
SPYWARE,TROJAN infection?


This topic is locked
43 replies to this topic

#1 zertz07

zertz07

  • Members
  • 49 posts

Posted 08 January 2012 - 08:24 PM

My computer is infected and is not being caught by Malwarebytes' Anti-Malware or my regular security program - I have tried running in Safe Mode but it still doesn't pick anything up. One of the user accounts loads very slowly and then an error message comes up: "C:\Documents and Settings\A****\Desktop is not accessible. Access is denied."
I close the message and after a few minutes the Security Services window opens, but it isn't the 'real one' as it has extra items on it and shows the Anti-virus is off, and at the top in big red letters it says "Using Mocked RPS API". If I click on any of the tabs, i.e. Anti-virus, the security window goes blank. This only happens on this user account and not the other two.

From the administrator's account (mine), if I go into My Computer > A****'s Documents, I get the same error message, "C:\Documents and Settings\A****\My Documents is not accessible. Access is denied." If I go into My Computer > Documents and Settings > A**** > My Documents, I get the same message that access is denied. It will let me open her other folders though.

A**** put some of her photos in the Shared Pictures folder in Shared Documents and the computer won't let me move them or delete them.

We also had trouble with accessing our Hotmail accounts. We could get to Hotmail to sign in but after we signed in an error message would come up saying something about it being invalid. I used my other computer to sign in and then changed my password.

We have used this computer to access my online banking and recently discovered that 33 transactions over 12 days had occurred (for a $1406.98 loss, which I was able to get back after reporting it to the bank). I asked how these transactions could have been possible and they gave me 3 choices - 2 of them weren't possible but the 3rd was having a computer virus.

There have been other random error messages and function issues, i.e. "Error Copying File or Folder. Cannot create or replace... write protected or make sure disk is not full....".

Thank you for your website!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Lani at 16:08:06 on 2012-01-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1280 [GMT -8:00]
.
AV: TELUS security services Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: TELUS security services Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TELUS\TELUS security services\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\TELUS\TELUS security advisor\ServicepointService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\TELUS security services\rps.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\TELUS\TELUS security advisor\Tsa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TELUS\TELUS security advisor\TsaComHandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [Tsa.exe] "c:\program files\telus\telus security advisor\Tsa.exe" /AUTORUN
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
IE: &Search - ?p=ZJxdm402YYCA
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxp://equickplace.sd91.bc.ca/qp2.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://costco.pnimedia.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{6FFD4EED-4620-4124-923B-7B276FAC9D37} : DhcpNameServer = 192.168.1.254 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-12-6 25608]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-9-14 54760]
R2 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
R2 Radialpoint Security Services;TELUS security services;c:\program files\telus\telus security services\RpsSecurityAwareR.exe [2010-6-2 166944]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\telus\telus security services\avg\identity protection\agent\bin\AVGIDSAgent.exe [2011-12-6 5832712]
R2 ServicepointService;ServicepointService;c:\program files\telus\telus security advisor\ServicepointService.exe [2011-12-6 689464]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2011-12-6 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2011-12-6 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSShim.sys [2011-12-6 25736]
S0 fcxxqew;fcxxqew; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-19 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-19 135664]
S3 NetMate2;CATC USB/Ethernet Link II device driver;c:\windows\system32\drivers\netmate2.sys [2009-3-6 35694]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [2001-11-29 1432836]
.
=============== Created Last 30 ================
.
2011-12-22 01:04:34 -------- d-----w- C:\TELUS
2011-12-22 00:09:36 -------- d--h--w- c:\windows\PIF
2011-12-20 19:02:11 -------- d-----w- c:\program files\iPod
2011-12-20 18:51:20 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2012-01-07 21:12:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 21:58:23 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-12-06 21:16:20 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 16:10:04.10 ===============


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts

Posted 14 January 2012 - 07:44 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log


#3 zertz07

zertz07
  • Topic Starter

  • Members
  • 49 posts

Posted 17 January 2012 - 07:11 PM

Hi,

I did as instructed and here is the report log:

ComboFix 12-01-17.01 - Lani 01/17/2012 15:26:42.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1392 [GMT -8:00]
Running from: c:\documents and settings\Lani\Desktop\ComboFix.exe
AV: TELUS security services Anti-Virus *Disabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: TELUS security services Firewall *Disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Lani\Application Data\706E.D8A
c:\documents and settings\Lani\Application Data\Desktop Security
C:\drvrtmp
c:\program files\LP
c:\program files\LP\112D\12.tmp
c:\program files\LP\112D\1B.tmp
c:\program files\LP\112D\2A.tmp
c:\program files\LP\112D\2B.tmp
c:\program files\LP\112D\D.tmp
c:\program files\LP\112D\E.tmp
c:\program files\LP\3D7D\10.tmp
c:\program files\LP\3D7D\F.tmp
c:\program files\LP\6367\10.tmp
c:\program files\LP\6367\11.tmp
c:\program files\LP\6367\12.tmp
c:\program files\LP\6367\13.tmp
c:\program files\LP\6367\14.tmp
c:\program files\LP\6367\15.tmp
c:\program files\LP\6367\16.tmp
c:\program files\LP\6367\17.tmp
c:\program files\LP\6367\18.tmp
c:\program files\LP\6367\19.tmp
c:\program files\LP\6367\1A.tmp
c:\program files\LP\6367\1B.tmp
c:\program files\LP\6367\1C.tmp
c:\program files\LP\6367\1D.tmp
c:\program files\LP\6367\1E.tmp
c:\program files\LP\6367\1F.tmp
c:\program files\LP\6367\20.tmp
c:\program files\LP\6367\21.tmp
c:\program files\LP\6367\22.tmp
c:\program files\LP\6367\23.tmp
c:\program files\LP\6367\24.tmp
c:\program files\LP\6367\25.tmp
c:\program files\LP\6367\26.tmp
c:\program files\LP\6367\28.tmp
c:\program files\LP\6367\2C.tmp
c:\program files\LP\6367\2D.tmp
c:\program files\LP\6367\3.tmp
c:\program files\LP\6367\34.tmp
c:\program files\LP\6367\3D.tmp
c:\program files\LP\6367\4.tmp
c:\program files\LP\6367\5.tmp
c:\program files\LP\6367\66.tmp
c:\program files\LP\6367\9.tmp
c:\program files\LP\6367\A.tmp
c:\program files\LP\6367\B.tmp
c:\program files\LP\6367\C.tmp
c:\program files\LP\6367\D.tmp
c:\program files\LP\6367\E.tmp
c:\program files\LP\6367\F.tmp
c:\program files\LP\636D\1.tmp
c:\program files\LP\636D\12.tmp
c:\program files\LP\636D\13.tmp
c:\program files\LP\636D\2.tmp
c:\program files\LP\636D\24.tmp
c:\program files\LP\636D\3.tmp
c:\program files\LP\636D\37.tmp
c:\program files\LP\636D\6.tmp
c:\program files\LP\636D\A.tmp
c:\program files\LP\636D\B.tmp
c:\program files\LP\636D\E.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2011-12-22 05:51 . 2011-12-22 05:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-22 01:04 . 2011-12-22 01:05 -------- d-----w- C:\TELUS
2011-12-22 00:09 . 2011-12-22 00:09 -------- d--h--w- c:\windows\PIF
2011-12-20 19:02 . 2011-12-20 19:02 -------- d-----w- c:\program files\iPod
2011-12-20 18:51 . 2011-12-20 18:51 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-07 21:12 . 2011-06-09 14:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2010-08-30 04:09 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 21:58 . 2011-12-06 21:16 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-12-06 21:16 . 2011-12-06 21:16 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-04 12:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-04 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-04 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\$NtServicePackUninstall$\msvcrt.dll
[-] 2004-08-04 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[-] 2004-08-04 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
.
[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\netlogon.dll
.
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\powrprof.dll
.
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\scecli.dll
.
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfc.dll
.
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
.
[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll
[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll
.
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\user32.dll
.
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
.
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
.
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2help.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
[-] 2004-08-04 . 9BEACB911CA61E5881102188AB7FB431 . 19968 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2help.dll
.
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
[-] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\regedit.exe
[-] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regedit.exe
[-] 2004-08-04 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regedit.exe
.
[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll
[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll
[-] 2010-04-16 . F8894BCC961D461674002B4BAE7AECC1 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
[-] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll
[-] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\ServicePackFiles\i386\usp10.dll
[-] 2004-08-04 . 2EB58F9DCD6AB320B46744A4EA48B2D2 . 406528 . . [1.0420.2600.2180] . . c:\windows\$NtServicePackUninstall$\usp10.dll
.
[-] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\ksuser.dll
[-] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\system32\ksuser.dll
[-] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\system32\dllcache\ksuser.dll
.
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\srsvc.dll
.
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
.
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll
.
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
.
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfcfiles.dll
.
[-] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ipsec.sys
[-] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regsvc.dll
.
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\schedsvc.dll
.
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ssdpsrv.dll
.
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
.
[-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\hnetcfg.dll
[-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\system32\hnetcfg.dll
[-] 2004-08-04 . 765B30C776A1780B46B479FE614F707C . 344064 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\hnetcfg.dll
.
[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
.
[-] 2008-04-14 06:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-14 06:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\dllcache\aec.sys
[-] 2008-04-14 06:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
.
[-] 2008-04-14 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys
[-] 2008-04-14 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\agp440.sys
.
[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ip6fw.sys
.
[-] 2010-09-18 07:18 . 842900DEDBC8E3E8DBCCCB298FD88F65 . 953856 . . [4.1.6151] . . c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40u.dll
[-] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\mfc40u.dll
[-] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\dllcache\mfc40u.dll
[-] 2008-04-14 13:41 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\$NtUninstallKB2387149$\mfc40u.dll
[-] 2008-04-14 13:41 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\$NtServicePackUninstall$\mfc40u.dll
.
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\msgsvc.dll
.
[-] 2008-04-14 13:42 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2006-10-19 04:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 04:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtServicePackUninstall$\mspmsnsv.dll
.
[-] 2008-04-14 13:42 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 13:42 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2004-08-04 12:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\$NtServicePackUninstall$\ntmssvc.dll
.
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\upnphost.dll
.
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\dsound.dll
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
[-] 2004-08-04 . 55E148C01296696588EAFA425782C3E8 . 367616 . . [5.3.2600.2180] . . c:\windows\$NtServicePackUninstall$\dsound.dll
.
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\ServicePackFiles\i386\d3d9.dll
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\d3d9.dll
[-] 2004-08-04 . D67BDBBDA86CC9AEEBBAF3217C1717D8 . 1689088 . . [5.03.2600.2180] . . c:\windows\$NtServicePackUninstall$\d3d9.dll
.
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\ServicePackFiles\i386\ddraw.dll
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
[-] 2004-08-04 . 7ED462F353B3D915A418A689FA881F96 . 266240 . . [5.03.2600.2180] . . c:\windows\$NtServicePackUninstall$\ddraw.dll
.
[-] 2008-04-14 13:42 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\olepro32.dll
[-] 2008-04-14 13:42 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
[-] 2004-08-04 12:00 . B48D3193DD1474DCBCC32BF4779AC698 . 83456 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\olepro32.dll
.
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\perfctrs.dll
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
[-] 2004-08-04 . 96492C721C6EA517E2BFD5381FEF55E3 . 39936 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\perfctrs.dll
.
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
[-] 2004-08-04 . D38408967BE738D0C1B47005BCE8CEEB . 18944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\version.dll
.
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\srsvc.dll
.
[-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\w32time.dll
[-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\system32\w32time.dll
[-] 2004-08-04 . 2B281958F5D0CF99ED626E3EF39D5C8D . 174592 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\w32time.dll
.
[-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wiaservc.dll
[-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\wiaservc.dll
[-] 2004-08-04 . D9F6C4F6B1E188ADAFC42B561D9BC2E6 . 333312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wiaservc.dll
.
[-] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\midimap.dll
[-] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
[-] 2004-08-04 . 3B4702155BB2AE9DC00C06A68834BDFA . 18944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\midimap.dll
.
[-] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rasadhlp.dll
[-] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\system32\rasadhlp.dll
[-] 2004-08-04 . 4CAEC028C1E21C75E17877D4522D3DB4 . 8192 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\rasadhlp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-17 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2010-04-28 647528]
"Tsa.exe"="c:\program files\TELUS\TELUS security advisor\Tsa.exe" [2010-12-16 4318520]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 09:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Lani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\TELUS\\TELUS security advisor\\ServicepointService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [12/6/2011 1:28 PM 25608]
R2 Radialpoint Security Services;TELUS security services;c:\program files\TELUS\TELUS security services\RpsSecurityAwareR.exe [6/2/2010 6:05 PM 166944]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [12/6/2011 1:28 PM 5832712]
R2 ServicepointService;ServicepointService;c:\program files\TELUS\TELUS security advisor\ServicepointService.exe [12/6/2011 12:16 PM 689464]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/18/2009 12:33 PM 47360]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [12/6/2011 1:28 PM 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [12/6/2011 1:28 PM 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [12/6/2011 1:28 PM 25736]
S0 fcxxqew;fcxxqew; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2010 5:56 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2010 5:56 AM 135664]
S3 NetMate2;CATC USB/Ethernet Link II device driver;c:\windows\system32\drivers\netmate2.sys [3/6/2009 6:15 PM 35694]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [11/29/2001 5:10 PM 1432836]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 2DACEFC4
*NewlyCreated* - WS2IFSL
*Deregistered* - 2dacefc4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:57]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-19 13:56]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-19 13:56]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-963894560-682003330-1004Core.job
- c:\documents and settings\Lani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-15 23:29]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-963894560-682003330-1004UA.job
- c:\documents and settings\Lani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-15 23:29]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-963894560-682003330-1007Core.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-10 23:29]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-963894560-682003330-1007UA.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-10 23:29]
.
2009-12-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-03-07 23:31]
.
2012-01-17 c:\windows\Tasks\User_Feed_Synchronization-{B968E50E-1E46-4586-9146-56A9C1664B89}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
AddRemove-HitmanPro35 - c:\program files\Hitman Pro 3.5\HitmanPro35[1].exe
AddRemove-Sibelius Scorch Plugin - c:\program files\Musicnotes\uninstsc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-17 15:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(776)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\TELUS\TELUS security services\Fws.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Live\Family Safety\fsssvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-17 16:00:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-18 00:00
.
Pre-Run: 32,911,826,944 bytes free
Post-Run: 33,211,342,848 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 297282CF6C21390466C862D4813ECD91


Thank you :)

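A small triage script, added here as an example and not part of the original thread or of ComboFix, that reads the service, svchost-group and firewall-policy lines in the format of the log above and lists the entries a responder would check first (a registered service whose image file is missing, an svchost group outside the baseline, a disabled firewall). The meaning of the R/S letter and the start-type digit, the `[x]` marker and the baseline group list are assumptions; the sample lines are constructed from the log's shape.

```python
"""Triage the service, svchost-group and firewall-policy lines of a ComboFix log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumptions about ComboFix's notation (not stated on the page): the leading
# letter is the service state ("R" running, "S" stopped), the digit is the
# SCM start type, and "[x]" in place of the date/size means the image file
# was not found on disk.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?) \[(.*)\]$")
SVCHOST_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\svchost]"
FIREWALL_KEY = r"[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"

# Assumed baseline of svchost group names shipped with Windows XP. ComboFix
# already hides default entries, so anything it prints here deserves a look;
# the baseline check just makes that explicit.
BASELINE_SVCHOST_GROUPS = {
    "localservice", "networkservice", "netsvcs", "rpcss", "imgsvc",
    "dcomlaunch", "httpfilter", "termsvcs",
}

# Constructed sample in the shape of the log above (a few lines copied from it).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [12/6/2011 1:28 PM 25608]
R2 ServicepointService;ServicepointService;c:\program files\TELUS\TELUS security advisor\ServicepointService.exe [12/6/2011 12:16 PM 689464]
S0 fcxxqew;fcxxqew; [x]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [11/29/2001 5:10 PM 1432836]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
"""


@dataclass
class Service:
    state: str            # "running" or "stopped"
    start_type: str       # one of the START_TYPES values
    name: str
    display: str
    image: Optional[str]  # None when ComboFix printed "[x]" (file missing)


def parse_log(text: str) -> Tuple[List[Service], Dict[str, List[str]], Optional[bool]]:
    """Return (services, svchost groups, firewall enabled?) from ComboFix text."""
    services: List[Service] = []
    groups: Dict[str, List[str]] = {}
    firewall_enabled: Optional[bool] = None
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        if line.startswith("["):  # a registry key header starts a new section
            section = line.lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, image, meta = m.groups()
            services.append(Service(
                state="running" if state == "R" else "stopped",
                start_type=START_TYPES[int(start)],
                name=name, display=display,
                image=None if meta == "x" or not image else image))
        elif section == SVCHOST_KEY:
            group, _, members = line.partition(" REG_MULTI_SZ ")
            groups[group] = members.split()
        elif section == FIREWALL_KEY:
            fm = re.match(r'^"EnableFirewall"=\s*(\d+)', line)
            if fm:
                firewall_enabled = fm.group(1) != "0"
    return services, groups, firewall_enabled


def triage(text: str) -> List[str]:
    """List the entries a responder would check first."""
    services, groups, firewall_enabled = parse_log(text)
    findings = []
    for s in services:
        if s.image is None:
            findings.append(f"service {s.name}: {s.start_type}-start service "
                            f"registered in the SCM but its image file is missing")
    for group, members in groups.items():
        if group.lower() not in BASELINE_SVCHOST_GROUPS:
            findings.append(f"svchost group '{group}' is not in the baseline; "
                            f"it hosts: {', '.join(members)}")
    if firewall_enabled is False:
        findings.append("Windows Firewall is disabled for the standard profile "
                        "(EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```
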
#4 RPMcMurphy

  • Malware Response Team

Posted 17 January 2012 - 10:44 PM

zertz07:

Please do this next:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :service
    CryptSvc
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • SystemLook log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 zertz07 (Topic Starter)

Posted 18 January 2012 - 09:09 PM

Thank you for your quick reply!

Here are the report logs generated as instructed:

SystemLook 30.07.11 by jpshortstuff
Log created at 10:55 on 18/01/2012 by Lani
Administrator - Elevation successful

========== service ==========

CryptSvc
CryptSvc
"Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
Current Status: Started
Startup Type: Automatic
Error Control: Severe
Binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
Group: (none)
SafeBoot: Minimal Network
Dependencies:
->RpcSs
Dependant Services:
(none)

-= EOF =-


***************************

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.18.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Lani :: LANI-C42253C1B9 [administrator]

1/18/2012 10:58:08 AM
mbam-log-2012-01-18 (10-58-08).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 340878
Time elapsed: 6 hour(s), 15 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thank you.

#6 RPMcMurphy (Malware Response Team)

Posted 18 January 2012 - 10:15 PM

zertz07:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version. Press the download button under JRE and follow the prompts. Accept the agreement and choose the Windows x86 offline option.
  • Run the installer you just downloaded
Please go to here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#7 zertz07 (Topic Starter)

Posted 19 January 2012 - 03:37 PM

Hi RPMcMurphy,

I don't think the computer is still running right. Before and after removing Java and after installing the new one, I tried signing in to A****'s user account and it loaded very slowly and seems to have the same issues as it did to start with. I also noticed that when I clicked on her account to open it, the cursor changed and was black filled instead of white and the hourglass was also black filled. I don't know if that is important or not but it doesn't change when I click on my account or the other user account on this computer.

Here is the report from the ESET scan:

C:\Documents and Settings\Autumn\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe Win32/OpenCandy application
C:\Documents and Settings\Lani\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe Win32/OpenCandy application
C:\Documents and Settings\Luke\Application Data\FrostWire\.AppSpecialShare\frostwire-5.0.8.windows.exe Win32/OpenCandy application
C:\Documents and Settings\Luke\Application Data\OpenCandy\OpenCandy_36A69B95BD9E40FFBA303526A32759F3\DLMgr_3_1.6.87.exe Win32/OpenCandy application
C:\Documents and Settings\Luke\Application Data\OpenCandy\OpenCandy_36A69B95BD9E40FFBA303526A32759F3\PPIRegistryReviverSetup.exe a variant of Win32/SlowPCfighter application
C:\Documents and Settings\Luke\Application Data\OpenCandy\OpenCandy_36A69B95BD9E40FFBA303526A32759F3\PPIRegistryReviver_p21v1.exe a variant of Win32/SlowPCfighter application
C:\System Volume Information\_restore{EB9994A5-7FF3-43E6-87E9-17A5F8A0106C}\RP923\A0127374.exe Win32/OpenCandy application
C:\System Volume Information\_restore{EB9994A5-7FF3-43E6-87E9-17A5F8A0106C}\RP923\A0127389.exe Win32/OpenCandy application
C:\System Volume Information\_restore{EB9994A5-7FF3-43E6-87E9-17A5F8A0106C}\RP923\A0127404.exe Win32/OpenCandy application


I also restarted the computer after running the ESET scan and we still have all the original issues concerning A****'s account.

Thank you!
zertz07

#8 RPMcMurphy (Malware Response Team)

Posted 20 January 2012 - 08:35 PM

Hi,

Are you able to boot into that account now at all?



#9 zertz07 (Topic Starter)

Posted 21 January 2012 - 03:27 PM

I'm not sure what you mean by 'boot into that account'.

This is still what happens:

There are three accounts on this computer - Mine (administrator), A****'s account, and one other user account. If I start the computer and click on A****'s account, it loads very slowly (cursor and hourglass turn black) and when it opens there is an error message "C:\Documents and Settings\A****\Desktop is not accessible. Access is denied."
I close the message and then I can access her files, etc. and after a few minutes the Security Services window opens but it isn't the 'real one' as it has extra items/options on it, also showing the Anti-virus is off, and at the top in big red letters it says "Using Mocked RPS API". Everything goes VERY slowly when using this account.

The other two user accounts seem to load and work okay. We have not been using A****'s account other than to check to see if it is fixed. She has been using my account since posting with you and says that when she uses Google Chrome to go to Hotmail, after entering her password, she gets this message "Bad Request - Invalid Verb....HTTP Error 400 the request is invalid". We used my other computer to change her password and we are able to access her email on that computer so then we tried it on this computer again but still got the same error message. If we use Internet Explorer, we get the same thing "HTTP Error 400" - "This webpage cannot be found". (Hers doesn't work but mine does.)

I also noticed that it is deleting my browsing history - it only shows 'today' even though in Internet Options my history settings are set at: Days to keep pages in history for 20 days.

Hope this info was helpful in some way.

#10 RPMcMurphy (Malware Response Team)

Posted 21 January 2012 - 03:48 PM

zertz07:

Thanks, that answered my question. Is your ISP by any chance Virgin Broadband? Please run this for me:

Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start > Run or press the Windows key + r. Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Please include the following in your next post:
  • Junction log



#11 zertz07 (Topic Starter)

Posted 21 January 2012 - 04:51 PM

Hi,

Our ISP is Telus Communications.

Here is the Junction Log:


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Documents and Settings\Autumn\My Documents: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\NetHood: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\NTUSER.DAT: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\NTUSER.DAT.LOG: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\ntuser.ini: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\PrintHood: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\PrivacIE: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Recent: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\SendTo: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Start Menu: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Templates: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Tracing: Access is denied.
...
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Apps: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\desktop.ini: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\History: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Temp: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Temporary Internet Files: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\IconCache.db: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Identities: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Microsoft: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Microsoft Help: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Skype: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Temp: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Unity: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\CrashReports: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Custom Buttons: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Toolbar: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Toolbar DNS data: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Update: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\User Data: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\Dictionaries: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\First Run: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\master_preferences: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\old_chrome.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\chrome_launcher.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\d3dcompiler_43.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\d3dx9_43.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\default_apps: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Extensions: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\flashplayercplapp.cpl: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\gcswf32.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\icudt.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Installer: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\libegl.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\libglesv2.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Locales: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl64.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl_irt_x86_32.nexe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl_irt_x86_64.nexe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\npchrome_frame.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\pdf.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\plugin.vch: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\ppgooglenaclpluginchrome.dll: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\resources.pak: Access is denied.
...
Failed to open \\?\c:\\Documents and Settings\Lani\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Lani\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.
...
Failed to open \\?\c:\\Program Files\Google\GoogleToolbarNotifier\swg-5.6.5612.1312\SearchWithGoogleUpdate.exe: Access is denied.
...
Failed to open \\?\c:\\Program Files\Windows Live\Family Safety\HistoryStore: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
...
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
...

:)
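The junction log above is the raw material for the next step: the "Access is denied" failures are candidates for an ACL repair, the sharing violation on pagefile.sys is noise, and the two JUNCTION entries are the .NET GAC redirections into WinSxS that every XP install with .NET 2.0 has. As an added example, not part of this thread or of the Sysinternals tool, the following Python script does that triage mechanically: it turns the denied paths into a one-per-line list, separates failures that are not permission problems, and flags any reparse point that does not fit the GAC-to-WinSxS pattern, because a junction planted inside a user profile is exactly the kind of redirection this scan is run to find. The sample log is constructed in the format shown above; its last junction (Autumn's Desktop pointing at another profile) is invented solely to exercise the flagging branch and was not found on this machine. The allow-rule for junctions is an assumption drawn from the two entries visible in the log, not a complete list.

```python
r"""Triage a Sysinternals junction -s scan log.

Added example, not part of the original thread or of the junction tool.
Assumes the log format shown in the thread: 'Failed to open <path>: <reason>'
lines, '<path>: JUNCTION' lines followed by 'Print Name' and 'Substitute Name'
lines, and progress dots that carry no information. The allow-rule for
junctions (entries under \WINDOWS\assembly pointing into \WINDOWS\WinSxS, the
.NET GAC layout seen in the log) is an assumption, not a complete list.
"""
import re

# Constructed sample in the log's format (not the poster's actual log).
# The final junction, Autumn's Desktop redirected onto another profile, is
# invented purely to exercise the flagging branch below.
SAMPLE_LOG = r"""
Junction v1.06 - Windows junction creator and reparse point viewer

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Documents and Settings\Autumn\My Documents: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Autumn\NTUSER.DAT: Access is denied.
...
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\Documents and Settings\Autumn\Desktop: JUNCTION
Print Name : C:\Documents and Settings\Lani\Desktop
Substitute Name: C:\Documents and Settings\Lani\Desktop
"""

LONG_PREFIX = "\\\\?\\"          # the long-path prefix junction prints
FAILED_RE = re.compile(r"^Failed to open (.+?): (.+)$")
JUNCTION_RE = re.compile(r"^(.+?): JUNCTION$")
NAME_RE = re.compile(r"^(Print Name|Substitute Name)\s*:\s*(.+)$")


def normalize(path):
    """Drop the long-path prefix and collapse doubled separators."""
    if path.startswith(LONG_PREFIX):
        path = path[len(LONG_PREFIX):]
    return re.sub(r"\\{2,}", r"\\", path)


def parse_junction_log(text):
    """Return (access_denied_paths, other_failures, junctions)."""
    denied, other, junctions = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:      # blank line or progress dots
            continue
        m = FAILED_RE.match(line)
        if m:
            path, reason = normalize(m.group(1)), m.group(2)
            if reason.startswith("Access is denied"):
                denied.append(path)
            else:
                other.append(path)               # e.g. sharing violations
            continue
        m = JUNCTION_RE.match(line)
        if m:
            current = {"path": normalize(m.group(1)), "print_name": None, "target": None}
            junctions.append(current)
            continue
        m = NAME_RE.match(line)
        if m and current is not None:
            key = "print_name" if m.group(1) == "Print Name" else "target"
            current[key] = m.group(2)
    return denied, other, junctions


def unexpected_junctions(junctions):
    """Junctions outside the assumed GAC -> WinSxS allow-rule."""
    flagged = []
    for j in junctions:
        src = j["path"].lower()
        tgt = (j["target"] or "").lower()
        if "\\windows\\assembly\\" in src and "\\windows\\winsxs\\" in tgt:
            continue
        flagged.append(j)
    return flagged


def grantperms_input(denied):
    """One path per line, the form pasted into GrantPerms in this thread."""
    return "\n".join(denied)


if __name__ == "__main__":
    denied, other, junctions = parse_junction_log(SAMPLE_LOG)
    print("Paths to unlock:\n" + grantperms_input(denied))
    print("\nSkipped (not a permission problem):", other)
    for j in unexpected_junctions(junctions):
        print(f"\nUNEXPECTED JUNCTION {j['path']} -> {j['target']}")
```

To use it on a real scan, read the log.txt the command in the previous reply produces into `SAMPLE_LOG`'s place; the printed "Paths to unlock" list is the same shape as the list pasted into GrantPerms below, and anything under "UNEXPECTED JUNCTION" deserves a look before any permissions are changed, since unlocking a junction's source acts on its target.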

#12 RPMcMurphy (Malware Response Team)

Posted 21 January 2012 - 07:08 PM

zertz07:

Please do this now:

Please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:

    c:\\Documents and Settings\Autumn\My Documents
    c:\\Documents and Settings\Autumn\NetHood
    c:\\Documents and Settings\Autumn\NTUSER.DAT
    c:\\Documents and Settings\Autumn\NTUSER.DAT.LOG
    c:\\Documents and Settings\Autumn\ntuser.ini
    c:\\Documents and Settings\Autumn\PrintHood
    c:\\Documents and Settings\Autumn\PrivacIE
    c:\\Documents and Settings\Autumn\Recent
    c:\\Documents and Settings\Autumn\SendTo
    c:\\Documents and Settings\Autumn\Start Menu
    c:\\Documents and Settings\Autumn\Templates
    c:\\Documents and Settings\Autumn\Tracing
    c:\\Documents and Settings\Autumn\Local Settings\Apps
    c:\\Documents and Settings\Autumn\Local Settings\desktop.ini
    c:\\Documents and Settings\Autumn\Local Settings\History
    c:\\Documents and Settings\Autumn\Local Settings\Temp
    c:\\Documents and Settings\Autumn\Local Settings\Temporary Internet Files
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\IconCache.db
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Identities
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Microsoft
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Microsoft Help
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Skype
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Temp
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Unity
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\CrashReports
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Custom Buttons
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Toolbar
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Toolbar DNS data
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Update
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\User Data
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\Dictionaries
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\First Run
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\master_preferences
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\old_chrome.exe
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\chrome_launcher.exe
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\d3dcompiler_43.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\d3dx9_43.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\default_apps
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Extensions
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\flashplayercplapp.cpl
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\gcswf32.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\icudt.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Installer
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\libegl.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\libglesv2.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Locales
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl64.exe
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl_irt_x86_32.nexe
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl_irt_x86_64.nexe
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\npchrome_frame.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\pdf.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\plugin.vch
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\ppgooglenaclpluginchrome.dll
    c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\resources.pak
    c:\\Documents and Settings\Lani\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db
    c:\\Documents and Settings\Lani\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow
    c:\\Program Files\Google\GoogleToolbarNotifier\swg-5.6.5612.1312\SearchWithGoogleUpdate.exe
    c:\\Program Files\Windows Live\Family Safety\HistoryStore
  • Click Unlock. When it is done click "OK".
  • Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Once that is done, reboot and let me know if A**'s account is behaving any better.
Please include the following in your next post:
  • GrantPerms log

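The Perms.txt that "List Permissions" produces is the artefact worth reading after an Unlock: for each path it prints the owner and the DACL, one ACE per line. For a directory inside a user profile the question is not only whether an administrator can now open it, but whether the profile's own user has a write-capable ACE, because an account that can merely read its own NTUSER.DAT and Desktop still cannot load its profile normally. As an added example, not part of this thread or of the GrantPerms tool, the following Python script parses that report and states, per profile path, whether the owner is the profile user and whether any ACE that applies to that user allows FULL, MODIFY or WRITE. The sample report is constructed in the layout GrantPerms prints: its first entry has the shape of the entries posted later in this thread (owner Administrators, Users READ/EXECUTE, no ACE for the user), and its second entry is an invented healthy baseline. The permission words treated as write-capable and the assumption that every local account is a member of BUILTIN\Users are this example's own.

```python
r"""Review a GrantPerms 'List Permissions' report (Perms.txt) for profile
paths that the profile's own user can no longer write to.

Added example, not part of the original thread or of GrantPerms itself.
Assumes the Perms.txt layout shown in this thread: a long-prefix path line,
'Owner: <principal>', a 'DACL...:' line, then one ACE per line written as
'<principal> <permission> ALLOW|DENY (flags)'. The permission words treated
as write-capable and the rule that every local account is a member of
BUILTIN\Users are assumptions of this example.
"""
import re

# Constructed sample in the report's layout. The first entry mirrors the
# shape of the entries posted in this thread (owner Administrators, Users
# READ/EXECUTE, no ACE for the profile user); the second is an invented
# healthy baseline, not something taken from the poster's machine.
SAMPLE_PERMS = r"""
GrantPerms by Farbar
Ran by Lani (administrator) at 2012-01-21 16:39:26

===============================================
\\?\c:\\Documents and Settings\Autumn\My Documents

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Lani\My Documents

Owner: LANI-C42253C1B9\Lani

DACL(NP)(AI):
LANI-C42253C1B9\Lani FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
"""

LONG_PREFIX = "\\\\?\\"
ACE_RE = re.compile(r"^(.+?) (FULL|MODIFY|READ/EXECUTE|READ|WRITE|SPECIAL) (ALLOW|DENY)\s*(.*)$")
PROFILE_RE = re.compile(r"Documents and Settings\\([^\\]+)", re.IGNORECASE)
WRITE_CAPABLE = {"FULL", "MODIFY", "WRITE"}                       # assumption
GROUPS_EVERY_USER_IS_IN = {"builtin\\users", "everyone",
                           "nt authority\\authenticated users"}   # assumption


def normalize(path):
    """Drop the long-path prefix and collapse doubled separators."""
    if path.startswith(LONG_PREFIX):
        path = path[len(LONG_PREFIX):]
    return re.sub(r"\\{2,}", r"\\", path)


def parse_perms(text):
    """Return a list of {'path', 'owner', 'aces'} records, one per path."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LONG_PREFIX):
            current = {"path": normalize(line), "owner": None, "aces": []}
            entries.append(current)
        elif current is None or line.startswith("DACL"):
            continue                        # report header or the DACL banner
        elif line.startswith("Owner:"):
            current["owner"] = line[len("Owner:"):].strip()
        else:
            m = ACE_RE.match(line)
            if m:
                current["aces"].append({"principal": m.group(1), "perm": m.group(2),
                                        "type": m.group(3), "flags": m.group(4)})
    return entries


def _account(principal):
    """Strip the DOMAIN\\ part of a principal and lower-case it."""
    return principal.split("\\")[-1].lower()


def assess(entry):
    """Does the profile's own user still own and have write access to this path?"""
    m = PROFILE_RE.search(entry["path"])
    if not m:
        return None                         # not under a user profile
    user = m.group(1)
    applicable = [a for a in entry["aces"]
                  if _account(a["principal"]) == user.lower()
                  or a["principal"].lower() in GROUPS_EVERY_USER_IS_IN]
    denied = any(a["type"] == "DENY" for a in applicable)
    allowed_write = any(a["type"] == "ALLOW" and a["perm"] in WRITE_CAPABLE
                        for a in applicable)
    return {
        "path": entry["path"],
        "user": user,
        "owner_is_user": bool(entry["owner"]) and _account(entry["owner"]) == user.lower(),
        "explicit_user_ace": any(_account(a["principal"]) == user.lower() for a in entry["aces"]),
        "user_can_write": allowed_write and not denied,
    }


def problem_paths(text):
    """Profile paths whose own user has no write-capable allow (or has a deny)."""
    return [a["path"] for a in map(assess, parse_perms(text))
            if a is not None and not a["user_can_write"]]


if __name__ == "__main__":
    for entry in parse_perms(SAMPLE_PERMS):
        a = assess(entry)
        print(f"{a['path']}\n  owner is user: {a['owner_is_user']}"
              f"  explicit ACE for user: {a['explicit_user_ace']}"
              f"  user can write: {a['user_can_write']}")
```

Run against a real Perms.txt, `problem_paths` lists the profile paths where the Unlock left the profile owner with read-only rights through BUILTIN\Users and nothing more; those are the paths where fixing the administrator's view alone will not fix the user's logon, and where ownership and a FULL ACE for the profile user still have to be restored.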


#13 zertz07 (Topic Starter)

Posted 21 January 2012 - 08:07 PM

Okay, I have rebooted and her account is not behaving any better. Still getting the message that her desktop is not accessible and the fake security services window. It is very dysfunctional - takes over 5 minutes before it will open IE.

However, I can now access her documents from my account through My Computer. :)

Here is the Perm log you requested:



GrantPerms by Farbar
Ran by Lani (administrator) at 2012-01-21 16:39:26

===============================================
\\?\c:\\Documents and Settings\Autumn\My Documents

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\NetHood

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\NTUSER.DAT

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\NTUSER.DAT.LOG

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\ntuser.ini

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\PrintHood

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\PrivacIE

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Recent

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\SendTo

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Start Menu

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Templates

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Tracing

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Apps

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\desktop.ini

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\History

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Temp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Temporary Internet Files

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\IconCache.db

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Identities

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Microsoft

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Microsoft Help

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Skype

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Temp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Unity

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\CrashReports

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Custom Buttons

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Toolbar

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Toolbar DNS data

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Update

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\User Data

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\Dictionaries

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\First Run

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\master_preferences

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\old_chrome.exe

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\chrome_launcher.exe

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\d3dcompiler_43.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\d3dx9_43.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\default_apps

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Extensions

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\flashplayercplapp.cpl

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\gcswf32.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\icudt.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Installer

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\libegl.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\libglesv2.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\Locales

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl64.exe

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl_irt_x86_32.nexe

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\nacl_irt_x86_64.nexe

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\npchrome_frame.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\pdf.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\plugin.vch

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\ppgooglenaclpluginchrome.dll

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Autumn\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\resources.pak

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)


\\?\c:\\Documents and Settings\Lani\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Documents and Settings\Lani\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Google\GoogleToolbarNotifier\swg-5.6.5612.1312\SearchWithGoogleUpdate.exe

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)


\\?\c:\\Program Files\Windows Live\Family Safety\HistoryStore

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
Everyone READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)


:)

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:04:01 PM

Posted 21 January 2012 - 08:42 PM

zertz07:

Please do this now:

Please run GrantPerms.zip again.
  • Copy and paste the following in the edit box:

    c:\\Documents and Settings\Autumn\Desktop
  • Click Unlock. When it is done click "OK".
  • Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run from.

Once that is done, reboot and let me know if A**'s desktop will load.

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the "Scan All Users" option near the top of the page
  • Click the Quick Scan button. Do not change any other settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of the OTL.txt file into your next post.
Please include the following in your next post:
  • GrantPerms log
  • OTL.txt log (I don't need the Extras.txt log)

Edited by RPMcMurphy, 21 January 2012 - 08:43 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
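As an added example, not code from this thread and not part of Farbar's GrantPerms tool: a small Python parser for the Perms.txt layout posted above (path line, `Owner:`, `DACL(flags):`, one ACE per line) with a review pass that reports the things a helper looks for when a user is denied access to her own profile folders: the profile user missing from the DACL, an owner other than the profile user, a protected DACL, explicit DENY entries, and Everyone with full control. The sample listing embedded below is constructed for the example (the machine name EXAMPLE-PC and the `Program Files\Example` path are placeholders); the function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field

# One ACE line looks like "<trustee> <perm> ALLOW|DENY (flag)(flag)...".
# Trustees contain spaces and backslashes (NT AUTHORITY\SYSTEM), so the
# trustee group is non-greedy and the permission word acts as the anchor.
ACE_RE = re.compile(
    r"^(?P<trustee>.+?)\s+(?P<perm>[A-Z/]+)\s+(?P<kind>ALLOW|DENY)"
    r"\s*(?P<flags>(?:\([A-Z]+\))*)\s*$"
)
FLAG_RE = re.compile(r"\(([A-Z]+)\)")
# XP profile folders live under Documents and Settings\<user>.
PROFILE_RE = re.compile(r"Documents and Settings\\(?P<user>[^\\]+)", re.IGNORECASE)


@dataclass
class Entry:
    path: str
    owner: str = ""
    dacl_flags: list = field(default_factory=list)  # e.g. ["NP", "AI"]
    aces: list = field(default_factory=list)        # (trustee, perm, kind, flags)


def parse_perms(text):
    """Turn a Perms.txt listing into Entry records, one per path block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("\\\\?\\"):          # a new path block begins
            cur = Entry(path=line)
            entries.append(cur)
        elif not line or cur is None:           # blank lines and the tool header
            continue
        elif line.startswith("Owner:"):
            cur.owner = line[len("Owner:"):].strip()
        elif line.startswith("DACL"):           # e.g. "DACL(NP)(AI):"
            cur.dacl_flags = FLAG_RE.findall(line)
        else:
            m = ACE_RE.match(line)
            if m:                               # separator rows (====, ****) never match
                cur.aces.append((m.group("trustee"), m.group("perm"),
                                 m.group("kind"), FLAG_RE.findall(m.group("flags"))))
    return entries


def _is_user(name, user):
    """True when an account name (with or without a domain prefix) is this user."""
    name = name.lower()
    return name == user or name.endswith("\\" + user)


def review(entry):
    """Findings for one entry; an empty list means nothing stood out."""
    findings = []
    m = PROFILE_RE.search(entry.path)
    if m:
        user = m.group("user").lower()
        if not any(_is_user(t, user) for t, _, _, _ in entry.aces):
            findings.append(f"no ACE for profile user '{m.group('user')}'")
        if not _is_user(entry.owner, user):
            findings.append(f"owner is {entry.owner}, not the profile user")
    # (P) marks a protected DACL: ACEs from the parent folder are not inherited.
    if "P" in entry.dacl_flags:
        findings.append("DACL is protected (P): inheritance from the parent is blocked")
    for trustee, perm, kind, _ in entry.aces:
        if kind == "DENY":
            findings.append(f"explicit DENY for {trustee}")
        if trustee.lower() == "everyone" and perm == "FULL":
            findings.append("Everyone has FULL control")
    return findings


def review_listing(text):
    """Map each path to its findings, keeping only entries that have some."""
    out = {}
    for entry in parse_perms(text):
        findings = review(entry)
        if findings:
            out[entry.path] = findings
    return out


# Constructed sample in the Perms.txt layout; not a real listing from the thread.
SAMPLE = r"""GrantPerms by Farbar
Ran by Admin (administrator) at 2012-01-21 18:14:47

===============================================
\\?\c:\\Documents and Settings\Autumn\Desktop

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)


\\?\c:\\Documents and Settings\Autumn\My Documents

Owner: EXAMPLE-PC\Autumn

DACL(P)(AI):
EXAMPLE-PC\Autumn FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Administrators FULL ALLOW (CI)(OI)


\\?\c:\\Program Files\Example\HistoryStore

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)

****************
"""

if __name__ == "__main__":
    for path, findings in review_listing(SAMPLE).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run against a real Perms.txt by passing the file's contents to `review_listing`; the first sample entry reproduces the situation in this thread, where the Desktop folder carries only Users, SYSTEM and Administrators entries and the profile user herself does not appear.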


#15 zertz07

zertz07
  • Topic Starter

  • Members
  • 49 posts
  • Local time:12:01 PM

Posted 21 January 2012 - 10:03 PM

Hello again,

I ran GrantPerms again as instructed and then rebooted the computer. Her account loaded much quicker with no message about access. Shortcuts also reappeared on the desktop. It still takes 5+ minutes for IE to open and there is still the fake securities window. Yay for more improvement!

After checking her user account, I then ran the OTL scan. Here are the logs:

GrantPerms by Farbar
Ran by Lani (administrator) at 2012-01-21 18:14:47

===============================================
\\?\c:\\Documents and Settings\Autumn\Desktop

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)

****************


OTL logfile created on: 1/21/2012 6:37:57 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Lani\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.30 Gb Available Physical Memory | 65.46% Memory free
3.84 Gb Paging File | 3.17 Gb Available in Paging File | 82.55% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 30.69 Gb Free Space | 41.19% Space Free | Partition Type: NTFS

Computer Name: LANI-C42253C1B9 | User Name: Lani | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/21 18:37:29 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lani\Desktop\OTL.exe
PRC - [2012/01/19 10:41:51 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2010/12/15 18:20:28 | 000,689,464 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\TELUS\TELUS security advisor\ServicepointService.exe
PRC - [2010/12/15 18:20:22 | 004,318,520 | ---- | M] (TELUS) -- C:\Program Files\TELUS\TELUS security advisor\Tsa.exe
PRC - [2010/12/15 18:20:22 | 000,488,760 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\TELUS\TELUS security advisor\TsaComHandler.exe
PRC - [2010/06/02 18:05:48 | 000,166,944 | ---- | M] (TELUS) -- C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
PRC - [2010/06/02 18:05:46 | 000,650,008 | ---- | M] (TELUS) -- C:\Program Files\TELUS\TELUS security services\RPS.exe
PRC - [2010/06/02 18:04:48 | 000,382,208 | ---- | M] (TELUS) -- C:\Program Files\TELUS\TELUS security services\Fws.exe
PRC - [2009/11/02 16:26:48 | 005,832,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/08 23:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2001/11/29 17:10:28 | 000,045,056 | ---- | M] ( ) -- C:\WINDOWS\system32\slserv.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/06 14:29:52 | 000,056,224 | ---- | M] () -- \\?\C:\Program Files\TELUS\TELUS security services\BitDefender\BDCoreEngines\BDCoreSet2\avxdisk.dll
MOD - [2011/11/01 23:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/11/01 23:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/12/15 18:11:34 | 000,158,208 | ---- | M] () -- C:\Program Files\TELUS\TELUS security advisor\Windows7Features.dll
MOD - [2009/11/06 12:53:08 | 000,202,752 | ---- | M] () -- C:\Program Files\TELUS\TELUS security services\BitDefender\smartscn.dll
MOD - [2009/11/02 16:26:48 | 000,077,824 | ---- | M] () -- C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\bin\boost_log-vc71-mt-1_32.dll
MOD - [2009/11/02 16:26:48 | 000,057,344 | ---- | M] () -- C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\bin\boost_thread-vc71-mt-1_32.dll
MOD - [2009/10/23 14:25:54 | 000,225,280 | ---- | M] () -- C:\Program Files\TELUS\TELUS security services\BitDefender\bdfltlib.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2012/01/19 10:41:51 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/12/06 14:15:37 | 000,315,392 | ---- | M] (S.C. BitDefender S.R.L) [On_Demand | Stopped] -- C:\Program Files\TELUS\TELUS security services\BitDefender\scan.dll -- (scan)
SRV - [2010/12/15 18:20:28 | 000,689,464 | ---- | M] (Radialpoint Inc.) [Auto | Running] -- C:\Program Files\TELUS\TELUS security advisor\ServicepointService.exe -- (ServicepointService)
SRV - [2010/06/02 18:05:48 | 000,166,944 | ---- | M] (TELUS) [Auto | Running] -- C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe -- (Radialpoint Security Services)
SRV - [2010/06/02 18:04:48 | 000,382,208 | ---- | M] (TELUS) [Auto | Running] -- C:\Program Files\TELUS\TELUS security services\Fws.exe -- (RP_FWS)
SRV - [2009/11/02 16:26:48 | 005,832,712 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe -- (RadialpointIDSAgent)
SRV - [2009/06/08 12:07:50 | 001,033,480 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe -- (PDEngine)
SRV - [2009/06/08 12:07:48 | 000,931,080 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe -- (PDAgent)
SRV - [2007/08/08 23:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2001/11/29 17:10:28 | 000,045,056 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)


========== Driver Services (SafeList) ==========

DRV - [2011/12/06 13:58:23 | 000,053,192 | ---- | M] (Radialpoint Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - [2010/06/03 20:30:46 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/06/03 20:30:40 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/04/28 06:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/11/26 10:50:32 | 000,039,808 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Running] -- C:\Program Files\TELUS\TELUS security services\BitDefender\trufos.sys -- (Trufos)
DRV - [2009/11/26 10:50:32 | 000,014,720 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Running] -- C:\Program Files\TELUS\TELUS security services\BitDefender\profos.sys -- (Profos)
DRV - [2009/11/02 16:27:02 | 000,122,376 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys -- (RadialpointIDSDriver)
DRV - [2009/11/02 16:27:02 | 000,030,216 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys -- (RadialpointIDSFilter)
DRV - [2009/11/02 16:27:02 | 000,025,736 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys -- (RadialpointIDSShim)
DRV - [2009/11/02 16:27:02 | 000,025,608 | ---- | M] (AVG Technologies ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys -- (RadialpointIDSEH)
DRV - [2009/10/23 14:25:54 | 000,285,704 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\bdfsfltr.sys -- (bdfsfltr)
DRV - [2009/06/08 10:00:56 | 000,071,696 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\DefragFs.sys -- (DefragFS)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2001/12/05 15:48:12 | 000,322,948 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr)
DRV - [2001/11/29 17:10:32 | 001,432,836 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\v90drv.sys -- (V90drv)
DRV - [2001/11/29 17:10:28 | 000,033,028 | ---- | M] (Vireo Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)
DRV - [2001/11/29 17:10:26 | 000,175,160 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)
DRV - [2001/11/29 17:10:20 | 000,607,732 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax)
DRV - [2001/11/29 17:10:18 | 002,383,460 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)
DRV - [2001/11/29 17:10:14 | 000,172,708 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2000/04/24 22:01:16 | 000,035,694 | ---- | M] (CATC (Computer Access Technology Corp.)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\netmate2.sys -- (NetMate2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1644491937-963894560-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1644491937-963894560-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1644491937-963894560-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9E FE 99 C9 9C 91 CA 01 [binary data]
IE - HKU\S-1-5-21-1644491937-963894560-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1644491937-963894560-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@radialpoint.com/SPA,version=1: C:\Program Files\TELUS\TELUS security advisor\nprpspa.dll (TELUS)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Lani\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{B54EF6F1-8089-4FBD-8E80-D84A6507F4D2}: C:\Documents and Settings\Lani\Local Settings\Application Data\{B54EF6F1-8089-4FBD-8E80-D84A6507F4D2} [2010/08/14 17:45:06 | 000,000,000 | ---D | M]

[2009/10/23 12:12:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lani\Application Data\Mozilla\Extensions
[2009/10/23 12:12:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lani\Application Data\Mozilla\Extensions\mozswing@mozswing.org

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.210.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U21 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\iTunes\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\iTunes\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\iTunes\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\iTunes\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\iTunes\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\iTunes\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\iTunes\plugins\npqtplugin7.dll
CHR - plugin: Facebook Plugin (Enabled) = C:\Documents and Settings\Lani\Application Data\Facebook\npfbplugin_1_0_3.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: TELUS security advisor (Enabled) = C:\Program Files\TELUS\TELUS security advisor\nprpspa.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Gmail = C:\Documents and Settings\Lani\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/01/19 13:57:44 | 000,439,213 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 15127 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-1644491937-963894560-682003330-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Tsa.exe] C:\Program Files\TELUS\TELUS security advisor\Tsa.exe (TELUS)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1644491937-963894560-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1644491937-963894560-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1644491937-963894560-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1644491937-963894560-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} http://equickplace.sd91.bc.ca/qp2.cab (QuickPlace Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} http://www.acclaim.com/cabs/acclaim_v5.cab (GameLauncher Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} http://costco.pnimedia.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} https://secure.gopetslive.com/dev/GoPetsWeb.cab (GoPetsWeb Control)
O16 - DPF: CabBuilder http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6FFD4EED-4620-4124-923B-7B276FAC9D37}: DhcpNameServer = 192.168.1.254 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Lani\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lani\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/06 17:25:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe)
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/21 18:37:25 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lani\Desktop\OTL.exe
[2012/01/19 12:17:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lani\Local Settings\Application Data\Sun
[2012/01/19 10:46:47 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/19 10:42:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/01/19 10:29:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Sun
[2012/01/17 17:47:40 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/01/17 15:21:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/01/17 15:16:54 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/17 15:16:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/17 15:16:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/17 15:16:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/17 15:16:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/17 15:16:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/17 15:14:16 | 004,386,439 | R--- | C] (Swearware) -- C:\Documents and Settings\Lani\Desktop\ComboFix.exe
[2012/01/13 13:22:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lani\Desktop\Bleeping Computer files
[2012/01/07 16:08:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Lani\My Documents\My Videos
[2012/01/07 13:40:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\pics
[2009/05/18 12:33:12 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Lani\Application Data\pcouffin.sys
[2009/03/06 17:51:52 | 000,045,056 | ---- | C] ( ) -- C:\WINDOWS\System32\slserv.exe
[2009/03/06 17:40:29 | 000,175,160 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2001/11/29 17:10:32 | 001,432,836 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\v90drv.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/21 18:37:29 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lani\Desktop\OTL.exe
[2012/01/21 18:34:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/21 18:33:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-963894560-682003330-1007UA.job
[2012/01/21 18:33:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-963894560-682003330-1007Core.job
[2012/01/21 18:32:36 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/21 18:29:33 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-963894560-682003330-1004UA.job
[2012/01/21 18:29:33 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-963894560-682003330-1004Core.job
[2012/01/21 18:17:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/21 16:41:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/01/21 15:49:47 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B968E50E-1E46-4586-9146-56A9C1664B89}.job
[2012/01/21 13:37:44 | 000,150,392 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
[2012/01/21 08:44:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/19 13:57:44 | 000,439,213 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/01/17 15:45:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120119-135744.backup
[2012/01/17 15:21:25 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/01/17 15:14:33 | 004,386,439 | R--- | M] (Swearware) -- C:\Documents and Settings\Lani\Desktop\ComboFix.exe
[2012/01/12 16:01:53 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/12 15:54:29 | 000,444,674 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/12 15:54:29 | 000,072,756 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/07 16:01:58 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Lani\defogger_reenable
[2012/01/06 18:31:39 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Lani\Desktop\Google Chrome.lnk
[2012/01/06 18:31:39 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Lani\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/17 15:21:25 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/01/17 15:21:22 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/01/17 15:16:54 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/17 15:16:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/17 15:16:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/17 15:16:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/17 15:16:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/07 16:01:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Lani\defogger_reenable
[2011/12/21 22:11:56 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/11/22 22:32:33 | 000,194,512 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/11/08 20:52:13 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/08/31 07:03:38 | 000,611,840 | ---- | C] () -- C:\WINDOWS\System32\DVD43.dll
[2010/11/11 17:01:22 | 000,112,897 | ---- | C] () -- C:\WINDOWS\hpoins07.dat
[2010/11/11 17:01:22 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat
[2010/11/05 20:18:24 | 000,003,900 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2010/08/31 07:32:17 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/08/10 11:33:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Isitu.bin
[2010/08/10 11:33:50 | 000,001,098 | ---- | C] () -- C:\WINDOWS\Rpalaga.dat
[2010/05/25 14:57:54 | 000,000,096 | ---- | C] () -- C:\WINDOWS\Simply.ini
[2010/04/30 10:46:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2010/04/22 19:58:24 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2010/04/07 20:22:03 | 000,069,480 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/22 11:33:55 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/12/17 21:21:13 | 000,002,825 | ---- | C] () -- C:\WINDOWS\RBuilder.ini
[2009/12/09 13:40:20 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/10/21 14:20:08 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen_x86.sys
[2009/05/18 13:33:51 | 000,004,473 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/05/18 12:33:12 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Lani\Application Data\inst.exe
[2009/05/18 12:33:12 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Lani\Application Data\pcouffin.cat
[2009/05/18 12:33:12 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Lani\Application Data\pcouffin.inf
[2009/05/06 12:13:42 | 000,000,352 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2009/04/11 15:47:04 | 000,001,100 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/11 15:40:25 | 000,044,918 | ---- | C] () -- C:\Documents and Settings\Lani\Application Data\wklnhst.dat
[2009/03/13 05:59:24 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/10 18:27:23 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Lani\Local Settings\Application Data\fusioncache.dat
[2009/03/10 18:25:50 | 000,112,824 | ---- | C] () -- C:\WINDOWS\hpoins07.dat.temp
[2009/03/10 18:25:49 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat.temp
[2009/03/10 18:20:53 | 000,071,216 | ---- | C] () -- C:\WINDOWS\hpqins09.dat
[2009/03/10 18:20:38 | 000,070,789 | ---- | C] () -- C:\WINDOWS\hpqins05.dat
[2009/03/10 18:20:07 | 000,070,721 | ---- | C] () -- C:\WINDOWS\hpqins01.dat
[2009/03/10 17:52:12 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/03/10 17:44:09 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2009/03/06 19:11:58 | 000,086,528 | ---- | C] () -- C:\Documents and Settings\Lani\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/06 18:25:09 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2009/03/06 18:07:18 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/03/06 17:51:52 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
[2009/03/06 17:40:33 | 000,172,708 | ---- | C] () -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2009/03/06 17:40:32 | 002,383,460 | ---- | C] () -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2009/03/06 17:40:31 | 000,607,732 | ---- | C] () -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2009/03/06 17:40:29 | 000,322,948 | ---- | C] () -- C:\WINDOWS\System32\drivers\slntamr.sys
[2009/03/06 17:27:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/03/06 17:23:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/03/06 09:18:17 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/06 09:16:48 | 000,324,320 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/09/11 10:41:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\form133RegionData.dat
[2005/03/22 12:48:43 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 12:48:43 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 04:00:00 | 000,444,674 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 04:00:00 | 000,072,756 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 04:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/11/29 17:10:36 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\amr_cpl.dll
[2001/11/29 17:10:30 | 000,073,728 | ---- | C] () -- C:\WINDOWS\smcfg.exe
[2001/11/29 17:10:26 | 000,425,984 | ---- | C] () -- C:\WINDOWS\sllights.exe
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/10/11 20:04:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2009/12/22 11:33:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2010/09/15 11:17:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fighters
[2010/08/31 08:18:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2009/05/18 14:59:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/04/15 08:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2011/10/24 14:28:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Radialpoint
[2010/12/16 19:59:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ReviverSoft
[2009/12/22 11:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
[2011/12/06 13:13:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TELUS
[2009/07/19 08:38:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2009/03/13 13:31:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/12/05 13:22:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/12/21 09:11:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/11 10:43:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
[2009/05/07 18:22:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2011/12/19 13:43:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\705CE
[2011/11/04 17:13:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\A706E
[2011/12/20 09:01:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\CE698
[2011/12/19 13:50:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\DD8A7
[2011/05/31 07:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\FrostWire
[2011/12/06 19:04:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\TELUS
[2011/12/10 20:18:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\Unity
[2010/08/30 00:56:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\1E571B0725C282B6C78F95297A3F2AB3
[2011/12/09 13:36:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\705CE
[2009/10/11 20:13:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\Azureus
[2011/12/06 14:40:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\DD8A7
[2010/03/09 14:46:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\Facebook
[2011/11/05 17:52:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\FrostWire
[2011/12/08 12:49:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\Image Zone Express
[2010/01/09 18:17:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\MSNInstaller
[2009/08/01 12:53:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\SpinTop Games
[2011/12/06 13:44:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\TELUS
[2010/12/01 14:44:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\Vso
[2011/12/06 15:15:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\705CE
[2011/12/06 15:15:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\A706E
[2011/12/06 15:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\CE698
[2011/12/06 15:20:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\DD8A7
[2011/07/28 10:29:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\FrostWire
[2011/08/03 16:23:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Image Zone Express
[2010/12/16 19:58:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\OpenCandy
[2011/12/09 17:34:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\TELUS
[2012/01/21 15:49:47 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{B968E50E-1E46-4586-9146-56A9C1664B89}.job

========== Purity Check ==========



< End of report >

:)
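An added example, not part of the original post and not OTL's own code: a small Python script that reads OTL output in the format shown above and pulls out the two things a helper usually checks first in a log like this, namely O-lines whose registered object no longer has a backing file or CLSID ("File not found", "No CLSID value found", "Reg Error"), and Application Data folders with random-looking hex names that turn up under more than one user profile (705CE, DD8A7 and similar in the LOP Check). Both are review prompts, not verdicts: dangling BHO and toolbar entries are often uninstall leftovers, and a hex-only folder name is only a heuristic. The sample input is a handful of lines copied from the log above; the profile-path pattern assumes the Windows XP "Documents and Settings" layout the log shows.

```python
import re
from collections import defaultdict

# Sample lines copied from the OTL log posted above; the rest of the log
# parses the same way and is left out to keep the example short.
SAMPLE_LOG = r"""
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
[2012/01/21 18:37:25 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lani\Desktop\OTL.exe
[2011/12/19 13:43:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\705CE
[2011/05/31 07:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Autumn\Application Data\FrostWire
[2011/12/09 13:36:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lani\Application Data\705CE
[2011/12/06 15:15:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\705CE
[2011/12/06 15:20:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\DD8A7
"""

# One OTL file/folder entry: [date time | size | attrs | C or M] (company) -- path
# The (company) part is absent on LOP Check lines, so it is optional here.
FILE_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# Per-user Application Data folder in the Windows XP profile layout (assumption: XP paths only)
XP_APPDATA = re.compile(r"^C:\\Documents and Settings\\([^\\]+)\\Application Data\\([^\\]+)$")
# Leaf names made only of hex digits, like the 705CE / DD8A7 folders in the log
HEX_LEAF = re.compile(r"^[0-9A-Fa-f]{4,}$")
# Markers OTL prints when a registered object has no backing file or CLSID
DANGLING = ("File not found", "No CLSID value found", "Reg Error")


def parse_file_entries(log_text):
    """Return the [date | size | attrs | kind] entries as dicts, size as an int."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_ENTRY.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entries.append(entry)
    return entries


def dangling_registrations(log_text):
    """O-lines (BHO, toolbar, DPF, ...) whose target no longer exists.
    Usually uninstall leftovers, but a CLSID with no backing file is also what a
    half-removed add-on looks like, so these are listed for review."""
    found = []
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("O") and any(marker in stripped for marker in DANGLING):
            found.append(stripped)
    return found


def appdata_dirs_by_leaf(log_text):
    """Map each Application Data folder name to the set of user profiles that have it."""
    profiles = defaultdict(set)
    for entry in parse_file_entries(log_text):
        m = XP_APPDATA.match(entry["path"])
        if m and entry["attrs"].endswith("D"):  # directories only
            user, leaf = m.groups()
            profiles[leaf].add(user)
    return profiles


def shared_random_appdata(log_text, min_profiles=2):
    """Hex-named AppData folders present under at least min_profiles users.
    Legitimate software names its folder after itself; the same random-looking
    name in several profiles is worth inspecting by hand."""
    return {leaf: users for leaf, users in appdata_dirs_by_leaf(log_text).items()
            if HEX_LEAF.match(leaf) and len(users) >= min_profiles}


if __name__ == "__main__":
    for line in dangling_registrations(SAMPLE_LOG):
        print("DANGLING:", line)
    for leaf, users in sorted(shared_random_appdata(SAMPLE_LOG).items()):
        print("REVIEW  :", leaf, "in profiles", sorted(users))
```

Run against the full log, the same two functions would also list the AVG, toolbar and DPF leftovers in the O2/O3/O16 sections and report 705CE as present under Autumn, Lani and Luke; DD8A7 only counts once it is seen under a second profile, which it is in the full LOP Check but not in the shortened sample.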