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\goAmerica.browser 16742 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\ie.browser 18396 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\Jataayu.browser 3636 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\jphone.browser 21509 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\legend.browser 2888 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\MME.browser 15311 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\mozilla.browser 13262 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\netscape.browser 6408 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\nokia.browser 63449 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\openwave.browser 154500 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\opera.browser 13328 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\palm.browser 26371 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\panasonic.browser 7274 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\pie.browser 25919 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\webtv.browser 2719 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\winwap.browser 3321 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\xiino.browser 3140 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe 168968 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe 881664 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.dll 397312 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.Dtc.dll 163840 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\MUI 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\MUI\0409 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\MUI\0409\ServiceModelEvents.dll.mui 27136 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModel.mof 84985 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModel.mof.uninstall 896 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll 11280 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui 27136 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe 156688 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceMonikerSupport.dll 20504 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_SMSvcHostPerfCounters.h 702 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_SMSvcHostPerfCounters.ini 132292 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_SMSvcHostPerfCounters.reg 3779 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_SMSvcHostPerfCounters.vrg 3777 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_TransactionBridgePerfCounters.h 705 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_TransactionBridgePerfCounters.ini 131728 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_TransactionBridgePerfCounters.reg 3275 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_TransactionBridgePerfCounters.vrg 3273 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll 110592 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe 132096 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config 1951 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll 970752 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll 5967872 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.Install.dll 73728 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.WasHosting.dll 32768 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe 152576 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelEndpointPerfCounters.h 1122 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelEndpointPerfCounters.ini 315320 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelEndpointPerfCounters.reg 4817 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelEndpointPerfCounters.vrg 4815 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelOperationPerfCounters.h 894 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelOperationPerfCounters.ini 244898 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelOperationPerfCounters.reg 3609 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelOperationPerfCounters.vrg 3607 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelServicePerfCounters.h 1838 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelServicePerfCounters.ini 559494 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelServicePerfCounters.reg 8261 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelServicePerfCounters.vrg 8259 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\SqlPersistenceService_Logic.sql 23900 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\SqlPersistenceService_Schema.sql 4296 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\Tracking_Logic.sql 381604 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\Tracking_Schema.sql 50798 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\en-US 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\en-US\PresentationHostDLL.dll.mui 69632 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\NaturalLanguage6.dll 806928 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\NlsData0009.dll 4883464 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\NlsLexicons0009.dll 2637840 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PenIMC.dll 71160 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationCFFRasterizer.dll 32768 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.cat 9510 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 46104 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe.config 161 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationHostDLL.dll 130408 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationUI.dll 864256 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\wpfgfx_v0300.dll 1736528 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe 78856 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.VisualBasic.targets 9606 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\1033 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\1033\cscompui.dll 168448 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\1033\vbc7ui.dll 233976 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess.exe 41992 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess.exe.config 158 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess32.exe 41992 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess32.exe.config 158 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInUtil.exe 41984 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInUtil.exe.config 158 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\csc.exe 1548280 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\csc.exe.config 221 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\csc.rsp 1326 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.config 156 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\default.win32manifest 490 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\EdmGen.exe 95224 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\EdmGen.exe.config 156 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\baseline.dat 225490 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\deffactory.dat 796 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\DeleteTemp.exe 97280 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\dlmgr.dll 276984 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1025.rtf 46893 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1028.rtf 53519 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1029.rtf 43814 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1031.rtf 41798 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1032.rtf 53977 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1033.rtf 110130 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1035.rtf 43216 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1036.rtf 42457 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1037.rtf 77913 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1038.rtf 44918 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1040.rtf 41708 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1041.rtf 61595 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1042.rtf 127418 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1043.rtf 40763 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1044.rtf 40854 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1045.rtf 45015 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1046.rtf 40995 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1049.rtf 74626 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1053.rtf 41314 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1055.rtf 46870 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.2070.rtf 43434 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.3082.rtf 41495 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\gencomp.dll 1064448 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\HtmlLite.dll 177152 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1025.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1028.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1029.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1030.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1031.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1032.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1035.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1036.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1037.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1038.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1040.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1041.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1042.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1043.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.1030.rtf 41822 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\eula.2052.rtf 51680 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1044.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1044.dll 121856 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1028.dll 89592 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1045.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1046.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1049.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1053.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.1055.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.2052.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.2070.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.3082.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\locdata.ini 16978 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\logo.bmp 5208 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\Logs 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\Logs\dd_dotnetfx35error.txt 2 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\Logs\dd_dotnetfx35install.txt 245146 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe 269304 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.sdb 76356 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1025.dll 113152 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1028.dll 84992 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1029.dll 125440 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1030.dll 126464 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1031.dll 130048 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1032.dll 137728 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1035.dll 122368 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1036.dll 133120 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1037.dll 111104 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1038.dll 132096 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1040.dll 128512 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1041.dll 97792 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1042.dll 94720 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1043.dll 129024 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1045.dll 128512 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1046.dll 122880 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1049.dll 123904 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1053.dll 121344 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1055.dll 121344 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.2052.dll 84480 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.2070.dll 131072 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.3082.dll 131584 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.dll 110080 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\SITSetup.dll 1364992 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs70uimgr.dll 632320 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vsbasereqs.dll 413184 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vsscenario.dll 689152 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.cab 7929057 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.dll 1054208 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi 652800 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.pdi 21744 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1025.dll 102904 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1029.dll 108536 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1030.dll 108536 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1031.dll 111608 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1032.dll 113656 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1035.dll 106488 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1036.dll 112120 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1037.dll 101368 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1038.dll 111096 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1040.dll 110072 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1041.dll 95224 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1042.dll 92664 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1043.dll 108536 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1044.dll 106488 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1045.dll 109048 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1046.dll 107512 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1049.dll 107000 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1053.dll 105976 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1055.dll 106488 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.2052.dll 89080 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.2070.dll 110072 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.3082.dll 111096 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.dll 107512 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapUI.dll 984056 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Build.Tasks.v3.5.dll 802816 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Build.xsd 2358 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Common.targets 200688 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Common.Tasks 11588 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.CSharp.targets 8927 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Data.Entity.Build.Tasks.dll 40960 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Data.Entity.targets 1767 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.VisualC.STLCLR.dll 41984 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.WinFx.targets 42784 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\MOF 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\MOF\ServiceModel35.mof 12702 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\MOF\ServiceModel35.mof.uninstall 684 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\MSBuild 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\MSBuild\Microsoft.Build.Commontypes.xsd 126940 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\MSBuild\Microsoft.Build.Core.xsd 26976 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\MSBuild.exe 91136 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\msbuild.exe.config 1581 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\MSBuild.rsp 732 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Sentinel.v3.5Client.dll 5632 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\SQL 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\SQL\EN 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\SQL\EN\DropSqlPersistenceProviderLogic.sql 2400 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\SQL\EN\DropSqlPersistenceProviderSchema.sql 1320 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\SQL\EN\SqlPersistenceProviderLogic.sql 13490 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\SQL\EN\SqlPersistenceProviderSchema.sql 2144 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\SqlServer.targets 2277 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\vbc.exe 1720824 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\vbc.exe.config 221 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\vbc.rsp 1489 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\WFServicesReg.exe 196104 bytes executable
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome\chrome.jar 10010 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome.manifest 1762 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\defaults 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\defaults\preferences 0 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\defaults\preferences\defaults.js 10351 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\install.rdf 1071 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\MicrosoftDotNetFrameworkAssistant.xpi 19153 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll 70648 bytes executable
File C:\WINDOWS\Minidump\Mini012111-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini012711-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini012811-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini021111-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini021611-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini022011-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini031011-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini040311-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini041911-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini042311-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini052211-01.dmp 94208 bytes
File C:\WINDOWS\Minidump\Mini101009-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini101009-02.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini121810-01.dmp 102400 bytes
File C:\WINDOWS\Minidump\Mini122910-01.dmp 102400 bytes
File C:\WINDOWS\msagent\intl\agt0404.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0405.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0406.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0407.dll 21504 bytes executable
File C:\WINDOWS\msagent\intl\agt0408.dll 22016 bytes executable
File C:\WINDOWS\msagent\intl\agt0409.dll 19968 bytes executable
File C:\WINDOWS\msagent\intl\agt040b.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt040c.dll 21504 bytes executable
File C:\WINDOWS\msagent\intl\agt040e.dll 19968 bytes executable
File C:\WINDOWS\msagent\intl\agt0410.dll 20992 bytes executable
File C:\WINDOWS\msagent\intl\agt0411.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0412.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0413.dll 20992 bytes executable
File C:\WINDOWS\msagent\intl\agt0414.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0415.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0416.dll 20480 bytes executable
File C:\WINDOWS\msagent\intl\agt0419.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt041d.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt041f.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0804.dll 19456 bytes executable
File C:\WINDOWS\msagent\intl\agt0816.dll 20992 bytes executable
File C:\WINDOWS\msagent\intl\agt0c0a.dll 20480 bytes executable
File C:\WINDOWS\$NtUninstallKB977165$\ntkrnlmp.exe 2146304 bytes executable
File C:\WINDOWS\$NtUninstallKB977165$\ntkrnlpa.exe 2024960 bytes executable
File C:\WINDOWS\$NtUninstallKB977165$\ntkrnlpa.exe.000 2066816 bytes executable
File C:\WINDOWS\$NtUninstallKB977165$\ntkrpamp.exe 2024960 bytes executable
File C:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe 2146304 bytes executable
File C:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe.000 2189952 bytes executable
File C:\WINDOWS\$NtUninstallKB977165$\spuninst 0 bytes
File C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe 232824 bytes executable
File C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.inf 11089 bytes
File C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.txt 1348 bytes
File C:\WINDOWS\$NtUninstallKB977165$\spuninst\updspapi.dll 392568 bytes executable
File C:\WINDOWS\$NtUninstallKB977914$\avifil32.dll 85504 bytes executable
File C:\WINDOWS\$NtUninstallKB977914$\iyuv_32.dll 47616 bytes executable
File C:\WINDOWS\$NtUninstallKB977914$\msrle32.dll 11264 bytes executable
File C:\WINDOWS\$NtUninstallKB977914$\msvidc32.dll 25600 bytes executable
File C:\WINDOWS\$NtUninstallKB977914$\spuninst 0 bytes
File C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe 232824 bytes executable
File C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.inf 10956 bytes
File C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.txt 1341 bytes
File C:\WINDOWS\$NtUninstallKB977914$\spuninst\updspapi.dll 392568 bytes executable
File C:\WINDOWS\$NtUninstallKB977914$\tsbyuv.dll 8192 bytes executable
File C:\WINDOWS\$NtUninstallKB979683$\ntkrnlmp.exe 2146304 bytes executable
File C:\WINDOWS\$NtUninstallKB979683$\ntkrnlpa.exe 2024960 bytes executable
File C:\WINDOWS\$NtUninstallKB979683$\ntkrnlpa.exe.000 2066816 bytes executable
File C:\WINDOWS\$NtUninstallKB979683$\ntkrpamp.exe 2024960 bytes executable
File C:\WINDOWS\$NtUninstallKB979683$\ntoskrnl.exe 2146304 bytes executable
File C:\WINDOWS\$NtUninstallKB979683$\ntoskrnl.exe.000 2189952 bytes executable
File C:\WINDOWS\$NtUninstallKB979683$\spuninst 0 bytes
File C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe 232824 bytes executable
File C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.inf 12237 bytes
File C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.txt 1405 bytes
File C:\WINDOWS\$NtUninstallKB979683$\spuninst\updspapi.dll 392568 bytes executable
File C:\WINDOWS\$NtUninstallKB981852$\ntkrnlmp.exe 2147328 bytes executable
File C:\WINDOWS\$NtUninstallKB981852$\ntkrnlpa.exe 2025472 bytes executable
File C:\WINDOWS\$NtUninstallKB981852$\ntkrnlpa.exe.000 2067584 bytes executable
File C:\WINDOWS\$NtUninstallKB981852$\ntkrpamp.exe 2025472 bytes executable
File C:\WINDOWS\$NtUninstallKB981852$\ntoskrnl.exe 2147328 bytes executable
File C:\WINDOWS\$NtUninstallKB981852$\ntoskrnl.exe.000 2190720 bytes executable
File C:\WINDOWS\$NtUninstallKB981852$\spuninst 0 bytes
File C:\WINDOWS\$NtUninstallKB981852$\spuninst\spuninst.exe 232824 bytes executable
File C:\WINDOWS\$NtUninstallKB981852$\spuninst\spuninst.inf 13524 bytes
File C:\WINDOWS\$NtUninstallKB981852$\spuninst\spuninst.txt 1405 bytes
File C:\WINDOWS\$NtUninstallKB981852$\spuninst\updspapi.dll 392568 bytes executable
File C:\WINDOWS\l2schemas\eaptlsconnectionpropertiesv1.xsd 3192 bytes
File C:\WINDOWS\l2schemas\baseeapconnectionpropertiesv1.xsd 1066 bytes
File C:\WINDOWS\l2schemas\baseeapmethodconfig.xsd 612 bytes
File C:\WINDOWS\l2schemas\baseeapmethodusercredentials.xsd 648 bytes
File C:\WINDOWS\l2schemas\baseeapuserpropertiesv1.xsd 1116 bytes
File C:\WINDOWS\l2schemas\eapcommon.xsd 752 bytes
File C:\WINDOWS\l2schemas\eapconnectionpropertiesv1.xsd 1159 bytes
File C:\WINDOWS\l2schemas\eaphostconfig.xsd 1115 bytes
File C:\WINDOWS\l2schemas\eaphostusercredentials.xsd 1193 bytes
File C:\WINDOWS\l2schemas\eaptlsuserpropertiesv1.xsd 1329 bytes
File C:\WINDOWS\l2schemas\eapuserpropertiesv1.xsd 789 bytes
File C:\WINDOWS\l2schemas\lan_policy_v1.xsd 2687 bytes
File C:\WINDOWS\l2schemas\lan_profile_v1.xsd 2241 bytes
File C:\WINDOWS\l2schemas\mschapv2connectionpropertiesv1.xsd 1271 bytes
File C:\WINDOWS\l2schemas\mschapv2userpropertiesv1.xsd 1410 bytes
File C:\WINDOWS\l2schemas\mspeapconnectionpropertiesv1.xsd 2843 bytes
File C:\WINDOWS\l2schemas\mspeapuserpropertiesv1.xsd 1484 bytes
File C:\WINDOWS\l2schemas\onex_v1.xsd 5957 bytes
File C:\WINDOWS\l2schemas\wlan_profile_v1.xsd 15263 bytes
File C:\WINDOWS\$NtUninstallKB2393802$\ntdll.dll 719360 bytes executable
File C:\WINDOWS\$NtUninstallKB2393802$\ntkrnlmp.exe 2147328 bytes executable
File C:\WINDOWS\$NtUninstallKB2393802$\ntkrnlpa.exe 2025472 bytes executable
File C:\WINDOWS\$NtUninstallKB2393802$\ntkrnlpa.exe.000 2067584 bytes executable
File C:\WINDOWS\$NtUninstallKB2393802$\ntkrpamp.exe 2025472 bytes executable
File C:\WINDOWS\$NtUninstallKB2393802$\ntoskrnl.exe 2147328 bytes executable
File C:\WINDOWS\$NtUninstallKB2393802$\ntoskrnl.exe.000 2190720 bytes executable
File C:\WINDOWS\$NtUninstallKB2393802$\spuninst 0 bytes
File C:\WINDOWS\$NtUninstallKB2393802$\spuninst\spuninst.exe 232824 bytes executable
File C:\WINDOWS\$NtUninstallKB2393802$\spuninst\spuninst.inf 15885 bytes
File C:\WINDOWS\$NtUninstallKB2393802$\spuninst\spuninst.txt 1658 bytes
File C:\WINDOWS\$NtUninstallKB2393802$\spuninst\updspapi.dll 392568 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msadco.dll 143360 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msado15.dll 536576 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msado20.tlb 61440 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msado21.tlb 61440 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msado25.tlb 81920 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msado26.tlb 81920 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msado27.tlb 81920 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msadomd.dll 180224 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msadox.dll 200704 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\msjro.dll 102400 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\odbc32.dll 249856 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\spuninst 0 bytes
File C:\WINDOWS\$NtUninstallKB2419632$\spuninst\spuninst.exe 232824 bytes executable
File C:\WINDOWS\$NtUninstallKB2419632$\spuninst\spuninst.inf 17072 bytes
File C:\WINDOWS\$NtUninstallKB2419632$\spuninst\spuninst.txt 2412 bytes
File C:\WINDOWS\$NtUninstallKB2419632$\spuninst\updspapi.dll 392568 bytes executable
File C:\WINDOWS\Cursors\3dgarro.cur 766 bytes
File C:\WINDOWS\Cursors\3dgmove.cur 766 bytes
File C:\WINDOWS\Cursors\3dgnesw.cur 766 bytes
File C:\WINDOWS\Cursors\3dgno.cur 766 bytes
File C:\WINDOWS\Cursors\3dgns.cur 766 bytes
File C:\WINDOWS\Cursors\3dgnwse.cur 766 bytes
File C:\WINDOWS\Cursors\3dgwe.cur 766 bytes
File C:\WINDOWS\Cursors\3dsmove.cur 766 bytes
File C:\WINDOWS\Cursors\3dsns.cur 766 bytes
File C:\WINDOWS\Cursors\3dsnwse.cur 766 bytes
File C:\WINDOWS\Cursors\3dwarro.cur 766 bytes
File C:\WINDOWS\Cursors\3dwmove.cur 766 bytes
File C:\WINDOWS\Cursors\3dwnesw.cur 766 bytes
File C:\WINDOWS\Cursors\3dwno.cur 766 bytes
File C:\WINDOWS\Cursors\3dwns.cur 766 bytes
File C:\WINDOWS\Cursors\3dwnwse.cur 766 bytes
File C:\WINDOWS\Cursors\3dwwe.cur 766 bytes
File C:\WINDOWS\Cursors\appstar2.ani 7962 bytes
File C:\WINDOWS\Cursors\appstar3.ani 7856 bytes
File C:\WINDOWS\Cursors\handnwse.ani 1700 bytes
File C:\WINDOWS\Cursors\handwait.ani 7530 bytes
File C:\WINDOWS\Cursors\handwe.ani 1698 bytes
File C:\WINDOWS\Cursors\harrow.cur 766 bytes
File C:\WINDOWS\Cursors\hcross.cur 766 bytes
File C:\WINDOWS\Cursors\help_i.cur 326 bytes
File C:\WINDOWS\Cursors\help_il.cur 766 bytes
File C:\WINDOWS\Cursors\help_im.cur 766 bytes
File C:\WINDOWS\Cursors\help_l.cur 766 bytes
File C:\WINDOWS\Cursors\help_m.cur 766 bytes
File C:\WINDOWS\Cursors\help_r.cur 326 bytes
File C:\WINDOWS\Cursors\help_rl.cur 766 bytes
File C:\WINDOWS\Cursors\help_rm.cur 766 bytes
File C:\WINDOWS\Cursors\hibeam.cur 766 bytes
File C:\WINDOWS\Cursors\hmove.cur 766 bytes
File C:\WINDOWS\Cursors\hnesw.cur 766 bytes
File C:\WINDOWS\Cursors\hnodrop.cur 766 bytes
File C:\WINDOWS\Cursors\hns.cur 766 bytes
File C:\WINDOWS\Cursors\hnwse.cur 766 bytes
File C:\WINDOWS\Cursors\horse.ani 18722 bytes
File C:\WINDOWS\Cursors\hourgla2.ani 11832 bytes
File C:\WINDOWS\Cursors\hourgla3.ani 11830 bytes
File C:\WINDOWS\Cursors\hourglas.ani 11824 bytes
File C:\WINDOWS\Cursors\hwe.cur 766 bytes
File C:\WINDOWS\Cursors\lappstrt.cur 766 bytes
File C:\WINDOWS\Cursors\larrow.cur 766 bytes
File C:\WINDOWS\Cursors\libeam.cur 766 bytes
File C:\WINDOWS\Cursors\lmove.cur 766 bytes
File C:\WINDOWS\Cursors\lnesw.cur 766 bytes
File C:\WINDOWS\Cursors\lnodrop.cur 766 bytes
File C:\WINDOWS\Cursors\lns.cur 766 bytes
File C:\WINDOWS\Cursors\lnwse.cur 766 bytes
File C:\WINDOWS\Cursors\lwait.cur 766 bytes
File C:\WINDOWS\Cursors\lwe.cur 766 bytes
File C:\WINDOWS\Cursors\metronom.ani 5674 bytes
File C:\WINDOWS\Cursors\move_i.cur 326 bytes
File C:\WINDOWS\Cursors\move_il.cur 766 bytes
File C:\WINDOWS\Cursors\move_im.cur 766 bytes
File C:\WINDOWS\Cursors\move_l.cur 766 bytes
File C:\WINDOWS\Cursors\move_m.cur 766 bytes
File C:\WINDOWS\Cursors\move_r.cur 326 bytes
File C:\WINDOWS\Cursors\move_rl.cur 766 bytes
File C:\WINDOWS\Cursors\move_rm.cur 766 bytes
File C:\WINDOWS\Cursors\no_i.cur 326 bytes
File C:\WINDOWS\Cursors\no_il.cur 766 bytes
File C:\WINDOWS\Cursors\no_im.cur 766 bytes
File C:\WINDOWS\Cursors\no_l.cur 766 bytes
File C:\WINDOWS\Cursors\no_m.cur 766 bytes
File C:\WINDOWS\Cursors\no_r.cur 326 bytes
File C:\WINDOWS\Cursors\no_rl.cur 766 bytes
File C:\WINDOWS\Cursors\no_rm.cur 766 bytes
File C:\WINDOWS\Cursors\pen_i.cur 326 bytes
File C:\WINDOWS\Cursors\pen_il.cur 766 bytes
File C:\WINDOWS\Cursors\pen_im.cur 766 bytes
File C:\WINDOWS\Cursors\pen_l.cur 766 bytes
File C:\WINDOWS\Cursors\pen_m.cur 766 bytes
File C:\WINDOWS\Cursors\pen_r.cur 326 bytes
File C:\WINDOWS\Cursors\pen_rl.cur 766 bytes
File C:\WINDOWS\Cursors\pen_rm.cur 766 bytes
File C:\WINDOWS\Cursors\piano.ani 4100 bytes
File C:\WINDOWS\Cursors\arrow_i.cur 326 bytes
File C:\WINDOWS\Cursors\arrow_il.cur 766 bytes
File C:\WINDOWS\Cursors\arrow_im.cur 766 bytes
File C:\WINDOWS\Cursors\arrow_l.cur 766 bytes
File C:\WINDOWS\Cursors\arrow_m.cur 766 bytes
File C:\WINDOWS\Cursors\arrow_r.cur 326 bytes
File C:\WINDOWS\Cursors\arrow_rl.cur 766 bytes
File C:\WINDOWS\Cursors\arrow_rm.cur 766 bytes
File C:\WINDOWS\Cursors\banana.ani 11904 bytes
File C:\WINDOWS\Cursors\barber.ani 8660 bytes
File C:\WINDOWS\Cursors\beam_i.cur 326 bytes
File C:\WINDOWS\Cursors\beam_il.cur 766 bytes
File C:\WINDOWS\Cursors\beam_im.cur 766 bytes
File C:\WINDOWS\Cursors\beam_l.cur 766 bytes
File C:\WINDOWS\Cursors\beam_m.cur 766 bytes
File C:\WINDOWS\Cursors\beam_r.cur 326 bytes
File C:\WINDOWS\Cursors\beam_rl.cur 766 bytes
File C:\WINDOWS\Cursors\beam_rm.cur 766 bytes
File C:\WINDOWS\Cursors\busy_i.cur 326 bytes
File C:\WINDOWS\Cursors\busy_il.cur 766 bytes
File C:\WINDOWS\Cursors\busy_im.cur 766 bytes
File C:\WINDOWS\Cursors\busy_l.cur 766 bytes
File C:\WINDOWS\Cursors\busy_m.cur 766 bytes
File C:\WINDOWS\Cursors\busy_r.cur 326 bytes
File C:\WINDOWS\Cursors\raindrop.ani 4826 bytes
File C:\WINDOWS\Cursors\size1_i.cur 326 bytes
File C:\WINDOWS\Cursors\size1_il.cur 766 bytes
File C:\WINDOWS\Cursors\size1_im.cur 766 bytes
File C:\WINDOWS\Cursors\size1_l.cur 766 bytes
File C:\WINDOWS\Cursors\size1_m.cur 766 bytes
File C:\WINDOWS\Cursors\size1_r.cur 326 bytes
File C:\WINDOWS\Cursors\size1_rl.cur 766 bytes
File C:\WINDOWS\Cursors\size1_rm.cur 766 bytes
File C:\WINDOWS\Cursors\size2_i.cur 326 bytes
File C:\WINDOWS\Cursors\size2_il.cur 766 bytes
File C:\WINDOWS\Cursors\size2_im.cur 766 bytes
File C:\WINDOWS\Cursors\size2_l.cur 766 bytes
File C:\WINDOWS\Cursors\size2_m.cur 766 bytes
File C:\WINDOWS\Cursors\size2_r.cur 326 bytes
File C:\WINDOWS\Cursors\size2_rl.cur 766 bytes
File C:\WINDOWS\Cursors\size2_rm.cur 766 bytes
File C:\WINDOWS\Cursors\size3_i.cur 326 bytes
File C:\WINDOWS\Cursors\size3_il.cur 766 bytes
File C:\WINDOWS\Cursors\size3_im.cur 766 bytes
File C:\WINDOWS\Cursors\size3_l.cur 766 bytes
File C:\WINDOWS\Cursors\size3_m.cur 766 bytes
File C:\WINDOWS\Cursors\size3_r.cur 326 bytes
File C:\WINDOWS\Cursors\size3_rl.cur 766 bytes
File C:\WINDOWS\Cursors\size4_i.cur 326 bytes
File C:\WINDOWS\Cursors\size4_il.cur 766 bytes
File C:\WINDOWS\Cursors\size4_im.cur 766 bytes
File C:\WINDOWS\Cursors\size4_l.cur 766 bytes
File C:\WINDOWS\Cursors\size4_m.cur 766 bytes
File C:\WINDOWS\Cursors\size4_r.cur 326 bytes
File C:\WINDOWS\Cursors\size4_rl.cur 766 bytes
File C:\WINDOWS\Cursors\size4_rm.cur 766 bytes
File C:\WINDOWS\Cursors\sizenesw.ani 818 bytes
File C:\WINDOWS\Cursors\sizens.ani 818 bytes
File C:\WINDOWS\Cursors\sizenwse.ani 818 bytes
File C:\WINDOWS\Cursors\sizewe.ani 818 bytes
File C:\WINDOWS\Cursors\stopwtch.ani 6712 bytes
File C:\WINDOWS\Cursors\up_i.cur 326 bytes
File C:\WINDOWS\Cursors\up_il.cur 326 bytes
File C:\WINDOWS\Cursors\up_im.cur 326 bytes
File C:\WINDOWS\Cursors\up_l.cur 766 bytes
File C:\WINDOWS\Cursors\up_m.cur 766 bytes
File C:\WINDOWS\Cursors\up_r.cur 326 bytes
File C:\WINDOWS\Cursors\up_rl.cur 326 bytes
File C:\WINDOWS\Cursors\up_rm.cur 326 bytes
File C:\WINDOWS\Cursors\vanisher.ani 1894 bytes
File C:\WINDOWS\Cursors\wagtail.ani 2548 bytes
File C:\WINDOWS\Cursors\wait_i.cur 326 bytes
File C:\WINDOWS\Cursors\wait_il.cur 766 bytes
File C:\WINDOWS\Cursors\wait_im.cur 766 bytes
File C:\WINDOWS\Cursors\wait_l.cur 766 bytes
File C:\WINDOWS\Cursors\wait_m.cur 766 bytes
File C:\WINDOWS\Cursors\wait_r.cur 326 bytes
File C:\WINDOWS\Cursors\wait_rl.cur 766 bytes
File C:\WINDOWS\Cursors\wait_rm.cur 766 bytes
File C:\WINDOWS\Cursors\appstart.ani 7954 bytes
File C:\WINDOWS\Cursors\busy_rl.cur 766 bytes
File C:\WINDOWS\Cursors\handns.ani 1698 bytes
File C:\WINDOWS\Cursors\lcross.cur 766 bytes
File C:\WINDOWS\Cursors\rainbow.ani 9824 bytes
File C:\WINDOWS\Cursors\size3_rm.cur 766 bytes
File C:\WINDOWS\Cursors\busy_rm.cur 766 bytes
File C:\WINDOWS\Cursors\coin.ani 7114 bytes
File C:\WINDOWS\Cursors\counter.ani 6832 bytes
File C:\WINDOWS\Cursors\cross.cur 766 bytes
File C:\WINDOWS\Cursors\cross_i.cur 326 bytes
File C:\WINDOWS\Cursors\cross_il.cur 766 bytes
File C:\WINDOWS\Cursors\cross_im.cur 766 bytes
File C:\WINDOWS\Cursors\cross_l.cur 766 bytes
File C:\WINDOWS\Cursors\cross_m.cur 766 bytes
File C:\WINDOWS\Cursors\cross_r.cur 326 bytes
File C:\WINDOWS\Cursors\cross_rl.cur 766 bytes
File C:\WINDOWS\Cursors\cross_rm.cur 766 bytes
File C:\WINDOWS\Cursors\dinosau2.ani 4804 bytes
File C:\WINDOWS\Cursors\dinosaur.ani 4804 bytes
File C:\WINDOWS\Cursors\drum.ani 3240 bytes
File C:\WINDOWS\Cursors\fillitup.ani 14936 bytes
File C:\WINDOWS\Cursors\hand.ani 3292 bytes
File C:\WINDOWS\Cursors\handapst.ani 6356 bytes
File C:\WINDOWS\Cursors\handnesw.ani 1700 bytes
File C:\WINDOWS\Cursors\handno.ani 4066 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud1.wav 354468 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud2.wav 86180 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud3.wav 172196 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud4.wav 86180 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud5.wav 86196 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud6.wav 343204 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud7.wav 343204 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud8.wav 172196 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\wmpaud9.wav 172196 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn 0 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\bktr.gif 1005 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\bktrh.gif 999 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\cloapp.gif 717 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\cloapph.gif 760 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\cnt.gif 773 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\cntd.gif 772 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\cnth.gif 773 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\taoff.gif 1380 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\taoffh.gif 1367 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\taon.gif 1398 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\taonh.gif 1380 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\tpause.gif 2450 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\tpauseh.gif 2371 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\tplay.gif 2469 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\tplayh.gif 2375 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\mplogo.gif 2545 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\mplogoh.gif 2778 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\tourbg.gif 23829 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\videobg.gif 17489 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\vidsamp.gif 5290 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks 0 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm1.gif 5789 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm2.gif 7636 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm3.gif 6241 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm4.gif 7369 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm5.gif 2477 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm6.gif 6060 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm7.gif 8677 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm8.gif 4193 bytes
File C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\wm9.gif 7892 bytes

---- Services - GMER 1.0.15 ----

Service c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Windows CardSpace/Microsoft Corporation) [MANUAL] idsvc <-- ROOTKIT !!!
Service c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (SMSvcHost.exe/Microsoft Corporation) [DISABLED] NetTcpPortSharing <-- ROOTKIT !!!
Service c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (PresentationFontCache.exe/Microsoft Corporation) [MANUAL] FontCache3.0.0.0 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#5 Micke87
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male
  • Location:Sweden

Posted 21 May 2011 - 11:59 PM

I noticed some things in the logs are in Swedish by the way, but just let me know if you need a translation of anything specific. :)

#6 Shannon2012
  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 22 May 2011 - 07:42 PM

Hi-

Sorry for the delay in responding- just got back in town. Give me a chance to look at the logs and I will get back with you.
Shannon

#7 Shannon2012
  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 22 May 2011 - 08:36 PM

Hi-

Let's do some more looking -

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Next, please download Malwarebytes' Anti-Malware (MBAM) from HERE.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

In your reply, please copy in the contents of the RKU and MBAM reports.
Shannon
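
The two reports the steps above produce (GMER's "Services" section, posted earlier in this thread with three `<-- ROOTKIT !!!` lines, and Rootkit Unhooker's ">Drivers" list) are flat text, and the raw verdicts need triage before anything is deleted: GMER 1.0.15 is commonly reported to flag the .NET Framework 3.0 services (idsvc, NetTcpPortSharing, FontCache3.0.0.0) as rootkits, while a malicious kernel driver often has no embedded vendor string and a random-looking filename (both heuristics, not proof). The Python script below is an added example for this page, not code from the thread or from either tool. It parses both line formats as they appear in the logs here, downgrades the .NET service hits to "likely false positive" (with the caveat that the vendor string is read from forgeable PE version info, so only an Authenticode check settles it), and flags drivers that lack vendor info, have hex-looking names, or load from outside system32. The sample report is constructed from lines like those in the thread; the driver 9e1b7.sys is invented for the example.

```python
"""Triage helper for the two report formats posted in this thread.

Added example for this page, not part of the thread or of either tool.
It parses GMER 1.0.15 'Service ...' lines and Rootkit Unhooker '>Drivers'
lines as they appear in the logs and applies a few rules a responder uses
before acting on a 'ROOTKIT !!!' verdict.  The sample report below is
constructed; the driver name 9e1b7.sys is invented.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# GMER service line:
# Service <image path> (<description>/<company>) [<start type>] <name> [<-- ROOTKIT !!!]
GMER_SERVICE = re.compile(
    r"^Service (?P<path>.+?) \((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\) "
    r"\[(?P<start>[A-Z_]+)\] (?P<name>\S+)(?P<flag> <-- ROOTKIT !!!)?$"
)
# Rootkit Unhooker driver line:
# 0x<base> <path or module name> <size> bytes [(<vendor>, <description>)]
RKU_DRIVER = re.compile(
    r"^0x(?P<base>[0-9A-F]{8}) (?P<path>.+?) (?P<size>\d+) bytes"
    r"(?: \((?P<info>.+)\))?$"
)
DOTNET_DIR = "\\microsoft.net\\framework\\"
SYSTEM_DIR = "\\windows\\system32\\"
HEX_NAME = re.compile(r"[0-9a-f]{4,10}", re.I)  # e.g. 9e1b7.sys


@dataclass
class Finding:
    source: str   # "gmer" or "rku"
    subject: str  # service name or driver path
    verdict: str  # ok | skip | likely-false-positive | investigate | suspicious
    reason: str


def judge_service(m: re.Match) -> Finding:
    name, path, vendor = m["name"], m["path"], m["vendor"]
    if not m["flag"]:
        return Finding("gmer", name, "ok", "not flagged by GMER")
    # GMER 1.0.15 regularly flags the .NET Framework 3.0 services this way.
    # The vendor string comes from PE version info and can be forged, so this
    # only downgrades the finding; an Authenticode check on the image is the
    # real test before dismissing it.
    if vendor == "Microsoft Corporation" and DOTNET_DIR in path.lower():
        return Finding("gmer", name, "likely-false-positive",
                       ".NET 3.0 service; verify signature before dismissing")
    return Finding("gmer", name, "investigate", "flagged ROOTKIT, no benign pattern")


def judge_driver(m: re.Match) -> Finding:
    path, info = m["path"], m["info"]
    stem = PureWindowsPath(path).stem
    vendor = info.split(", ", 1)[0].strip() if info else ""
    hex_name = HEX_NAME.fullmatch(stem) is not None
    if not info and "\\" not in path:
        return Finding("rku", path, "skip", "kernel pseudo-module, no file behind it")
    if stem.lower().startswith("dump_"):
        return Finding("rku", path, "ok", "crash-dump copy of the storage driver")
    if vendor in ("", "-") and hex_name:
        return Finding("rku", path, "suspicious", "no vendor string and hex-looking name")
    if vendor in ("", "-"):
        return Finding("rku", path, "investigate", "no embedded vendor/description")
    if hex_name:
        return Finding("rku", path, "investigate", "hex-looking name; verify signature")
    if "\\" in path and SYSTEM_DIR not in path.lower():
        return Finding("rku", path, "investigate", "loaded from outside system32")
    return Finding("rku", path, "ok", f"vendor string present ({vendor})")


def triage(report: str) -> List[Finding]:
    findings = []
    for line in (raw.strip() for raw in report.splitlines()):
        if m := GMER_SERVICE.match(line):
            findings.append(judge_service(m))
        elif m := RKU_DRIVER.match(line):
            findings.append(judge_driver(m))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.verdict for f in findings))


# Constructed sample modeled on the logs in this thread; 9e1b7.sys is invented.
SAMPLE_REPORT = r"""
---- Services - GMER 1.0.15 ----
Service c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Windows CardSpace/Microsoft Corporation) [MANUAL] idsvc <-- ROOTKIT !!!
Service c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (PresentationFontCache.exe/Microsoft Corporation) [MANUAL] FontCache3.0.0.0 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\9e1b7.sys (9e1b7.sys/) [AUTO] 9e1b7 <-- ROOTKIT !!!
>Drivers
0xF72F4000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0x804D7000 PnpManager 2265088 bytes
0xAE005000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF6721000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xAB219000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xAE4F0000 C:\WINDOWS\system32\drivers\9e1b7.sys 45056 bytes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.source}] {f.verdict:21} {f.subject}  -- {f.reason}")
    print(summarize(triage(SAMPLE_REPORT)))
```

Run it as a script and it prints one line per parsed entry plus a count per verdict. The rules are triage hints only: anything marked investigate or suspicious should be confirmed with a signature check and a hash lookup on the file before it is removed, and a "likely-false-positive" still deserves that signature check.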

#8 Micke87
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male
  • Location:Sweden

Posted 23 May 2011 - 05:00 AM

Right, I've performed both scans successfully and am posting the logs here.

A note on the MBAM scan though: when the program detected the first infection, Avast reacted with a warning and options for deletion. I moved the first file to quarantine through Avast, but thought just as I did it that I probably should let MBAM handle all the files. I removed the remaining 3 in MBAM, and then deleted the one that got sent to Avast quarantine through that program. The infection was called Win32:Zbot-NCO, a trojan, and the complete name of the file is:
C:\System Volume Information\_restore{48256E81-1721-4998-9475-57DA090D11CB}\RP503\A0079779.exe

Rootkit Unhooker:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF6AAE000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 6868992 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xAE306000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4882432 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF292000 C:\WINDOWS\System32\ati3duag.dll 4018176 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF9C6000 C:\WINDOWS\System32\ativvaxx.dll 3268608 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2265088 bytes
0x804D7000 RAW 2265088 bytes
0x804D7000 WMIxWDM 2265088 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6990000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 946176 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xBF093000 C:\WINDOWS\System32\ati2cqag.dll 851968 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF163000 C:\WINDOWS\System32\atikvmag.dll 716800 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xF72F4000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF212000 C:\WINDOWS\System32\atiok3x2.dll 524288 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)
0xAE11F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF68DA000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAE252000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAA8AB000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF045000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF667000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xAA522000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF012000 C:\WINDOWS\System32\atkdisp.dll 196608 bytes (ASUSTeK Computer Inc., ASUS Windows 2000/XP Display Driver)
0xF6938000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7438000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xAAD3C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF72C7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAA367000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAE18F000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF713B000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAE1DC000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF73E2000 dmio.sys 155648 bytes (Microsoft Corporation, Veritas Software, NT Disk Manager I/O Driver)
0xAE22C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF6721000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7163000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6A77000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAE1BA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAE0FE000 C:\WINDOWS\System32\Drivers\aswSP.SYS 135168 bytes (ALWIL Software, avast! self protection module)
0x80700000 ACPI_HAL 134400 bytes
0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF73AA000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7408000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF6745000 C:\WINDOWS\system32\drivers\AtiHdmi.sys 110592 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)
0xF72AD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xADFB3000 C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys 102400 bytes (Huawei Technologies Co., Ltd., USB Modem/Serial Device Driver)
0xF73CA000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAE005000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7381000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6979000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAB309000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 90112 bytes (ALWIL Software, avast! File System Filter Driver for Windows XP)
0xAACEB000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xAB40F000 C:\WINDOWS\system32\drivers\mdvrmng.sys 81920 bytes (-, SmartRoaming Client)
0xF6A9A000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAE2AB000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7398000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filter Driver)
0xF7427000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6968000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7697000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7517000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF74F7000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Driver)
0xF75F7000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7527000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAB141000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF75E7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF75B7000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 57344 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xF74C7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7567000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF74A7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7587000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7677000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7507000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7497000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7577000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7647000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (ALWIL Software, avast! TDI Filter Driver)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xF7487000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF75C7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7537000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 40960 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xF75A7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF74B7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF76A7000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7597000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7667000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAB219000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7657000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys 32768 bytes (ALWIL Software, avast! File System Access Blocking Driver)
0xF7797000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Driver)
0xF787F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\nvsmu.sys 32768 bytes (NVIDIA Corporation, NVIDIA® nForce™ SMU Microcontroller Driver)
0xF788F000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF780F000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF77F7000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7867000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF783F000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 28672 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF779F000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7847000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF786F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7887000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 20480 bytes (ALWIL Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xF781F000 C:\WINDOWS\system32\DRIVERS\AsusVRC.sys 20480 bytes (ASUSTeK COMPUTER INC., AsusVRC)
0xF784F000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7877000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF782F000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7837000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7827000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7807000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF774F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7269000 C:\WINDOWS\system32\drivers\asusgsb.sys 16384 bytes (ASUSTeK Computer Inc., ASUS Virtual Video Capture Device Driver)
0xAA663000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 16384 bytes (ALWIL Software, avast! TDI RDR Driver)
0xAA3CA000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xAE2F2000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, Filterdrivrutin för HID-mus)
0xF7933000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAB487000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7973000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF727D000 C:\WINDOWS\system32\drivers\atkkbnt.sys 12288 bytes (ASUSTeK COMPUTER INC., ASUS Help driver For Keyboard Service.)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xAE2EE000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF68C2000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF68B2000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, Filterdrivrutin för HID-mus)
0xF7917000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF797B000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7271000 C:\WINDOWS\System32\Drivers\Video3D32.sys 12288 bytes (ASUSTeK COMPUTER INC., ASUS Video3D driver)
0xF7281000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF79ED000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798B000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79FD000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79EB000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79EF000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79F1000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79D1000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79D3000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7AB2000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BDD000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7B22000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE-bussdrivrutin)
==============================================
>Stealth
==============================================


Nothing detected :(

And the MBAM log here:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6647

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011-05-23 11:35:41
mbam-log-2011-05-23 (11-35-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 382441
Time elapsed: 1 hour(s), 32 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Micke\mina dokument\downloads\anno.1404.dawn.of.discovery.eng.rip-tptb\d3drm.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{48256e81-1721-4998-9475-57da090d11cb}\rp503\a0079779.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{48256e81-1721-4998-9475-57da090d11cb}\RP503\A0079780.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.

#9 Micke87 (Topic Starter)

Posted 23 May 2011 - 05:21 AM

I also have some files left in the Avast quarantine from the original infection, but I'm not sure what to do with those. Some apparently are system files, but I'm not sure whether they're actually infected and, if so, whether I should remove them or not. I'll post the scan results of the quarantined files in Avast here, in case they might help you further in determining the extent of my infection. Again, some of it's in Swedish, but the results are there anyway. Some files are much older, as you'll see, and not part of this particular infection, but I thought it would be better if I posted the full log:

Skanning av valda filer

Funktionen slutfördes!

Virus har hittats!
Filnamn: AppletPanel.class
FilID: 10
Virusförklaring: Java:Jade-C [Heur]

Virus har hittats!
Filnamn: jar_cache6529236155996653407.tmp
FilID: 11
Virusförklaring: Java:Agent-N [Trj]

Virus har hittats!
Filnamn: c86c54e0066895838721b05fd8021179[1].asx
FilID: 12
Virusförklaring: HTML:CVE-2010-1885-I [Expl]

Virus har hittats!
Filnamn: 3622C.sys
FilID: 13
Virusförklaring: Win32:Crypt-JGW [Trj]

Virus har hittats!
Filnamn: 3622C.sys
FilID: 13
Virusförklaring: Win32:Crypt-JGW [Trj]

Virus har hittats!
Filnamn: 0.3631638257091241.swf
FilID: 14
Virusförklaring: Win32:Trojan-gen

Virus har hittats!
Filnamn: Exex.class
FilID: 15
Virusförklaring: Java:Agent-FB [Expl]

Virus har hittats!
Filnamn: Start.class
FilID: 16
Virusförklaring: Java:Agent-HN [Expl]

Virus har hittats!
Filnamn: wscsvc32.exe
FilID: 7
Virusförklaring: Win32:MalOb-T [Cryp]

Virus har hittats!
Filnamn: wscsvc32.exe
FilID: 7
Virusförklaring: Win32:Alureon-AS [Trj]

Virus har hittats!
Filnamn: AppletPanel.class
FilID: 8
Virusförklaring: Java:Jade-C [Heur]

Virus har hittats!
Filnamn: jar_cache6120832591378224543.tmp
FilID: 9
Virusförklaring: Java:Agent-N [Trj]

Detailed information:

Skanning av valda filer
------------------------------------------------------------------------------------------
Programmet kommer försöka skanna 16 valda filer i karantän

Flytta filer till temporär mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp
FilID: 0000000014 Ursprungligt filnamn: C:\Documents and Settings\Micke\Lokala inställningar\Temp\0.3631638257091241.swf Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\14.swf
FilID: 0000000013 Ursprungligt filnamn: C:\WINDOWS\system32\drivers\3622C.sys Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\13.sys
FilID: 0000000008 Ursprungligt filnamn: C:\Documents and Settings\Micke\Lokala inställningar\Temp\jar_cache6120832591378224543.tmp\AppletPanel.class Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\8.class
FilID: 0000000010 Ursprungligt filnamn: C:\Documents and Settings\Micke\Lokala inställningar\Temp\jar_cache6529236155996653407.tmp\AppletPanel.class Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\10.class
FilID: 0000000012 Ursprungligt filnamn: C:\Documents and Settings\Micke\Lokala inställningar\Temporary Internet Files\Content.IE5\U4VWTDFY\c86c54e0066895838721b05fd8021179[1].asx Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\12.asx
FilID: 0000000015 Ursprungligt filnamn: C:\Documents and Settings\Micke\Lokala inställningar\Temp\jar_cache8572511386933910705.tmp\browse\Exex.class Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\15.class
FilID: 0000000009 Ursprungligt filnamn: C:\Documents and Settings\Micke\Lokala inställningar\Temp\jar_cache6120832591378224543.tmp Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\9.tmp
FilID: 0000000011 Ursprungligt filnamn: C:\Documents and Settings\Micke\Lokala inställningar\Temp\jar_cache6529236155996653407.tmp Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\11.tmp
FilID: 0000000001 Ursprungligt filnamn: C:\WINDOWS\system32\kernel32.dll Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\1.dll
FilID: 0000000004 Ursprungligt filnamn: C:\WINDOWS\system32\kernel32.dll Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\4.dll
FilID: 0000000005 Ursprungligt filnamn: C:\WINDOWS\system32\kernel32.dll Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\5.dll
FilID: 0000000016 Ursprungligt filnamn: C:\Documents and Settings\Micke\Lokala inställningar\Temp\jar_cache8572511386933910705.tmp\browse\Start.class Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\16.class
FilID: 0000000002 Ursprungligt filnamn: C:\WINDOWS\system32\winsock.dll Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\2.dll
FilID: 0000000007 Ursprungligt filnamn: C:\DOCUME~1\Micke\LOKALA~1\Temp\wscsvc32.exe Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\7.exe
FilID: 0000000003 Ursprungligt filnamn: C:\WINDOWS\system32\wsock32.dll Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\3.dll
FilID: 0000000006 Ursprungligt filnamn: C:\WINDOWS\system32\wsock32.dll Ny Mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\6.dll

Skanna filer i temporär mapp: C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\1.dll -- inga virus --
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\10.class Java:Jade-C [Heur]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\11.tmp\Main.class Java:Agent-N [Trj]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\11.tmp -- inga virus --
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\12.asx HTML:CVE-2010-1885-I [Expl]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\13.sys\[Embedded_I#08818] Win32:Crypt-JGW [Trj]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\13.sys\[Embedded_I#13d38] -- inga virus --
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\13.sys Win32:Crypt-JGW [Trj]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\14.swf Win32:Trojan-gen
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\15.class Java:Agent-FB [Expl]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\16.class Java:Agent-HN [Expl]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\2.dll -- inga virus --
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\3.dll -- inga virus --
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\4.dll -- inga virus --
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\5.dll -- inga virus --
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\6.dll -- inga virus --
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\7.exe\[Embedded_R#9de34] Win32:MalOb-T [Cryp]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\7.exe Win32:Alureon-AS [Trj]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\8.class Java:Jade-C [Heur]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\9.tmp\Main.class Java:Agent-N [Trj]
C:\DOCUME~1\Micke\LOKALA~1\Temp\_avast4_\unp157211363.tmp\9.tmp -- inga virus --
------------------------------------------------------------------------------------------
Funktionen slutfördes!

#10 Shannon2012 (Security Colleague)

Posted 23 May 2011 - 10:56 AM

Hi-

Thank you for the reports and the Avast output. I am putting Google Translate to good use.

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Shannon

#11 Micke87 (Topic Starter)

Posted 23 May 2011 - 12:55 PM

OK, I ran ComboFix without any problems:

ComboFix 11-05-22.02 - Micke 2011-05-23 19:28:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2047.1392 [GMT 2:00]
Körs från: c:\documents and settings\Micke\Skrivbord\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 110523-0] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\text.txt
.
.
(((((((((((((((((((((((( Filer Skapade från 2011-04-23 till 2011-05-23 ))))))))))))))))))))))))))))))
.
.
2011-05-23 07:54 . 2011-05-23 07:54 -------- d-----w- c:\documents and settings\Micke\Application Data\Malwarebytes
2011-05-23 07:53 . 2011-05-23 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-23 07:53 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-23 07:53 . 2011-05-23 07:53 -------- d-----w- c:\program\Malwarebytes' Anti-Malware
2011-05-23 07:53 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-20 15:41 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{66444E0B-47F0-4D10-B3E1-CD1C4A42C423}\mpengine.dll
2011-05-11 02:59 . 2011-05-11 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-11 00:48 . 2011-05-11 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2011-05-11 00:46 . 2011-05-11 00:46 -------- d-----w- c:\program\AMD APP
2011-05-11 00:45 . 2011-05-11 00:46 -------- d-----w- c:\program\ATI Technologies
2011-05-11 00:45 . 2011-05-11 00:45 -------- d-----w- c:\program\ATI
2011-05-09 01:11 . 2011-05-09 01:11 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-09 01:11 . 2011-05-09 01:11 -------- d-----w- c:\program\Digital - A Love Story
2011-04-27 14:03 . 2001-08-18 04:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2011-04-27 14:03 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2011-04-27 14:03 . 2001-08-18 04:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2011-04-27 14:03 . 2001-08-18 04:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2011-04-27 14:03 . 2001-08-17 20:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2011-04-27 14:03 . 2001-08-17 20:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2011-04-27 14:03 . 2001-08-17 20:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2011-04-27 14:03 . 2001-08-17 20:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2011-04-27 14:02 . 2001-08-17 20:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2011-04-27 14:02 . 2001-08-17 20:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2011-04-27 14:02 . 2008-04-14 16:03 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-04-27 14:02 . 2008-04-14 16:03 6144 ----a-w- c:\windows\system32\kbd106.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-20 02:41 . 2008-12-01 09:13 6537728 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-04-20 02:38 . 2009-08-27 21:05 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-04-20 02:29 . 2009-08-14 01:21 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-04-20 02:29 . 2009-08-14 01:20 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-04-20 02:24 . 2009-08-14 01:19 5459968 ----a-w- c:\windows\system32\aticaldd.dll
2011-04-20 02:14 . 2008-12-01 07:46 17743872 ----a-w- c:\windows\system32\atioglxx.dll
2011-04-20 02:04 . 2009-08-27 21:05 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-04-20 02:02 . 2008-12-01 07:51 302080 ----a-w- c:\windows\system32\ati2dvag.dll
2011-04-20 02:01 . 2008-12-01 07:27 4017408 ----a-w- c:\windows\system32\ati3duag.dll
2011-04-20 01:55 . 2011-02-11 13:15 1115008 ----a-w- c:\windows\system32\ativvamv.dll
2011-04-20 01:45 . 2008-12-01 07:11 3265920 ----a-w- c:\windows\system32\ativvaxx.dll
2011-04-20 01:44 . 2008-12-01 07:41 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-04-20 01:44 . 2008-12-01 07:40 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-04-20 01:44 . 2008-12-01 07:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-04-20 01:44 . 2008-12-01 07:40 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-04-20 01:43 . 2008-12-01 07:40 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-04-20 01:42 . 2008-12-01 07:38 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-04-20 01:41 . 2008-12-01 07:37 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-04-20 01:40 . 2011-02-11 13:15 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-04-20 01:36 . 2008-12-01 06:53 651264 ----a-w- c:\windows\system32\atikvmag.dll
2011-04-20 01:34 . 2008-12-01 06:52 200704 ----a-w- c:\windows\system32\atiadlxx.dll
2011-04-20 01:33 . 2008-12-01 06:52 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-04-20 01:30 . 2008-12-01 06:50 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-04-20 01:28 . 2008-12-01 06:45 851968 ----a-w- c:\windows\system32\ati2cqag.dll
2011-04-20 01:27 . 2009-08-14 01:25 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-04-20 01:27 . 2008-12-01 06:57 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-04-20 01:26 . 2008-12-01 06:51 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-04-19 20:10 . 2011-04-19 20:10 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-04-19 20:10 . 2011-04-19 20:10 12385280 ----a-w- c:\windows\system32\amdocl.dll
2011-04-11 07:04 . 2009-11-04 14:18 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2009-08-27 20:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:36 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:09 . 2011-02-24 05:09 1409 ----a-w- c:\windows\system32\tmp177ED.FOT
2011-02-23 23:50 . 2011-02-23 23:50 1409 ----a-w- c:\windows\system32\tmp6BE59.FOT
2011-02-23 23:50 . 2011-02-23 23:50 1409 ----a-w- c:\windows\system32\tmp69E59.FOT
2011-02-23 23:50 . 2011-02-23 23:50 1409 ----a-w- c:\windows\system32\tmp5DE59.FOT
2011-02-22 23:07 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:07 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:07 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
.
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2008-12-18 1175552]
"swg"="c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-18 39408]
"Advanced SystemCare 4"="c:\program\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-04-21 402832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 16859136]
"avast!"="c:\program\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2010-03-17 421888]
"StartCCC"="c:\program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-19 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\program\DELADE~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
c:\documents and settings\All Users\Start-meny\Program\Autostart\
Uppdateringsagent.lnk - c:\program\3\3Connect\AutoUpdateSrv.exe [2008-10-23 670256]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Micke\\Games\\Company of Heroes\\RelicCOH.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program\\Anno.1404.DOD\\tools\\Anno4Web.exe"=
"c:\\Program\\Java\\jre6\\bin\\java.exe"=
"c:\\Program\\S.W.A.T. 4\\ContentExpansion\\System\\Swat4X.exe"=
"c:\\Program\\S.W.A.T. 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"c:\\Program\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\data\\Browser\\UPlayBrowser.exe"=
"c:\\Program\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
"c:\\Program\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=
"c:\\Program\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program\\Steam\\steam.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bohemia Interactive\\ArmA 2\\arma2.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\sh5.exe"=
"c:\\Program\\Steam\\steamapps\\common\\amnesia the dark descent\\Launcher.exe"=
"c:\\Program\\Steam\\steamapps\\common\\total war shogun 2\\Shogun2.exe"=
"c:\\Program\\Steam\\steamapps\\common\\total war shogun 2\\data\\encyclopedia\\how_to_play.html"=
"c:\\Program\\Steam\\steamapps\\common\\total war shogun 2\\benchmarks\\benchmark_current_settings.bat"=
"c:\\Program\\Steam\\steamapps\\common\\total war shogun 2\\benchmarks\\benchmark_specify_properties.bat"=
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-08-28 114768]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program\IObit\Advanced SystemCare 4\ASCService.exe [2011-04-28 352656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-08-28 20560]
S2 gupdate;Tjänsten Google Update (gupdate);c:\program\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
S2 WinDefend;Windows Defender;c:\program\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-08-31 721904]
.
Innehållet i mappen 'Schemalagda aktiviteter':
.
2011-05-23 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program\IObit\Advanced SystemCare 4\PMonitor.exe [2011-04-28 14:54]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program\Google\Update\GoogleUpdate.exe [2010-02-01 21:49]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program\Google\Update\GoogleUpdate.exe [2010-02-01 21:49]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.se/
IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: {137E2DAC-9058-428F-919B-B704BF0C3F7C} = 80.251.201.177 80.251.201.178
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 19:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLer som "laddats" under processer som körs ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Sluttid: 2011-05-23 19:35:32
ComboFix-quarantined-files.txt 2011-05-23 17:35
.
Före genomsökningen: 64 827 629 568 byte ledigt
Efter genomsökningen: 66 066 948 096 byte ledigt
.
WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C7D704932572DDB15B64FD01C0E02102

#12 Shannon2012 (Security Colleague)

Posted 23 May 2011 - 07:43 PM

Hi-

ComboFix didn't find much wrong so let's keep looking.

First, before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following files in turn and click the Submit file button within Jotti.

c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3D.dll


If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
To scan the next file, click on the Next File button.
Please post back the results of the scan in your next post. You can just post the links to the reports.
If Jotti is busy, try the same at Virustotal

Next, please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it.
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.
In your reply, please let me know the results of the Jotti uploads. You can just include the links to the reports. Also, please copy in the contents of the MBRCheck report.
Shannon

#13 Micke87 (Topic Starter)

Posted 24 May 2011 - 08:16 AM

I've made all the hidden files visible and followed your steps. The online scan didn't seem to find anything, though:

infocard.exe
http://virusscan.jotti.org/en/scanresult/924a316fdd7d5beb4a28bf1ef15fc5743a32c0c5

SMSvcHost.exe
http://virusscan.jotti.org/en/scanresult/d3b659bb34a9cf55d76e2f21fd8fbd88ae30e16e

PresentationFontCache.exe
http://virusscan.jotti.org/en/scanresult/1b301aa01b801a23bc7b87f16e7186439099395d

Direct3D.dll
http://virusscan.jotti.org/en/scanresult/0935cf450582f2b6796d687ef0160ec62127f729

And the MBRCheck report:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7438000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7427000 pci.sys
0xF7487000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7497000 MountMgr.sys
0xF7408000 ftdisk.sys
0xF798B000 dmload.sys
0xF73E2000 dmio.sys
0xF770F000 PartMgr.sys
0xF74A7000 VolSnap.sys
0xF73CA000 atapi.sys
0xF74B7000 disk.sys
0xF74C7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73AA000 fltmgr.sys
0xF7398000 sr.sys
0xF7381000 KSecDD.sys
0xF72F4000 Ntfs.sys
0xF72C7000 NDIS.sys
0xF72AD000 Mup.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\serial.sys
0xF795B000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7807000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0xF780F000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF7241000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7817000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7219000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6B8C000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6B78000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF74F7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7507000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7517000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6B55000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7527000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF6A6E000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF7973000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7977000 \SystemRoot\system32\drivers\atkkbnt.sys
0xF797B000 \SystemRoot\System32\Drivers\Video3D32.sys
0xF797F000 \SystemRoot\system32\drivers\asusgsb.sys
0xF7827000 \SystemRoot\system32\DRIVERS\AsusVRC.sys
0xF7AB3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7537000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7983000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6A57000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7547000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7557000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF782F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6A1E000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7567000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7837000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF783F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF69EE000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7577000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7847000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF784F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79C9000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6990000 \SystemRoot\system32\DRIVERS\update.sys
0xF7271000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7587000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xF7597000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF75B7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79CB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF67FB000 \SystemRoot\system32\drivers\AtiHdmi.sys
0xF67D7000 \SystemRoot\system32\drivers\portcls.sys
0xF75C7000 \SystemRoot\system32\drivers\drmk.sys
0xAE306000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF7857000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF79E1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B18000 \SystemRoot\System32\Drivers\Null.SYS
0xF79E3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7867000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF786F000 \SystemRoot\System32\drivers\vga.sys
0xF79E5000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79E7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7877000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF787F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6A4B000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAE2AB000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAE252000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF7637000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xAE22C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7647000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAE1DC000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAE1BA000 \SystemRoot\System32\drivers\afd.sys
0xF7657000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAE18F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAE11F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7667000 \SystemRoot\System32\Drivers\Fips.SYS
0xAE0FE000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF7887000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF7687000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF771F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF696C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7697000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAE2FA000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAE005000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79FB000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAE2EA000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7757000 \SystemRoot\System32\watchdog.sys
0xAE2E2000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BC6000 \SystemRoot\System32\drivers\dxgthk.sys
0xADFB3000 \SystemRoot\system32\DRIVERS\ewusbmdm.sys
0xF778F000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7797000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBF012000 \SystemRoot\System32\atkdisp.dll
0xBF045000 \SystemRoot\System32\ati2dvag.dll
0xBF093000 \SystemRoot\System32\ati2cqag.dll
0xBF163000 \SystemRoot\System32\atikvmag.dll
0xBF212000 \SystemRoot\System32\atiok3x2.dll
0xBF292000 \SystemRoot\System32\ati3duag.dll
0xBF9C6000 \SystemRoot\System32\ativvaxx.dll
0xBF667000 \SystemRoot\System32\ATMFD.DLL
0xF77DF000 \SystemRoot\system32\DRIVERS\aswFsBlk.sys
0xAB3E7000 \??\C:\WINDOWS\system32\drivers\mdvrmng.sys
0xAB487000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAB309000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xAAE7C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAAD77000 \SystemRoot\system32\drivers\wdmaud.sys
0xAB289000 \SystemRoot\system32\drivers\sysaudio.sys
0xAA9D7000 \SystemRoot\system32\DRIVERS\srv.sys
0xAA5FE000 \SystemRoot\System32\Drivers\HTTP.sys
0xAA747000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xAA59E000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA9F90000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
596 C:\WINDOWS\system32\smss.exe
652 csrss.exe
712 C:\WINDOWS\system32\winlogon.exe
756 C:\WINDOWS\system32\services.exe
768 C:\WINDOWS\system32\lsass.exe
936 C:\WINDOWS\system32\ati2evxx.exe
956 C:\WINDOWS\system32\svchost.exe
1004 svchost.exe
1100 C:\WINDOWS\system32\svchost.exe
1188 svchost.exe
1216 svchost.exe
1252 C:\Program\Alwil Software\Avast4\aswUpdSv.exe
1300 C:\Program\Alwil Software\Avast4\ashServ.exe
1408 C:\WINDOWS\system32\ati2evxx.exe
1624 C:\WINDOWS\explorer.exe
1788 C:\WINDOWS\RTHDCPL.exe
1796 C:\Program\ALWILS~1\Avast4\ashDisp.exe
1804 C:\Program\Delade filer\Java\Java Update\jusched.exe
288 C:\WINDOWS\system32\spoolsv.exe
420 svchost.exe
468 C:\Program\IObit\Advanced SystemCare 4\ASCService.exe
656 C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
1452 C:\Program\IObit\Advanced SystemCare 4\ASCTray.exe
1560 C:\WINDOWS\system32\ctfmon.exe
1548 C:\WINDOWS\ATKKBService.exe
1756 C:\Program\Java\jre6\bin\jqs.exe
2052 C:\Program\3\3Connect\AutoUpdateSrv.exe
2112 C:\WINDOWS\system32\PnkBstrA.exe
3052 alg.exe
3380 C:\Program\3\3Connect\Wilog.exe
1772 C:\WINDOWS\system32\wscntfy.exe
1688 wmiprvse.exe
2880 C:\Documents and Settings\Micke\Skrivbord\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-00L9A0, Rev: 01.03E01

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: EEC098E77D0529BD75F64F7B26552C1BA4417B73


Done!

#14 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 24 May 2011 - 01:43 PM

Hi-

I thought maybe that GMER had flagged those first three .Net Framework files as infected by mistake. Let's go after the corrupted .Net Framework.

  • You will have to remove all versions of .net with a special tool.
  • Once removed, you will need to reinstall .NET Framework v2 thru v3.5
  • Here is the tool to remove it and the tool's documentation.

    .NET Framework Cleanup Tool

  • Once all copies are removed, see this Microsoft document on the software to reinstall.

    http://support.microsoft.com/kb/923100

Let me know how the de-install and re-install goes, and give me an update on the computer's status.
Shannon

#15 Micke87

Micke87
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Sweden

Posted 24 May 2011 - 04:42 PM

Ok, both un-installing and re-installing seem to have gone without problems. The error log generated by the cleanup tool had a few entries of services that it was unable to open, but in the end it still gave a return value of 0 for success upon completion. I also rebooted after re-installing all .NET Framework versions to see if Catalyst Control Center would launch, since ATI support suggested that the problem had to do with .NET Framework files being corrupted, but CCC still won't start.

Otherwise there seem to be no real problems so far, but I wouldn't know what to look for really. If you need them, I'll be happy to post any logs, but everything was apparently completed without problems. I thought that, if any, maybe the entries below were worth noticing though.

Here is the error log from the .NET Framework cleanup tool in full anyway:

======================================================================
[05/24/11,22:25:18] Beginning of new cleanup utility session
[05/24/11,22:25:41] Failed to open the service 'msftpsvc'
[05/24/11,22:25:41] Failed to open the service 'nntpsvc'
[05/24/11,22:25:41] Failed to open the service 'smtpsvc'
[05/24/11,22:25:41] Failed to open the service 'w3svc'
[05/24/11,22:25:41] Failed to open the service 'iisadmin'
[05/24/11,22:32:41] Cleanup utility exiting with return value 0



