Problem removing rootkit xp sp3


  • This topic is locked
15 replies to this topic

#1 ebouge

  • Members
  • 19 posts
  • Gender:Male
  • Location:LFBO

Posted 08 November 2012 - 02:52 PM

Hello,

For a few months now I have been having trouble with my laptop, which is a Toshiba Satellite A210-17X, 200 GB HDD, 4 GB RAM, running Windows XP SP3 (up to date). The computer runs fine for a few weeks and then starts slowing down and showing signs of malware infection.

Having come across the TechRepublic article "http://www.techrepublic.com/blog/doityourself-it-guy/diy-free-tools-for-removing-malicious-software/115", I have been running Combofix, then Malwarebytes, Spybot - Search & Destroy, CCleaner and a full scan with Microsoft Security Essentials. Those have sometimes reported malware infections, sometimes not. Usually my laptop runs much better afterwards.

But the problem comes back a few weeks later. When I run Combofix, it always detects some rootkit activity. However, I do not know how to understand the content of the Combofix report or which other actions to take next. I attach a copy of the Combofix report that was produced tonight.

Would it be possible to get some help with this issue?

Cheers
Eric

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Attached Files





#2 sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 08 November 2012 - 10:54 PM

Hello ebouge and welcome to BC.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.



======================================


:step1: Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.



:step2: Download OTL by OldTimer from one of the links below:

Link 1
Link 2

  • Save it to your desktop.
  • Close all open windows on the Task Bar.
  • Double click the OTL icon to run the program (run as Administrator for Windows Vista/7).
  • Put a check mark on Scan All Users.
  • Click the Run Scan button and let it run uninterrupted.
  • It will create two reports namely OTL.txt (will be opened) and Extras.txt (will be minimized).
  • Post the contents of both reports when you reply.
  • Exit OTL.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
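The two reports requested above run to several hundred lines, nearly all of them "- ok" or ordinary vendor-signed entries, and the helper's job is to find the handful that are not. The Python below is an added example, not part of TDSSKiller, OTL, or sempai's instructions, that does that first mechanical pass. For a TDSSKiller log it pulls out every object not marked "ok" (the "( verdict ) - status" lines) plus the MBR/VBR hashes, which are worth comparing between runs when an infection keeps returning. For an OTL log it flags services and drivers listed as "File not found" (above all those still Running, since a running service whose image cannot be read is either hidden or pointing at a bogus path), binaries with no company name loaded from user-writable directories, and files carrying hidden/system attributes. The regexes follow the line formats of TDSSKiller 2.8.x and OTL 3.2.x as shown in this thread; every sample line is constructed for the demo rather than taken from the poster's machine, and "hidden.sys" and "svch0st.exe" are made-up names standing in for the patterns worth chasing.

```python
"""Added triage helpers for TDSSKiller and OTL logs (not part of either tool or of the thread).
Regexes follow the line formats of TDSSKiller 2.8.x and OTL 3.2.x; all sample lines are constructed."""
import re
from typing import Dict, List

# Constructed TDSSKiller sample: one unsigned-driver warning, one MBR verdict, two sector hashes.
TDSS_SAMPLE = r"""
08:14:49.0747 2056 Scan started
08:14:50.0965 2056 Abiosdsk - ok
08:14:51.0028 2056 atapi ( UnsignedFile.Multi.Generic ) - warning
08:14:51.0044 2056 atapi - detected UnsignedFile.Multi.Generic (1)
08:14:53.0434 2056 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
08:14:53.0500 2056 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
08:14:53.0500 2056 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
08:14:53.0903 2056 [ E07334B657436E9C3FE89F9322605828 ] \Device\Harddisk0\DR0\Partition1
08:14:53.0903 2056 \Device\Harddisk0\DR0\Partition1 - ok
08:14:53.0919 2340 Detected object count: 2
"""
# "<time> <tid> <object> ( <verdict> ) - <status>": every line that is not a plain "- ok"
TDSS_VERDICT = re.compile(r"^\S+\s+\d+\s+(?P<obj>.+?) \( (?P<verdict>[^)]+) \) - (?P<status>\w+)$")
# "<time> <tid> [ <md5> ] \Device\...": MBR/VBR hashes, worth diffing between runs
TDSS_HASH = re.compile(r"^\S+\s+\d+\s+\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<dev>\\Device\\\S+)$")

def triage_tdsskiller(text: str) -> Dict[str, object]:
    """Return boot-sector hashes and every object TDSSKiller did not mark 'ok'."""
    hashes: Dict[str, str] = {}
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = TDSS_HASH.match(line.rstrip())
        if m:
            hashes[m.group("dev")] = m.group("md5").upper()
            continue
        m = TDSS_VERDICT.match(line.rstrip())
        if m:
            findings.append({"object": m.group("obj"), "verdict": m.group("verdict"),
                             "status": m.group("status")})
    return {"hashes": hashes, "findings": findings}

# Constructed OTL sample. "hidden.sys" and "svch0st.exe" are made-up names standing in for the
# two patterns worth chasing: a running service whose image OTL cannot find, and an unsigned
# binary in a user-writable directory. The other lines copy the format of a normal OTL report.
OTL_SAMPLE = r"""
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Boot | Running] -- system32\DRIVERS\hidden.sys -- (hidden)
DRV - [2012/04/18 02:50:48 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
MOD - [2011/07/29 00:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
PRC - [2009/03/05 15:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2012/11/01 03:12:00 | 000,045,056 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\svch0st.exe
"""
# "<KIND> - File not found [state] -- <path> -- (<name>)"  or
# "<KIND> - [<stamp> | <size> | <attrs> | M] (<company>) [state] -- <path> -- (<name>)"
OTL_HEAD = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:(?P<missing>File not found)|"
    r"\[[^|]+\| [\d,]+ \| (?P<attrs>[A-Z-]{4}) \| [MC]\] \((?P<company>[^)]*)\))"
    r"(?: \[(?P<state>[^\]]+)\])?(?P<rest>.*)$")
USER_WRITABLE = re.compile(r"\\(?:temp|application data|local settings)\\", re.I)

def triage_otl(text: str) -> List[Dict[str, object]]:
    """Flag the OTL entries a responder would read first, with the reason for each."""
    flagged: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = OTL_HEAD.match(line.strip())
        if not m:
            continue
        # rest is " -- <path> -- (<svc>)"; PRC/MOD lines have no "(<svc>)" tail
        pieces = [p.strip() for p in m.group("rest").split("--") if p.strip()]
        name = pieces.pop()[1:-1] if pieces and pieces[-1].startswith("(") else None
        path = pieces[0] if pieces else ""
        state, attrs = m.group("state") or "", m.group("attrs") or ""
        reasons: List[str] = []
        if m.group("missing"):
            reasons.append("running but file not found (hidden file or bogus image path)"
                           if "Running" in state else "orphaned entry, file not found")
        if m.group("company") == "" and USER_WRITABLE.search(path):
            reasons.append("no company name and loaded from a user-writable path")
        if "H" in attrs or "S" in attrs:
            reasons.append("hidden/system attributes (%s)" % attrs)
        if reasons:
            flagged.append({"kind": m.group("kind"), "name": name or path,
                            "path": path, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for f in triage_tdsskiller(TDSS_SAMPLE)["findings"]:
        print("TDSS", f["status"], f["object"], f["verdict"])
    for e in triage_otl(OTL_SAMPLE):
        print("OTL ", e["kind"], e["name"], "|", "; ".join(e["reasons"]))
```

Paste a real log into the two functions in place of the samples. A flag is a prompt to look, not a verdict: in the OTL log posted further down this thread, catchme.sys is ComboFix's own driver left behind as an orphan after the tool exits, and the Spybot TeaTimer.exe entry carries RHS attributes, both explained by software the poster has already run. What the script cannot explain is what to chase, and a "File not found" entry that is still Running is the one to chase first.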


#3 ebouge

  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:LFBO

Posted 09 November 2012 - 02:43 AM

Hello sempai,

Thank you for your reply.

I ran both programs as you requested; you will find the reports below:

08:14:40.0028 3844 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
08:14:40.0137 3844 ============================================================
08:14:40.0137 3844 Current date / time: 2012/11/09 08:14:40.0137
08:14:40.0137 3844 SystemInfo:
08:14:40.0137 3844
08:14:40.0137 3844 OS Version: 5.1.2600 ServicePack: 3.0
08:14:40.0137 3844 Product type: Workstation
08:14:40.0137 3844 ComputerName: ERICHOME3
08:14:40.0137 3844 UserName: Eric Bougeard
08:14:40.0137 3844 Windows directory: C:\WINDOWS
08:14:40.0137 3844 System windows directory: C:\WINDOWS
08:14:40.0137 3844 Processor architecture: Intel x86
08:14:40.0137 3844 Number of processors: 2
08:14:40.0137 3844 Page size: 0x1000
08:14:40.0137 3844 Boot type: Normal boot
08:14:40.0137 3844 ============================================================
08:14:42.0965 3844 Drive \Device\Harddisk0\DR0 - Size: 0x2E93E36000 (186.31 Gb), SectorSize: 0x200, Cylinders: 0x5F01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:14:43.0012 3844 ============================================================
08:14:43.0012 3844 \Device\Harddisk0\DR0:
08:14:43.0012 3844 MBR partitions:
08:14:43.0012 3844 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A962B1
08:14:43.0028 3844 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x3A9632F, BlocksNum 0xC564915
08:14:43.0075 3844 ============================================================
08:14:43.0090 3844 Initialize success
08:14:43.0090 3844 ============================================================
08:14:49.0747 2056 ============================================================
08:14:49.0747 2056 Scan started
08:14:49.0747 2056 Mode: Manual; SigCheck; TDLFS;
08:14:49.0747 2056 ============================================================
08:14:49.0934 2056 ================ Scan system memory ========================
08:14:50.0950 2056 System memory - ok
08:14:50.0950 2056 ================ Scan services =============================
08:14:50.0965 2056 Abiosdsk - ok
08:14:50.0965 2056 abp480n5 - ok
08:14:50.0981 2056 ACPI - ok
08:14:50.0981 2056 ACPIEC - ok
08:14:50.0981 2056 adatadrv - ok
08:14:50.0997 2056 Adobe LM Service - ok
08:14:50.0997 2056 AdobeFlashPlayerUpdateSvc - ok
08:14:50.0997 2056 adpu160m - ok
08:14:51.0012 2056 aec - ok
08:14:51.0012 2056 AFD - ok
08:14:51.0012 2056 AgereModemAudio - ok
08:14:51.0028 2056 AgereSoftModem - ok
08:14:51.0028 2056 Aha154x - ok
08:14:51.0044 2056 aic78u2 - ok
08:14:51.0044 2056 aic78xx - ok
08:14:51.0044 2056 Alerter - ok
08:14:51.0059 2056 ALG - ok
08:14:51.0059 2056 AliIde - ok
08:14:51.0075 2056 AmdK8 - ok
08:14:51.0075 2056 AmdLLD - ok
08:14:51.0075 2056 AmdPPM - ok
08:14:51.0090 2056 amsint - ok
08:14:51.0090 2056 AppMgmt - ok
08:14:51.0090 2056 Arp1394 - ok
08:14:51.0106 2056 asc - ok
08:14:51.0106 2056 asc3350p - ok
08:14:51.0106 2056 asc3550 - ok
08:14:51.0122 2056 aspnet_state - ok
08:14:51.0137 2056 AsyncMac - ok
08:14:51.0137 2056 atapi - ok
08:14:51.0137 2056 Atdisk - ok
08:14:51.0153 2056 Ati HotKey Poller - ok
08:14:51.0153 2056 ati2mtag - ok
08:14:51.0169 2056 Atmarpc - ok
08:14:51.0169 2056 AudioSrv - ok
08:14:51.0169 2056 audstub - ok
08:14:51.0184 2056 Beep - ok
08:14:51.0184 2056 BITS - ok
08:14:51.0200 2056 Browser - ok
08:14:51.0200 2056 btaudio - ok
08:14:51.0200 2056 BTDriver - ok
08:14:51.0215 2056 BthEnum - ok
08:14:51.0215 2056 BTHMODEM - ok
08:14:51.0215 2056 BthPan - ok
08:14:51.0231 2056 BTHPORT - ok
08:14:51.0231 2056 BthServ - ok
08:14:51.0231 2056 BTHUSB - ok
08:14:51.0247 2056 BTKRNL - ok
08:14:51.0247 2056 btwdins - ok
08:14:51.0247 2056 BTWDNDIS - ok
08:14:51.0262 2056 btwhid - ok
08:14:51.0262 2056 BTWUSB - ok
08:14:51.0262 2056 catchme - ok
08:14:51.0278 2056 cbidf2k - ok
08:14:51.0278 2056 CCDECODE - ok
08:14:51.0294 2056 cd20xrnt - ok
08:14:51.0294 2056 Cdaudio - ok
08:14:51.0294 2056 Cdfs - ok
08:14:51.0309 2056 Cdrom - ok
08:14:51.0309 2056 CFSvcs - ok
08:14:51.0309 2056 Changer - ok
08:14:51.0325 2056 cisvc - ok
08:14:51.0325 2056 ClipSrv - ok
08:14:51.0325 2056 clr_optimization_v2.0.50727_32 - ok
08:14:51.0340 2056 CmBatt - ok
08:14:51.0340 2056 CmdIde - ok
08:14:51.0356 2056 Compbatt - ok
08:14:51.0356 2056 COMSysApp - ok
08:14:51.0372 2056 Cpqarray - ok
08:14:51.0372 2056 Crypkey License - ok
08:14:51.0372 2056 CryptSvc - ok
08:14:51.0387 2056 CTU2K - ok
08:14:51.0387 2056 dac2w2k - ok
08:14:51.0387 2056 dac960nt - ok
08:14:51.0403 2056 DcomLaunch - ok
08:14:51.0403 2056 Dhcp - ok
08:14:51.0403 2056 Disk - ok
08:14:51.0419 2056 dmadmin - ok
08:14:51.0419 2056 dmboot - ok
08:14:51.0419 2056 dmio - ok
08:14:51.0434 2056 dmload - ok
08:14:51.0434 2056 dmserver - ok
08:14:51.0434 2056 DMusic - ok
08:14:51.0450 2056 Dnscache - ok
08:14:51.0450 2056 Dot3svc - ok
08:14:51.0465 2056 dpti2o - ok
08:14:51.0465 2056 drmkaud - ok
08:14:51.0465 2056 dtsoftbus01 - ok
08:14:51.0481 2056 dvd43llh - ok
08:14:51.0481 2056 EapHost - ok
08:14:51.0481 2056 edicusb - ok
08:14:51.0497 2056 ERSvc - ok
08:14:51.0497 2056 Eventlog - ok
08:14:51.0497 2056 EventSystem - ok
08:14:51.0512 2056 Fastfat - ok
08:14:51.0512 2056 FastUserSwitchingCompatibility - ok
08:14:51.0512 2056 Fdc - ok
08:14:51.0528 2056 FileZilla Server - ok
08:14:51.0528 2056 Fips - ok
08:14:51.0528 2056 FLEXnet Licensing Service - ok
08:14:51.0544 2056 Flpydisk - ok
08:14:51.0544 2056 FltMgr - ok
08:14:51.0559 2056 FontCache3.0.0.0 - ok
08:14:51.0559 2056 Fs_Rec - ok
08:14:51.0559 2056 Ftdisk - ok
08:14:51.0575 2056 FwLnk - ok
08:14:51.0575 2056 Gpc - ok
08:14:51.0575 2056 gupdate - ok
08:14:51.0590 2056 gupdatem - ok
08:14:51.0606 2056 Hardlock - ok
08:14:51.0606 2056 HDAudBus - ok
08:14:51.0606 2056 helpsvc - ok
08:14:51.0622 2056 HidServ - ok
08:14:51.0622 2056 hidusb - ok
08:14:51.0622 2056 hkmsvc - ok
08:14:51.0637 2056 hpn - ok
08:14:51.0637 2056 hpt3xx - ok
08:14:51.0653 2056 HPZid412 - ok
08:14:51.0653 2056 HPZipr12 - ok
08:14:51.0653 2056 HPZius12 - ok
08:14:51.0669 2056 HTTP - ok
08:14:51.0747 2056 HTTPFilter - ok
08:14:51.0747 2056 i2omgmt - ok
08:14:51.0747 2056 i2omp - ok
08:14:51.0762 2056 i8042prt - ok
08:14:51.0762 2056 idsvc - ok
08:14:51.0762 2056 Imapi - ok
08:14:51.0778 2056 ImapiService - ok
08:14:51.0778 2056 ini910u - ok
08:14:51.0794 2056 IntcAzAudAddService - ok
08:14:51.0794 2056 IntelIde - ok
08:14:51.0809 2056 ip6fw - ok
08:14:51.0809 2056 IpFilterDriver - ok
08:14:51.0809 2056 IpInIp - ok
08:14:51.0825 2056 IpNat - ok
08:14:51.0825 2056 IPSec - ok
08:14:51.0825 2056 IRENUM - ok
08:14:51.0840 2056 isapnp - ok
08:14:51.0840 2056 ISODrive - ok
08:14:51.0856 2056 JavaQuickStarterService - ok
08:14:51.0856 2056 Kbdclass - ok
08:14:51.0856 2056 kbdhid - ok
08:14:51.0872 2056 kmixer - ok
08:14:51.0872 2056 KSecDD - ok
08:14:51.0872 2056 lanmanserver - ok
08:14:51.0887 2056 lanmanworkstation - ok
08:14:51.0887 2056 LBeepKE - ok
08:14:51.0887 2056 lbrtfdc - ok
08:14:51.0903 2056 LBTServ - ok
08:14:51.0903 2056 LcSvrAdm - ok
08:14:51.0919 2056 LcSvrAuf - ok
08:14:51.0919 2056 LcSvrDba - ok
08:14:51.0919 2056 LcSvrHis - ok
08:14:51.0934 2056 LcSvrPAS - ok
08:14:51.0934 2056 LcSvrSaz - ok
08:14:51.0934 2056 LHidFilt - ok
08:14:51.0950 2056 LightScribeService - ok
08:14:51.0965 2056 LmHosts - ok
08:14:51.0965 2056 LMouFilt - ok
08:14:51.0965 2056 LUsbFilt - ok
08:14:51.0981 2056 MDM - ok
08:14:51.0981 2056 Messenger - ok
08:14:51.0981 2056 mnmdd - ok
08:14:51.0997 2056 mnmsrvc - ok
08:14:51.0997 2056 Modem - ok
08:14:51.0997 2056 Mouclass - ok
08:14:52.0012 2056 mouhid - ok
08:14:52.0012 2056 MountMgr - ok
08:14:52.0012 2056 MozillaMaintenance - ok
08:14:52.0028 2056 MpFilter - ok
08:14:52.0028 2056 MpKsl635add99 - ok
08:14:52.0028 2056 mraid35x - ok
08:14:52.0044 2056 MRxDAV - ok
08:14:52.0044 2056 MRxSmb - ok
08:14:52.0044 2056 MSDTC - ok
08:14:52.0059 2056 Msfs - ok
08:14:52.0059 2056 MSIServer - ok
08:14:52.0075 2056 MSKSSRV - ok
08:14:52.0075 2056 MsMpSvc - ok
08:14:52.0075 2056 MSPCLOCK - ok
08:14:52.0090 2056 MSPQM - ok
08:14:52.0106 2056 mssmbios - ok
08:14:52.0106 2056 MSTEE - ok
08:14:52.0122 2056 Mup - ok
08:14:52.0122 2056 NABTSFEC - ok
08:14:52.0122 2056 napagent - ok
08:14:52.0137 2056 NDIS - ok
08:14:52.0137 2056 NdisIP - ok
08:14:52.0137 2056 NdisTapi - ok
08:14:52.0153 2056 Ndisuio - ok
08:14:52.0153 2056 NdisWan - ok
08:14:52.0153 2056 NDProxy - ok
08:14:52.0169 2056 NetBIOS - ok
08:14:52.0169 2056 NetBT - ok
08:14:52.0169 2056 NetDDE - ok
08:14:52.0184 2056 NetDDEdsdm - ok
08:14:52.0184 2056 Netdevio - ok
08:14:52.0184 2056 Netlogon - ok
08:14:52.0200 2056 Netman - ok
08:14:52.0200 2056 NetTcpPortSharing - ok
08:14:52.0200 2056 NetworkX - ok
08:14:52.0215 2056 NIC1394 - ok
08:14:52.0215 2056 Nla - ok
08:14:52.0231 2056 nm - ok
08:14:52.0231 2056 nosGetPlusHelper - ok
08:14:52.0231 2056 Npfs - ok
08:14:52.0247 2056 NSHE - ok
08:14:52.0247 2056 Ntfs - ok
08:14:52.0247 2056 NtLmSsp - ok
08:14:52.0262 2056 NtmsSvc - ok
08:14:52.0262 2056 Null - ok
08:14:52.0262 2056 NwlnkFlt - ok
08:14:52.0278 2056 NwlnkFwd - ok
08:14:52.0278 2056 Odptdi - ok
08:14:52.0278 2056 ohci1394 - ok
08:14:52.0294 2056 ose - ok
08:14:52.0294 2056 Parport - ok
08:14:52.0294 2056 PartMgr - ok
08:14:52.0325 2056 ParVdm - ok
08:14:52.0325 2056 pccsmcfd - ok
08:14:52.0325 2056 PCI - ok
08:14:52.0340 2056 PCIDump - ok
08:14:52.0340 2056 PCIIde - ok
08:14:52.0340 2056 Pcmcia - ok
08:14:52.0356 2056 PDCOMP - ok
08:14:52.0356 2056 PDFRAME - ok
08:14:52.0356 2056 PDRELI - ok
08:14:52.0372 2056 PDRFRAME - ok
08:14:52.0372 2056 perc2 - ok
08:14:52.0372 2056 perc2hib - ok
08:14:52.0387 2056 pfc - ok
08:14:52.0403 2056 PlugPlay - ok
08:14:52.0403 2056 PolicyAgent - ok
08:14:52.0403 2056 PptpMiniport - ok
08:14:52.0419 2056 Processor - ok
08:14:52.0419 2056 prodrv06 - ok
08:14:52.0419 2056 prohlp02 - ok
08:14:52.0434 2056 prosync1 - ok
08:14:52.0434 2056 ProtectedStorage - ok
08:14:52.0450 2056 PSched - ok
08:14:52.0450 2056 Ptilink - ok
08:14:52.0450 2056 PxHelp20 - ok
08:14:52.0465 2056 ql1080 - ok
08:14:52.0465 2056 Ql10wnt - ok
08:14:52.0465 2056 ql12160 - ok
08:14:52.0481 2056 ql1240 - ok
08:14:52.0481 2056 ql1280 - ok
08:14:52.0481 2056 RasAcd - ok
08:14:52.0497 2056 RasAuto - ok
08:14:52.0497 2056 Rasl2tp - ok
08:14:52.0497 2056 RasMan - ok
08:14:52.0512 2056 RasPppoe - ok
08:14:52.0512 2056 Raspti - ok
08:14:52.0512 2056 Rdbss - ok
08:14:52.0528 2056 RDPCDD - ok
08:14:52.0528 2056 rdpdr - ok
08:14:52.0544 2056 RDPWD - ok
08:14:52.0544 2056 RDSessMgr - ok
08:14:52.0559 2056 redbook - ok
08:14:52.0559 2056 RemoteAccess - ok
08:14:52.0559 2056 RemoteRegistry - ok
08:14:52.0575 2056 RFCOMM - ok
08:14:52.0575 2056 rimmptsk - ok
08:14:52.0575 2056 rimsptsk - ok
08:14:52.0590 2056 rismxdp - ok
08:14:52.0590 2056 ROOTMODEM - ok
08:14:52.0590 2056 RpcLocator - ok
08:14:52.0606 2056 RpcSs - ok
08:14:52.0606 2056 RSVP - ok
08:14:52.0622 2056 RT-USB - ok
08:14:52.0622 2056 rt2870 - ok
08:14:52.0622 2056 RTL8187B - ok
08:14:52.0637 2056 RTLE8023xp - ok
08:14:52.0637 2056 SamSs - ok
08:14:52.0637 2056 SCardSvr - ok
08:14:52.0653 2056 Schedule - ok
08:14:52.0669 2056 sdbus - ok
08:14:52.0731 2056 SeaPort - ok
08:14:52.0731 2056 Secdrv - ok
08:14:52.0747 2056 seclogon - ok
08:14:52.0747 2056 SENS - ok
08:14:52.0747 2056 Sentinel - ok
08:14:52.0762 2056 SentinelKeysServer - ok
08:14:52.0762 2056 SentinelProtectionServer - ok
08:14:52.0762 2056 SentinelSecurityRuntime - ok
08:14:52.0778 2056 Serial - ok
08:14:52.0778 2056 ServiceLayer - ok
08:14:52.0794 2056 sffdisk - ok
08:14:52.0794 2056 sffp_sd - ok
08:14:52.0809 2056 sfhlp01 - ok
08:14:52.0809 2056 Sfloppy - ok
08:14:52.0825 2056 SharedAccess - ok
08:14:52.0825 2056 ShellHWDetection - ok
08:14:52.0825 2056 Simbad - ok
08:14:52.0840 2056 SLIP - ok
08:14:52.0840 2056 SNTNLUSB - ok
08:14:52.0840 2056 Sparrow - ok
08:14:52.0856 2056 splitter - ok
08:14:52.0856 2056 Spooler - ok
08:14:52.0856 2056 sptd - ok
08:14:52.0872 2056 sr - ok
08:14:52.0872 2056 srescan - ok
08:14:52.0887 2056 srservice - ok
08:14:52.0887 2056 Srv - ok
08:14:52.0887 2056 ssadbus - ok
08:14:52.0903 2056 ssadmdfl - ok
08:14:52.0903 2056 ssadmdm - ok
08:14:52.0903 2056 sscdbus - ok
08:14:52.0919 2056 sscdmdfl - ok
08:14:52.0919 2056 sscdmdm - ok
08:14:52.0919 2056 SSDPSRV - ok
08:14:52.0934 2056 StillCam - ok
08:14:52.0934 2056 stisvc - ok
08:14:52.0934 2056 streamip - ok
08:14:52.0950 2056 swenum - ok
08:14:52.0950 2056 swmidi - ok
08:14:52.0950 2056 SwPrv - ok
08:14:52.0965 2056 symc810 - ok
08:14:52.0965 2056 symc8xx - ok
08:14:52.0981 2056 sym_hi - ok
08:14:52.0981 2056 sym_u3 - ok
08:14:52.0981 2056 SynTP - ok
08:14:52.0997 2056 sysaudio - ok
08:14:52.0997 2056 SysmonLog - ok
08:14:52.0997 2056 TapiSrv - ok
08:14:53.0012 2056 TAPPSRV - ok
08:14:53.0012 2056 Tcpip - ok
08:14:53.0012 2056 tdcmdpst - ok
08:14:53.0028 2056 TDPIPE - ok
08:14:53.0028 2056 TDTCP - ok
08:14:53.0028 2056 TermDD - ok
08:14:53.0044 2056 TermService - ok
08:14:53.0044 2056 Themes - ok
08:14:53.0059 2056 TlntSvr - ok
08:14:53.0059 2056 TODDSrv - ok
08:14:53.0059 2056 TosIde - ok
08:14:53.0075 2056 Tosrfcom - ok
08:14:53.0075 2056 TrkWks - ok
08:14:53.0090 2056 Udfs - ok
08:14:53.0090 2056 ultra - ok
08:14:53.0106 2056 Update - ok
08:14:53.0106 2056 upnphost - ok
08:14:53.0106 2056 upperdev - ok
08:14:53.0122 2056 UPS - ok
08:14:53.0122 2056 usbaudio - ok
08:14:53.0122 2056 usbccgp - ok
08:14:53.0137 2056 usbehci - ok
08:14:53.0137 2056 usbhub - ok
08:14:53.0137 2056 usbohci - ok
08:14:53.0153 2056 usbprint - ok
08:14:53.0153 2056 USBSTOR - ok
08:14:53.0169 2056 usbvideo - ok
08:14:53.0169 2056 usb_rndisx - ok
08:14:53.0169 2056 UVCFTR - ok
08:14:53.0184 2056 VgaSave - ok
08:14:53.0184 2056 ViaIde - ok
08:14:53.0184 2056 vmci - ok
08:14:53.0200 2056 VMnetAdapter - ok
08:14:53.0200 2056 VolSnap - ok
08:14:53.0200 2056 VSGate - ok
08:14:53.0215 2056 VSS - ok
08:14:53.0215 2056 W32Time - ok
08:14:53.0231 2056 Wanarp - ok
08:14:53.0231 2056 WDBtnMgrSvc.exe - ok
08:14:53.0231 2056 WDC_SAM - ok
08:14:53.0247 2056 Wdf01000 - ok
08:14:53.0247 2056 WDICA - ok
08:14:53.0247 2056 wdmaud - ok
08:14:53.0262 2056 WebClient - ok
08:14:53.0262 2056 winmgmt - ok
08:14:53.0278 2056 WinUSB - ok
08:14:53.0278 2056 WmdmPmSN - ok
08:14:53.0294 2056 Wmi - ok
08:14:53.0294 2056 WmiApSrv - ok
08:14:53.0309 2056 WMPNetworkSvc - ok
08:14:53.0309 2056 WpdUsb - ok
08:14:53.0309 2056 WS2IFSL - ok
08:14:53.0325 2056 wscsvc - ok
08:14:53.0325 2056 WSTCODEC - ok
08:14:53.0325 2056 wuauserv - ok
08:14:53.0340 2056 WudfPf - ok
08:14:53.0340 2056 WudfRd - ok
08:14:53.0356 2056 WudfSvc - ok
08:14:53.0356 2056 WZCSVC - ok
08:14:53.0356 2056 xmlprov - ok
08:14:53.0387 2056 ================ Scan global ===============================
08:14:53.0387 2056 [Global] - ok
08:14:53.0387 2056 ================ Scan MBR ==================================
08:14:53.0434 2056 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
08:14:53.0903 2056 \Device\Harddisk0\DR0 - ok
08:14:53.0903 2056 ================ Scan VBR ==================================
08:14:53.0903 2056 [ E07334B657436E9C3FE89F9322605828 ] \Device\Harddisk0\DR0\Partition1
08:14:53.0903 2056 \Device\Harddisk0\DR0\Partition1 - ok
08:14:53.0903 2056 [ 2760348AF2BE38E837ECB2ADFCC4277E ] \Device\Harddisk0\DR0\Partition2
08:14:53.0903 2056 \Device\Harddisk0\DR0\Partition2 - ok
08:14:53.0903 2056 ============================================================
08:14:53.0903 2056 Scan finished
08:14:53.0903 2056 ============================================================
08:14:53.0919 2340 Detected object count: 0
08:14:53.0919 2340 Actual detected object count: 0


OTL logfile created on: 09/11/2012 08:19:02 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Eric Bougeard\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.37 Gb Total Physical Memory | 2.86 Gb Available Physical Memory | 84.94% Memory free
6.59 Gb Paging File | 5.88 Gb Available in Paging File | 89.29% Paging File free
Paging file location(s): D:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 2.17 Gb Free Space | 7.41% Space Free | Partition Type: NTFS
Drive D: | 98.70 Gb Total Space | 29.23 Gb Free Space | 29.62% Space Free | Partition Type: NTFS
Drive E: | 29.32 Gb Total Space | 27.96 Gb Free Space | 95.34% Space Free | Partition Type: FAT32
Drive F: | 11.85 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 1.76 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive W: | 1831.58 Gb Total Space | 1046.10 Gb Free Space | 57.11% Space Free | Partition Type: NTFS
Drive Y: | 231.61 Gb Total Space | 82.80 Gb Free Space | 35.75% Space Free | Partition Type: NTFS
Drive Z: | 298.02 Gb Total Space | 22.89 Gb Free Space | 7.68% Space Free | Partition Type: NTFS

Computer Name: ERICHOME3 | User Name: Eric Bougeard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 60 Days

========== Processes (SafeList) ==========

PRC - [2012/11/09 08:08:17 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric Bougeard\Desktop\OTL.exe
PRC - [2012/09/24 22:12:59 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 16:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/04/11 10:54:22 | 003,672,384 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2012/02/26 15:42:52 | 001,044,992 | ---- | M] (FileZilla Project) -- C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
PRC - [2012/02/26 15:42:28 | 000,632,320 | ---- | M] (FileZilla Project) -- C:\Program Files\FileZilla Server\FileZilla server.exe
PRC - [2011/12/06 16:10:44 | 000,240,640 | ---- | M] (Volkswagen AG) -- d:\Program Files\ElsaWin\bin\LcSvrAdm.exe
PRC - [2011/12/06 16:08:58 | 000,335,360 | ---- | M] (Volkswagen AG) -- d:\Program Files\ElsaWin\bin\LcSvrHis.exe
PRC - [2011/12/06 16:08:16 | 000,373,248 | ---- | M] (Volkswagen AG) -- d:\Program Files\ElsaWin\bin\LcSvrSaz.exe
PRC - [2011/12/06 16:07:28 | 001,321,472 | ---- | M] (Volkswagen AG) -- d:\Program Files\ElsaWin\bin\LcSvrAuf.exe
PRC - [2011/12/06 16:04:48 | 000,477,696 | ---- | M] (Volkswagen AG) -- d:\Program Files\ElsaWin\bin\LcSvrPas.exe
PRC - [2011/12/06 16:03:38 | 000,392,704 | ---- | M] (Volkswagen AG) -- d:\Program Files\ElsaWin\bin\LcSvrDba.exe
PRC - [2011/10/21 22:34:44 | 001,327,104 | ---- | M] (PcWinTech.com) -- C:\Program Files\CleanMem\Mini_Monitor.exe
PRC - [2011/09/22 06:06:06 | 001,259,040 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
PRC - [2011/09/22 00:03:02 | 000,374,304 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
PRC - [2011/09/22 00:00:00 | 000,292,384 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
PRC - [2011/07/29 00:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/07/04 12:37:58 | 000,081,920 | ---- | M] (Volkswagen AG) -- D:\Program Files\ElsaWin\bin\VSGate.exe
PRC - [2010/12/09 18:27:44 | 000,636,256 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2009/10/23 18:34:36 | 000,827,904 | ---- | M] () -- C:\Program Files\dvd43\DVD43_Tray.exe
PRC - [2009/03/05 15:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/08/14 10:14:20 | 000,200,704 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/13 20:20:46 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
PRC - [2007/12/11 16:59:28 | 000,974,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2007/12/11 16:59:26 | 000,798,720 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
PRC - [2007/12/11 16:50:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2007/11/21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2007/08/28 14:22:10 | 000,356,352 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe
PRC - [2007/06/22 10:24:30 | 004,763,648 | ---- | M] () -- C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
PRC - [2007/05/22 10:50:02 | 000,413,696 | ---- | M] (Chicony) -- C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
PRC - [2007/04/10 08:45:20 | 000,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2006/05/08 17:52:04 | 000,204,800 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
PRC - [2005/04/11 10:26:06 | 000,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/08 14:41:12 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2011/11/03 16:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/07/29 00:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/29 00:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/12/09 18:27:54 | 002,860,384 | ---- | M] () -- C:\WINDOWS\system32\btwicons.dll
MOD - [2009/10/23 18:34:36 | 000,827,904 | ---- | M] () -- C:\Program Files\dvd43\DVD43_Tray.exe
MOD - [2008/07/05 11:26:26 | 002,494,464 | ---- | M] () -- C:\WINDOWS\system32\ffdshow.ax
MOD - [2008/06/30 15:47:50 | 000,421,888 | ---- | M] () -- C:\WINDOWS\system32\ac3filter.acm
MOD - [2008/04/14 01:12:03 | 000,192,512 | ---- | M] () -- C:\WINDOWS\system32\qcap.dll
MOD - [2008/04/14 01:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 01:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2008/03/25 05:50:40 | 000,355,112 | ---- | M] () -- C:\WINDOWS\system32\msjetoledb40.dll
MOD - [2007/06/22 10:24:30 | 004,763,648 | ---- | M] () -- C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
MOD - [2007/04/03 18:21:34 | 000,049,152 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TouchPad_ONOFF.dll
MOD - [2002/11/26 13:43:18 | 000,106,496 | ---- | M] () -- C:\WINDOWS\system32\BrMuSNMP.dll
MOD - [2001/08/23 13:00:00 | 000,015,360 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2000/12/22 07:51:00 | 000,028,672 | ---- | M] () -- C:\WINDOWS\system32\NavLogon.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)
SRV - [2012/10/29 02:50:56 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/10/09 10:36:25 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/24 22:12:59 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/02/26 15:42:28 | 000,632,320 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Program Files\FileZilla Server\FileZilla server.exe -- (FileZilla Server)
SRV - [2011/12/06 16:10:44 | 000,240,640 | ---- | M] (Volkswagen AG) [Auto | Running] -- d:\Program Files\ElsaWin\bin\LcSvrAdm.exe -- (LcSvrAdm)
SRV - [2011/12/06 16:08:58 | 000,335,360 | ---- | M] (Volkswagen AG) [Auto | Running] -- d:\Program Files\ElsaWin\bin\LcSvrHis.exe -- (LcSvrHis)
SRV - [2011/12/06 16:08:16 | 000,373,248 | ---- | M] (Volkswagen AG) [Auto | Running] -- d:\Program Files\ElsaWin\bin\LcSvrSaz.exe -- (LcSvrSaz)
SRV - [2011/12/06 16:07:28 | 001,321,472 | ---- | M] (Volkswagen AG) [On_Demand | Running] -- d:\Program Files\ElsaWin\bin\LcSvrAuf.exe -- (LcSvrAuf)
SRV - [2011/12/06 16:04:48 | 000,477,696 | ---- | M] (Volkswagen AG) [Auto | Running] -- d:\Program Files\ElsaWin\bin\LcSvrPas.exe -- (LcSvrPAS)
SRV - [2011/12/06 16:03:38 | 000,392,704 | ---- | M] (Volkswagen AG) [Auto | Running] -- d:\Program Files\ElsaWin\bin\LcSvrDba.exe -- (LcSvrDba)
SRV - [2011/09/22 06:06:06 | 001,259,040 | ---- | M] (SafeNet, Inc) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer)
SRV - [2011/09/22 00:03:02 | 000,374,304 | ---- | M] (SafeNet, Inc.) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe -- (SentinelKeysServer)
SRV - [2011/09/22 00:00:00 | 000,292,384 | ---- | M] (SafeNet, Inc.) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe -- (SentinelSecurityRuntime)
SRV - [2011/07/04 12:37:58 | 000,081,920 | ---- | M] (Volkswagen AG) [Auto | Running] -- D:\Program Files\ElsaWin\bin\VSGate.exe -- (VSGate)
SRV - [2010/12/08 14:31:06 | 000,628,736 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2010/10/28 11:13:30 | 000,293,456 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2010/09/01 14:52:56 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper)
SRV - [2009/09/25 03:26:17 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/08 00:29:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Stopped] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)
SRV - [2008/02/19 02:15:38 | 000,106,496 | ---- | M] (WDC) [On_Demand | Stopped] -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe -- (WDBtnMgrSvc.exe)
SRV - [2007/12/13 10:02:14 | 000,009,216 | ---- | M] (Agere Systems) [Disabled | Stopped] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/12/11 16:50:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2007/11/21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/04/10 08:45:20 | 000,035,840 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vmnetadapter.sys -- (VMnetAdapter)
DRV - File not found [Kernel | Boot | Stopped] -- system32\DRIVERS\vmci.sys -- (vmci)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\usbser_lowerflt.sys -- (upperdev)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Tosrfcom)
DRV - File not found [Kernel | Boot | Stopped] -- system32\ZoneLabs\srescan.sys -- (srescan)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\rt2870.sys -- (rt2870)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\AmdPPM.sys -- (AmdPPM)
DRV - [2012/11/09 00:08:17 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B5423318-F5FB-40F2-BB4C-381E92CFFF91}\MpKsl635add99.sys -- (MpKsl635add99)
DRV - [2012/04/18 02:50:48 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2011/11/25 20:12:36 | 000,443,448 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2011/09/22 06:05:08 | 000,041,896 | ---- | M] (SafeNet, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (SNTNLUSB)
DRV - [2011/03/14 09:14:34 | 000,029,520 | ---- | M] (Softing AG, D-85540 Haar/Munich, http://www.softing.com) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\edicusb.sys -- (edicusb)
DRV - [2011/02/19 15:39:45 | 000,933,416 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2011/02/19 15:39:45 | 000,556,200 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2011/02/19 15:39:45 | 000,118,440 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2011/02/19 15:39:45 | 000,059,688 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2011/02/19 15:39:45 | 000,051,752 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2011/02/19 15:39:45 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2011/01/03 09:38:36 | 000,136,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2011/01/03 09:38:36 | 000,121,192 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus)
DRV - [2011/01/03 09:38:36 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl)
DRV - [2010/12/21 06:55:02 | 000,132,424 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2010/12/21 06:55:02 | 000,104,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus)
DRV - [2010/12/21 06:55:02 | 000,014,920 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2010/08/24 18:31:18 | 000,028,624 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2010/08/24 18:31:02 | 000,037,328 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2010/08/24 18:30:52 | 000,038,864 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2010/08/24 18:30:18 | 000,010,448 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2010/01/29 11:40:04 | 000,082,320 | ---- | M] (EZB Systems, Inc.) [File_System | System | Running] -- C:\Program Files\UltraISO\drivers\ISODrive.sys -- (ISODrive)
DRV - [2009/09/17 06:05:02 | 000,092,712 | ---- | M] (SafeNet, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\sentinel.sys -- (Sentinel)
DRV - [2009/07/13 15:51:12 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2009/07/01 15:43:06 | 000,762,112 | R--- | M] (none) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\adatadrv.sys -- (adatadrv)
DRV - [2009/06/10 13:53:48 | 000,341,376 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2009/05/21 21:04:58 | 000,058,880 | ---- | M] (Ross-Tech LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RT-USB.SYS -- (RT-USB)
DRV - [2008/11/23 10:23:06 | 000,097,792 | ---- | M] (T0r0 2008) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NSHE.SYS -- (NSHE)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/08/22 21:14:45 | 000,021,638 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\Ckldrv.sys -- (NetworkX)
DRV - [2008/05/06 15:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/13 19:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/12/13 11:20:10 | 004,611,072 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2007/12/13 11:14:13 | 000,098,944 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/12/13 11:12:00 | 002,371,584 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/12/13 10:02:14 | 001,161,888 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2007/12/12 15:33:12 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2007/06/29 14:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007/04/16 19:19:10 | 000,011,776 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/04/04 08:56:48 | 000,005,888 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2007/03/21 22:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/02/24 14:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/02/22 15:10:30 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/01/23 16:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/22 09:01:48 | 000,693,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2006/08/03 12:53:18 | 000,031,232 | ---- | M] (Aventail Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\odptdi.sys -- (Odptdi)
DRV - [2006/07/01 22:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/03/29 08:49:26 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2004/08/09 12:33:26 | 000,114,016 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2004/08/09 12:29:28 | 000,053,920 | ---- | M] (Protection Technology) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2004/07/19 15:49:54 | 000,007,040 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\prosync1.sys -- (prosync1)
DRV - [2003/12/01 16:20:52 | 000,004,832 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfhlp01.sys -- (sfhlp01)
DRV - [2003/01/24 09:13:06 | 000,024,197 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTU2K.sys -- (CTU2K)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D [binary data]
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D [binary data]
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D [binary data]
IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes\{5F970FDE-702B-4ef9-920C-5F2848A5AF26}: "URL" = http://www.daemon-search.com/search/web?q={searchTerms}
IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2925418
IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://fr.search.yahoo.com/search?p={searchTerms}&fr=chr-divx
IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes\{EDCE670C-229F-4C21-BF70-C3919745CE39}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ie8
IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledAddons: DeviceDetection@logitech.com:1.23.0.5
FF - prefs.js..extensions.enabledAddons: en-GB@dictionaries.addons.mozilla.org:1.19.1
FF - prefs.js..extensions.enabledAddons: fr-classique@dictionaries.addons.mozilla.org:4.3
FF - prefs.js..extensions.enabledAddons: freerecord@disruptive-innovations.com:5.0
FF - prefs.js..extensions.enabledAddons: toolbar@monachatmalinmae:2.1
FF - prefs.js..extensions.enabledAddons: {4093c4de-454a-4329-8aff-c6b0b123c386}:0.8.11
FF - prefs.js..extensions.enabledAddons: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:4.1.3.1
FF - prefs.js..extensions.enabledAddons: {d37dc5d0-431d-44e5-8c91-49419370caa1}:3.1.26
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {4093c4de-454a-4329-8aff-c6b0b123c386}:0.8.8
FF - prefs.js..extensions.enabledItems: {6336b6dd-19e1-430f-a907-49d2b641e99c}:1.0
FF - prefs.js..extensions.enabledItems: {FFB96CC1-7EB3-449D-B827-DB661701C6BB}:1.5.152.14
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.736
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.91
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: toolbar@monachatmalinmae:1.0.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}:7.3.4.51
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {71328583-3CA7-4809-B4BA-570A85818FBB}:0.6.3
FF - prefs.js..extensions.enabledItems: DeviceDetection@logitech.com:1.21.0.11


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.91: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.4: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2011/02/19 16:00:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2011/02/19 17:58:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/12/21 12:34:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/29 02:50:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/10/29 02:49:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2011/02/19 16:00:35 | 000,000,000 | ---D | M]

[2009/03/11 00:13:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Extensions
[2009/03/11 00:13:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2012/10/23 02:02:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions
[2012/10/11 21:13:57 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/12/02 11:43:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}-trash
[2012/09/22 12:43:50 | 000,000,000 | ---D | M] (FoxClocks) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}
[2011/08/10 12:11:41 | 000,000,000 | ---D | M] (Logitech Device Detection) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\DeviceDetection@logitech.com
[2011/08/20 18:41:40 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2011/10/08 11:55:48 | 000,000,000 | ---D | M] (Dictionnaire français «Classique») -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\fr-classique@dictionaries.addons.mozilla.org
[2011/04/15 20:28:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\nostmp
[2011/11/10 15:27:31 | 000,107,633 | ---- | M] () (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\freerecord@disruptive-innovations.com.xpi
[2012/05/14 21:28:50 | 000,074,522 | ---- | M] () (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\toolbar@monachatmalinmae.xpi
[2012/06/10 13:19:55 | 000,135,517 | ---- | M] () (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\{4093c4de-454a-4329-8aff-c6b0b123c386}.xpi
[2012/07/25 20:39:14 | 000,741,958 | ---- | M] () (No name found) -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/01/03 23:48:37 | 000,002,059 | ---- | M] () -- C:\Documents and Settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\searchplugins\absearch-search.xml
[2012/10/29 02:48:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/10/29 02:50:58 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/10/11 02:05:38 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/11 02:05:38 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/10/26 18:56:46 | 000,443,910 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15273 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (TBSB02902 Class) - {57B23DC7-72DF-4608-8A02-3FABA57F90F6} - C:\Program Files\Mon Achat Malin MAE\tbcore3.dll ()
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Mon Achat Malin MAE) - {17742D34-6B6A-4527-B7E5-F628B0232DEC} - C:\Program Files\Mon Achat Malin MAE\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\Toolbar\WebBrowser: (Mon Achat Malin MAE) - {17742D34-6B6A-4527-B7E5-F628B0232DEC} - C:\Program Files\Mon Achat Malin MAE\tbcore3.dll ()
O3 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobePro8LngSwitch] wscript.exe //B //T:15 "C:\Program Files\Adobe\Acrobat 8.0\AdobePro8LangSwitch.vbs" File not found
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [CFSServ.exe] CFSServ.exe -NoClient File not found
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [dvd43] C:\Program Files\dvd43\DVD43_Tray.exe ()
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Program Files\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [THotkey] C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - HKLM..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe (WDC)
O4 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003..\Run: [CleanMem Mini Monitor] C:\Program Files\CleanMem\Mini_Monitor.exe (PcWinTech.com)
O4 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Mon Achat Malin MAE - {17742D34-6B6A-4527-B7E5-F628B0232DEC} - C:\Program Files\Mon Achat Malin MAE\tbcore3.dll ()
O9 - Extra 'Tools' menuitem : Mon Achat Malin MAE - {17742D34-6B6A-4527-B7E5-F628B0232DEC} - C:\Program Files\Mon Achat Malin MAE\tbcore3.dll ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} https://parici.sopragroup.com/postauthI/epi.cab (Aventail Installer )
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199506056546 (WUWebControl Class)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} https://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP-1.1.cab (AdSignerLCContrl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{082C7047-1869-4E8C-B6A3-49A184095D0B}: DhcpNameServer = 192.168.0.254
O18 - Protocol\Handler\vw-wi {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - d:\Program Files\ElsaWin\bin\wiprot.dll (TODO: <Company name>)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll ()
O22 - SharedTaskScheduler: {1984DD45-52CF-49cd-AB77-18F378FEA264} - FencesShellExt - C:\Program Files\Stardock\Fences\FencesMenu.dll (Stardock)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/05 12:42:02 | 000,000,045 | R--- | M] () - F:\Autorun.inf -- [ CDFS ]
O32 - Unable to obtain root file information for disk Z:\
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 60 Days ==========

[2012/11/09 08:17:09 | 001,754,528 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Eric Bougeard\Desktop\rkill.com
[2012/11/09 08:17:09 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eric Bougeard\Desktop\OTL.exe
[2012/11/09 00:03:53 | 001,754,528 | ---- | C] (Bleeping Computer, LLC) -- C:\rkill.com
[2012/11/08 19:40:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/11/06 01:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FileZilla Server
[2012/11/06 01:17:15 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla Server
[2012/11/01 00:40:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\Application Data\Toolbar4
[2012/10/31 09:13:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eric Bougeard\Recent
[2012/10/30 20:25:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/10/29 02:48:30 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/10/24 23:32:10 | 000,000,000 | ---D | C] -- D:\My Stuff\My Documents\Evc
[2012/10/24 23:31:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinOLS Testversion
[2012/10/24 10:36:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\Start Menu\Programs\VAGME7 Flasher
[2012/10/24 07:52:13 | 000,160,768 | ---- | C] (FTDI Ltd.) -- C:\WINDOWS\System32\CTU2KUN.exe
[2012/10/24 07:52:13 | 000,035,840 | ---- | C] (FTDI Ltd) -- C:\WINDOWS\System32\CTU2K.dll
[2012/10/24 07:52:13 | 000,024,197 | ---- | C] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\CTU2K.sys
[2012/10/24 00:14:50 | 000,000,000 | ---D | C] -- C:\RooT
[2012/10/21 02:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
[2012/10/21 02:09:17 | 000,041,896 | ---- | C] (SafeNet, Inc.) -- C:\WINDOWS\System32\drivers\SNTNLUSB.SYS
[2012/10/21 02:09:13 | 000,000,000 | ---D | C] -- C:\Program Files\SafeNet Sentinel
[2012/10/21 02:09:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SafeNet Sentinel
[2012/10/21 02:05:42 | 000,000,000 | ---D | C] -- D:\My Stuff\My Documents\Downloaded Installations
[2012/10/20 16:38:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\.android
[2012/10/20 15:55:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\Start Menu\Programs\Android SDK Tools
[2012/10/20 15:54:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\Local Settings\Application Data\Android
[2012/10/19 17:01:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes
[2012/10/19 17:01:52 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/10/19 17:01:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/10/18 07:15:18 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/10/18 07:15:18 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/10/18 07:15:18 | 000,093,672 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/10/15 23:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\Application Data\PingPlotter
[2012/10/15 23:26:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\Application Data\Downloaded Installations
[2012/10/11 20:59:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/10/11 20:57:26 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/10/09 12:03:26 | 004,998,107 | R--- | C] (Swearware) -- C:\combofix.exe
[2012/10/03 07:58:21 | 000,000,000 | ---D | C] -- D:\My Stuff\My Documents\Mipony
[2012/10/03 07:34:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\Application Data\Mipony
[2012/09/15 14:11:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Bougeard\Application Data\TeamViewer
[2012/09/15 14:10:46 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer
[2012/09/10 20:07:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McDonald's Fairies
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files - Modified Within 60 Days ==========

[2012/11/09 08:21:01 | 000,000,258 | ---- | M] () -- C:\WINDOWS\tasks\Clean System Memory.job
[2012/11/09 08:08:17 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric Bougeard\Desktop\OTL.exe
[2012/11/09 07:36:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/11/09 07:33:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/09 02:33:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/08 21:04:19 | 001,754,528 | ---- | M] (Bleeping Computer, LLC) -- C:\rkill.com
[2012/11/08 21:04:19 | 001,754,528 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Eric Bougeard\Desktop\rkill.com
[2012/11/08 20:39:51 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/11/08 20:28:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/08 20:09:56 | 000,443,226 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/08 20:09:56 | 000,072,892 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/08 20:05:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/08 19:07:59 | 004,998,107 | R--- | M] (Swearware) -- C:\combofix.exe
[2012/11/08 18:44:20 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/11/08 00:45:53 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/11/06 01:17:30 | 000,001,746 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FileZilla Server Interface.lnk
[2012/10/30 20:25:58 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2012/10/26 18:56:46 | 000,443,910 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/10/24 23:31:08 | 000,000,618 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinOLS Testversion.lnk
[2012/10/24 10:36:29 | 000,159,140 | ---- | M] () -- C:\WINDOWS\VAGME7 Flasher Uninstaller.exe
[2012/10/24 10:36:28 | 000,000,646 | ---- | M] () -- C:\Documents and Settings\Eric Bougeard\Desktop\VAGME7 Flasher.lnk
[2012/10/21 17:01:23 | 000,152,752 | ---- | M] () -- D:\My Stuff\My Documents\MyFreeMobileCecile-Bienvenue chez FREE.pdf
[2012/10/19 17:01:56 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/19 16:52:32 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/10/16 00:47:54 | 018,997,248 | ---- | M] () -- D:\My Stuff\My Documents\ERIC2011-Money2002FIle.mny
[2012/10/16 00:47:54 | 003,647,172 | R--- | M] () -- D:\My Stuff\My Documents\ERIC2011-Money2002File Backup 20120110-0009_2012-10-16_014739.mbf
[2012/10/14 16:43:47 | 003,731,322 | R--- | M] () -- D:\My Stuff\My Documents\ERIC2011-Money2002File Backup 20120110-0009_2012-10-14_174333.mbf
[2012/10/11 20:57:57 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/10/11 20:57:56 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/10/11 20:38:23 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/10/10 21:10:18 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/10 07:21:46 | 000,443,614 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20121026-195646.backup
[2012/10/09 12:31:04 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20121010-082145.backup
[2012/10/09 10:36:23 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/10/09 10:36:22 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/10/02 13:31:46 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/10/01 21:07:43 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/09/30 11:55:30 | 000,000,104 | ---- | M] () -- C:\WINDOWS\HWEDIC.INI
[2012/09/30 11:55:30 | 000,000,047 | ---- | M] () -- C:\WINDOWS\NETEDIC.INI
[2012/09/30 09:59:20 | 000,009,904 | ---- | M] () -- C:\cc_20120930_105834.reg
[2012/09/29 18:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/24 22:16:36 | 000,093,672 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/09/24 22:08:27 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/09/24 22:07:57 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/09/24 17:45:26 | 000,091,883 | ---- | M] () -- D:\My Stuff\My Documents\Full page fax print.pdf
[2012/09/24 00:13:08 | 000,000,038 | ---- | M] () -- C:\WINDOWS\AviSplitter.INI
[2012/09/23 10:00:20 | 000,000,459 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2012/09/22 12:37:57 | 000,167,504 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/09/20 21:29:57 | 000,053,748 | ---- | M] () -- D:\My Stuff\My Documents\FengShuiThierryROUSSET.pdf
[2012/09/16 22:05:30 | 000,000,056 | ---- | M] () -- C:\WINDOWS\Acroread.ini
[2012/09/10 20:07:25 | 000,000,766 | ---- | M] () -- C:\Documents and Settings\Eric Bougeard\Desktop\Fairies.lnk
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/06 01:17:30 | 000,001,746 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FileZilla Server Interface.lnk
[2012/10/30 20:25:58 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2012/10/24 23:31:08 | 000,000,618 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinOLS Testversion.lnk
[2012/10/24 10:36:28 | 000,159,140 | ---- | C] () -- C:\WINDOWS\VAGME7 Flasher Uninstaller.exe
[2012/10/24 10:36:28 | 000,000,646 | ---- | C] () -- C:\Documents and Settings\Eric Bougeard\Desktop\VAGME7 Flasher.lnk
[2012/10/21 17:01:23 | 000,152,752 | ---- | C] () -- D:\My Stuff\My Documents\MyFreeMobileCecile-Bienvenue chez FREE.pdf
[2012/10/19 17:01:56 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/16 00:47:54 | 003,647,172 | R--- | C] () -- D:\My Stuff\My Documents\ERIC2011-Money2002File Backup 20120110-0009_2012-10-16_014739.mbf
[2012/10/14 16:43:47 | 003,731,322 | R--- | C] () -- D:\My Stuff\My Documents\ERIC2011-Money2002File Backup 20120110-0009_2012-10-14_174333.mbf
[2012/10/11 20:38:23 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/10/11 20:38:22 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/10/01 21:17:34 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/09/30 09:58:38 | 000,009,904 | ---- | C] () -- C:\cc_20120930_105834.reg
[2012/09/24 17:45:26 | 000,091,883 | ---- | C] () -- D:\My Stuff\My Documents\Full page fax print.pdf
[2012/09/22 12:36:32 | 000,362,704 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/09/20 21:29:57 | 000,053,748 | ---- | C] () -- D:\My Stuff\My Documents\FengShuiThierryROUSSET.pdf
[2012/09/10 20:07:25 | 000,000,766 | ---- | C] () -- C:\Documents and Settings\Eric Bougeard\Desktop\Fairies.lnk
[2012/07/24 20:03:20 | 000,000,037 | ---- | C] () -- C:\WINDOWS\System32\conmansrv.ini
[2012/07/24 19:59:31 | 000,000,365 | ---- | C] () -- C:\WINDOWS\System32\softingedicdriver.ini
[2012/07/24 19:52:30 | 000,000,104 | ---- | C] () -- C:\WINDOWS\HWEDIC.INI
[2012/07/24 19:52:30 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NETEDIC.INI
[2012/07/13 07:59:35 | 000,000,050 | ---- | C] () -- C:\WINDOWS\BRQIKMON.INI
[2012/02/22 22:40:10 | 000,000,056 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2012/02/22 22:40:02 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
[2012/02/22 22:40:02 | 000,021,638 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2012/02/22 22:40:02 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2012/02/22 22:40:02 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
[2012/02/15 08:16:52 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/26 22:34:36 | 000,000,040 | RH-- | C] () -- C:\WINDOWS\ssystda.dat
[2012/01/08 23:24:20 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Eric Bougeard\.recently-used.xbel
[2012/01/02 22:08:33 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/02 22:08:33 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/02 22:08:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/02 22:08:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/02 22:08:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/14 22:16:57 | 000,000,022 | ---- | C] () -- C:\WINDOWS\cmm.dat
[2011/12/08 22:23:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ToDisc.INI
[2011/11/09 16:01:07 | 000,000,228 | ---- | C] () -- C:\WINDOWS\Vwkat.ini
[2011/07/28 18:06:51 | 000,025,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\VSPE.sys
[2011/05/23 21:27:32 | 000,000,056 | ---- | C] () -- C:\WINDOWS\Acroread.ini
[2011/05/22 22:44:02 | 000,436,736 | R--- | C] () -- C:\WINDOWS\System32\Autoserv.exe
[2011/05/17 14:32:27 | 000,557,232 | ---- | C] () -- C:\WINDOWS\etvaun.EXE
[2011/05/17 14:14:47 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\hlduinst.exe
[2011/05/17 10:21:43 | 000,000,272 | ---- | C] () -- C:\WINDOWS\ETKINST.INI
[2011/01/29 17:00:22 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/01/29 17:00:22 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/01/29 17:00:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/01/29 17:00:22 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2011/01/11 02:23:42 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\CleanMem.ini
[2010/12/09 18:27:54 | 002,860,384 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2010/06/20 22:24:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Eric Bougeard\settings.dat
[2009/05/30 12:57:53 | 000,000,697 | ---- | C] () -- C:\Documents and Settings\Eric Bougeard\PCTuneUp.config
[2008/03/21 14:19:13 | 010,896,316 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate
[2008/03/13 23:02:37 | 000,000,095 | ---- | C] () -- C:\Documents and Settings\Eric Bougeard\default.pls
[2008/02/02 03:37:21 | 000,000,044 | ---- | C] () -- C:\Documents and Settings\Eric Bougeard\IsConfig.ini
[2008/01/05 15:33:54 | 000,079,360 | ---- | C] () -- C:\Documents and Settings\Eric Bougeard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2008/01/28 01:23:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >


OTL Extras logfile created on: 09/11/2012 08:19:02 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Eric Bougeard\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.37 Gb Total Physical Memory | 2.86 Gb Available Physical Memory | 84.94% Memory free
6.59 Gb Paging File | 5.88 Gb Available in Paging File | 89.29% Paging File free
Paging file location(s): D:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 2.17 Gb Free Space | 7.41% Space Free | Partition Type: NTFS
Drive D: | 98.70 Gb Total Space | 29.23 Gb Free Space | 29.62% Space Free | Partition Type: NTFS
Drive E: | 29.32 Gb Total Space | 27.96 Gb Free Space | 95.34% Space Free | Partition Type: FAT32
Drive F: | 11.85 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 1.76 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive W: | 1831.58 Gb Total Space | 1046.10 Gb Free Space | 57.11% Space Free | Partition Type: NTFS
Drive Y: | 231.61 Gb Total Space | 82.80 Gb Free Space | 35.75% Space Free | Partition Type: NTFS
Drive Z: | 298.02 Gb Total Space | 22.89 Gb Free Space | 7.68% Space Free | Partition Type: NTFS

Computer Name: ERICHOME3 | User Name: Eric Bougeard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 60 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1229272821-1659004503-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"2799:UDP" = 2799:UDP:*:Enabled:Altova License Metering Port (UDP)
"2799:TCP" = 2799:TCP:*:Enabled:Altova License Metering Port (TCP)
"2121:TCP" = 2121:TCP:*:Enabled:2121

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\gnucash\bin\gnucash.exe" = C:\Program Files\gnucash\bin\gnucash.exe:*:Enabled:GnuCash Free Finance Manager -- ()
"C:\Program Files\gnucash\bin\gconfd-2.exe" = C:\Program Files\gnucash\bin\gconfd-2.exe:*:Enabled:GConf Settings Manager -- ()
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:Torrent -- (BitTorrent, Inc.)
"C:\Program Files\Java\jre7\bin\javaw.exe" = C:\Program Files\Java\jre7\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Oracle Corporation)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player 2.0.1 -- (VideoLAN)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe" = C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Enabled:Sentinel Protection Server -- (SafeNet, Inc)
"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" = C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe:*:Enabled:Sentinel Keys Server -- (SafeNet, Inc.)
"C:\Program Files\FileZilla Server\FileZilla Server Interface.exe" = C:\Program Files\FileZilla Server\FileZilla Server Interface.exe:LocalSubNet:Enabled:FileZilla Server Interface -- (FileZilla Project)
"C:\Program Files\FileZilla FTP Client\filezilla.exe" = C:\Program Files\FileZilla FTP Client\filezilla.exe:*:Enabled:FileZilla -- (FileZilla Project)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{02FD32B8-3F7F-F57B-7C65-A922211B539E}" = ccc-utility
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{08600005-5228-4BF6-845E-E9A957AFDCB4}" = OviMPlatform
"{08AEE1E0-20C4-AD0E-0342-170960727C0B}" = Catalyst Control Center Graphics Full Existing
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0C01AADF-0827-30F9-3F6D-E9DB920931B2}" = Catalyst Control Center Localization Chinese Traditional
"{0D4B35DB-2B77-89AD-88EC-C9BF9609EFE1}" = Catalyst Control Center Localization Korean
"{0DB6B006-A7C1-4785-83CB-BB7B65FC3C43}" = TOSHIBA Utilities
"{0E194CFB-7FB4-F5B5-94F4-01D65F8D4494}" = Catalyst Control Center Graphics Full New
"{0E55AF2F-595A-6BDD-124C-F22EBA89F902}" = Catalyst Control Center Localization Chinese Standard
"{0F4F4815-76AD-4B26-8763-72F3344041C2}" = TOSHIBA Manuals
"{0FB630AB-7BD8-40AE-B223-60397D57C3C9}" = Realtek WLAN Driver
"{10CD364B-FFCC-48BE-B469-B9622A033075}" = Fences
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{12661A78-6C54-B106-E9B9-C91012CBA2AA}" = CCC Help Thai
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{17BD85F9-3B88-4C85-BB47-4AB8DD68F8BB}" = Nokia Software Updater
"{1AD75B44-F9AE-78E4-B79D-534739A3E215}" = CCC Help Greek
"{1DE24E25-7D36-7E94-7B0E-691219B6C9E8}" = CCC Help Portuguese
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{2187F4F6-4011-8904-8500-D60822AA7626}" = Skins
"{22543949-70E8-45D0-A938-F38143EB8BF8}" = Catalyst Control Center - Branding
"{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 9
"{28191B83-1D60-44B6-9B08-E854EF6632D5}" = Ovi Desktop Sync Engine
"{28E82311-8616-11E1-BEB0-B8AC6F97B88E}" = Google Earth
"{29B22401-5F1B-8277-1B8E-2D04B2909427}" = Catalyst Control Center Localization Japanese
"{2A232B31-2BF2-1E40-A05C-F6E533EE62EA}" = Catalyst Control Center Localization Polish
"{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"{32A3A4F4-B792-11D6-A78A-00B0D0170090}" = Java SE Development Kit 7 Update 9
"{32EA2270-B723-4B6A-B21D-400582073524}_is1" = WinOLS 2.14.03
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3553E875-F00E-4031-BDEC-75FB1DFEB093}" = Nokia Ovi Suite Software Updater
"{369F58A1-2D8E-4F3B-9520-2E055A1DDAD8}" = Flash Drive Tester v1.12
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{3AFDD2C6-8663-46B5-B195-6CEB00D44768}" = adsl TV
"{3C34B0D0-064B-57F2-83CA-321C248032A0}" = CCC Help Hungarian
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{3FC42713-B6E7-49AA-A553-A224FE9828A8}" = Nokia Ovi Suite
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4216D328-0FE8-48B8-85B8-BD300E6F080F}" = Nokia Connectivity Cable Driver
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{437306A8-313F-F70F-DBA1-A81F8F9DB0C9}" = Catalyst Control Center Localization Norwegian
"{43D3CB03-B85F-DE7A-11B9-E759940C6993}" = CCC Help Turkish
"{47BAE500-B56A-E32A-2E80-1E7C192853A5}" = CCC Help Russian
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C6028C5-2EB3-CEF2-22E5-ACF3D1AAF4ED}" = CCC Help Italian
"{4CA7F010-9561-7688-E0CD-AAF1292F9090}" = CCC Help Polish
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4DB93D06-CE1A-B7E0-A701-3E81A2F184EE}" = Catalyst Control Center Localization Spanish
"{529125EF-E3AC-4B74-97E6-F688A7C0F1BF}" = Paint.NET v3.5.10
"{595E9201-522A-A823-A2EC-9F1676C7C2B0}" = Catalyst Control Center Localization Dutch
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{600A9225-4E51-BCDD-4277-4B2B8956EE8E}" = ccc-core-static
"{689EF96A-6984-6269-0307-23295D67036D}" = Catalyst Control Center Core Implementation
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ADA8FD6-810D-3E2F-CF24-0F0936E55AA4}" = Catalyst Control Center Localization Finnish
"{6CCD5CD2-2C94-20FE-ED6B-61A338C20FFD}" = CCC Help Chinese Traditional
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71C97545-E547-4A8B-B0C8-61FF853270AC}" = PaperPort
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{742F3559-6BFD-6660-329D-8E8CF6C1FCEA}" = CCC Help German
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" =
"{7E092D91-B074-CFBE-FD2E-972652ADE785}" = CCC Help French
"{7F1B3341-A94E-4F5C-B587-CA0EB964221E}" = Microsoft Money Shared Libraries
"{7F2F3F8B-2D57-48A3-99D0-1AC23D594C89}" = LightScribe 1.4.56.1
"{80C3019B-3BA4-4674-AC90-A0B402593BA5}_is1" = WMP Tag Plus 1.2
"{8398B542-3CC4-44D9-83DF-696CCE70124B}" = Windows Support Tools
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8AD22528-C6FC-7A5F-8DB7-721C0E04FC78}" = CCC Help Norwegian
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File (1.0) EN
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{94C8F73A-D337-C7C5-46A7-8229433B16C1}" = Catalyst Control Center Localization Turkish
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9839F88B-7C4C-4351-BF1E-40615E66F543}" = FinalizeInstallAcrobatProfessional
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}" = Brother MFL-Pro Suite
"{9B1F5692-9B61-42E0-0EAE-B75ED8F84CD4}" = Catalyst Control Center Localization Czech
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D8F3651-D49A-4498-A44B-2225A88B8A6E}" = Lexibase Pro Francais Anglais (6.1.2.2) ML
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4E46644-984C-F411-0949-19AA3E37FD1A}" = Catalyst Control Center Localization German
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{A8231944-DA75-2993-359D-3FB44AB196E5}" = CCC Help Czech
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9B2784F-15F2-4A4D-6761-3BB4F03113D8}" = Catalyst Control Center Localization Italian
"{AB4F5387-46C9-9022-5279-10ABA788A270}" = Catalyst Control Center Localization Portuguese
"{AC76BA86-1033-F400-7760-000000000003}" = Acrobat Professional (8.1.2) ML
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{AE666A5A-8759-29B7-C9E8-98EA1E7F8565}" = Catalyst Control Center Localization French
"{AE756B8A-54F9-588E-B1F9-3B0132647136}" = Catalyst Control Center Localization Hungarian
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1F3EDAC-F0A2-4615-A4E1-AAF4358B0157}_is1" = AutoData version 3.38
"{B3FF9271-1C6C-0E30-8CCB-8708CC33A8CB}" = ccc-core-preinstall
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4E0B4B8-027A-D78E-0D96-201B634CE4C7}" = CCC Help English
"{B622BDB3-7A67-F509-AAEA-65BA9CF89001}" = Catalyst Control Center Localization Swedish
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C1893EC1-836D-170C-8382-CA7ADB7D3EA7}" = CCC Help Chinese Standard
"{C1A545BA-E2F3-7DC9-45F7-0DE949A24A81}" = CCC Help Swedish
"{C4AC672B-C8A2-4EAC-845A-35D0392E5BC2}" = VAS-PC Car Diagnostic System
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CA6CE470-76E0-3EAE-62D5-5E7AB01B158A}" = CCC Help Korean
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D08DF594-B159-48BB-B64E-2221A05AB4A7}" = CCC Help Spanish
"{D2D7FBE2-5407-369D-18D6-ECA0B430A383}" = Catalyst Control Center Localization Danish
"{D4576E0D-2295-4B8E-B663-B68086B00EE5}" = Sonic CinePlayer DVD Pack
"{D4AEC53C-1720-41D9-B6D7-6A60DE62D444}" = PC Connectivity Solution
"{D6E0F772-8A27-8962-F258-40B434726D13}" = CCC Help Danish
"{D8A50F0B-791E-43E6-8F22-AEC2D3FBEB84}" = PingPlotter Standard 3.40.2s
"{DE09967A-E9E2-4562-A58D-989CA70FA65E}" = Sentinel Protection Installer 7.6.5
"{DFFFF14F-BE57-98C0-3698-33E57E7C9C42}" = CCC Help Dutch
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E293619D-0D39-4A3D-9F9F-418B7E95BB58}" = TOSHIBA Hotkey Utility
"{E84C3D56-7B4A-4853-BB4D-DA1B25A1E3FD}" = AltovaXML 2006
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center (1.0) EN
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{EF6735B9-2EC3-D203-8BEF-6208CB39DD2A}" = Catalyst Control Center Graphics Light
"{EF91EDB8-7BFC-D470-EF9D-F90012D50DCF}" = CCC Help Finnish
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2E6CAF1-D651-4A74-8CC6-D92FE81FDBCC}" = WD Drive Manager (x86)
"{F38FD0E4-B991-462B-873D-F2115EADD093}" = Nokia PC Suite
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F48BE301-EC78-4686-B580-EE4934558798}" = WIDCOMM Bluetooth Software
"{F5AFD604-C7A0-4FEC-F500-5F4B9514C591}" = Catalyst Control Center Localization Greek
"{F829ECA5-CC14-45C0-FA39-5A2C2F36E318}" = CCC Help Japanese
"{F876BF67-BD4D-DCF4-4429-486516A6FDFF}" = Catalyst Control Center Localization Thai
"{FA237125-51FF-408C-8BB8-30C2B3DFFF9C}" = Windows Resource Kit Tools
"{FA70BFFB-2A4A-4169-BAF3-71FF2716FB16}" = Lexibase Pro Thesaurus-English (6.1.2.2) ML
"{FF3D660E-E5CC-47FD-8050-1B4DE3BA81A9}" = Dual-Core Optimizer
"{FFF9A193-90C1-C0D8-8DD0-4F2B645FB8AE}" = Catalyst Control Center Localization Russian
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"6DA48AFDE796708D5A4C9121A83E7617A63A9A15" = Windows Driver Package - Nokia Modem (10/07/2010 4.6)
"7-Zip" = 7-Zip 9.20
"9CD348AE9C64C4B939B624E8E24F3903EFDFC82B" = Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
"Acrobat Professional (8.1.2) ML_816" = Adobe Acrobat 8.1.6 - CPSID_49167
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"All ATI Software" = ATI - Utilitaire de désinstallation du logiciel
"Astroburn Lite" = Astroburn Lite
"ATI Display Driver" = ATI Display Driver
"B406677FA530D213D0B10B080DCD1080AE866D39" = Windows Driver Package - Ross-Tech USB Driver Package (05/21/2009 2.04.18)
"C5A76DC11BABDA0A881E7BE8DDEB641365A77FFD" = Windows Driver Package - Nokia Modem (05/22/2008 3.8)
"CCleaner" = CCleaner
"CleanMem" = CleanMem
"CTU2K" = Serial To Kline Interface
"DAEMON Tools Lite" = DAEMON Tools Lite
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup" = DivX Setup
"D-PDU API V1.10.033 D-PDU API for VOLKSWAGEN" = D-PDU API V1.10.033 D-PDU API for VOLKSWAGEN
"DTS V7.71.095" = DTS V7.71.095
"DVD43_is1" = DVD43 v4.6.0
"E5372C32E8562C76C24DBA6525002B1031495F34" = Windows Driver Package - Nokia Modem (06/09/2010 7.01.0.8)
"ElsaWin" = ElsaWin
"ETKA7.3_International_2011" = ETKA7.3 International 2011
"Fences" = Fences
"FileZilla Client" = FileZilla Client 3.5.3
"FileZilla Server" = FileZilla Server
"HashTab" = HashTab 4.0.0.2
"ie7" = Windows Internet Explorer 7
"ImgBurn" = ImgBurn
"InstallShield_{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"JDownloader" = JDownloader
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"MaxiCompte 3.07_is1" = MaxiCompte
"McDonald's Fairies " = McDonald's Fairies
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mon Achat Malin MAE" = Mon Achat Malin MAE
"Money2008b" = Microsoft Money Plus
"Mozilla Firefox 16.0.2 (x86 en-US)" = Mozilla Firefox 16.0.2 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NeroMultiInstaller!UninstallKey" = Nero Suite
"Nokia Ovi Suite" = Nokia Ovi Suite
"Nokia PC Suite" = Nokia PC Suite
"Notepad++" = Notepad++
"Open Codecs" = Xiph.Org Open Codecs 0.85.17777
"sp6" = Logitech SetPoint 6.20
"ST5UNST #1" = FengShui
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Tweak UI 2.10" = Tweak UI
"UltraISO_is1" = UltraISO Premium V9.36
"uTorrent" = µTorrent
"VAGME7 Flasher" = VAGME7 Flasher
"VAS505x-2 v9.10.003 Application" = VAS505x-2 v9.10.003 Application
"VAS-PC-2 BaseSystem" = VAS-PC-2 Diagnostic Base System
"VCDS 908.2" = VCDS 908.2
"Vivid WorkshopData ATI" = Vivid WorkshopData ATI
"VLC media player" = VLC media player 2.0.4
"WBFS Manager 3.0" = WBFS Manager 3.0
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR 4.01 (32-bit)
"winusb0200" = Microsoft WinUsb 2.0
"XP Codec Pack" = XP Codec Pack
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1229272821-1659004503-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 27/07/2012 16:08:52 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 16:09:05 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 16:22:03 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 16:22:16 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 17:32:49 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 17:33:02 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 18:21:56 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 18:22:10 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 18:48:32 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

Error - 27/07/2012 18:48:45 | Computer Name = ERICHOME3 | Source = VSGATE | ID = 1
Description =

[ System Events ]
Error - 08/11/2012 14:24:57 | Computer Name = ERICHOME3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 08/11/2012 14:25:59 | Computer Name = ERICHOME3 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AmdK8 Fips MpFilter NetworkX prodrv06

Error - 08/11/2012 15:00:29 | Computer Name = ERICHOME3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 08/11/2012 15:05:46 | Computer Name = ERICHOME3 | Source = Print | ID = 23
Description = Printer Microsoft XPS Document Writer failed to initialize because
a suitable Microsoft XPS Document Writer driver could not be found.

Error - 08/11/2012 15:05:46 | Computer Name = ERICHOME3 | Source = Print | ID = 23
Description = Printer PaperPort Black & White Image failed to initialize because
a suitable PaperPort Mono Printer Driver driver could not be found.

Error - 08/11/2012 15:05:46 | Computer Name = ERICHOME3 | Source = Print | ID = 23
Description = Printer PaperPort Color Image failed to initialize because a suitable
PaperPort Color Printer Driver driver could not be found.

Error - 08/11/2012 16:27:51 | Computer Name = ERICHOME3 | Source = Service Control Manager | ID = 7034
Description = The Crypkey License service terminated unexpectedly. It has done
this 1 time(s).

Error - 08/11/2012 19:07:06 | Computer Name = ERICHOME3 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 08/11/2012 19:07:28 | Computer Name = ERICHOME3 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 08/11/2012 19:08:16 | Computer Name = ERICHOME3 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >


While awaiting an answer, I ran RKill (report attached) and a Microsoft Security Essentials full scan, which detected and removed a Java exploit: Exploit: Java/CVE-2012-0507.AUS

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/08/2012 09:27:47 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\system32\crypserv.exe (PID: 156) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com

20 out of 15296 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 11/08/2012 09:28:43 PM
Execution time: 0 hours(s), 0 minute(s), and 56 seconds(s)


Attached file: MSE-Exploit-20121109-0800.png

I understand the risk of running Combofix by myself. It seemed to have solved my problems in the past. I will take your warning into account in the future.

Cheers
Eric

Edited by ebouge, 09 November 2012 - 06:04 PM.


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:11 PM

Posted 09 November 2012 - 08:10 AM

Hi ebouge,

Please do not attach logs unless instructed; posting them directly makes the log more readable.


:step1: Please go to http://virscan.org/
  • Enter the following file paths into the "Suspicious files to scan" box at the top of the page:

    C:\WINDOWS\HWEDIC.INI
    C:\WINDOWS\NETEDIC.INI

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


:step2: Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D  [binary data]
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D  [binary data]
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D  [binary data]
    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 80 B9 01 57 E3 E0 4E 8F A0 44 1E 4C 92 02 0D  [binary data]
    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes\{5F970FDE-702B-4ef9-920C-5F2848A5AF26}: "URL" = http://www.daemon-search.com/search/web?q={searchTerms}
    IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2925418
    IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://fr.search.yahoo.com/search?p={searchTerms}&fr=chr-divx
    IE - HKU\S-1-5-21-1229272821-1659004503-839522115-1003\..\SearchScopes\{EDCE670C-229F-4C21-BF70-C3919745CE39}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ie8
    FF - prefs.js..extensions.enabledItems: {6336b6dd-19e1-430f-a907-49d2b641e99c}:1.0
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
    O4 - HKLM..\Run: [AdobePro8LngSwitch] wscript.exe //B //T:15 "C:\Program Files\Adobe\Acrobat 8.0\AdobePro8LangSwitch.vbs" File not found
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [EmptyJava]
    [EMPTYTEMP] 
    [CREATERESTOREPOINT] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
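The OTL fix above targets a specific set of indicators: IE SearchScopes whose URL points at a third-party search provider, a ProxyEnable value, BHOs whose CLSID has no backing registration, and an autostart entry whose file is missing. The script below is an added example, not part of this thread and not OTL's own code: it parses OTL-style "IE -", "O2 - BHO" and "O4" lines and lists the entries a helper would pick out for a fix. The allowlist of search hosts, the sample log and all GUIDs and paths in it are constructed for the example.

```python
"""Triage OTL scan lines for the browser-hijack indicators targeted above.

Added example (not from the thread, not OTL's code). Flags:
  * SearchScopes whose URL host is not a known default search provider,
  * ProxyEnable set to anything other than 0 (traffic routed via a proxy),
  * BHOs reported as 'No CLSID value found' (orphaned registrations),
  * O4 Run entries whose target file is missing ('File not found').
A flagged entry is a candidate for review, not proof of malware.
"""
import re
from urllib.parse import urlparse

# Illustrative allowlist (an assumption for this example): hosts that ship
# with IE or are commonly chosen by users. Anything else gets flagged.
KNOWN_SEARCH_HOSTS = {
    "search.live.com",
    "www.bing.com",
    "www.google.com",
    "search.yahoo.com",
    "fr.search.yahoo.com",
}

# IE - <hive>\..\SearchScopes\{GUID}: "URL" = <url>
SCOPE_RE = re.compile(
    r'^IE - (?P<hive>.+?)\\\.\.\\SearchScopes\\(?P<guid>\{[^}]+\}): "URL" = (?P<url>\S+)'
)
# IE - <hive>\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = <n>
PROXY_RE = re.compile(
    r'^IE - (?P<hive>.+?)\\Software\\Microsoft\\Windows\\CurrentVersion\\'
    r'Internet Settings: "ProxyEnable" = (?P<val>\d+)',
    re.IGNORECASE,
)
# O2 - BHO: (<name>) - {CLSID} - <status or dll path>
BHO_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[^}]+\}) - (?P<status>.*)$")
# O4 - <key>: [<name>] <command> File not found
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)\s*File not found$")


def triage(log_text):
    """Return (category, detail) findings for the OTL lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SCOPE_RE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("searchscope", f"{m.group('hive')} {m.group('guid')} -> {host}"))
            continue
        m = PROXY_RE.match(line)
        if m:
            if m.group("val") != "0":
                findings.append(("proxy", f"{m.group('hive')} ProxyEnable={m.group('val')}"))
            continue
        m = BHO_RE.match(line)
        if m:
            if "No CLSID value found" in m.group("status"):
                findings.append(("orphan_bho", m.group("clsid")))
            continue
        m = O4_RE.match(line)
        if m:
            findings.append(("orphan_run", f"{m.group('name')}: {m.group('cmd')}"))
    return findings


# Constructed sample in OTL's line format; GUIDs, SIDs and paths are placeholders.
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes,DefaultScope = {00000000-0000-0000-0000-000000000001}
IE - HKLM\..\SearchScopes\{00000000-0000-0000-0000-000000000001}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-0-0-0-1003\..\SearchScopes\{00000000-0000-0000-0000-000000000002}: "URL" = http://www.daemon-search.com/search/web?q={searchTerms}
IE - HKU\S-1-5-21-0-0-0-1003\..\SearchScopes\{00000000-0000-0000-0000-000000000003}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT0000000
IE - HKU\S-1-5-21-0-0-0-1003\..\SearchScopes\{00000000-0000-0000-0000-000000000004}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ie8
O2 - BHO: (no name) - {00000000-0000-0000-0000-0000000000AA} - No CLSID value found.
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-0000000000BB} - C:\Program Files\Example\helper.dll (Example Corp)
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe File not found
O4 - HKLM..\Run: [ExampleTray] C:\Program Files\Example\tray.exe (Example Corp)
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:12s} {detail}")
```

Run against a real OTL log, every flagged line maps to one of the fix sections above (a SearchScopes or ProxyEnable line under :OTL, a BHO or O4 line); unflagged entries such as the default Live Search scope are left alone.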


#5 ebouge

ebouge
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:LFBO
  • Local time:04:11 PM

Posted 09 November 2012 - 01:36 PM

Hi sempai,

It would have been better for me to post first the results from virscan.org, then run OTL with your fix code and then post the result. OTL forces Windows to reboot, so I lost everything I started to post!?!

Anyway, here is the result from virscan.org:

VirSCAN.org Scanned Report :
Scanned time : 2012/11/09 18:54:43 (CET)
Scanner results: Scanners did not find malware!
File Name : HWEDIC.INI
File Size : 104 byte
File Type : ASCII text, with CRLF line terminators
MD5 : 46a15d773ca4081187a526e7deda2cce
SHA1 : 6b4b230772afaa9c8212fa77d938e2fee14deb4e
Online report : http://r.virscan.org/738e66ca9d006cd1362c700984713200

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20121109183203 2012-11-09 12.10 -
AhnLab V3 2012.11.08.02 2012.11.08 2012-11-08 3.03 -
AntiVir 8.2.10.150 7.11.41.132 2012-09-01 0.17 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.30 -
Arcavir 2011 201211030005 2012-11-03 3.34 -
Authentium 5.1.1 201209090949 2012-09-09 1.43 -
AVAST! 4.7.4 121108-1 2012-11-08 0.17 -
AVG 12.0.1794 2441/5383 2012-11-08 0.24 -
BitDefender 7.90123.7879251 7.43955 2012-11-10 4.46 -
ClamAV 0.97.5 15557 2012-11-09 0.18 -
Comodo 5.1 14147 2012-11-09 2.55 -
CP Secure 1.3.0.5 2012.11.10 2012-11-10 0.17 -
Dr.Web 7.0.4.9250 2012.11.09 2012-11-09 16.48 -
F-Prot 4.6.2.117 20121108 2012-11-08 0.86 -
F-Secure 7.02.73807 2012.11.09.03 2012-11-09 0.19 -
Fortinet 4.3.392 16.549 2012-11-10 0.15 -
GData 22.6651 20121109 2012-11-09 7.38 -
ViRobot 20121109 2012.11.09 2012-11-09 0.38 -
Ikarus T3.1.32.20.0 ..1.32.20.0. --1.32.20.0 0.97 -
JiangMin 13.0.900 2012.11.07 2012-11-07 2.88 -
Kaspersky 5.5.10 2012.10.16 2012-10-16 0.22 -
KingSoft 2009.2.5.15 2012.11.9.9 2012-11-09 1.13 -
McAfee 5400.1158 6890 2012-11-08 9.53 -
Microsoft 1.8904 2012.11.08 2012-11-08 5.08 -
NOD32 3.0.21 7677 2012-11-09 0.18 -
Norman 6.8.3 201208311030 2012-08-31 0.00 -
Panda 9.05.01 2012.11.09 2012-11-09 3.83 -
Trend Micro 9.500-1005 9.516.05 2012-11-09 0.19 -
Quick Heal 11.00 2012.11.09 2012-11-09 1.16 -
Rising 20.0 24.35.03.03 2012-11-08 0.28 -
Sophos 3.35.1 4.81 2012-11-09 6.04 -
Sunbelt 3.9.2552.2 13900 2012-11-09 0.94 -
Symantec 1.3.0.24 20121108.002 2012-11-08 0.51 -
nProtect 20121108.02 12486524 2012-11-08 1.83 -
The Hacker 6.8.0.0 v00126 2012-11-09 0.75 -
VBA32 3.12.18.3 20121109.0532 2012-11-09 3.68 -
VirusBuster 5.5.2.13 15.0.250.0/102241322012-11-07 0.17 -


VirSCAN.org Scanned Report :
Scanned time : 2012/11/09 18:58:36 (CET)
Scanner results: Scanners did not find malware!
File Name : NETEDIC.INI
File Size : 47 byte
File Type : ASCII text, with CRLF line terminators
MD5 : 2601566a71eeccc21d5bb8e0dfda567b
SHA1 : 33c2dbf0ca0da7abf0a7a401117fa3b581570af4
Online report : http://r.virscan.org/504e64d6d9c2b6fa76e484241c9ff068

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20121109183203 2012-11-09 11.55 -
AhnLab V3 2012.11.08.02 2012.11.08 2012-11-08 3.19 -
AntiVir 8.2.10.150 7.11.41.132 2012-09-01 0.18 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.29 -
Arcavir 2011 201211030005 2012-11-03 3.12 -
Authentium 5.1.1 201209090949 2012-09-09 1.45 -
AVAST! 4.7.4 121108-1 2012-11-08 0.18 -
AVG 12.0.1794 2441/5383 2012-11-08 0.24 -
BitDefender 7.90123.7879251 7.43955 2012-11-10 4.39 -
ClamAV 0.97.5 15557 2012-11-09 0.17 -
Comodo 5.1 14147 2012-11-09 2.54 -
CP Secure 1.3.0.5 2012.11.10 2012-11-10 0.17 -
Dr.Web 7.0.4.9250 2012.11.09 2012-11-09 14.30 -
F-Prot 4.6.2.117 20121108 2012-11-08 0.83 -
F-Secure 7.02.73807 2012.11.09.03 2012-11-09 0.20 -
Fortinet 4.3.392 16.549 2012-11-10 0.14 -
GData 22.6651 20121109 2012-11-09 7.71 -
ViRobot 20121109 2012.11.09 2012-11-09 0.38 -
Ikarus T3.1.32.20.0 ..1.32.20.0. --1.32.20.0 0.95 -
JiangMin 13.0.900 2012.11.07 2012-11-07 3.18 -
Kaspersky 5.5.10 2012.10.16 2012-10-16 0.22 -
KingSoft 2009.2.5.15 2012.11.9.9 2012-11-09 1.23 -
McAfee 5400.1158 6890 2012-11-08 9.16 -
Microsoft 1.8904 2012.11.08 2012-11-08 4.84 -
NOD32 3.0.21 7677 2012-11-09 0.17 -
Norman 6.8.3 201208311030 2012-08-31 0.00 -
Panda 9.05.01 2012.11.09 2012-11-09 2.75 -
Trend Micro 9.500-1005 9.516.05 2012-11-09 0.21 -
Quick Heal 11.00 2012.11.09 2012-11-09 1.23 -
Rising 20.0 24.35.03.03 2012-11-08 0.29 -
Sophos 3.35.1 4.81 2012-11-09 4.90 -
Sunbelt 3.9.2552.2 13900 2012-11-09 1.54 -
Symantec 1.3.0.24 20121108.002 2012-11-08 0.55 -
nProtect 20121108.02 12486524 2012-11-08 2.03 -
The Hacker 6.8.0.0 v00126 2012-11-09 0.82 -
VBA32 3.12.18.3 20121109.0532 2012-11-09 3.80 -
VirusBuster 5.5.2.13 15.0.250.0/102241322012-11-07 0.33 -


And the results from OTL:

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default| /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default| /E : value set successfully!
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default| /E : value set successfully!
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-1229272821-1659004503-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes\{5F970FDE-702B-4ef9-920C-5F2848A5AF26}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5F970FDE-702B-4ef9-920C-5F2848A5AF26}\ not found.
Registry key HKEY_USERS\S-1-5-21-1229272821-1659004503-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Registry key HKEY_USERS\S-1-5-21-1229272821-1659004503-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\ not found.
Registry key HKEY_USERS\S-1-5-21-1229272821-1659004503-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes\{EDCE670C-229F-4C21-BF70-C3919745CE39}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDCE670C-229F-4C21-BF70-C3919745CE39}\ not found.
Prefs.js: {6336b6dd-19e1-430f-a907-49d2b641e99c}:1.0 removed from extensions.enabledItems
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\AdobePro8LngSwitch deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Eric Bougeard\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Eric Bougeard\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Arissara

User: Default User

User: Eric Bougeard
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 38094 bytes
->FireFox cache emptied: 38344224 bytes
->Flash cache emptied: 492 bytes

User: All Users

User: Arissara
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: Eric Bougeard
->Temp folder emptied: 65524110 bytes
->Temporary Internet Files folder emptied: 3218399 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 99955563 bytes
->Flash cache emptied: 46771 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 7996 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8433058 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 206.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 11092012_190140

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\BtwEventTrace_5_6_0_6500.etl scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Would you please be so kind as to explain to me what I have been doing and why? What did you spot in the previous reports that prompted you to use this solution rather than another one?

Cheers
Eric

Edited by ebouge, 09 November 2012 - 05:57 PM.


#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:11 PM

Posted 09 November 2012 - 08:49 PM

Hi,

We just restored some IE settings to their defaults, changes that were caused or made by malware.


Please delete (do not uninstall) any copy of Combofix that you have and then download and run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

[Screenshot: ComboFix prompt asking to install the Microsoft Windows Recovery Console]


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Screenshot: ComboFix message confirming the Recovery Console was installed]


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


Edited by sempai, 09 November 2012 - 08:52 PM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#7 ebouge

ebouge
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:LFBO
  • Local time:04:11 PM

Posted 09 November 2012 - 10:23 PM

Hi sempai,

Thank you again for your help. Here is the content of C:\ComboFix.txt:

ComboFix 12-11-09.02 - Eric Bougeard 10/11/2012 3:58.13.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2978 [GMT 1:00]
Running from: c:\documents and settings\Eric Bougeard\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric Bougeard\Application Data\Toolbar4
.
.
((((((((((((((((((((((((( Files Created from 2012-10-10 to 2012-11-10 )))))))))))))))))))))))))))))))
.
.
2012-11-09 18:01 . 2012-11-09 18:01 -------- d-----w- C:\_OTL
2012-11-08 23:03 . 2012-11-08 20:04 1754528 ----a-w- C:\rkill.com
2012-11-08 19:43 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B5423318-F5FB-40F2-BB4C-381E92CFFF91}\mpengine.dll
2012-11-08 18:52 . 2012-11-08 18:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Notepad++
2012-11-07 18:33 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-06 00:17 . 2012-11-06 00:17 -------- d-----w- c:\program files\FileZilla Server
2012-10-24 16:37 . 2012-10-24 16:38 -------- d-----w- c:\documents and settings\Arissara
2012-10-24 09:36 . 2012-10-24 09:36 159140 ----a-w- c:\windows\VAGME7 Flasher Uninstaller.exe
2012-10-24 06:52 . 2003-07-24 14:49 35840 ----a-w- c:\windows\system32\CTU2K.dll
2012-10-24 06:52 . 2003-01-24 08:13 24197 ----a-w- c:\windows\system32\drivers\CTU2K.sys
2012-10-24 06:52 . 2001-09-21 16:49 160768 ----a-w- c:\windows\system32\CTU2KUN.exe
2012-10-23 23:14 . 2012-10-24 00:07 -------- d-----w- C:\RooT
2012-10-21 01:09 . 2012-10-21 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel
2012-10-21 01:09 . 2011-09-22 05:05 41896 ----a-w- c:\windows\system32\drivers\SNTNLUSB.SYS
2012-10-21 01:09 . 2012-10-21 01:09 -------- d-----w- c:\program files\SafeNet Sentinel
2012-10-21 01:09 . 2012-10-21 01:09 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel
2012-10-20 15:38 . 2012-10-21 00:06 -------- d-----w- c:\documents and settings\Eric Bougeard\.android
2012-10-20 14:54 . 2012-10-20 14:54 -------- d-----w- c:\documents and settings\Eric Bougeard\Local Settings\Application Data\Android
2012-10-19 16:01 . 2012-10-19 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-19 16:01 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-18 06:15 . 2012-09-24 21:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-15 22:28 . 2012-10-14 10:28 44 ---h--w- c:\program files\52919ec2.tmp
2012-10-15 22:28 . 2012-10-15 22:28 -------- d-----w- c:\documents and settings\Eric Bougeard\Application Data\PingPlotter
2012-10-15 22:26 . 2012-10-15 22:26 -------- d-----w- c:\documents and settings\Eric Bougeard\Application Data\Downloaded Installations
2012-10-15 20:45 . 2012-10-15 20:45 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-11 19:59 . 2012-10-11 19:59 -------- d-----w- c:\program files\Common Files\Java
2012-10-11 19:57 . 2012-10-20 14:46 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-11 19:57 . 2012-02-18 10:44 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-11 19:57 . 2010-04-22 06:20 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-09 09:36 . 2012-04-11 11:09 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 09:36 . 2011-05-20 21:32 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-30 08:59 . 2012-09-30 08:58 9904 ----a-w- C:\cc_20120930_105834.reg
2012-08-30 20:03 . 2012-03-20 18:44 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2001-08-23 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2001-08-23 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2001-08-23 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2001-08-17 13:48 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-29 01:50 . 2012-10-29 01:48 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-01-21 23:28 203776 --sh--w- c:\windows\system32\unrar.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57B23DC7-72DF-4608-8A02-3FABA57F90F6}]
2010-07-23 10:20 2620416 ------w- c:\program files\Mon Achat Malin MAE\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{17742D34-6B6A-4527-B7E5-F628B0232DEC}"= "c:\program files\Mon Achat Malin MAE\tbcore3.dll" [2010-07-23 2620416]
.
[HKEY_CLASSES_ROOT\clsid\{17742d34-6b6a-4527-b7e5-f628b0232dec}]
[HKEY_CLASSES_ROOT\TBSB02902.TBSB02902.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB02902.TBSB02902]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{17742D34-6B6A-4527-B7E5-F628B0232DEC}"= "c:\program files\Mon Achat Malin MAE\tbcore3.dll" [2010-07-23 2620416]
.
[HKEY_CLASSES_ROOT\clsid\{17742d34-6b6a-4527-b7e5-f628b0232dec}]
[HKEY_CLASSES_ROOT\TBSB02902.TBSB02902.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB02902.TBSB02902]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CleanMem Mini Monitor"="c:\program files\CleanMem\Mini_Monitor.exe" [2011-10-21 1327104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-04-11 3672384]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2007-08-28 356352]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-12-13 102400]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-13 16841216]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"NDSTray.exe"="NDSTray.exe" [BU]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2012-02-26 1044992]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
c:\documents and settings\Eric Bougeard\Start Menu\Programs\Startup\
Windows Task Manager.lnk - c:\windows\system32\taskmgr.exe [2001-8-23 135680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-12-9 636256]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"2121:TCP"= 2121:TCP:2121
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [18/04/2012 02:50 242240]
R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [15/09/2008 20:18 31232]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [15/04/2011 08:37 10448]
R2 LcSvrAdm;ELSA Administration Service;d:\program files\ElsaWin\bin\LcSvrAdm.exe [06/12/2011 16:10 240640]
R2 LcSvrDba;ELSA DBA Server;d:\program files\ElsaWin\bin\LcSvrDba.exe [06/12/2011 16:03 392704]
R2 LcSvrHis;ELSA Historie Server;d:\program files\ElsaWin\bin\LcSvrHis.exe [06/12/2011 16:08 335360]
R2 LcSvrPAS;ELSA PASS Server;d:\program files\ElsaWin\bin\LcSvrPas.exe [06/12/2011 16:04 477696]
R2 LcSvrSaz;ELSA APOSpro Server;d:\program files\ElsaWin\bin\LcSvrSaz.exe [06/12/2011 16:08 373248]
R2 NSHE;Guardant Emulator Driver;c:\windows\system32\drivers\NSHE.SYS [17/05/2011 16:12 97792]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [22/09/2011 00:03 374304]
R2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [22/09/2011 292384]
R2 VSGate;ELSA Vaudis Service;d:\progra~1\ElsaWin\bin\VSgate.exe [26/06/2011 19:17 81920]
R3 adatadrv;Autodata Protection Service;c:\windows\system32\drivers\adatadrv.sys [22/05/2011 22:53 762112]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [05/01/2008 16:28 5888]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;d:\program files\ElsaWin\bin\LcSvrAuf.exe [06/12/2011 16:07 1321472]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys --> c:\windows\system32\DRIVERS\vmci.sys [?]
S3 CTU2K;CTU2K.SYS CTU2K device driver;c:\windows\system32\drivers\CTU2K.sys [24/10/2012 07:52 24197]
S3 edicusb;Softing EDIC USB Communication Driver;c:\windows\system32\drivers\edicusb.sys [24/07/2012 19:59 29520]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [23/08/2001 13:00 14336]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [20/05/2011 08:50 58880]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [11/12/2007 06:18 341376]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [23/02/2011 21:13 121192]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [23/02/2011 21:13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [23/02/2011 21:13 136680]
S3 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [19/02/2008 02:15 106496]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 15:06 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 09:36]
.
2012-11-10 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2009-04-01 20:54]
.
2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 15:12]
.
2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 15:12]
.
2012-11-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 15:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{17742D34-6B6A-4527-B7E5-F628B0232DEC} - {17742D34-6B6A-4527-B7E5-F628B0232DEC} - c:\program files\Mon Achat Malin MAE\tbcore3.dll
TCP: DhcpNameServer = 192.168.0.254
DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} - hxxps://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP-1.1.cab
FF - ProfilePath - c:\documents and settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - ExtSQL: 2012-10-11 22:13; {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}; c:\documents and settings\Eric Bougeard\Application Data\Mozilla\Firefox\Profiles\x6fpmnxv.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\NavLogon.dll
.
Completion time: 2012-11-10 04:18:25
ComboFix-quarantined-files.txt 2012-11-10 03:18
ComboFix2.txt 2012-11-08 18:40
ComboFix3.txt 2012-10-26 06:44
ComboFix4.txt 2012-10-21 01:41
ComboFix5.txt 2012-11-10 02:50
.
Pre-Run: 2,593,009,664 bytes free
Post-Run: 2,598,223,872 bytes free
.
- - End Of File - - 8606B117937BC8A56D6E1052E77F07C5


Cheers
Eric
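Eric's original question was how to read a ComboFix report. The "Reg Loading Points" section above is the part worth reading first: every line there is something that is launched automatically, and ComboFix appends a tag telling you whether it found the referenced file. The parser below is an added editor's example, not part of this thread and not ComboFix's own code; its sample input is copied verbatim from the log above. Reading the trailing `[X]` tag as "referenced file was not found" and `[BU]` as simply "not verified" is the example's own assumption about the log format.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log into structured autorun entries."""
import re
from typing import Dict, List, Optional

# Constructed sample input: these lines are copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{17742D34-6B6A-4527-B7E5-F628B0232DEC}"= "c:\program files\Mon Achat Malin MAE\tbcore3.dll" [2010-07-23 2620416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2007-08-28 356352]
"NDSTray.exe"="NDSTray.exe" [BU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-04-11 3672384]
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A value line: "name"="command" [tag]; ComboFix sometimes prints a space after '='
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<command>[^"]*)"\s+\[(?P<tag>[^\]]*)\]$'
)
# Tag form used when ComboFix located the file: "<YYYY-MM-DD> <size in bytes>"
FILE_TAG_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)$')

Entry = Dict[str, Optional[object]]


def parse_loading_points(text: str) -> List[Entry]:
    """Return one dict per value line, tagged with the registry key it sits under.

    status is 'verified' when ComboFix printed a file date and size,
    'missing' for the [X] tag (assumed here to mean the file was not found),
    and 'unverified' for any other tag such as [BU].
    """
    entries: List[Entry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':          # ComboFix uses '.' as a spacer line
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match is None or current_key is None:
            continue                          # not a value line in the expected shape
        tag = entry_match.group('tag')
        file_match = FILE_TAG_RE.match(tag)
        if file_match:
            status = 'verified'
            file_date: Optional[str] = file_match.group('date')
            file_size: Optional[int] = int(file_match.group('size'))
        elif tag == 'X':
            status, file_date, file_size = 'missing', None, None
        else:
            status, file_date, file_size = 'unverified', None, None
        entries.append({
            'key': current_key,
            'name': entry_match.group('name'),
            'command': entry_match.group('command'),
            'status': status,
            'file_date': file_date,
            'file_size': file_size,
        })
    return entries


def unverified_names(entries: List[Entry]) -> List[str]:
    """Names of autorun entries ComboFix could not tie to an existing file on disk."""
    return [str(e['name']) for e in entries if e['status'] != 'verified']


def status_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many entries fall into each status, for a quick triage summary."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[str(e['status'])] = counts.get(str(e['status']), 0) + 1
    return counts


if __name__ == '__main__':
    parsed = parse_loading_points(SAMPLE_LOG)
    for e in parsed:
        print(f"{e['status']:<10} {e['name']:<40} {e['command']}")
    print('needs a closer look:', unverified_names(parsed))
```

Run on the sample, the two entries that come back as not verified are the `[X]` and `[BU]` lines (`CFSServ.exe` and `NDSTray.exe`); the rest resolve to a dated file of a known size. An entry without a verifiable file is not proof of malware (an uninstalled program often leaves a dangling Run value), but it is the short list a helper would check first, alongside anything loading from a user profile or a temp folder rather than Program Files.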

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:11 PM

Posted 09 November 2012 - 11:38 PM

Hi Eric,

Log looks OK, how's the computer running?


Step 1: Please go to http://virscan.org/
  • Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\CleanMem.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Step 2: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

~Semp



#9 ebouge

ebouge
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:LFBO
  • Local time:04:11 PM

Posted 10 November 2012 - 04:27 AM

Hi sempai,

The computer is running much "bleeping" faster thank you!

However, the online scan at virscan.org has been hanging for nearly half an hour. When uploading the file c:\windows\system32\CleanMem.exe, I am told that it was already scanned, so I click on Re-scan and nothing happens.

Would you have any suggestion?

And when should I restart my antivirus and antimalware services? Will SecurityCheck guide me through that?

Cheers
Eric

Edited by ebouge, 10 November 2012 - 06:29 AM.


#10 ebouge

ebouge
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:LFBO
  • Local time:04:11 PM

Posted 10 November 2012 - 06:50 AM

Hi sempai,

Still no luck with virscan.org, so here is the result they've got in their database:

VirSCAN.org Scanned Report :
Scanned time : 2011/11/24 15:41:57 (CET)
Scanner results: Scanners did not find malware!
File Name : CleanMem.exe
File Size : 61440 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 34ff8a7e6270c7a00d16091068f29b6a
SHA1 : cc736f3fd1c2135132ebd99b51ddd3f47aaae5e5
Online report : http://r.virscan.org/5edf7cde4dfd51bc8d291f9c5623ff77

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20111124194738 2011-11-24 0.30 -
AhnLab V3 2011.11.24.00 2011.11.24 2011-11-24 2.48 -
AntiVir 8.2.6.116 7.11.18.55 2011-11-24 0.27 -
Antiy 2.0.18 20111123.14409901 2011-11-23 0.02 -
Arcavir 2011 201111231514 2011-11-23 3.10 -
Authentium 5.1.1 201111232334 2011-11-23 1.49 -
AVAST! 4.7.4 111123-2 2011-11-23 0.01 -
AVG 10.0.1405 2090/4036 2011-11-24 0.19 -
BitDefender 7.90123.8678088 7.39936 2011-11-24 4.33 -
ClamAV 0.97.1 13983 2011-11-24 0.03 -
Comodo 5.1 10786 2011-11-24 1.99 -
CP Secure 1.3.0.5 2011.11.24 2011-11-24 0.06 -
Dr.Web 5.0.2.3300 2011.11.24 2011-11-24 15.68 -
F-Prot 4.6.2.117 20111123 2011-11-23 0.85 -
F-Secure 7.02.73807 2011.11.24.03 2011-11-24 0.96 -
Fortinet 4.2.257 14.391 2011-11-23 0.10 -
GData 22.2861 20111124 2011-11-24 5.57 -
ViRobot 20111124 2011.11.24 2011-11-24 0.38 -
Ikarus T3.1.32.20.0 2011.11.24.79867 2011-11-24 4.87 -
JiangMin 13.0.900 2011.11.24 2011-11-24 1.92 -
Kaspersky 5.5.10 2011.11.24 2011-11-24 0.20 -
KingSoft 2009.2.5.15 2011.11.24.14 2011-11-24 0.82 -
McAfee 5400.1158 6539 2011-11-23 10.86 -
Microsoft 1.7801 2011.11.24 2011-11-24 7.67 -
NOD32 3.0.21 6654 2011-11-23 0.02 -
Norman 6.07.11 6.07.00 2011-09-17 16.02 -
Panda 9.05.01 2011.11.23 2011-11-23 2.05 -
Trend Micro 9.500-1005 8.598.03 2011-11-24 0.06 -
Quick Heal 11.00 2011.11.23 2011-11-23 0.96 -
Rising 20.0 23.85.03.02 2011-11-24 2.27 -
Sophos 3.25.1 4.71 2011-11-24 4.32 -
Sunbelt 3.9.2515.2 11134 2011-11-24 0.68 -
Symantec 1.3.0.24 20111123.003 2011-11-23 0.05 -
nProtect 20111121.02 12850232 2011-11-21 1.18 -
The Hacker 6.7.0.1 v00347 2011-11-23 0.51 -
VBA32 3.12.16.4 20111124.1034 2011-11-24 4.70 -
VirusBuster 5.4.0.10 14.1.82.0/6894523 2011-11-24 0.01 -


Here is the result from Security Check:

Results of screen317's Security Check version 0.99.54
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
JavaFX 2.1.1
Java™ 6 Update 29
Java 7 Update 9
Java SE Development Kit 7 Update 9
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 20% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


OK so I will re-enable my MS Security Essentials "On Access scanning" and defrag my disk!

What about SpyBot Teatimer, should I take it that I do not need to have it running?

Cheers
Eric

Edited by ebouge, 10 November 2012 - 07:16 AM.


#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:11 PM

Posted 10 November 2012 - 09:57 AM

Hi Eric,

You can re-enable all your security protections except for Spybot TeaTimer; we will re-enable it later on. :)


However, the online scan at virscan.org has been hanging for nearly half an hour.

You can try Jotti instead, we need to be sure that sorry.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    c:\windows\system32\CleanMem.exe

  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal


~Semp



#12 ebouge

ebouge
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:LFBO
  • Local time:04:11 PM

Posted 10 November 2012 - 12:09 PM

Hi sempai,

Here is the result of the defrag on C:

Volume (C:)
Volume size = 29.29 GB
Cluster size = 4 KB
Used space = 23.97 GB
Free space = 5.32 GB
Percent free space = 18 %

Volume fragmentation
Total fragmentation = 6 %
File fragmentation = 12 %
Free space fragmentation = 0 %

File fragmentation
Total files = 320,149
Average file size = 150 KB
Total fragmented files = 18
Total excess fragments = 11,930
Average fragments per file = 1.03

Pagefile fragmentation
Pagefile size = 0 bytes
Total fragments = 0

Folder fragmentation
Total folders = 17,080
Fragmented folders = 1
Excess folder fragments = 0

Master File Table (MFT) fragmentation
Total MFT size = 411 MB
MFT record count = 337,935
Percent MFT in use = 80 %
Total MFT fragments = 41

--------------------------------------------------------------------------------
Fragments File Size Files that cannot be defragmented
1,632 102 MB \System Volume Information\catalog.wci\00000002.ps2
2,614 254 MB \Documents and Settings\Eric Bougeard\Local Settings\Application Data\Android\android-sdk\system-images\android-16\x86\system.img
3,157 292 MB \Documents and Settings\Eric Bougeard\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst


And the virus scan on c:\windows\system32\CleanMem.exe

Jotti's malware scan
Filename: CleanMem.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sat 10 Nov 2012 16:42:02 (CET)

Additional info
File size: 61440 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 34ff8a7e6270c7a00d16091068f29b6a
SHA1: cc736f3fd1c2135132ebd99b51ddd3f47aaae5e5




Scanners
[19 scanner rows; each scanner name was an image and is not recoverable. Every row reads "Found nothing", with signature dates of 2012-11-09 or 2012-11-10.]


VirusTotal
SHA256: 18c226600203bdfbc6e463464c66b258d3c7ab3f07a7327b0de29740444a236b
SHA1: cc736f3fd1c2135132ebd99b51ddd3f47aaae5e5
MD5: 34ff8a7e6270c7a00d16091068f29b6a
File size: 60.0 KB ( 61440 bytes )
File name: CleanMem.exe
File type: Win32 EXE
Detection ratio: 0 / 41
Analysis date: 2012-11-10 15:45:16 UTC ( 1 minute ago )

Antivirus Result Update
Agnitum - 20121109
AntiVir - 20121110
Antiy-AVL - 20121110
Avast - 20121110
AVG - 20121110
BitDefender - 20121110
CAT-QuickHeal - 20121110
ClamAV - 20121110
Commtouch - 20121110
Comodo - 20121110
DrWeb - 20121110
Emsisoft - 20121110
ESET-NOD32 - 20121110
F-Prot - 20121110
F-Secure - 20121110
Fortinet - 20121110
GData - 20121110
Ikarus - 20121110
Jiangmin - 20121110
K7AntiVirus - 20121110
Kaspersky - 20121110
Kingsoft - 20121105
McAfee - 20121110
McAfee-GW-Edition - 20121110
Microsoft - 20121110
MicroWorld-eScan - 20121110
Norman - 20121110
nProtect - 20121110
Panda - 20121110
PCTools - 20121110
Rising - 20121109
Sophos - 20121110
SUPERAntiSpyware - 20121110
Symantec - 20121110
TheHacker - 20121110
TotalDefense - 20121109
TrendMicro - 20121110
TrendMicro-HouseCall - 20121110
VBA32 - 20121109
VIPRE - 20121110
ViRobot - 20121110

ssdeep
384:QKZ/JhyRpEy0op9EAqInuPmAsachrBRkl6s+ZJQhUZGr6PHQfCW2Dqh95Iwy0RU3:V7GpqsEAXucw29stUqIhRDF6rSp
TrID
Win32 Executable Microsoft Visual Basic 6 (86.2%)
Win32 Executable Generic (5.8%)
Win32 Dynamic Link Library (generic) (5.1%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)

ExifTool
SubsystemVersion.........: 4.0
Comments.................: By PcWinTech.com
InitializedDataSize......: 12288
ImageVersion.............: 2.3
ProductName..............: CleanMem By PcWinTech.com
FileVersionNumber........: 2.3.0.1
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x0000
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: CleanMem.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 2.03.0001
TimeStamp................: 2011:10:21 20:54:13+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: CleanMem
ProductVersion...........: 2.03.0001
FileDescription..........: CleanMem By PcWinTech.com
OSVersion................: 4.0
FileOS...................: Win32
LegalCopyright...........: Copyright 1999-2011. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: PcWinTech.com
CodeSize.................: 45056
FileSubtype..............: 0
ProductVersionNumber.....: 2.3.0.1
EntryPoint...............: 0x1a28
ObjectFileType...........: Executable application
Sigcheck
publisher................: PcWinTech.com
product..................: CleanMem By PcWinTech.com
internal name............: CleanMem
copyright................: Copyright © 1999-2011. All rights reserved.
original name............: CleanMem.exe
comments.................: By PcWinTech.com
file version.............: 2.03.0001
description..............: CleanMem By PcWinTech.com
Portable Executable structural information
Compilation timedatestamp.....: 2011-10-21 19:54:13
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001A28
PE Sections...................:
Name   Virtual Address   Virtual Size   Raw Size   Entropy   MD5
.text  4096              41644          45056      5.37      ebf5c9f43b61a2ee989811c11ce9f15c
.data  49152             3320           4096       0.00      620f0b67a91f7f74151bc5be745b7110
.rsrc  53248             7674           8192       4.89      ed5ee61a34c729eedcd5b1950a676739
PE Imports....................:
[[MSVBVM60.DLL]] _adj_fdivr_m64, __vbaGenerateBoundsError, __vbaStrFixstr, _allmul, _adj_fprem, __vbaObjVar, __vbaNextEachCollAd, __vbaVarAnd, __vbaCopyBytes, _adj_fdiv_r, __vbaRecAnsiToUni, __vbaObjSetAddref, Ord(517), __vbaHresultCheckObj, _CIlog, __vbaVarMul, Ord(616), _adj_fptan, __vbaFileClose, __vbaRecUniToAnsi, __vbaFreeVar, __vbaFreeStr, __vbaStrI4, __vbaFreeStrList, __vbaI2I4, _adj_fdiv_m16i, EVENT_SINK_QueryInterface, Ord(607), __vbaLenBstr, Ord(525), Ord(617), __vbaStrToUnicode, _adj_fdiv_m32i, __vbaExceptHandler, __vbaSetSystemError, DllFunctionCall, __vbaUbound, Ord(608), __vbaBoolVarNull, __vbaVargVarMove, __vbaFileOpen, Ord(711), EVENT_SINK_Release, Ord(610), __vbaOnError, _adj_fdivr_m32i, __vbaStrCat, __vbaVarDup, __vbaChkstk, __vbaPrintFile, __vbaStrCmp, __vbaAryCopy, __vbaVarCmpGe, __vbaStrVarCopy, Ord(650), __vbaFreeVarList, __vbaStrVarMove, Ord(626), __vbaLateMemCallLd, __vbaVarTstGe, __vbaFreeObj, _adj_fdivr_m32, _CIcos, __vbaVarMove, __vbaErrorOverflow, __vbaNew2, __vbaAryDestruct, __vbaStrMove, _adj_fprem1, _adj_fdiv_m64, _adj_fdiv_m32, __vbaEnd, Ord(685), _adj_fpatan, EVENT_SINK_AddRef, __vbaVarVargNofree, Ord(612), __vbaFPException, __vbaAryVar, _adj_fdivr_m16i, Ord(100), Ord(519), _CIsin, _CIsqrt, __vbaStrCopy, __vbaBoolStr, _CIatan, __vbaVarDiv, __vbaObjSet, __vbaVarCmpLt, Ord(644), __vbaVarCat, __vbaForEachCollAd, _CIexp, __vbaStrToAnsi, _CItan, Ord(598)
PE Resources..................:
Resource type   Number of resources
RT_ICON         2
RT_VERSION      1
RT_GROUP_ICON   1
Resource language   Number of resources
NEUTRAL             3
ENGLISH US          1
First seen by VirusTotal
2011-10-22 15:18:17 UTC ( 1 year ago )
Last seen by VirusTotal
2012-11-10 15:45:16 UTC ( 1 hour, 20 minutes ago )
File names (max. 25)

  • file-3169597_exe
  • smona_18c226600203bdfbc6e463464c66b258d3c7ab3f07a7327b0de29740444a236b.bin
  • CleanMem.exe
  • 34FF8A7E6270C7A00D16091068F29B6A
  • F885C9020011B23BF0BB001C5B102F004D694B3E.exe
  • CleanMem
  • cc736f3fd1c2135132ebd99b51ddd3f47aaae5e5
  • smona132573242742956255227
  • smona132104110540507722645
  • smona131956416415017493163
  • smona131976276099313485124


Cheers
Eric

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:11 PM

Posted 11 November 2012 - 01:49 AM

Hi,

Logs are clean, you're good to go. :)


Uninstall:

1. ComboFix

  • Click Start > Run > copy-paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall


Delete:

1. DDS
2. Rkill
3. TDSSKiller
4. Security check



Clean-up with OTL:
  • Run OTL
  • Click on the CleanUp! button.
  • Reboot when asked.



Your log is clean, take the time to read below to secure your machine and take the necessary steps to keep it Clean :)

How to prevent malware

How to increase PC speed


Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead, when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 ebouge

ebouge
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:LFBO
  • Local time:04:11 PM

Posted 11 November 2012 - 05:44 AM

Hi sempai;

Thank you ever so much for your support and your professionalism :thumbup2:

I did also re-enable TeaTimer from SpyBot - Search & Destroy.

Have a good day

Cheers
Eric

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:11 PM

Posted 11 November 2012 - 08:11 AM

You're welcome, glad we could help.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 




