WinXP with suspected ZeroAccess rootkit


  • This topic is locked
18 replies to this topic

#1 utrrrongeeb

utrrrongeeb

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:02 AM

Posted 05 August 2012 - 08:31 AM

A poorly secured Windows XP desktop has recently been running a rootkit, which has redirected Google search results and generated large volumes of clickfraud-style traffic. I don't have any Windows malware removal experience, being more of a GNU/Linux user, so I'm asking for assistance with this.


This computer has suffered a history of slack security practices, and been used by several family members with Administrator accounts. It's been running Windows XP Home Edition [32-bit] for the last seven years. From the factory it had SP2, and it was manually upgraded to SP3 a few years ago. Hardware-wise, it's a Dell with a Pentium 4, and had a graphics-card upgrade to an NVIDIA 9500GT in the last couple years.
Originally it had Norton security software, but that was replaced with Trend Micro after it expired. We disabled parts of Trend Micro due to its detrimental effect on the dial-up internet connection we had at the time. ClamWin virus scanner was installed and used on some file downloads, often alongside Trend Micro's scanner, but neither scanned internet traffic or email. Windows Firewall and Windows Update were disabled early on, but for the past few years it's been behind a LAN router.


In the last few weeks, Google search results have been inconsistently redirected to unrelated ad sites. System slowness had been taken for granted. I investigated the ad redirects with Wireshark, and slowly realized the massive volumes of browser-independent ad-related traffic to fileannex.com and gourmandia.com were signs of a more serious problem than I'd expected.

In an initial attempt to remove the problem, Trend Micro and ClamWin were removed, and the free edition of Avira was installed. It reported that malware "TR/ATRAPS.Gen2" was found in "C:\WINDOWS\Installer\...\80000032.@", but that "Access to this file was denied." Its attempts to remove the file were ambiguously unsuccessful, and its scanner progress crashed occasionally.

I don't know where it came from; as far as I know there's no history of surfing high-risk websites.


Based on searches for the symptoms, I'm assuming it's a rootkit of some sort, providing Google redirects and botnet clickfraud at the very least. I tried TDSSkiller [in non-safe mode], but it didn't seem to detect a problem. I'm strongly suspecting ZeroAccess, but I don't know enough about contemporary malware to prove it; please let me know if you think I should try various vendors' ZeroAccess removers before coming back.


With the network cable unplugged, I've been following the preparation guide.
-Windows XP Firewall could not be enabled -- apparently the Security Center service wasn't running, and oddly enough there was no sign of it in services.msc.
-Defogger seemed to run successfully.
-DDS seemed to run successfully.
-GMER had to run overnight [the hard drive is nearly full; the machine is slated for replacement before long anyway]. Come morning, there was a BSoD -- "*** STOP: 0x0000008E (0xC0000005,0x8057489D,0x961F2AD0,0x00000000)". Upon reboot, the error signature was BCCode: 1000008e, BCP1: C0000005, BCP2: 8057489D, BCP3: 961F2AD0, BCP4: 00000000, OSver: 5_1_2600, SP: 3_0, Product: 768_1.
GMER was partially rerun, before being stopped to avoid wasting time or crashing/getting-killed again. I think Ark.txt has most of the output it had the previous night.



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Chris at 14:43:34 on 2012-08-04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.2039.1532 [GMT -3:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com
uDefault_Page_URL = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS03-026_RPC_DCOM_EXPLOIT
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [KeePass 2 PreLoad] "c:\art4\bin\keepass\KeePass.exe" --preload
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\norten~1.lnk - c:\art4\dev\java\progs\MDBugger.jar
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Download all with Free Download Manager - file://c:\art4\bin\fdm\dlall.htm
IE: Download selected with Free Download Manager - file://c:\art4\bin\fdm\dlselected.htm
IE: Download with Free Download Manager - file://c:\art4\bin\fdm\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\zn04asd2.chris\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com/
FF - plugin: c:\mozillafirefox3\plugins\npdeployJava1.dll
FF - plugin: c:\mozillafirefox3\plugins\npqtplugin8.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-7-29 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-7-29 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-7-29 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-7-29 83392]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-10-17 10384]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-12 2253120]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 40720]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-6-17 10384]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-20 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-24 250056]
S3 DBGV;DBGV;\??\c:\art4\bin\analysys\sniff-bin-98-1.5\dbgv.sys --> c:\art4\bin\analysys\sniff-bin-98-1.5\DBGV.SYS [?]
S3 Ext2Fsd;Linux ext2 File system driver;c:\windows\system32\drivers\ext2fsd.sys [2005-6-18 610944]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-20 136176]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [2010-2-19 27904]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [2010-2-19 1208448]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [2010-2-19 1200768]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 113120]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 padenum;Enumerador de dispositivos de NTPAD;c:\windows\system32\drivers\padenum.sys --> c:\windows\system32\drivers\padenum.sys [?]
S3 VendorJoystickEnabler;Driver para joystick paralelo de consola;c:\windows\system32\drivers\ntpad.sys --> c:\windows\system32\drivers\ntpad.sys [?]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
.
=============== Created Last 30 ================
.
2012-07-29 14:26:49 -------- d-----w- c:\documents and settings\chris\application data\Avira
2012-07-29 13:53:46 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-29 13:53:46 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-29 13:53:21 -------- d-----w- c:\program files\Avira
2012-07-29 13:53:21 -------- d-----w- c:\documents and settings\all users\application data\Avira
.
==================== Find3M ====================
.
2012-07-27 20:50:16 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-27 20:50:16 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 18:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 18:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 18:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 18:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 18:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2009-04-05 15:39:31 7680 ----a-w- c:\program files\EjectCD.exe
2006-10-22 13:26:43 1663036 ----a-w- c:\program files\LineRider_beta.exe
2006-09-13 09:21:52 2567672 ----a-w- c:\program files\Wimpy FLV Player.exe
2003-08-27 17:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 14:45:03.45 ===============
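The thread's logs carry three indicators worth pulling out automatically when triaging a machine like this: the files under a `C:\Windows\Installer\{GUID}` folder using the `@`, `n`, `U\xxxxxxxx.@` and `L\xxxxxxxx` layout (the path Avira could not remove, and the paths ComboFix later deletes), the Security Check line reporting that the Security Center service is not running, and the `AntiVirusOverride` registry value set to 1. The script below is an added example, not code from the thread, from DDS, ComboFix or Security Check; the regular expressions are my own approximation of those log formats, the GUID in the sample is a constructed placeholder, and the sample log lines are constructed from the kinds of lines the thread shows. The first sample line is deliberately a normal MSI cache entry, since `C:\Windows\Installer\{GUID}` is also where legitimate installer caches live and the folder alone proves nothing.

```python
"""Triage helper for DDS / ComboFix / Security Check style logs.

Added example, not part of the BleepingComputer thread or of the tools it
mentions. It flags three indicator classes that the thread's own logs show:
  1. files inside a Windows Installer {GUID} folder using the "@", "n",
     "U\\xxxxxxxx.@" and "L\\xxxxxxxx" layout listed under ComboFix's deletions,
  2. the Security Check line reporting the Security Center service down,
  3. the "AntiVirusOverride" registry value set to 1.
"""
import re
from collections import Counter
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    line_no: int      # 1-based index into the log
    category: str     # short tag for the indicator class
    detail: str       # the offending log line, stripped


# Legitimate MSI caches also live under C:\Windows\Installer\{GUID}\, so the
# indicator is the unusual layout, not the folder itself: a bare "@" or "n"
# file, or "U\" / "L\" subfolders holding 8-hex-digit names with optional ".@".
INSTALLER_STORE = re.compile(
    r"\\windows\\installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
    r"\\(?:@|n|[ul]\\[0-9a-f]{8}(?:\.@)?)\s*$",
    re.IGNORECASE,
)
SECURITY_CENTER_DOWN = re.compile(
    r"Windows Security Center service is not running", re.IGNORECASE
)
AV_OVERRIDE = re.compile(r'"AntiVirusOverride"\s*=\s*dword:0*1\s*$', re.IGNORECASE)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line that matches an indicator."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if INSTALLER_STORE.search(line):
            findings.append(Finding(n, "installer-store", line.strip()))
        elif SECURITY_CENTER_DOWN.search(line):
            findings.append(Finding(n, "security-center-down", line.strip()))
        elif AV_OVERRIDE.search(line):
            findings.append(Finding(n, "av-override", line.strip()))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per category; an empty dict means nothing was flagged."""
    return dict(Counter(f.category for f in findings))


# Constructed sample log. The GUID is a placeholder, not the one in the thread;
# the ARPPRODUCTICON.exe line is a normal MSI cache entry and must NOT be flagged.
SAMPLE_LOG = """\
c:\\windows\\Installer\\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\\ARPPRODUCTICON.exe
c:\\windows\\Installer\\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\\@
c:\\windows\\Installer\\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\\n
c:\\windows\\Installer\\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\\L\\1afb2d56
c:\\windows\\Installer\\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\\U\\80000032.@
Windows Security Center service is not running! This report may not be accurate!
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
c:\\windows\\system32\\drivers\\avgntflt.sys
""".splitlines()


def sample_findings() -> List[Finding]:
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"line {f.line_no:>3}  {f.category:<21} {f.detail}")
    print(summarize(sample_findings()))
```

Run it against a real DDS or ComboFix log by passing the file's lines to `triage()`; a non-empty `installer-store` count together with the Security Center service missing is the combination the thread's logs exhibit, and it is the reason the tools Gringo asks for next are run in a fixed order rather than on an ad hoc basis.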


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:02 AM

Posted 07 August 2012 - 02:53 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 utrrrongeeb

utrrrongeeb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:02 AM

Posted 07 August 2012 - 08:58 PM

Gringo,
Thanks for the quick response!

I've followed your instructions as well as I reasonably could. Document backups were updated shortly after the rootkit was discovered. Since the infected machine dual-boots with Debian GNU/Linux, I've had no trouble getting files on or off of it.

Security Check seemed to run successfully, except for one error dialog, titled "netsh.exe - Entry Point Not Found" with the message "The procedure entry point MigrateWinsockConfiguration could not be located in the dynamic link library MSWSOCK.dll".
Its log, checkup.txt, is below:

Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Avira Free Antivirus
`````````Anti-malware/Other Utilities Check:`````````
Java Media Framework 2.1.1e
Java™ 6 Update 31
Java™ SE Runtime Environment 6
Java™ SE Development Kit 6
Java 3D 1.3.1 (OpenGL) SDK
Java version out of Date!
Adobe Flash Player 11.3.300.268
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 13.0.1 Firefox out of Date!
Mozilla Thunderbird (14.0.)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 24% Defragment your hard drive soon!
````````````````````End of Log`````````````````````` s





Avira antivirus was uninstalled from the Add/Remove Programs control panel applet. Combofix was installed successfully. During installation (if I remember correctly), the taskbar/start menu switched to the Windows 95 theme, and disappeared entirely for most of the ComboFix run; I'm assuming that was intentional.
The System Restore Point creation step seemed disproportionately slow, but it did complete.
Windows Recovery Console was not previously installed. After some time fiddling with the connection (turns out it was the router/modem, not Windows or ZeroAccess), it was downloaded and installed successfully.
ComboFix ran for an additional 22 minutes or so, and was uninterrupted. No registry key deletion errors appeared; I'm not sure if that's a good sign.
The ComboFix log, C:\ComboFix.txt, is below:




ComboFix 12-08-07.03 - Chris 07/08/2012 21:53:54.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.2039.1602 [GMT -3:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\All Users\Application Data\DragToDiscUserNameF.txt
c:\documents and settings\Art III\WINDOWS
c:\documents and settings\Art IV\tmp42038.tmp
c:\documents and settings\Art IV\WINDOWS
c:\documents and settings\Chris\WINDOWS
c:\documents and settings\Liese\WINDOWS
c:\documents and settings\Paul\Paul's graphics .dss
c:\documents and settings\Paul\WINDOWS
c:\windows\~GLC0000.TMP
c:\windows\~GLC0001.TMP
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\@
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\L\00000004.@
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\L\1afb2d56
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\L\201d3dde
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\n
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\00000004.@
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\00000008.@
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\000000cb.@
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\80000000.@
c:\windows\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\80000032.@
c:\windows\system32\AcroIEHelper.dll
c:\windows\system32\setb0.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\FUSION.DLL
c:\windows\system32\URTTemp\MSCOREE.DLL
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\MSCORSN.DLL
c:\windows\system32\URTTemp\MSCORWKS.DLL
c:\windows\system32\URTTemp\MSVCR71.DLL
c:\windows\system32\URTTemp\REGTLIB.EXE
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-27 20:50 . 2012-04-24 17:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-27 20:50 . 2011-05-19 14:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2004-08-04 11:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2009-03-31 18:24 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 11:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 18:19 . 2009-08-06 22:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 18:19 . 2009-08-06 22:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 18:19 . 2004-08-04 11:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 18:19 . 2004-08-04 11:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 18:19 . 2004-08-04 11:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 18:19 . 2009-08-06 22:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 18:19 . 2009-08-06 22:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 18:19 . 2004-08-04 11:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 18:19 . 2004-08-04 11:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 18:19 . 2004-08-04 11:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 18:19 . 2009-08-06 22:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 18:19 . 2004-08-04 11:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 18:19 . 2004-08-04 11:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 11:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec
2009-04-05 15:39 . 2009-04-05 00:06 7680 ----a-w- c:\program files\EjectCD.exe
2006-10-22 13:26 . 2006-10-22 13:18 1663036 ----a-w- c:\program files\LineRider_beta.exe
2006-09-13 09:21 . 2008-03-27 23:07 2567672 ----a-w- c:\program files\Wimpy FLV Player.exe
2003-08-27 17:19 . 2005-09-29 22:49 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"KeePass 2 PreLoad"="c:\art4\bin\KeePass\KeePass.exe" [2011-01-02 1670656]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\Frank\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [N/A]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
c:\documents and settings\Chris\Start Menu\Programs\Startup\
Norten control.lnk - c:\art4\dev\Java\progs\MDBugger.jar [2005-6-12 1821]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-10-17 813584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 15:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-03-17 06:14 40960 ----a-w- c:\program files\Dell\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 05:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P3000x_S2P]
2004-10-27 06:44 57344 ------w- c:\program files\Dell\Dell Laser MFP 1600n\PSU\ScanToPc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-03-17 05:59 57393 ----a-w- c:\program files\Dell\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-03-31 23:50 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MySQL"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/10/2010 7:17 PM 10384]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/05/2011 10:35 PM 2253120]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\SYSTEM32\DRIVERS\LEqdUsb.sys [17/06/2009 1:55 PM 40720]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\SYSTEM32\DRIVERS\LHidEqd.sys [17/06/2009 1:55 PM 10384]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\SYSTEM32\DRIVERS\nvoclock.sys [15/09/2009 2:59 PM 38248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/06/2010 9:04 AM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe [24/04/2012 2:46 PM 250056]
S3 DBGV;DBGV;\??\c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS --> c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS [?]
S3 Ext2Fsd;Linux ext2 File system driver;c:\windows\SYSTEM32\DRIVERS\ext2fsd.sys [18/06/2005 6:44 AM 610944]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/06/2010 9:04 AM 136176]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\SYSTEM32\DRIVERS\hcw72ADFilter.sys [19/02/2010 8:02 PM 27904]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\SYSTEM32\DRIVERS\hcw72ATV.sys [19/02/2010 8:02 PM 1208448]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\SYSTEM32\DRIVERS\hcw72DTV.sys [19/02/2010 8:02 PM 1200768]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [25/04/2012 8:43 AM 113120]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [06/11/2007 5:22 PM 34064]
S3 padenum;Enumerador de dispositivos de NTPAD;c:\windows\system32\DRIVERS\padenum.sys --> c:\windows\system32\DRIVERS\padenum.sys [?]
S3 VendorJoystickEnabler;Driver para joystick paralelo de consola;c:\windows\system32\drivers\ntpad.sys --> c:\windows\system32\drivers\ntpad.sys [?]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 4:47 AM 98304]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 3:40 AM 118784]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 20:50]
.
2012-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:34]
.
2012-07-28 c:\windows\Tasks\dailystrips-art4.job
- c:\art4\bin\Perl\bin\perl.exe [2004-12-13 12:52]
.
2012-08-08 c:\windows\Tasks\dailystrips-chris.job
- c:\art4\bin\Perl\bin\perl.exe [2004-12-13 12:52]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 12:04]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 12:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS03-026_RPC_DCOM_EXPLOIT
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\art4\bin\FDM\dlall.htm
IE: Download selected with Free Download Manager - file://c:\art4\bin\FDM\dlselected.htm
IE: Download with Free Download Manager - file://c:\art4\bin\FDM\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
TCP: Interfaces\{5F07C05B-BD5E-43E4-AA44-0C47C157B253}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\zn04asd2.Chris\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-BackupExecScheduler - BESCH.EXE
MSConfigStartUp-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
MSConfigStartUp-Iomega Automatic Backup Pro - c:\program files\Iomega\Automatic Backup Pro\LiveSystem.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_02\bin\jusched.exe
AddRemove-BZFEdit1.6.5 - c:\art4\bin\BZEdit\uninstall.exe
AddRemove-Ext2Fsd_is1 - c:\art4\bin\ext2drv\unins000.exe
AddRemove-GnuPG - c:\art4\dev\html\projects\knoppix_get\tools\gpg\uninst-gnupg.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-07 22:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\art4\bin\MySQL\bin\mysqld MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2012-08-07 22:10:46
ComboFix-quarantined-files.txt 2012-08-08 01:10
.
Pre-Run: 2,616,750,080 bytes free
Post-Run: 10,515,111,936 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 932ED033602CB879D27D15326C0540AB
No other problems were reported by ComboFix. After restarting, I looked for any obvious symptoms of the infection. Several Google searches were tried; no redirects were observed [although due to the rootkit's inconsistency, this doesn't guarantee it's gone]. I looked at Wireshark fairly carefully, and no suspicious traffic was visible. Windows Firewall was enabled (no Security Center service problems) but not tested.
In summary, the computer looks tentatively disinfected, although further observation must be vigilant, security software needs to be installed, a large amount of junk software and data [visible in the logs] needs to be disabled/deleted, the cleaning tools need to be removed, and I should probably circulate some password-change directives.

The computer will remain out-of-use (Windows, at least) until cleared by your judgment, of course.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:02 AM

Posted 07 August 2012 - 09:17 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donate button. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 utrrrongeeb

utrrrongeeb
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:02 AM

Posted 08 August 2012 - 08:50 PM

Thanks for going over this so fast!

I ran TDSSKiller. It seemed to run correctly, and reported no problems. Its log is below:

07:42:03.0125 1564 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
07:42:03.0750 1564 ============================================================
07:42:03.0750 1564 Current date / time: 2012/08/08 07:42:03.0750
07:42:03.0750 1564 SystemInfo:
07:42:03.0750 1564
07:42:03.0750 1564 OS Version: 5.1.2600 ServicePack: 3.0
07:42:03.0750 1564 Product type: Workstation
07:42:03.0750 1564 ComputerName: MAIN
07:42:03.0750 1564 UserName: Chris
07:42:03.0750 1564 Windows directory: C:\WINDOWS
07:42:03.0750 1564 System windows directory: C:\WINDOWS
07:42:03.0750 1564 Processor architecture: Intel x86
07:42:03.0750 1564 Number of processors: 2
07:42:03.0750 1564 Page size: 0x1000
07:42:03.0750 1564 Boot type: Normal boot
07:42:03.0750 1564 ============================================================
07:42:05.0531 1564 Drive \Device\Harddisk0\DR0 - Size: 0x2540BE4000 (149.01 Gb), SectorSize: 0x200, Cylinders: 0x4BFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
07:42:05.0562 1564 Drive \Device\Harddisk1\DR1 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
07:42:05.0562 1564 Drive \Device\Harddisk3\DR10 - Size: 0x12A1F16200 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
07:42:05.0593 1564 ============================================================
07:42:05.0593 1564 \Device\Harddisk0\DR0:
07:42:05.0593 1564 MBR partitions:
07:42:05.0593 1564 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1B747, BlocksNum 0x122503C5
07:42:05.0593 1564 \Device\Harddisk1\DR1:
07:42:05.0593 1564 MBR partitions:
07:42:05.0593 1564 \Device\Harddisk1\DR1\Partition0: MBR, Type 0xC, StartLBA 0x3C00800, BlocksNum 0xA00000
07:42:05.0593 1564 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x4600800, BlocksNum 0x7450000
07:42:05.0593 1564 \Device\Harddisk3\DR10:
07:42:05.0593 1564 MBR partitions:
07:42:05.0593 1564 \Device\Harddisk3\DR10\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950E482
07:42:05.0593 1564 ============================================================
07:42:05.0640 1564 R: <-> \Device\Harddisk3\DR10\Partition0
07:42:05.0718 1564 C: <-> \Device\Harddisk0\DR0\Partition0
07:42:05.0734 1564 L: <-> \Device\Harddisk1\DR1\Partition0
07:42:05.0796 1564 ============================================================
07:42:05.0796 1564 Initialize success
07:42:05.0796 1564 ============================================================
07:42:15.0953 2356 ============================================================
07:42:15.0953 2356 Scan started
07:42:15.0953 2356 Mode: Manual;
07:42:15.0953 2356 ============================================================
07:42:16.0609 2356 6to4 (c07d5197410aab28d0d93f943f59656d) C:\WINDOWS\System32\6to4svc.dll
07:42:16.0625 2356 6to4 - ok
07:42:16.0671 2356 Abiosdsk - ok
07:42:16.0718 2356 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
07:42:16.0718 2356 abp480n5 - ok
07:42:16.0781 2356 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:42:16.0781 2356 ACPI - ok
07:42:16.0796 2356 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
07:42:16.0796 2356 ACPIEC - ok
07:42:16.0968 2356 AdobeActiveFileMonitor (e42f7b36b4d8866184e8df9776ca4226) C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
07:42:16.0984 2356 AdobeActiveFileMonitor - ok
07:42:17.0140 2356 AdobeFlashPlayerUpdateSvc (6c40d5ed8951ab7b90d08af655224ee4) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
07:42:17.0171 2356 AdobeFlashPlayerUpdateSvc - ok
07:42:17.0187 2356 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
07:42:17.0187 2356 adpu160m - ok
07:42:17.0250 2356 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
07:42:17.0265 2356 aec - ok
07:42:17.0312 2356 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
07:42:17.0328 2356 AFD - ok
07:42:17.0343 2356 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
07:42:17.0343 2356 agp440 - ok
07:42:17.0359 2356 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
07:42:17.0359 2356 agpCPQ - ok
07:42:17.0390 2356 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
07:42:17.0390 2356 Aha154x - ok
07:42:17.0390 2356 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
07:42:17.0390 2356 aic78u2 - ok
07:42:17.0406 2356 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
07:42:17.0406 2356 aic78xx - ok
07:42:17.0453 2356 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
07:42:17.0453 2356 Alerter - ok
07:42:17.0468 2356 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
07:42:17.0468 2356 ALG - ok
07:42:17.0484 2356 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
07:42:17.0484 2356 AliIde - ok
07:42:17.0500 2356 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
07:42:17.0515 2356 alim1541 - ok
07:42:17.0515 2356 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
07:42:17.0531 2356 amdagp - ok
07:42:17.0546 2356 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
07:42:17.0546 2356 amsint - ok
07:42:17.0687 2356 Apache2 (d21535b2b3e5c2fb35beba49d26bb6b0) C:\art4\bin\apache\apache2\bin\Apache.exe
07:42:17.0703 2356 Apache2 - ok
07:42:17.0843 2356 Apple Mobile Device (3debbecf665dcdde3a95d9b902010817) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
07:42:17.0859 2356 Apple Mobile Device - ok
07:42:17.0859 2356 AppMgmt - ok
07:42:17.0859 2356 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
07:42:17.0875 2356 asc - ok
07:42:17.0890 2356 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
07:42:17.0890 2356 asc3350p - ok
07:42:17.0906 2356 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
07:42:17.0906 2356 asc3550 - ok
07:42:18.0046 2356 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
07:42:18.0109 2356 aspnet_state - ok
07:42:18.0156 2356 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
07:42:18.0156 2356 AsyncMac - ok
07:42:18.0156 2356 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
07:42:18.0156 2356 atapi - ok
07:42:18.0171 2356 Atdisk - ok
07:42:18.0203 2356 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
07:42:18.0218 2356 Atmarpc - ok
07:42:18.0250 2356 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
07:42:18.0250 2356 AudioSrv - ok
07:42:18.0265 2356 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
07:42:18.0265 2356 audstub - ok
07:42:18.0296 2356 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
07:42:18.0296 2356 Beep - ok
07:42:18.0375 2356 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
07:42:18.0375 2356 Bonjour Service - ok
07:42:18.0390 2356 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
07:42:18.0406 2356 Browser - ok
07:42:18.0437 2356 bvrp_pci (c915a416f265149471d74e0815c928b2) C:\WINDOWS\system32\drivers\bvrp_pci.sys
07:42:18.0437 2356 bvrp_pci - ok
07:42:18.0562 2356 catchme - ok
07:42:18.0593 2356 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
07:42:18.0593 2356 cbidf - ok
07:42:18.0593 2356 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
07:42:18.0609 2356 cbidf2k - ok
07:42:18.0671 2356 CCALib8 (359e5a91d26d0439933bef1c29cedef7) C:\Program Files\Canon\CAL\CALMAIN.exe
07:42:18.0671 2356 CCALib8 - ok
07:42:18.0703 2356 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
07:42:18.0703 2356 CCDECODE - ok
07:42:18.0718 2356 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
07:42:18.0718 2356 cd20xrnt - ok
07:42:18.0734 2356 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
07:42:18.0734 2356 Cdaudio - ok
07:42:18.0750 2356 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
07:42:18.0750 2356 Cdfs - ok
07:42:18.0781 2356 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
07:42:18.0781 2356 cdrbsdrv - ok
07:42:18.0796 2356 cdrbsvsd - ok
07:42:18.0812 2356 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
07:42:18.0812 2356 Cdrom - ok
07:42:18.0828 2356 Changer - ok
07:42:18.0859 2356 Cinemsup (f6a0f51706cb4b0d5b8718ff69f831ba) C:\WINDOWS\system32\drivers\Cinemsup.sys
07:42:18.0859 2356 Cinemsup - ok
07:42:18.0906 2356 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
07:42:18.0906 2356 CiSvc - ok
07:42:18.0921 2356 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
07:42:18.0921 2356 ClipSrv - ok
07:42:19.0046 2356 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
07:42:19.0187 2356 clr_optimization_v2.0.50727_32 - ok
07:42:19.0234 2356 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
07:42:19.0234 2356 CmdIde - ok
07:42:19.0312 2356 cmpci (fd40439bb258b9aa9ad314bf5948ef46) C:\WINDOWS\system32\drivers\cmaudio.sys
07:42:19.0328 2356 cmpci - ok
07:42:19.0328 2356 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
07:42:19.0328 2356 Compbatt - ok
07:42:19.0343 2356 COMSysApp - ok
07:42:19.0390 2356 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
07:42:19.0390 2356 Cpqarray - ok
07:42:19.0437 2356 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
07:42:19.0453 2356 CryptSvc - ok
07:42:19.0578 2356 CrystalSysInfo (f054744f67576a01139885173392502b) C:\Art4\bin\mediacoder\SysInfo.sys
07:42:19.0578 2356 CrystalSysInfo - ok
07:42:19.0609 2356 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
07:42:19.0609 2356 dac2w2k - ok
07:42:19.0625 2356 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
07:42:19.0625 2356 dac960nt - ok
07:42:19.0625 2356 DBGV - ok
07:42:19.0671 2356 DCamUSBSQTECH (100ff3d9e16afb3163bd6f9aaaab7c55) C:\WINDOWS\system32\Drivers\SQcaptur.sys
07:42:19.0687 2356 DCamUSBSQTECH - ok
07:42:19.0734 2356 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
07:42:19.0984 2356 DcomLaunch - ok
07:42:20.0000 2356 DgiVecp - ok
07:42:20.0046 2356 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
07:42:20.0062 2356 Dhcp - ok
07:42:20.0078 2356 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
07:42:20.0078 2356 Disk - ok
07:42:20.0093 2356 dmadmin - ok
07:42:20.0156 2356 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
07:42:20.0203 2356 dmboot - ok
07:42:20.0234 2356 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
07:42:20.0250 2356 dmio - ok
07:42:20.0296 2356 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
07:42:20.0296 2356 dmload - ok
07:42:20.0328 2356 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
07:42:20.0343 2356 dmserver - ok
07:42:20.0406 2356 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
07:42:20.0421 2356 DMusic - ok
07:42:20.0453 2356 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
07:42:20.0453 2356 Dnscache - ok
07:42:20.0515 2356 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
07:42:20.0531 2356 Dot3svc - ok
07:42:20.0562 2356 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
07:42:20.0578 2356 dpti2o - ok
07:42:20.0593 2356 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
07:42:20.0593 2356 drmkaud - ok
07:42:20.0625 2356 drvmcdb (7df2e645fbda7cde94fcabba7f0de4c2) C:\WINDOWS\system32\drivers\drvmcdb.sys
07:42:20.0625 2356 drvmcdb - ok
07:42:20.0671 2356 drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys
07:42:20.0687 2356 drvnddm - ok
07:42:20.0750 2356 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
07:42:20.0750 2356 E100B - ok
07:42:20.0781 2356 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
07:42:20.0796 2356 EapHost - ok
07:42:20.0828 2356 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
07:42:20.0843 2356 ERSvc - ok
07:42:20.0875 2356 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
07:42:20.0890 2356 Eventlog - ok
07:42:20.0937 2356 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
07:42:20.0937 2356 EventSystem - ok
07:42:21.0015 2356 Ext2Fsd (d02546fb04177048ce7f27bfafc09abd) C:\WINDOWS\system32\Drivers\ext2fsd.sys
07:42:21.0046 2356 Ext2Fsd - ok
07:42:21.0078 2356 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
07:42:21.0093 2356 Fastfat - ok
07:42:21.0125 2356 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
07:42:21.0140 2356 FastUserSwitchingCompatibility - ok
07:42:21.0171 2356 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
07:42:21.0171 2356 Fax - ok
07:42:21.0218 2356 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
07:42:21.0218 2356 Fdc - ok
07:42:21.0250 2356 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
07:42:21.0250 2356 FilterService - ok
07:42:21.0281 2356 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
07:42:21.0281 2356 Fips - ok
07:42:21.0296 2356 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
07:42:21.0296 2356 Flpydisk - ok
07:42:21.0312 2356 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
07:42:21.0312 2356 FltMgr - ok
07:42:21.0437 2356 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
07:42:21.0437 2356 FontCache3.0.0.0 - ok
07:42:21.0500 2356 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
07:42:21.0500 2356 Fs_Rec - ok
07:42:21.0546 2356 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
07:42:21.0546 2356 Ftdisk - ok
07:42:21.0609 2356 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
07:42:21.0609 2356 gameenum - ok
07:42:21.0640 2356 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
07:42:21.0640 2356 GEARAspiWDM - ok
07:42:21.0703 2356 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
07:42:21.0703 2356 Gpc - ok
07:42:21.0750 2356 grmnusb (cd007d03a9284bfe67d49c01213132bf) C:\WINDOWS\system32\drivers\grmnusb.sys
07:42:21.0781 2356 grmnusb - ok
07:42:21.0906 2356 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
07:42:21.0906 2356 gupdate - ok
07:42:21.0921 2356 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
07:42:21.0921 2356 gupdatem - ok
07:42:21.0984 2356 hcw72ADFilter (856a27fd46cac23fb48eac03ac8573eb) C:\WINDOWS\system32\DRIVERS\hcw72ADFilter.sys
07:42:21.0984 2356 hcw72ADFilter - ok
07:42:22.0078 2356 hcw72ATV (19172c17e19e65f485ff22bd4d7d2351) C:\WINDOWS\system32\DRIVERS\hcw72ATV.sys
07:42:22.0125 2356 hcw72ATV - ok
07:42:22.0203 2356 hcw72DTV (574c18496b9da37c925251daa60e3001) C:\WINDOWS\system32\DRIVERS\hcw72DTV.sys
07:42:22.0250 2356 hcw72DTV - ok
07:42:22.0328 2356 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
07:42:22.0343 2356 helpsvc - ok
07:42:22.0390 2356 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
07:42:22.0390 2356 HidBatt - ok
07:42:22.0421 2356 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
07:42:22.0437 2356 HidServ - ok
07:42:22.0437 2356 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
07:42:22.0453 2356 HidUsb - ok
07:42:22.0515 2356 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
07:42:22.0546 2356 hkmsvc - ok
07:42:22.0593 2356 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
07:42:22.0609 2356 hpn - ok
07:42:22.0671 2356 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
07:42:22.0687 2356 HTTP - ok
07:42:22.0750 2356 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
07:42:22.0750 2356 HTTPFilter - ok
07:42:22.0796 2356 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
07:42:22.0796 2356 i2omgmt - ok
07:42:22.0796 2356 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
07:42:22.0796 2356 i2omp - ok
07:42:22.0859 2356 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
07:42:22.0875 2356 i8042prt - ok
07:42:22.0953 2356 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
07:42:23.0015 2356 ialm - ok
07:42:23.0171 2356 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
07:42:23.0187 2356 IDriverT - ok
07:42:23.0406 2356 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
07:42:23.0500 2356 idsvc - ok
07:42:23.0656 2356 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
07:42:23.0671 2356 Imapi - ok
07:42:23.0718 2356 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
07:42:23.0718 2356 ImapiService - ok
07:42:23.0765 2356 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
07:42:23.0765 2356 ini910u - ok
07:42:23.0859 2356 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
07:42:23.0859 2356 IntelC51 - ok
07:42:23.0921 2356 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
07:42:23.0921 2356 IntelC52 - ok
07:42:23.0937 2356 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
07:42:23.0937 2356 IntelC53 - ok
07:42:23.0953 2356 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
07:42:23.0953 2356 IntelIde - ok
07:42:23.0984 2356 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
07:42:24.0000 2356 intelppm - ok
07:42:24.0015 2356 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
07:42:24.0015 2356 Ip6Fw - ok
07:42:24.0062 2356 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
07:42:24.0078 2356 IpFilterDriver - ok
07:42:24.0093 2356 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
07:42:24.0093 2356 IpInIp - ok
07:42:24.0125 2356 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
07:42:24.0140 2356 IpNat - ok
07:42:24.0250 2356 iPod Service (178fe38b7740f598391eb2f51ae4ccac) C:\Program Files\iPod\bin\iPodService.exe
07:42:24.0265 2356 iPod Service - ok
07:42:24.0281 2356 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
07:42:24.0281 2356 IPSec - ok
07:42:36.0078 2356 MBR (0x1B8) (f66980c7886020be81eb56db48a09740) \Device\Harddisk0\DR0
07:42:36.0140 2356 \Device\Harddisk0\DR0 - ok
07:42:36.0156 2356 MBR (0x1B8) (8b242728720b047098b428f3f4e1018e) \Device\Harddisk1\DR1
07:42:36.0171 2356 \Device\Harddisk1\DR1 - ok
07:42:36.0171 2356 MBR (0x1B8) (512d77ca8645b6c54bb6ce426e8ae0be) \Device\Harddisk3\DR10
07:42:37.0968 2356 \Device\Harddisk3\DR10 - ok
07:42:37.0968 2356 Boot (0x1200) (931c8813452486c988fa2e4254e70992) \Device\Harddisk0\DR0\Partition0
07:42:37.0968 2356 \Device\Harddisk0\DR0\Partition0 - ok
07:42:37.0984 2356 Boot (0x1200) (26ba97daacb38ee32a534f08ba45c82d) \Device\Harddisk1\DR1\Partition0
07:42:37.0984 2356 \Device\Harddisk1\DR1\Partition0 - ok
07:42:38.0015 2356 Boot (0x1200) (b96fac79e549149eb6cb69a315b426b0) \Device\Harddisk1\DR1\Partition1
07:42:38.0031 2356 \Device\Harddisk1\DR1\Partition1 - ok
07:42:38.0031 2356 Boot (0x1200) (a4b3cd6e3a7ac701f2f21dbfce4d4617) \Device\Harddisk3\DR10\Partition0
07:42:38.0031 2356 \Device\Harddisk3\DR10\Partition0 - ok
07:42:38.0031 2356 ============================================================
07:42:38.0031 2356 Scan finished
07:42:38.0031 2356 ============================================================
07:42:38.0062 2364 Detected object count: 0
07:42:38.0062 2364 Actual detected object count: 0





aswMBR downloaded a fairly large virus definition database, and seemed to run successfully, although the virus scan component took some time. I should have clarified earlier -- because this machine dual-boots Windows XP and Debian GNU/Linux, its MBR loads the GRUB2 bootloader; I'm assuming that's the reason for the "unknown MBR code" line. (The GRUB installation was mishandled due to a basic misunderstanding of mine many years ago. So far it works.)
The avast virus scan detected an infected file, similar to others I've seen reported on this forum following ZeroAccess infections. [Maybe ComboFix needs an upgrade?] Please explain if it should be removed in any particular way.
Its log is below:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-08 07:43:45
-----------------------------
07:43:45.718 OS Version: Windows 5.1.2600 Service Pack 3
07:43:45.718 Number of processors: 2 586 0x401
07:43:45.718 ComputerName: MAIN UserName:
07:43:46.500 Initialize success
07:46:55.593 AVAST engine defs: 12080800
07:47:19.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
07:47:19.171 Disk 0 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 152587MB BusType: 3
07:47:19.171 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
07:47:19.171 Disk 1 Vendor: Maxtor_6L100P0 BAJ41G10 Size: 95396MB BusType: 3
07:47:19.187 Disk 0 MBR read successfully
07:47:19.187 Disk 0 MBR scan
07:47:19.234 Disk 0 unknown MBR code
07:47:19.234 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 54 MB offset 63
07:47:19.265 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 148640 MB offset 112455
07:47:19.296 Disk 0 Partition 3 00 DB CP/M / CTOS MSWIN4.1 3890 MB offset 304528140
07:47:19.312 Disk 0 scanning sectors +312496380
07:47:19.390 Disk 0 scanning C:\WINDOWS\system32\drivers
07:47:30.390 Service scanning
07:47:50.296 Modules scanning
07:47:56.750 Disk 0 trace - called modules:
07:47:56.765 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
07:47:56.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8af8e0]
07:47:56.765 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a8ffd98]
07:47:57.640 AVAST engine scan C:\WINDOWS
07:48:23.921 AVAST engine scan C:\WINDOWS\system32
07:51:10.406 File: C:\WINDOWS\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
07:52:27.890 AVAST engine scan C:\WINDOWS\system32\drivers
07:52:54.359 AVAST engine scan C:\Documents and Settings\Chris
08:15:40.031 AVAST engine scan C:\Documents and Settings\All Users
08:20:10.468 Scan finished successfully
18:17:14.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Chris\Desktop\MBR.dat"
18:17:14.390 The log file has been saved successfully to "C:\Documents and Settings\Chris\Desktop\aswMBR.txt"


Thanks again! I'll leave Windows as is until you think it's clear.
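A small triage parser for the aswMBR log format shown above, added here as an example and not part of aswMBR or of any post in this thread. It runs over sample lines taken from the log above, pulls out the detection, the MBR-code verdict and the partition table, and turns them into the findings a helper would act on:

```python
"""Triage parser for aswMBR scan logs.

Added example for this thread; it is not part of aswMBR or of any post here.
It pulls out the lines a responder acts on (detections, MBR code status and
the partition table) so a long log can be checked without reading all of it.
"""
import re
from typing import Any, Dict, List, Tuple

# Sample lines taken from the aswMBR log posted above.
SAMPLE_LOG = r"""
07:43:45.718 OS Version: Windows 5.1.2600 Service Pack 3
07:47:19.171 Disk 0 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 152587MB BusType: 3
07:47:19.187 Disk 0 MBR read successfully
07:47:19.187 Disk 0 MBR scan
07:47:19.234 Disk 0 unknown MBR code
07:47:19.234 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 54 MB offset 63
07:47:19.265 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 148640 MB offset 112455
07:47:19.296 Disk 0 Partition 3 00 DB CP/M / CTOS MSWIN4.1 3890 MB offset 304528140
07:51:10.406 File: C:\WINDOWS\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
08:20:10.468 Scan finished successfully
"""

# Every aswMBR line starts with a HH:MM:SS.mmm timestamp followed by the message.
TIMESTAMP_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
DISK_RE = re.compile(r"^Disk (\d+) Vendor: (.+?) Size: (\d+)MB")
MBR_CODE_RE = re.compile(r"^Disk (\d+) (.*MBR code.*)$")
# "Disk N Partition M <boot> [(A)] <type> <description> <size> MB offset <lba>"
PARTITION_RE = re.compile(
    r"^Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2}) (?:\(A\) )?([0-9A-Fa-f]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)
INFECTED_RE = re.compile(r"^File: (.+?) \*\*INFECTED\*\* (.+)$")


def parse_aswmbr(text: str) -> Dict[str, Any]:
    """Parse an aswMBR log into a small report dictionary."""
    report: Dict[str, Any] = {
        "os_version": None,
        "disks": {},       # disk index -> {"vendor": str, "size_mb": int}
        "mbr_code": {},    # disk index -> aswMBR's verdict on the MBR code
        "partitions": [],  # one dict per partition-table entry
        "infected": [],    # (path, detection name)
        "finished": False,
    }
    for raw in text.splitlines():
        m = TIMESTAMP_RE.match(raw.strip())
        if not m:
            continue  # blank line or a line without a timestamp
        msg = m.group(2)
        if msg.startswith("OS Version: "):
            report["os_version"] = msg[len("OS Version: "):]
            continue
        d = DISK_RE.match(msg)
        if d:
            report["disks"][int(d.group(1))] = {
                "vendor": d.group(2), "size_mb": int(d.group(3))}
            continue
        c = MBR_CODE_RE.match(msg)
        if c:
            report["mbr_code"][int(c.group(1))] = c.group(2)
            continue
        p = PARTITION_RE.match(msg)
        if p:
            report["partitions"].append({
                "disk": int(p.group(1)),
                "index": int(p.group(2)),
                "active": p.group(3).upper() == "80",  # 0x80 = bootable flag
                "type_id": p.group(4).upper(),
                "description": p.group(5),
                "size_mb": int(p.group(6)),
                "offset": int(p.group(7)),
            })
            continue
        i = INFECTED_RE.match(msg)
        if i:
            report["infected"].append((i.group(1), i.group(2)))
            continue
        if msg == "Scan finished successfully":
            report["finished"] = True
    return report


def active_partitions(report: Dict[str, Any]) -> List[Tuple[int, int]]:
    """(disk, partition index) of every entry carrying the bootable flag."""
    return [(p["disk"], p["index"]) for p in report["partitions"] if p["active"]]


def triage(report: Dict[str, Any]) -> List[str]:
    """Turn the parsed report into the findings a helper would act on."""
    findings = []
    for path, name in report["infected"]:
        findings.append(f"DETECTION {name}: {path}")
    for disk, verdict in sorted(report["mbr_code"].items()):
        if "unknown" in verdict.lower():
            # Unknown MBR code is only a lead: a third-party boot loader
            # (GRUB on a dual-boot box, as in this thread) reports the same way.
            findings.append(f"MBR Disk {disk}: {verdict}; confirm the installed boot loader")
    active = active_partitions(report)
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions; expected exactly one")
    if not report["finished"]:
        findings.append("scan did not finish; results are incomplete")
    return findings


if __name__ == "__main__":
    for line in triage(parse_aswmbr(SAMPLE_LOG)):
        print(line)
```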

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:02 AM

Posted 08 August 2012 - 08:56 PM

Greetings

I'm assuming that's the reason for the "unknown MBR code" line. - Yes, that is the reason it is showing in your case; just because it shows as unknown does not mean it is bad.

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
C:\WINDOWS\assembly\GAC\Desktop.ini

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
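The CFScript above tells ComboFix to remove C:\WINDOWS\assembly\GAC\Desktop.ini, the file ZeroAccess uses for persistence on this machine. As an added example (not code from the thread, and not part of ComboFix or Malwarebytes), the script below checks a Windows directory for that indicator and reports what it finds without touching the file. It assumes that a clean Windows installation has no Desktop.ini inside %WINDIR%\assembly\GAC, so the file's presence is itself the indicator; the `windir` parameter is an assumption of the example so the check can also be run against a mounted offline drive or a test tree.

```python
"""Check for the ZeroAccess persistence file that the CFScript above removes,
%WINDIR%\\assembly\\GAC\\Desktop.ini.

Added example, not part of the thread and not ComboFix or Malwarebytes code.
Assumption: a clean Windows install has no Desktop.ini inside
%WINDIR%\\assembly\\GAC, so the file's presence is the indicator. The script
only reports (size, SHA-256, attributes); removal stays with the supervised tool.
"""
import hashlib
import os
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 attribute bits, exposed via st_file_attributes
FILE_ATTRIBUTE_SYSTEM = 0x4


def gac_desktop_ini_report(windir: str) -> dict:
    """Describe whether the indicator file exists under `windir`.

    `windir` is a parameter (normally os.environ["WINDIR"]) so the same check
    can be pointed at a mounted offline system drive or a test directory.
    """
    target = Path(windir) / "assembly" / "GAC" / "Desktop.ini"
    report = {"path": str(target), "present": target.is_file()}
    if not report["present"]:
        return report
    data = target.read_bytes()
    report["size"] = len(data)
    report["sha256"] = hashlib.sha256(data).hexdigest()
    # Only Windows exposes the attribute word; a file in this location carrying
    # the hidden or system bit is a further warning sign. None = not available.
    attrs = getattr(target.stat(), "st_file_attributes", None)
    report["hidden_or_system"] = (
        None if attrs is None
        else bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
    )
    return report


if __name__ == "__main__":
    # Default to the live Windows directory; C:\WINDOWS matches the XP box in this thread.
    for key, value in gac_desktop_ini_report(os.environ.get("WINDIR", r"C:\WINDOWS")).items():
        print(f"{key}: {value}")
```

Run it before and after the ComboFix script: the `present` flag should flip from True to False, and the SHA-256 lets you compare the file against the scanner's quarantine entry later in the cleanup.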

#7 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 11 August 2012 - 12:36 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#8 utrrrongeeb (Topic Starter)

Posted 11 August 2012 - 10:29 AM

Sorry for the late response, and thanks for the quick reply to my last post.

ComboFix did not seem to have any problems running the script. It asked to update itself, which I approved. The log is below:


ComboFix 12-08-09.01 - Chris 10/08/2012 6:48.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.2039.1550 [GMT -3:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-10 to 2012-08-10 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-08 11:49 . 2012-04-24 17:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-08 11:49 . 2011-05-19 14:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2004-08-04 11:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2009-03-31 18:24 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 11:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 18:19 . 2009-08-06 22:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 18:19 . 2009-08-06 22:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 18:19 . 2004-08-04 11:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 18:19 . 2004-08-04 11:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 18:19 . 2004-08-04 11:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 18:19 . 2009-08-06 22:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 18:19 . 2009-08-06 22:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 18:19 . 2004-08-04 11:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 18:19 . 2004-08-04 11:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 18:19 . 2004-08-04 11:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 18:19 . 2009-08-06 22:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 18:19 . 2004-08-04 11:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 18:19 . 2004-08-04 11:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 11:00 916992 ----a-w- c:\windows\system32\wininet.dll
2009-04-05 15:39 . 2009-04-05 00:06 7680 ----a-w- c:\program files\EjectCD.exe
2006-10-22 13:26 . 2006-10-22 13:18 1663036 ----a-w- c:\program files\LineRider_beta.exe
2006-09-13 09:21 . 2008-03-27 23:07 2567672 ----a-w- c:\program files\Wimpy FLV Player.exe
2003-08-27 17:19 . 2005-09-29 22:49 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-08_01.08.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-10 10:03 . 2012-08-10 10:03 16384 c:\windows\Temp\Perflib_Perfdata_ec.dat
+ 2012-08-10 10:03 . 2012-08-10 10:03 16384 c:\windows\Temp\Perflib_Perfdata_220.dat
+ 2012-08-08 11:49 . 2012-08-08 11:49 686792 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil32_11_3_300_270_Plugin.exe
+ 2012-08-08 10:49 . 2012-08-08 10:49 686792 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
+ 2012-08-08 10:49 . 2012-08-08 10:49 466632 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.dll
+ 2012-04-24 17:46 . 2012-08-08 11:49 250056 c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe
- 2012-04-24 17:46 . 2012-07-27 20:50 250056 c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-08-08 11:49 . 2012-08-08 11:49 9465032 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32_11_3_300_270.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"KeePass 2 PreLoad"="c:\art4\bin\KeePass\KeePass.exe" [2011-01-02 1670656]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\Frank\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [N/A]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
c:\documents and settings\Chris\Start Menu\Programs\Startup\
Norten control.lnk - c:\art4\dev\Java\progs\MDBugger.jar [2005-6-12 1821]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-10-17 813584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 15:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-03-17 06:14 40960 ----a-w- c:\program files\Dell\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 05:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P3000x_S2P]
2004-10-27 06:44 57344 ------w- c:\program files\Dell\Dell Laser MFP 1600n\PSU\ScanToPc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-03-17 05:59 57393 ----a-w- c:\program files\Dell\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-03-31 23:50 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MySQL"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/10/2010 7:17 PM 10384]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/05/2011 10:35 PM 2253120]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\SYSTEM32\DRIVERS\LEqdUsb.sys [17/06/2009 1:55 PM 40720]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\SYSTEM32\DRIVERS\LHidEqd.sys [17/06/2009 1:55 PM 10384]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\SYSTEM32\DRIVERS\nvoclock.sys [15/09/2009 2:59 PM 38248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/06/2010 9:04 AM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe [24/04/2012 2:46 PM 250056]
S3 DBGV;DBGV;\??\c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS --> c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS [?]
S3 Ext2Fsd;Linux ext2 File system driver;c:\windows\SYSTEM32\DRIVERS\ext2fsd.sys [18/06/2005 6:44 AM 610944]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/06/2010 9:04 AM 136176]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\SYSTEM32\DRIVERS\hcw72ADFilter.sys [19/02/2010 8:02 PM 27904]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\SYSTEM32\DRIVERS\hcw72ATV.sys [19/02/2010 8:02 PM 1208448]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\SYSTEM32\DRIVERS\hcw72DTV.sys [19/02/2010 8:02 PM 1200768]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [25/04/2012 8:43 AM 113120]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [06/11/2007 5:22 PM 34064]
S3 padenum;Enumerador de dispositivos de NTPAD;c:\windows\system32\DRIVERS\padenum.sys --> c:\windows\system32\DRIVERS\padenum.sys [?]
S3 VendorJoystickEnabler;Driver para joystick paralelo de consola;c:\windows\system32\drivers\ntpad.sys --> c:\windows\system32\drivers\ntpad.sys [?]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 4:47 AM 98304]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 3:40 AM 118784]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 11:49]
.
2012-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:34]
.
2012-07-28 c:\windows\Tasks\dailystrips-art4.job
- c:\art4\bin\Perl\bin\perl.exe [2004-12-13 12:52]
.
2012-08-10 c:\windows\Tasks\dailystrips-chris.job
- c:\art4\bin\Perl\bin\perl.exe [2004-12-13 12:52]
.
2012-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 12:04]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 12:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS03-026_RPC_DCOM_EXPLOIT
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\art4\bin\FDM\dlall.htm
IE: Download selected with Free Download Manager - file://c:\art4\bin\FDM\dlselected.htm
IE: Download with Free Download Manager - file://c:\art4\bin\FDM\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\zn04asd2.Chris\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-10 07:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\art4\bin\MySQL\bin\mysqld MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(4856)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\Mixer.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2012-08-10 07:10:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-10 10:10
.
Pre-Run: 10,253,934,592 bytes free
Post-Run: 10,369,208,320 bytes free
.
- - End Of File - - 1F9D27B674CD2ABBC9B8EA026B0F3ACB





I tested the computer again. There were no signs of Google search-result redirects, nor any suspicious network traffic in Wireshark. The lack of clickfraud/spamming overhead may be letting it run better -- some video streaming at least worked when it hadn't before. Windows Firewall is still enabled.
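The ComboFix log above lists every service and driver as "R2 name;display;path [date time size]", and prints "[?]" instead of the date and size where it could not find the image file (the DBGV and padenum entries here). Triaging those lines by hand is tedious, so here is an added example (not code from the thread or from ComboFix) that parses them and flags entries whose file is missing or whose image lives outside C:\WINDOWS and C:\Program Files. It assumes the R/S prefix means running/stopped and the digit is the Windows start type (2 automatic, 3 manual, 4 disabled), and that "[?]" means file not found; the sample lines are copied from the log above.

```python
"""Triage the service/driver lines of a ComboFix log.

Added example, not part of the thread or of ComboFix. Assumptions: each line
looks like "<R|S><start> <name>;<display name>;<image path> [<date time size>]",
R/S meaning running/stopped, the digit being the Windows start type
(2 automatic, 3 manual, 4 disabled), and "[?]" meaning the file was not found.
"""
import re
from dataclasses import dataclass

SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+?)\s+\[(?P<detail>[^\]]*)\]$"
)

# Where Windows components and installed software normally live on this XP box.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Sample lines copied from the ComboFix log in this thread.
SAMPLE_LOG = "\n".join([
    r"R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/10/2010 7:17 PM 10384]",
    r"S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/06/2010 9:04 AM 136176]",
    r"S3 DBGV;DBGV;\??\c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS --> c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS [?]",
    r"S3 padenum;Enumerador de dispositivos de NTPAD;c:\windows\system32\DRIVERS\padenum.sys --> c:\windows\system32\DRIVERS\padenum.sys [?]",
])


@dataclass
class ServiceEntry:
    name: str
    display: str
    state: str          # "R" running, "S" stopped
    start_type: int     # Windows start type digit
    path: str
    file_missing: bool
    unusual_location: bool


def _normalise_path(rest: str) -> str:
    # ComboFix prints the raw image path, then "--> resolved path"; keep the resolved one
    # and strip the NT object-manager prefix "\??\" if present.
    path = rest.split("-->")[-1].strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def parse_service_line(line: str):
    """Return a ServiceEntry for a service/driver line, or None for any other line."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    path = _normalise_path(m.group("rest"))
    return ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        state=m.group("state"),
        start_type=int(m.group("start")),
        path=path,
        file_missing=m.group("detail").strip() == "?",
        unusual_location=not path.lower().startswith(EXPECTED_ROOTS),
    )


def triage(log_text: str):
    """Parse all service lines; return (all entries, entries worth a closer look)."""
    entries = [e for e in map(parse_service_line, log_text.splitlines()) if e]
    flagged = [e for e in entries if e.file_missing or e.unusual_location]
    return entries, flagged


if __name__ == "__main__":
    _, suspicious = triage(SAMPLE_LOG)
    for e in suspicious:
        why = []
        if e.file_missing:
            why.append("file missing")
        if e.unusual_location:
            why.append("outside Windows/Program Files")
        print(f"{e.state}{e.start_type} {e.name}: {e.path} ({', '.join(why)})")
```

A flagged entry is a lead, not a verdict: DBGV here is a leftover driver from a sniffer the owner installed under C:\art4, which is why a human still has to read the list before anything is removed.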

#9 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 11 August 2012 - 11:36 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Adobe Reader 9.5.1
Java Media Framework 2.1.1e
Java™ 6 Update 31
Java™ SE Development Kit 6
Java™ SE Runtime Environment 6
Mozilla Firefox 13.0.1 (x86 en-US)


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#10 utrrrongeeb (Topic Starter)

Posted 12 August 2012 - 07:57 PM

I used Revo Uninstaller to remove the software you listed. Several registry keys and nonessential files were flagged for deletion and deleted.
I also tried using it on "PCI Audio Driver," an old driver for a C-Media/Hercules sound card, which refused to uninstall after the hardware had been removed.

May I ask why you specified Firefox 13 for removal as well? It had auto-updated fairly reliably in the past; presumably the rootkit's network congestion and the fact it's been mostly offline for a few weeks had prevented it from upgrading to 14.



Adobe Reader X installed successfully. Prior to the download, Google (toolbar?) options were unchecked. No Photoshop Gallery options were visible.

Oracle JRE installed successfully. On future updates, do previous versions have to be manually removed, or is that only for major-version updates (i.e., when 1.8 is released)?



CCleaner installed successfully. The toolbar it asked to install was Google, not Yahoo (this was denied).
CCleaner ran successfully, although I deviated from your instructions in one place -- Firefox history, form suggestions, passwords, and session, and Thunderbird forms and passwords, were NOT checked for removal. We use the Firefox "Awesome Bar" extensively, which depends on browsing history; if you deem it necessary, I could rerun CCleaner with changed configuration.



MBAM installed successfully. When scanning (following your instructions), it found two infections, Trojan.0access and Trojan.FakeAlert, as you'll see in the log below:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.12.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Chris :: MAIN [administrator]

12/08/2012 7:10:28 PM
mbam-log-2012-08-12 (19-10-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 412101
Time elapsed: 33 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\WINDOWS\ASSEMBLY\GAC\Desktop.ini (Trojan.0access) -> Quarantined and deleted successfully.
C:\WINDOWS\AcroIEHelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)

After clicking Remove, it asked to restart, which I approved. After restarting, its Quarantine tab still listed Trojan.FakeAlert, despite the log saying it had been deleted. A quick look at the filesystem did not show the file in C:\WINDOWS, though.



The version of HijackThis which I downloaded didn't try to install -- it launched as if it had been installed [standalone executable?]. It ran quickly, with no apparent problems. Its log is below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:08:35 PM, on 12/08/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS03-026_RPC_DCOM_EXPLOIT
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\art4\bin\KeePass\KeePass.exe" --preload
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-4171087168-3783684803-269067309-1014\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'UpdatusUser')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\art4\bin\FDM\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\art4\bin\FDM\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\art4\bin\FDM\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: intu-tt2010 - {97A0575E-2309-4E75-8509-B1F9390C4DE7} - C:\Program Files\TurboTax 2010\ic2010pp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\art4\bin\apache\apache2\bin\Apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MySQL - Unknown owner - C:\Art4\bin\MySQL\bin\mysqld.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9301 bytes





The computer still has no signs of Google redirecting [tested in Internet Explorer 8 this time] or botnet traffic.

#11 gringo_pr

  • Malware Response Team

Posted 13 August 2012 - 12:00 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
      O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
      O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
      O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
      O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
      O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
      O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKUS\S-1-5-21-4171087168-3783684803-269067309-1014\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'UpdatusUser')
      O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 utrrrongeeb

  • Topic Starter

Posted 14 August 2012 - 08:48 PM

I ran HijackThis as you said, and had it "Fix" most of the services you'd listed. I made exceptions, as you said I might, for the keyboard hotkey daemon, the NVIDIA driver applets, and the Adobe Reader and Java update daemons. No errors were reported.



The ESET online scan ran without errors, although it identified several infected files -- guess the computer isn't clear yet. The log is below:

C:\Art4\doc\downloads\eicar.com Eicar test file
C:\Art4\doc\downloads\Install_Temp\upnpc-exe-win32-20091210\upnpc-static.exe a variant of Win32/MiniUPnP.A application
C:\Art4\lib\electroverse\EICAR.txt Eicar test file
C:\Art4\lib\electroverse\VirusScannerChecking.txt Eicar test file
C:\Documents and Settings\Paul\Local Settings\Application Data\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\n Win32/Sirefef.EV trojan
C:\Documents and Settings\Paul\Local Settings\Temp\jar_cache6310110670420706574.tmp Java/Exploit.CVE-2012-1723.J trojan
C:\Documents and Settings\Paul\Local Settings\Temp\plugtmp-5\plugin-xHcfdf9065V03003f36002R3e79efa9102T83c73bc4Q000002fe901801F0035010aJ14000601l0409317 JS/Exploit.Pdfka.OBA trojan
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\iphone_gourmandia_com[1].htm JS/Kryptik.QN trojan
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\00000004.@.vir Win32/Conedex.D trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\000000cb.@.vir Win32/Conedex.E trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2185\A0556899.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2185\A0556930.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2186\A0557058.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2186\A0557092.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2187\A0557140.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2188\A0557268.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2189\A0557358.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2190\A0557429.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2191\A0557476.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2192\A0557542.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2193\A0557606.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2193\A0557675.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2194\A0557748.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2195\A0557799.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2196\A0557874.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2197\A0558003.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2198\A0558197.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2198\A0558246.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2198\A0558274.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2198\A0559274.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2198\A0559285.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2198\A0559490.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2198\A0559524.exe Win32/OpenCandy application
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE Win32/Adware.DSSAgent application



I'm aware of my EICAR test file collection, and the UPNP thing is something I downloaded but didn't use -- I would've thought it harmless, but nothing will break if it's removed.
It appears that ZeroAccess/Sirefef is well represented in System Restore -- but I assume you expected that.
I also don't know which application made the quarantine-folder-looking Qoobox\Quarantine section.

However, I don't know much about DSSAgent and GTDownDE_87.ocx.
I also was unaware of the worrisome traces in the one user account's temp folders.
Your advice is appreciated!

#13 gringo_pr

  • Malware Response Team

Posted 14 August 2012 - 09:35 PM

Greetings

There are some things in the online scan I want to remove, so run this script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3
C:\Documents and Settings\Paul\Local Settings\Application Data\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}

File::
C:\Documents and Settings\Paul\Local Settings\Temp\jar_cache6310110670420706574.tmp
C:\Documents and Settings\Paul\Local Settings\Temp\plugtmp-5\plugin-xHcfdf9065V03003f36002R3e79efa9102T83c73bc4Q000002fe901801F0035010aJ14000601l0409317
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.



"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

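The ESET export in post #12 and the CFScript built from it in post #13 follow a pattern worth automating for triage: bucket each detection by where it lives (test file, ComboFix quarantine, System Restore copy, live ZeroAccess directory, browser/plugin cache, or "needs a human look"), then script only the live entries. The following is an added example, not code from the thread or from ESET/ComboFix; the sample lines are a constructed subset in the export's "<path> <detection>" layout, and the category names and heuristics are this example's own.

```python
"""Triage an ESET Online Scanner export and draft ComboFix CFScript blocks.

Added example (not from the thread): heuristics and category names are our own.
"""
import re
from collections import Counter
from ntpath import dirname

# Constructed sample in the export layout quoted in the thread (a subset of its lines).
SAMPLE_ESET_EXPORT = r"""
C:\Art4\doc\downloads\eicar.com Eicar test file
C:\Art4\doc\downloads\Install_Temp\upnpc-exe-win32-20091210\upnpc-static.exe a variant of Win32/MiniUPnP.A application
C:\Documents and Settings\Paul\Local Settings\Application Data\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\n Win32/Sirefef.EV trojan
C:\Documents and Settings\Paul\Local Settings\Temp\jar_cache6310110670420706574.tmp Java/Exploit.CVE-2012-1723.J trojan
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\iphone_gourmandia_com[1].htm JS/Kryptik.QN trojan
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\U\00000004.@.vir Win32/Conedex.D trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2185\A0556899.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2198\A0559524.exe Win32/OpenCandy application
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE Win32/Adware.DSSAgent application
"""

# "<path> <detection>": paths may contain spaces, so the split is anchored on the
# verdict word that ends every ESET line (trojan, application, ...).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>Eicar test file|(?:probably )?(?:a variant of )?\S+ "
    r"(?:trojan|application|worm|virus|adware))$"
)
# ZeroAccess/Sirefef payload layout seen in the log: {GUID}\n, {GUID}\@ and {GUID}\U\<8 hex>.@
ZEROACCESS_RE = re.compile(
    r"\\\{[0-9a-f-]{36}\}\\(?:n|@|U\\[0-9a-f]{8}\.@)(?:\.vir)?$", re.I
)


def classify(path, detection):
    """Bucket one detection by where it sits; the bucket decides the action."""
    p = path.lower()
    if detection.lower().startswith("eicar"):
        return "eicar-test"       # harmless AV test string, no action
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"      # Qoobox is ComboFix's quarantine folder
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore-point"    # copies inside System Restore snapshots
    if ZEROACCESS_RE.search(path):
        return "zeroaccess-dir"   # live rootkit directory under the user profile
    if "\\local settings\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp-cache"       # browser/plugin cache: exploit landing files
    return "other"                # needs a human decision (adware, leftover tools)


def parse(export_text):
    """Return [(path, detection, category)]; lines that do not parse get 'unparsed'."""
    rows = []
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rows.append((line, "", "unparsed"))
            continue
        path, det = m.group("path"), m.group("detection")
        rows.append((path, det, classify(path, det)))
    return rows


def summary(export_text):
    """Per-category counts, e.g. {'restore-point': 2, 'temp-cache': 2, ...}."""
    return Counter(cat for _, _, cat in parse(export_text))


def draft_cfscript(export_text):
    """Draft Folder::/File:: blocks for the live entries only.

    Quarantined and restore-point copies are not scripted (the quarantine is
    already isolated, restore points get purged as a whole), and 'other' items
    are left for review rather than deleted automatically.
    """
    folders, files, clear_java = [], [], False
    for path, det, cat in parse(export_text):
        clear_java |= det.startswith("Java/")              # Java exploit seen: flush its cache
        if cat == "zeroaccess-dir":
            folders.append(path[: path.rfind("}") + 1])     # the whole {GUID} directory
        elif cat == "temp-cache":
            if "\\temporary internet files\\" in path.lower():
                folders.append(dirname(path))               # the cache subfolder
            else:
                files.append(path)
    blocks = []
    if clear_java:
        blocks.append("ClearJavaCache::\n")
    if folders:
        blocks.append("Folder::\n" + "\n".join(dict.fromkeys(folders)) + "\n")
    if files:
        blocks.append("File::\n" + "\n".join(dict.fromkeys(files)) + "\n")
    return "\n".join(blocks)
```

Running `draft_cfscript(SAMPLE_ESET_EXPORT)` yields the same ClearJavaCache::/Folder::/File:: structure as the script in post #13, while `summary()` shows at a glance how many hits are only restore-point or quarantine copies.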

#14 gringo_pr

  • Malware Response Team

Posted 17 August 2012 - 10:31 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you: it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and then I will ask you to remove our tools.




Gringo

#15 utrrrongeeb

  • Topic Starter

Posted 18 August 2012 - 04:01 PM

Sorry about the delay -- I thought I posted this Thursday night, but it seems there must've been a technical problem.


ComboFix ran successfully, after updating itself again. The log is below:


ComboFix 12-08-16.01 - Chris 16/08/2012 7:19.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.2039.1573 [GMT -3:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFscript2.txt
* Created a new restore point
.
FILE ::
"c:\documents and settings\Paul\Local Settings\Temp\jar_cache6310110670420706574.tmp"
"c:\documents and settings\Paul\Local Settings\Temp\plugtmp-5\plugin-xHcfdf9065V03003f36002R3e79efa9102T83c73bc4Q000002fe901801F0035010aJ14000601l0409317"
"c:\windows\BBSTORE\DSS\DSSAGENT.EXE"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Paul\Local Settings\Application Data\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}
c:\documents and settings\Paul\Local Settings\Application Data\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\@
c:\documents and settings\Paul\Local Settings\Application Data\{f2324cda-bd98-2ee5-b762-b3b44ac420f8}\n
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAGWCVOC.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAJXY6HL.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAK9H8RZ.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAKZ9DTP.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAMHXJBD.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAMK7RIT.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAMZ7H1Z.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAN1EIMV.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAR6RBO0.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCARE9LPX.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAT2SZ2N.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCATWU06H.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAU6VIEE.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAV0YZQU.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAWEY1FB.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaultCAX1XGIY.jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\defaults[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\dependent[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\dependent[2].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\desktop.ini
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\displayAd[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\diy_tv[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\dnserrordiagoff_webOC[1]
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\doa_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\down[1]
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\DR_JEKYLL_AND_MR_HYDE21_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\drupal[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\dunst-032612-%20(3)[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ebBanner_2_5_3_12[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ELLEMAG596x104[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\emma-rooney-021612-11[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\emma-rooney-021612-14[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\emma-rooney-021612-3[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\emma-rooney-021612-7[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\emma-stone-021612-%20(4)[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\emma-watson-041112aa-%20(4)[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\emma-watson-041112aa-%20(8)[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\EN_Rose_300x250_Backup[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ep1-1t[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ep5_t[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ep8_t[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\errorPageStrings[1]
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\event[1].flow
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\event16[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ExtLibButtons_190[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ExtLibGadgetsLayerSkin3_190[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ExtLibReportSystemGA_190[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ExtLibScrollBarSkin3_190[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ExtLibToolTipsSkin3_190[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ExtLibVideoControlDisplaySkin3_190[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\fa_auto_poster_el_compromis_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\fa_player[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\fa5[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\feed-img[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\fieldgroup[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\filmannex_fv[1].xml
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\flashwrite_1_2[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\flowplayer-3.2.6.min[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\flowplayer.controls-air[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\flowplayer[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\fr[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\front[3].asp
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\getjs[2].aspx
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\gl[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\GoodNites_EN_300x250_Fla-Bnr_062812_r01_fh[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\google_ads_gpt[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\Gourmet_25[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\Gourmet_45[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\Gourmet_5[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\GStyle_160x24_wht[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\header[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\header[2].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\html-elements[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\HwLxJY_uFma[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\i[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\iconMovie[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ie[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\iframe1[1].htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\im_slideshow[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\IMG_0103_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\indentbg[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\index[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\InstreamAdBroker_2012_07_19_21_48[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\iphone_gourmandia_com[1].htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\itxt_1341243300[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jcarouselite[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jKEcVPZFk-2[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jp[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jquery.bgiframe.min[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jquery.cycle.all.min[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jquery.iframe-auto-height[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jquery.min[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jsadimp[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jsadimp[2].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jsadimp[3].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\jump1[1].do
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\leftnav_bullet_199[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\leftnav_bullet_over99[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\lhVwUeJLv5E[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\li-bing-bing-gucci-042412sp[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\likesystem[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\loader-bg[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\loading_background[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCA074TJ9.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCA2U4EKT.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCA3KA0RL.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCA6X9FDH.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCADHV7GT.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCAMRDVJX.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCAN2YILL.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCAPL21SA.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCAT7VCHO.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCAV3HQQ5.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCAXFXZWC.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\logCAYE8GIA.txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\mariah-video-072412[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\meld128[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\music16[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\Nnr-ClhwknZ[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\node[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\optionbox[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ova[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_18941_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_21304_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_21838_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_22794_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_23107_thumb[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_23257_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_23258_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_23260_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_23595_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_23814_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_24020_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_24213_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_25681_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_25813_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_26039_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_26810_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_28199_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_28375_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_28380_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_28693_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_29466_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_29673_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_29753_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_29896_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30052_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30080_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30307_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30368_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30429_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30445_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30535_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30807_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30809_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30815_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30818_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30829_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30897_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30937_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30962_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30970_thumb[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30973_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_30990_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_31025_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p_31037_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p5067r1343179000151[1].txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p5067r1343179037568[1].txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p5067r1343179086195[1].txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\p5067r1343179140089[1].txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\picad_4801[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\picad_overlay_3.3.03[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\piwik[1].htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\Pix-1x1[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\pixel[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\PK0085_1_300x250_broad[1].flv
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\player[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\player[2].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\pliag15[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\print[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\promo_tn2[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\PRScript[1].txt
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\px[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ql9vukDCc4R[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\read_more[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc17r04512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc20r03512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc21r06512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc23r01512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc24r01512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc31r05512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc46r01512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc46r05512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc48r13512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc61r01512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc62r02512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc62r03512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recette_encodesc65r01512K_[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\recipes4[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\rome[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\Sans_titre___1_copie_2[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\Sans_titre___1_copie_3[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screen_shot_2012-07-19_at_9.46.26_am[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_01_jul._09_10.12[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_01_jul._16_10.44_0[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_05_dec._19_15.41[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_08_mar._20_13.21[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_104_feb._29_12.44[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_106_mar._01_11.26[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\ScreenHunter_12%20Jul.%2024%2014.57[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_278_may._15_11.20[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_279_may._15_11.25[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_44_jun._06_11.48[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_48_dec._29_14.32[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\screenhunter_94_jun._14_16.16[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\SD_AQ_ENCA_EVG_BluePunch_728x90Z_062712_MSMMN[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCA2YDUOM.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCA3UIODB.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCA6JIXQK.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCA8M1CNU.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCA9J98NH.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAFQ0W3F.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAHK4BPE.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAINSSJC.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAKU7ODH.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCALUH1QI.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAMKGUDY.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAN9SK9E.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAOSY46A.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAQHG5CR.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\serviceCAV5RL88.htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\set_page_meta[1].php
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\sftouchscreen[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\shadow[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\shadow[2].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\share[3]
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\share[4]
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\spacer[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\spanish[1]
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\spanish[2]
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\sprites_h_v2[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\sprites_v5[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\style[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\styles_home[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\superfish[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\sync[2].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\tap[6].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\telemetry_player_vpaid_as3[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\thumbnail[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\tools_print[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\tracking[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\tweet[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\twinbrook1_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\uat_19521[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\user[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\UStwighlight_large_128_72[1].jpg
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\VideoAdRenderer[1].swf
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\videoscript[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\videoscript[2].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\watermark_bg2[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\webtvs[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\what_on[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\wireframes[1].css
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\xd_arbiter[1].php
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\xd_arbiter[2].php
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\yt-no-image[1].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\yt-no-image[2].gif
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\zh[1].png
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\zm5jXlpEqWp[1].js
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\zpu[1].htm
c:\documents and settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YNBV8DA3\zrX0GPmU-jH[1].js
.
.
((((((((((((((((((((((((( Files Created from 2012-07-16 to 2012-08-16 )))))))))))))))))))))))))))))))
.
.
2012-08-16 10:12 . 2012-08-16 10:12 -------- d-----w- c:\windows\LastGood
2012-08-13 23:41 . 2012-08-13 23:41 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Sun
2012-08-12 21:00 . 2012-08-12 21:00 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2012-08-12 21:00 . 2012-08-12 21:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-12 21:00 . 2012-08-12 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-12 21:00 . 2012-07-03 16:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-12 19:50 . 2012-08-12 19:50 -------- d-----w- c:\program files\CCleaner
2012-08-12 19:45 . 2012-08-12 19:45 -------- d-----w- c:\program files\Oracle
2012-08-12 19:45 . 2012-08-12 19:45 -------- d-----w- c:\documents and settings\Chris\Application Data\Oracle
2012-08-12 19:45 . 2012-07-06 01:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-12 16:45 . 2012-08-12 16:45 -------- d-----w- c:\program files\VS Revo Group
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-08 11:49 . 2012-04-24 17:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-08 11:49 . 2011-05-19 14:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 01:07 . 2007-02-23 00:15 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-06 01:06 . 2010-04-15 21:03 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-13 13:19 . 2004-08-04 11:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2009-03-31 18:24 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 11:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 18:19 . 2009-08-06 22:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 18:19 . 2009-08-06 22:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 18:19 . 2004-08-04 11:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 18:19 . 2004-08-04 11:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 18:19 . 2004-08-04 11:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 18:19 . 2009-08-06 22:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 18:19 . 2009-08-06 22:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 18:19 . 2004-08-04 11:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 18:19 . 2004-08-04 11:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 18:19 . 2004-08-04 11:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 18:19 . 2009-08-06 22:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 18:19 . 2004-08-04 11:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 18:19 . 2004-08-04 11:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2009-04-05 15:39 . 2009-04-05 00:06 7680 ----a-w- c:\program files\EjectCD.exe
2006-10-22 13:26 . 2006-10-22 13:18 1663036 ----a-w- c:\program files\LineRider_beta.exe
2006-09-13 09:21 . 2008-03-27 23:07 2567672 ----a-w- c:\program files\Wimpy FLV Player.exe
2003-08-27 17:19 . 2005-09-29 22:49 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-08_01.08.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-16 10:10 . 2012-08-16 10:10 16384 c:\windows\Temp\Perflib_Perfdata_780.dat
+ 2012-08-16 10:10 . 2012-08-16 10:10 16384 c:\windows\Temp\Perflib_Perfdata_444.dat
+ 2011-06-06 15:55 . 2011-06-06 15:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 15:55 . 2011-06-06 15:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 15:55 . 2011-06-06 15:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 15:55 . 2011-06-06 15:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 15:55 . 2011-06-06 15:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2012-08-08 11:49 . 2012-08-08 11:49 686792 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil32_11_3_300_270_Plugin.exe
+ 2012-08-08 10:49 . 2012-08-08 10:49 686792 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
+ 2012-08-08 10:49 . 2012-08-08 10:49 466632 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.dll
+ 2012-04-24 17:46 . 2012-08-08 11:49 250056 c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe
- 2012-04-24 17:46 . 2012-07-27 20:50 250056 c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-08-12 19:45 . 2012-07-06 01:06 227760 c:\windows\SYSTEM32\javaws.exe
+ 2012-04-07 11:47 . 2012-08-12 19:44 174064 c:\windows\SYSTEM32\javaw.exe
+ 2012-04-07 11:47 . 2012-08-12 19:44 174064 c:\windows\SYSTEM32\java.exe
+ 2012-08-12 19:49 . 2012-08-12 19:49 176128 c:\windows\Installer\ae8d7d.msi
+ 2012-08-12 19:45 . 2012-08-12 19:45 457216 c:\windows\Installer\ae8d76.msi
+ 2012-08-12 19:44 . 2012-08-12 19:44 863744 c:\windows\Installer\ae8d72.msi
+ 2011-06-06 15:55 . 2011-06-06 15:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 15:55 . 2011-06-06 15:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 937920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
+ 2011-06-06 15:55 . 2011-06-06 15:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 15:55 . 2011-06-06 15:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2012-08-08 11:49 . 2012-08-08 11:49 9465032 c:\windows\SYSTEM32\Macromed\Flash\NPSWF32_11_3_300_270.dll
+ 2012-08-12 19:28 . 2012-08-12 19:28 2295808 c:\windows\Installer\9ece0c.msi
+ 2011-06-06 15:55 . 2011-06-06 15:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
+ 2011-06-06 15:55 . 2011-06-06 15:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 15:55 . 2011-06-06 15:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 15:55 . 2011-06-06 15:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2012-04-04 11:17 . 2012-04-04 11:17 16613376 c:\windows\Installer\9ece0d.msp
+ 2011-06-06 15:55 . 2011-06-06 15:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"KeePass 2 PreLoad"="c:\art4\bin\KeePass\KeePass.exe" [2011-01-02 1670656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\Frank\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [N/A]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-10-17 813584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 15:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-03-17 06:14 40960 ----a-w- c:\program files\Dell\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 05:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P3000x_S2P]
2004-10-27 06:44 57344 ------w- c:\program files\Dell\Dell Laser MFP 1600n\PSU\ScanToPc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-03-17 05:59 57393 ----a-w- c:\program files\Dell\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-03-31 23:50 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MySQL"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/10/2010 7:17 PM 10384]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/05/2011 10:35 PM 2253120]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\SYSTEM32\DRIVERS\LEqdUsb.sys [17/06/2009 1:55 PM 40720]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\SYSTEM32\DRIVERS\LHidEqd.sys [17/06/2009 1:55 PM 10384]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\SYSTEM32\DRIVERS\nvoclock.sys [15/09/2009 2:59 PM 38248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/06/2010 9:04 AM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe [24/04/2012 2:46 PM 250056]
S3 DBGV;DBGV;\??\c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS --> c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS [?]
S3 Ext2Fsd;Linux ext2 File system driver;c:\windows\SYSTEM32\DRIVERS\ext2fsd.sys [18/06/2005 6:44 AM 610944]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/06/2010 9:04 AM 136176]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\SYSTEM32\DRIVERS\hcw72ADFilter.sys [19/02/2010 8:02 PM 27904]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\SYSTEM32\DRIVERS\hcw72ATV.sys [19/02/2010 8:02 PM 1208448]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\SYSTEM32\DRIVERS\hcw72DTV.sys [19/02/2010 8:02 PM 1200768]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [06/11/2007 5:22 PM 34064]
S3 padenum;Enumerador de dispositivos de NTPAD;c:\windows\system32\DRIVERS\padenum.sys --> c:\windows\system32\DRIVERS\padenum.sys [?]
S3 VendorJoystickEnabler;Driver para joystick paralelo de consola;c:\windows\system32\drivers\ntpad.sys --> c:\windows\system32\drivers\ntpad.sys [?]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 4:47 AM 98304]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 3:40 AM 118784]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 11:49]
.
2012-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:34]
.
2012-07-28 c:\windows\Tasks\dailystrips-art4.job
- c:\art4\bin\Perl\bin\perl.exe [2004-12-13 12:52]
.
2012-08-16 c:\windows\Tasks\dailystrips-chris.job
- c:\art4\bin\Perl\bin\perl.exe [2004-12-13 12:52]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 12:04]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 12:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS03-026_RPC_DCOM_EXPLOIT
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\art4\bin\FDM\dlall.htm
IE: Download selected with Free Download Manager - file://c:\art4\bin\FDM\dlselected.htm
IE: Download with Free Download Manager - file://c:\art4\bin\FDM\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-16 07:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\art4\bin\MySQL\bin\mysqld MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(820)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2012-08-16 07:34:18
ComboFix-quarantined-files.txt 2012-08-16 10:34
ComboFix2.txt 2012-08-10 10:10
.
Pre-Run: 11,806,220,288 bytes free
Post-Run: 11,808,874,496 bytes free
.
- - End Of File - - E35046AEEF61865B953E8612422E1910



I re-did the Google search test; there were no redirections. Wireshark showed no suspicious network traffic.
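Added example, not part of the original post and not a BleepingComputer or ComboFix tool: a small Python triage script for the ComboFix log format pasted above. It picks out three things a reviewer would eyeball first in a log like this one: the `Run` key entries whose binary lives outside Program Files / Windows or is given as a bare filename (resolved via the DLL search path), service/driver lines whose trailer is `[?]` (my reading of the format: ComboFix prints `path --> path [?]` when it cannot find the referenced file, which is what the DBGV, padenum and ntpad entries above show), and the Security Center `AntiVirusOverride` value, which when non-zero suppresses the "no antivirus" warning. The sample log is constructed from a few lines of the log above; the trusted-directory list and the flag names are my own heuristics and produce items to look at, not verdicts.

```python
"""Triage a ComboFix log for autorun, service and Security Center oddities.

Example code written for this thread; the parsing rules follow the
ComboFix log shape shown above, the flagging heuristics are mine.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied in shape from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"KeePass 2 PreLoad"="c:\art4\bin\KeePass\KeePass.exe" [2011-01-02 1670656]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/10/2010 7:17 PM 10384]
S3 DBGV;DBGV;\??\c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS --> c:\art4\bin\analySys\sniff-bin-98-1.5\DBGV.SYS [?]
S3 padenum;Enumerador de dispositivos de NTPAD;c:\windows\system32\DRIVERS\padenum.sys --> c:\windows\system32\DRIVERS\padenum.sys [?]
"""

RUN_KEY = "[hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run]"
SECCENTER_KEY = "[hkey_local_machine\\software\\microsoft\\security center]"

# "Name"="path" [date size]   (Run key entries)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R2 name;display;path [date time size]  or  ... path --> path [?]  (services/drivers)
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$'
)
DWORD_RE = re.compile(r'^"(?P<name>\w+)"=dword:(?P<val>[0-9a-fA-F]{8})$')

# Where autorun binaries are expected on this box (heuristic, assumption of mine).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "c:\\progra~1\\")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def triage(log_text: str) -> list:
    """Return a list of Finding objects for lines worth a second look."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[HK") and line.endswith("]"):
            current_key = line.lower()      # registry section header
            continue

        svc = SVC_RE.match(line)
        if svc:
            if svc["meta"].strip() == "?":  # ComboFix could not find the file
                findings.append(Finding("service_file_missing", f"{svc['name']}: {svc['path']}"))
            continue

        run = RUN_RE.match(line)
        if run and current_key == RUN_KEY:
            path = run["path"].lower()
            if "\\" not in path:            # bare filename, found via search path
                findings.append(Finding("autorun_bare_filename", f"{run['name']}: {run['path']}"))
            elif not path.startswith(TRUSTED_PREFIXES):
                findings.append(Finding("autorun_unusual_location", f"{run['name']}: {run['path']}"))
            continue

        if current_key == SECCENTER_KEY:
            kv = DWORD_RE.match(line)
            if kv and kv["name"].lower() == "antivirusoverride" and int(kv["val"], 16) != 0:
                findings.append(Finding("security_center_av_override", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:30} {f.detail}")
```

Run it against a full ComboFix.txt with `triage(open("ComboFix.txt").read())`. On the sample it flags the two services whose driver file is absent, the KeePass entry under c:\art4, the bare NvMCTray.dll reference, and the AntiVirusOverride value; each still needs a human decision, since every one of those can be perfectly legitimate (the KeePass and NvMCTray entries above almost certainly are).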