etadpug w32 sirefef Hidden rootkit zeroaccess Virus removal and rspndr.sys



#1 gaup 1150


Posted 14 October 2013 - 04:21 PM

Hello. I need some help.

etadpug w32 sirefef Hidden rootkit zeroaccess Virus removal and rspndr.sys help on XP Pro. Peculiar windows file search behavior and cmd dir listing.

 

Windows Firewall inaccessible.
Could not install zone alarm and ran antivirus and removal tool.
Avast free, aswmbr, tdsskiller , fixtdss , malwarebytes, combofix.
After 8 hours of ComboFix I stopped it because it did not even tell me step 1; nothing was on the screen except that it might take more than 20 minutes. It did create a Qoobox directory with subdirectories.
In the directory Quarantine 2 googleupdate.exe.vir infected with win32 srefef-BTP(drop).
Detected later in qoobox and deleted by avast later.
1 file remains in qoobox\quarantine @.vir

 

Here is what I have done until now.

I have Daemon Tools so I used Defogger to disable the spdt.sys file, which is locked and not readable by the disinfection tools.

Removed and quarantined a few files that were unsigned or infected with the Sirefef rootkit.

Avast antivirus partial log:
C:\Windows\assembly\GAC\desktop.ini infected with Win32 Sirefef-pl (rkt) in quarantine
D:\TemporaryInternetFiles\.....\microbase_gr(1).htm infected with JS:HideMe-H (Trj) quarantined and deleted.
D:\TemporaryInternetFiles\.....\844790(1).js infected with HTMl:IFrame-inf Quarantine and deleted.
D:\TemporaryInternetFiles\.....\gpFtJCwR(1).pdf infected with JS:Pdfka-gen (Expl) quarantine and deleted.
C:\System Information \_restore(DDE94948-B8CD-489F-9A4B-C4E7348BD625)\RP6\A0001109.ini infected with Win32 Sirefef.PL (Rkt)

in quarantine.
C:\System Information \_restore(DDE94948-B8CD-489F-9A4B-C4E7348BD625)\RP6\A0001111.ini infected with Win32 Sirefef.PL (Rkt)

in quarantine.

Malwarebytes partial log:
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data:1 -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0)-> Quarantined and repaired successfully.

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) -> Quarantined and deleted successfully.

TDSSKILLER partial log:

00:32:33.0646 3184  rspndr.sys ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
rspndr.sys is unsigned and I did not take any chances.
***** The file is still there in the system32\driver folder, so it did not quarantine.****

12:59:01.0251 2744  [ 0E11B35E972796042044BC27CE13B065 ] rspndr          C:\WINDOWS\system32\DRIVERS\rspndr.sys
12:59:01.0271 2744  rspndr ( UnsignedFile.Multi.Generic ) - warning
12:59:01.0281 2744  rspndr - detected UnsignedFile.Multi.Generic (1)

C:\WINDOWS\system32\drivers>
This is the date of the file 22-07-07  07:16            62 336 rspndr.sys

?etadpug shows in red with aswMBR, also hidden, and TDSSKiller says it is OK.
The directory where it was hiding before was:
Service ?etadpug C:\Program Files\Google\Desktop\Install\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\   \   **HIDDEN**
Obviously, after quarantine the deletion did not work.

aswmbr partial log:
14:18:25.596    Service ?etadpug C:\Program **HIDDEN**

Notice ?etadpug C:\Program and not C:\Program Files. I cannot see any folder C:\Program.
Should I use the Fixmbr button with aswMBR?

 

Computer behavior:

Windows Firewall cannot be made functional at the moment, but enough virus removal permitted installation of ZoneAlarm.

Windows file search is acting weird. If it finds the file it falls into a loop and adds the same file over and over, never ending. It jumps from C: to D: to C: to D: to C: while doing the search, instead of doing C: then D:.
Maybe that is why ComboFix ran so slowly?

Another peculiar thing: when I open a window with cmd.exe and do a dir command, the size in bytes looks like this:
9-09-13  22:02           145â788 TDSSKiller.2.8.16.0_29.09.2013_21.59.41_log.txt

If I copy and paste it into notebook I get this:
9-09-13  22:02           145 788 TDSSKiller.2.8.16.0_29.09.2013_21.59.41_log.txt

ZoneAlarm told me that Messenger was trying to access something and that it was better to block it, so I did.

I have 8 Windows\SoftwareDistribution\Download files that are corrupted also (Avast scan).

I have a low-bandwidth internet connection (56K telephone modem).

 

Here is dds.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.9.2
Run by Administrator at 15:44:20 on 2013-10-14
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.256.64 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: ForceClassicControlPanel = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/CPCViewAX/CpcViewAX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1350965749221
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1350965664129
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/ActiveCGM/Acgm.cab
Handler: asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
Handler: ebahn - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
Handler: hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
Handler: intu-ir2011 - {DFF68B15-A8D3-420b-B32C-E9554E2F5C15} - c:\program files\impotrapide 2011\ic2011pp.dll
Handler: intu-ir2012 - {79E19CC8-7698-4b41-8474-52FA5B207EBF} - c:\program files\impotrapide 2012\ic2012pp.dll
Handler: x-asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
Handler: x-cnote - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
Handler: x-ebahn - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
Handler: x-hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
Handler: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - c:\program files\ebahn\eztoolslib2.dll
Handler: x-zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
Handler: zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\y5fpxnqm.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\npjpi170_09.dll
FF - plugin: c:\program files\java\jre7\bin\npoji610.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF - Ext: avast! Online Security: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-10-5 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-10-5 177864]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-10-5 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-10-5 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-10-5 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-10-5 66336]
.
=============== Created Last 30 ================
.
2013-10-06 14:45:12 -------- d-----w- c:\program files\CheckPoint
2013-10-06 04:44:07 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2013-10-06 04:32:31 -------- d-----w- C:\TDSSKiller_Quarantine
2013-10-06 03:20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-06 03:20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-06 00:44:09 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2013-10-06 00:43:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-10-05 16:14:11 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-10-05 16:14:10 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-10-05 16:14:09 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-10-05 16:14:08 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-10-05 16:12:42 41664 ----a-w- c:\windows\avastSS.scr
2013-09-30 10:10:47 -------- d-s---w- C:\ComboFix
2013-09-28 21:58:56 -------- d-----w- C:\bimage
2013-09-28 20:22:50 -------- d-sh--r- C:\cmdcons
2013-09-28 20:22:48 -------- d-----w- c:\windows\setup.pss
2013-09-28 19:51:34 -------- d-----w- C:\XP
2013-09-25 02:43:43 256000 ----a-w- c:\windows\PEV.exe
2013-09-25 02:43:43 208896 ----a-w- c:\windows\MBR.exe
2013-09-25 02:43:42 98816 ----a-w- c:\windows\sed.exe
.
==================== Find3M  ====================
.
2013-10-14 19:48:03 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
============= FINISH: 15:54:39.15 ===============
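The `*202E` in the Malwarebytes key `LEGACY_*202EETADPUG` is that log's spelling of the code point U+202E (RIGHT-TO-LEFT OVERRIDE): the characters after it are displayed reversed, so the service name reads as `gupdate`, and aswMBR prints the same unprintable character as `?` in `?etadpug`. The following is an added example, not code from this thread or from any of the tools named in it; it decodes that spelling, flags bidirectional control characters in service names, and pulls the unsigned-driver and hidden-service lines out of constructed log lines modelled on the excerpts above. The log-line regexes are assumptions derived from those excerpts.

```python
"""Flag suspicious service/driver names in anti-rootkit scan logs.

Added example, not part of the original thread or of Malwarebytes,
TDSSKiller or aswMBR. The line formats below are assumed from the log
excerpts quoted in the first post.
"""
from __future__ import annotations

import re
import unicodedata

# Unicode bidirectional-control code points that change how text is displayed.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one inside "LEGACY_*202EETADPUG".
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069}

# Constructed sample lines, modelled on the Malwarebytes, TDSSKiller and
# aswMBR excerpts above (the last line is a benign control case).
SAMPLE_LOG = """\
Registry Keys Detected: 1
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_*202EETADPUG (Rootkit.0Access) -> Quarantined and deleted successfully.
12:59:01.0271 2744  rspndr ( UnsignedFile.Multi.Generic ) - warning
14:18:25.596    Service ?etadpug C:\\Program **HIDDEN**
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_MBAM (Good) -> no action
"""


def decode_star_escapes(name: str) -> str:
    """Turn the log's "*XXXX" spelling of an unprintable code point back into
    the character itself (assumed convention: '*' + exactly four hex digits)."""
    return re.sub(r"\*([0-9A-Fa-f]{4})",
                  lambda m: chr(int(m.group(1), 16)), name)


def find_bidi_controls(name: str) -> list[str]:
    """List every bidi control character in a name as 'U+XXXX NAME'."""
    return [f"U+{ord(c):04X} {unicodedata.name(c)}"
            for c in name if ord(c) in BIDI_CONTROLS]


def rendered_name(name: str) -> str:
    """Approximate what a GUI shows: text after U+202E appears reversed until
    U+202C (POP DIRECTIONAL FORMATTING) or the end of the string. This is a
    simplification of the Unicode bidi algorithm, enough for ASCII names."""
    shown: list[str] = []
    segment: list[str] = []
    reversed_mode = False
    for c in name:
        if ord(c) == 0x202E:
            reversed_mode = True
        elif ord(c) == 0x202C and reversed_mode:
            shown.extend(reversed(segment))
            segment = []
            reversed_mode = False
        elif reversed_mode:
            segment.append(c)
        else:
            shown.append(c)
    shown.extend(reversed(segment))
    return "".join(shown)


def triage(log_text: str) -> list[dict]:
    """Scan log lines and return findings worth a second look."""
    findings: list[dict] = []
    for line in log_text.splitlines():
        # Registry key under Enum\Root: the last path component is the service name.
        m = re.search(r"(HK[A-Z]+\\[^ ]*\\Enum\\Root\\)([^ ]+)", line)
        if m:
            key_name = decode_star_escapes(m.group(2))
            controls = find_bidi_controls(key_name)
            if controls:
                findings.append({"kind": "bidi-control-in-name",
                                 "name": key_name,
                                 "renders_as": rendered_name(key_name),
                                 "controls": controls})
        # TDSSKiller-style unsigned driver warning: "<time> <pid>  <name> ( UnsignedFile... )".
        m = re.search(r"^\S+\s+\d+\s+(\S+) \( UnsignedFile[^)]*\)", line)
        if m:
            findings.append({"kind": "unsigned-driver", "name": m.group(1)})
        # aswMBR-style hidden service; a leading "?" is how that tool shows an
        # unprintable character in the name.
        m = re.search(r"Service (\S+) (.*)\*\*HIDDEN\*\*", line)
        if m:
            name = m.group(1)
            findings.append({"kind": "hidden-service", "name": name,
                             "nonprintable_prefix": name.startswith("?"),
                             "path": m.group(2).strip()})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```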

#2 B-boy/StyLe/

  • Malware Response Team

Posted 14 October 2013 - 04:46 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
  • I'll catch you tomorrow since I need my sleep. :)

 

 

Regards,
Georgi




#3 gaup 1150

  • Topic Starter

Posted 14 October 2013 - 07:41 PM

Hello Georgi, my name is Pierre.

I'll post the scans in the next post. Since there is a big difference in time zone, I don't think we will respond to each other on the same day. I am from Canada. But that is OK, I'm in no hurry. My normal time for posting is around 19:30 P.M., so probably the middle of the night at your place. Back in a little while.



#4 gaup 1150

  • Topic Starter

Posted 14 October 2013 - 09:01 PM

Here is FRST.TXT:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by Administrator (administrator) on SHOP on 14-10-2013 20:57:39
Running from C:\Documents and Settings\Administrator\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Nuance Communications, Inc.) C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
(CyberLink) C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastUI.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Microsoft Corporation) C:\Program Files\Messenger\msmsgs.exe
(Check Point Software Technologies LTD) C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
(Check Point Software Technologies LTD) C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SSBkgdUpdate] - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] - C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [29984 2008-07-10] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] - C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [46368 2008-07-10] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] - C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe [328992 2007-08-31] (Nuance Communications, Inc.)
HKLM\...\Run: [BrMfcWnd] - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [1150976 2009-01-19] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] - C:\Program Files\Brother\ControlCenter3\brctrcen.exe [114688 2009-01-09] (Brother Industries, Ltd.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [40368 2009-12-18] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [948672 2009-12-11] (Adobe Systems Incorporated)
HKLM\...\Run: [CLMLServer] - C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-06-03] (CyberLink)
HKLM\...\Run: [UpdateP2GoShortCut] - C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [RemoteControl8] - C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-04-15] (CyberLink Corp.)
HKLM\...\Run: [PDVD8LanguageShortcut] - C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-15] (CyberLink Corp.)
HKLM\...\Run: [UpdatePPShortCut] - C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [UpdatePSTShortCut] - C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2009-09-29] (CyberLink Corp.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4858968 2013-08-30] (AVAST Software)
HKCU\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [1694208 2004-10-13] (Microsoft Corporation)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Policies\Explorer: [NoStartBanner] 1
HKU\Administrator.COMPUTER\...\Run: [ctfmon.exe] - C:\WINDOWS.0\system32\ctfmon.exe
HKU\Default User\...\RunOnce: [nltide_2] - regsvr32 /s /n /i:U shell32
HKU\Default User\...\RunOnce: [nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\Default User\...\RunOnce: [ShowDeskFix] - regsvr32 /s /n /i:u shell32
HKU\Default User\...\RunOnce: [IE7-10] - rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N
HKU\LocalService.NT AUTHORITY\...\RunOnce: [nltide_2] - regsvr32 /s /n /i:U shell32
HKU\LocalService.NT AUTHORITY\...\RunOnce: [nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\LocalService.NT AUTHORITY\...\RunOnce: [ShowDeskFix] - regsvr32 /s /n /i:u shell32
HKU\NetworkService.NT AUTHORITY\...\RunOnce: [nltide_2] - regsvr32 /s /n /i:U shell32
HKU\NetworkService.NT AUTHORITY\...\RunOnce: [nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\NetworkService.NT AUTHORITY\...\RunOnce: [ShowDeskFix] - regsvr32 /s /n /i:u shell32
HKU\User\...\Run: [msnmsgr] - C:\Program Files\MSN Messenger\msnmsgr.exe [ 2007-01-19] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: No Name - {7E853D72-626A-48EC-A868-BA8D5E23E045} -  No File
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU -Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} http://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/CPCViewAX/CpcViewAX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} http://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/ActiveCGM/Acgm.cab
Handler: asp - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
Handler: ebahn - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
Handler: hsp - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
Handler: intu-ir2011 - {DFF68B15-A8D3-420b-B32C-E9554E2F5C15} - C:\Program Files\ImpotRapide 2011\ic2011pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
Handler: intu-ir2012 - {79E19CC8-7698-4b41-8474-52FA5B207EBF} - C:\Program Files\ImpotRapide 2012\ic2012pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: x-asp - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
Handler: x-cnote - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
Handler: x-ebahn - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
Handler: x-hsp - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
Handler: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - C:\Program Files\eBahn\eztoolslib2.dll ()
Handler: x-zip - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
Handler: zip - {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Tcpip\..\Interfaces\{5BB3AB5E-1589-48D3-AD49-18D2B4FC07D8}: [NameServer]207.164.234.129 207.164.234.193

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y5fpxnqm.default
FF user.js: detected! => C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y5fpxnqm.default\user.js
FF Homepage: user_pref("browser.startup.homepage", "");
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin: @java.com/DTPlugin,version=10.9.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.9.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: Yahoo! Toolbar - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y5fpxnqm.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF

========================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [271760 2009-04-15] ()
S3 usnjsvc; C:\Program Files\MSN Messenger\usnsvc.exe [97136 2007-01-19] (Microsoft Corporation)
R3 vsmon; C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe [2445304 2013-06-19] (Check Point Software Technologies LTD)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\   \   \???\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-08-30] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [66336 2013-08-30] (AVAST Software)
R1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [49760 2013-08-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-08-30] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-08-30] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-08-30] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-08-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [177864 2013-08-30] ()
R3 BlueletAudio; C:\Windows\System32\DRIVERS\blueletaudio.sys [34576 2007-03-05] (IVT Corporation.)
R3 BlueletSCOAudio; C:\Windows\System32\DRIVERS\BlueletSCOAudio.sys [27792 2007-03-05] (IVT Corporation.)
S3 BT; C:\Windows\System32\DRIVERS\btnetdrv.sys [18320 2007-03-05] (IVT Corporation.)
S3 Btcsrusb; C:\Windows\System32\Drivers\btcusb.sys [39184 2007-03-05] (IVT Corporation.)
R0 BTHidEnum; C:\Windows\System32\Drivers\vbtenum.sys [20880 2007-03-05] (IVT Corporation.)
R0 BTHidMgr; C:\Windows\System32\Drivers\BTHidMgr.sys [35600 2007-03-05] (IVT Corporation.)
S3 EL90X; C:\Windows\System32\DRIVERS\el90xnd5.sys [153631 2001-08-17] (3Com Corporation)
R3 HCF_MSFT; C:\Windows\System32\DRIVERS\HCF_MSFT.sys [907456 2001-08-17] (Conexant)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15576 2012-08-20] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10200 2012-08-20] ()
R3 SiS7012; C:\Windows\System32\drivers\sis7012.sys [267136 2004-11-03] (Silicon Integrated Systems Corporation)
S3 SISNIC; C:\Windows\System32\DRIVERS\sisnic.sys [32768 2004-08-03] (SiS Corporation)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [685816 2007-09-05] (Duplex Secure Ltd.)
R3 VComm; C:\Windows\System32\DRIVERS\VComm.sys [34448 2007-03-05] (IVT Corporation.)
R3 VcommMgr; C:\Windows\System32\Drivers\VcommMgr.sys [44304 2007-03-05] (IVT Corporation.)
R1 Vsdatant; C:\Windows\System32\vsdatant.sys [527976 2013-06-19] (Check Point Software Technologies LTD)
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 Sdbus; C:\Windows\System32\Drivers\Sdbus.sys [79232 2008-04-13] (Microsoft Corporation)
U5 Tcpip6; C:\Windows\System32\Drivers\Tcpip6.sys [225856 2008-06-20] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-14 20:56 - 2013-10-14 20:56 - 00000000 ____D C:\FRST
2013-10-14 20:28 - 2013-10-14 20:32 - 01087213 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2013-10-14 15:55 - 2013-10-14 15:55 - 00004182 _____ C:\Documents and Settings\Administrator\Desktop\attach.txt
2013-10-14 15:55 - 2013-10-14 15:54 - 00012828 _____ C:\Documents and Settings\Administrator\Desktop\dds.txt
2013-10-14 12:32 - 2013-10-14 12:33 - 00000648 _____ C:\Documents and Settings\Administrator\Desktop\defogger_disable.log
2013-10-14 12:32 - 2013-10-14 12:33 - 00000020 _____ C:\Documents and Settings\Administrator\defogger_reenable
2013-10-14 12:06 - 2013-10-14 12:06 - 00050477 _____ C:\Documents and Settings\Administrator\Desktop\Defogger.exe
2013-10-14 11:57 - 2013-10-14 12:01 - 00688992 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\dds.com
2013-10-06 16:17 - 2013-10-14 17:04 - 00004424 _____ C:\Documents and Settings\Administrator\Desktop\VirusRemoval.txt
2013-10-06 10:49 - 2013-10-06 10:55 - 00417513 _____ C:\WINDOWS\system32\vsconfig.xml
2013-10-06 10:49 - 2013-10-06 10:49 - 00000539 _____ C:\Documents and Settings\All Users\Desktop\ZoneAlarm Security.lnk
2013-10-06 10:49 - 2013-10-06 10:49 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Check Point
2013-10-06 10:45 - 2013-10-06 10:49 - 00000000 ____D C:\Program Files\CheckPoint
2013-10-06 00:44 - 2013-10-06 00:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CheckPoint
2013-10-06 00:32 - 2013-10-06 00:32 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-10-05 23:53 - 2013-09-23 00:36 - 40062152 _____ (Check Point Software Technologies LTD) C:\Documents and Settings\Administrator\Desktop\zafwSetup_110_768_000.exe
2013-10-05 23:20 - 2013-10-05 23:20 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-05 23:20 - 2013-10-05 23:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-10-05 23:20 - 2013-10-05 23:20 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-10-05 23:20 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-10-05 21:20 - 2013-10-02 21:36 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.75.0.1300.exe
2013-10-05 20:44 - 2013-10-05 20:44 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2013-10-05 20:43 - 2013-10-05 20:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-10-05 12:14 - 2013-10-14 20:58 - 00000900 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-05 12:14 - 2013-10-14 20:08 - 00000378 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2013-10-05 12:14 - 2013-10-14 20:06 - 00000896 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-05 12:14 - 2013-10-05 12:14 - 00001689 _____ C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
2013-10-05 12:14 - 2013-10-05 12:14 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
2013-10-05 12:14 - 2013-08-30 03:48 - 00770344 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2013-10-05 12:14 - 2013-08-30 03:48 - 00369584 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2013-10-05 12:14 - 2013-08-30 03:48 - 00177864 _____ C:\WINDOWS\system32\Drivers\aswVmm.sys
2013-10-05 12:14 - 2013-08-30 03:48 - 00066336 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2013-10-05 12:14 - 2013-08-30 03:48 - 00056080 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2013-10-05 12:14 - 2013-08-30 03:48 - 00049760 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2013-10-05 12:14 - 2013-08-30 03:48 - 00049376 _____ C:\WINDOWS\system32\Drivers\aswRvrt.sys
2013-10-05 12:14 - 2013-08-30 03:48 - 00029816 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswFsBlk.sys
2013-10-05 12:14 - 2013-08-30 03:47 - 00229648 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2013-10-05 12:12 - 2013-08-30 03:47 - 00041664 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2013-09-30 06:10 - 2013-09-30 08:29 - 00000000 ___SD C:\ComboFix
2013-09-29 17:40 - 2013-10-05 21:43 - 00002340 _____ C:\Documents and Settings\Administrator\Desktop\SystemLook.txt
2013-09-29 16:04 - 2013-10-06 14:12 - 00003107 _____ C:\Documents and Settings\Administrator\Desktop\FSS.txt
2013-09-29 15:38 - 2013-09-29 17:38 - 00038539 _____ C:\Documents and Settings\Administrator\Desktop\tdss.txt
2013-09-29 15:11 - 2013-10-14 12:53 - 00020589 _____ C:\Documents and Settings\Administrator\Desktop\aswMBR.txt
2013-09-29 15:11 - 2013-10-14 12:53 - 00000512 _____ C:\Documents and Settings\Administrator\Desktop\MBR.dat
2013-09-29 14:34 - 2013-09-24 21:36 - 02237968 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
2013-09-29 14:33 - 2013-09-24 22:05 - 01931088 _____ (Symantec Corporation) C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe
2013-09-29 14:33 - 2013-09-24 21:48 - 00139264 _____ C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
2013-09-29 14:33 - 2013-09-24 21:47 - 00358923 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FSS.exe
2013-09-29 14:33 - 2013-09-24 21:45 - 04745728 _____ (AVAST Software) C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
2013-09-28 17:58 - 2013-09-28 17:58 - 00000000 ____D C:\bimage
2013-09-28 16:22 - 2013-09-28 16:22 - 00000269 _____ C:\WINDOWS\wsdu.log
2013-09-28 16:22 - 2013-09-28 16:22 - 00000264 _____ C:\WINDOWS\UPGRADE.TXT
2013-09-28 16:22 - 2013-09-28 16:22 - 00000000 _RSHD C:\cmdcons
2013-09-28 16:22 - 2013-09-28 16:22 - 00000000 ____D C:\WINDOWS\setup.pss
2013-09-28 16:22 - 2013-08-04 08:31 - 00000211 ___SH C:\BOOT.BAK
2013-09-28 16:22 - 2008-04-14 00:02 - 00260288 __RSH C:\cmldr
2013-09-28 15:51 - 2013-09-28 17:06 - 00000000 ____D C:\XP
2013-09-24 23:13 - 2013-09-25 00:06 - 05130004 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
2013-09-24 23:11 - 2013-09-24 23:11 - 00098304 _____ C:\WINDOWS\Minidump\Mini092413-01.dmp
2013-09-24 22:43 - 2011-06-26 02:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2013-09-24 22:43 - 2010-11-07 13:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2013-09-24 22:43 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2013-09-24 22:43 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2013-09-24 22:43 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2013-09-24 22:43 - 2000-08-30 20:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2013-09-24 22:43 - 2000-08-30 20:00 - 00098816 _____ C:\WINDOWS\sed.exe
2013-09-24 22:43 - 2000-08-30 20:00 - 00080412 _____ C:\WINDOWS\grep.exe
2013-09-24 22:43 - 2000-08-30 20:00 - 00068096 _____ C:\WINDOWS\zip.exe
2013-09-24 22:39 - 2013-09-24 22:39 - 00000000 ____D C:\WINDOWS\erdnt
2013-09-24 22:39 - 2013-09-24 22:39 - 00000000 ____D C:\Qoobox

==================== One Month Modified Files and Folders =======

2013-10-14 20:58 - 2013-10-05 12:14 - 00000900 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-14 20:56 - 2013-10-14 20:56 - 00000000 ____D C:\FRST
2013-10-14 20:32 - 2013-10-14 20:28 - 01087213 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2013-10-14 20:17 - 2007-09-06 14:24 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-10-14 20:08 - 2013-10-05 12:14 - 00000378 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2013-10-14 20:08 - 2007-09-04 09:20 - 01512423 _____ C:\WINDOWS\WindowsUpdate.log
2013-10-14 20:07 - 2007-09-04 05:09 - 00000259 _____ C:\WINDOWS\wiadebug.log
2013-10-14 20:07 - 2001-08-23 08:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-10-14 20:06 - 2013-10-05 12:14 - 00000896 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-14 20:06 - 2010-10-25 23:18 - 00000000 ____D C:\Documents and Settings\Administrator\Start Menu\Programs\LG Power Tools
2013-10-14 20:06 - 2007-09-04 09:29 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-10-14 20:06 - 2007-09-04 05:09 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-10-14 20:04 - 2007-09-04 09:30 - 00000278 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-10-14 20:04 - 2007-09-04 09:30 - 00000000 ____D C:\Documents and Settings\Administrator
2013-10-14 20:04 - 2007-09-04 09:29 - 00032438 _____ C:\WINDOWS\SchedLgU.Txt
2013-10-14 17:04 - 2013-10-06 16:17 - 00004424 _____ C:\Documents and Settings\Administrator\Desktop\VirusRemoval.txt
2013-10-14 15:55 - 2013-10-14 15:55 - 00004182 _____ C:\Documents and Settings\Administrator\Desktop\attach.txt
2013-10-14 15:54 - 2013-10-14 15:55 - 00012828 _____ C:\Documents and Settings\Administrator\Desktop\dds.txt
2013-10-14 12:53 - 2013-09-29 15:11 - 00020589 _____ C:\Documents and Settings\Administrator\Desktop\aswMBR.txt
2013-10-14 12:53 - 2013-09-29 15:11 - 00000512 _____ C:\Documents and Settings\Administrator\Desktop\MBR.dat
2013-10-14 12:33 - 2013-10-14 12:32 - 00000648 _____ C:\Documents and Settings\Administrator\Desktop\defogger_disable.log
2013-10-14 12:33 - 2013-10-14 12:32 - 00000020 _____ C:\Documents and Settings\Administrator\defogger_reenable
2013-10-14 12:06 - 2013-10-14 12:06 - 00050477 _____ C:\Documents and Settings\Administrator\Desktop\Defogger.exe
2013-10-14 12:01 - 2013-10-14 11:57 - 00688992 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\dds.com
2013-10-14 10:26 - 2010-01-25 20:58 - 00004262 _____ C:\inpierre.txt
2013-10-13 19:46 - 2007-09-04 04:57 - 00000000 ____D C:\WINDOWS\Help
2013-10-13 17:58 - 2007-09-06 14:32 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB936021$
2013-10-07 23:08 - 2007-09-04 05:02 - 00000282 ___SH C:\boot.ini
2013-10-07 20:17 - 2008-03-14 12:26 - 00000268 ____H C:\sqmdata12.sqm
2013-10-07 20:17 - 2008-03-14 12:26 - 00000244 ____H C:\sqmnoopt12.sqm
2013-10-06 14:12 - 2013-09-29 16:04 - 00003107 _____ C:\Documents and Settings\Administrator\Desktop\FSS.txt
2013-10-06 10:55 - 2013-10-06 10:49 - 00417513 _____ C:\WINDOWS\system32\vsconfig.xml
2013-10-06 10:49 - 2013-10-06 10:49 - 00000539 _____ C:\Documents and Settings\All Users\Desktop\ZoneAlarm Security.lnk
2013-10-06 10:49 - 2013-10-06 10:49 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Check Point
2013-10-06 10:49 - 2013-10-06 10:45 - 00000000 ____D C:\Program Files\CheckPoint
2013-10-06 00:44 - 2013-10-06 00:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CheckPoint
2013-10-06 00:32 - 2013-10-06 00:32 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-10-05 23:20 - 2013-10-05 23:20 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-05 23:20 - 2013-10-05 23:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-10-05 23:20 - 2013-10-05 23:20 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-10-05 23:05 - 2007-09-04 05:04 - 00880088 _____ C:\WINDOWS\setupapi.log
2013-10-05 21:43 - 2013-09-29 17:40 - 00002340 _____ C:\Documents and Settings\Administrator\Desktop\SystemLook.txt
2013-10-05 20:44 - 2013-10-05 20:44 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2013-10-05 20:43 - 2013-10-05 20:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-10-05 19:57 - 2010-10-31 19:10 - 00001713 _____ C:\Documents and Settings\Administrator\Desktop\LG Burning Tool.lnk
2013-10-05 12:14 - 2013-10-05 12:14 - 00001689 _____ C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
2013-10-05 12:14 - 2013-10-05 12:14 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
2013-10-05 12:14 - 2008-07-21 12:34 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2013-10-05 12:14 - 2008-07-21 12:33 - 00000000 ____D C:\Program Files\Google
2013-10-05 12:14 - 2007-09-04 09:22 - 00002577 _____ C:\WINDOWS\system32\CONFIG.NT
2013-10-05 12:11 - 2011-10-11 20:58 - 00000000 ____D C:\Program Files\AVAST Software
2013-10-05 12:11 - 2011-10-11 20:58 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2013-10-02 21:36 - 2013-10-05 21:20 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.75.0.1300.exe
2013-09-30 08:29 - 2013-09-30 06:10 - 00000000 ___SD C:\ComboFix
2013-09-29 17:38 - 2013-09-29 15:38 - 00038539 _____ C:\Documents and Settings\Administrator\Desktop\tdss.txt
2013-09-28 17:58 - 2013-09-28 17:58 - 00000000 ____D C:\bimage
2013-09-28 17:06 - 2013-09-28 15:51 - 00000000 ____D C:\XP
2013-09-28 16:23 - 2007-09-04 05:03 - 00189107 _____ C:\WINDOWS\setupact.log
2013-09-28 16:22 - 2013-09-28 16:22 - 00000269 _____ C:\WINDOWS\wsdu.log
2013-09-28 16:22 - 2013-09-28 16:22 - 00000264 _____ C:\WINDOWS\UPGRADE.TXT
2013-09-28 16:22 - 2013-09-28 16:22 - 00000000 _RSHD C:\cmdcons
2013-09-28 16:22 - 2013-09-28 16:22 - 00000000 ____D C:\WINDOWS\setup.pss
2013-09-28 16:22 - 2011-10-11 21:27 - 00015120 _____ C:\WINDOWS\WINNT32.LOG
2013-09-28 16:22 - 2011-10-11 21:27 - 00000356 _____ C:\WINDOWS\DHCPUPG.LOG
2013-09-25 00:06 - 2013-09-24 23:13 - 05130004 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
2013-09-24 23:18 - 2007-09-04 05:06 - 00925213 _____ C:\WINDOWS\iis6.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00746994 _____ C:\WINDOWS\FaxSetup.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00491227 _____ C:\WINDOWS\ocgen.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00367680 _____ C:\WINDOWS\tsoc.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00232925 _____ C:\WINDOWS\comsetup.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00147270 _____ C:\WINDOWS\ntdtcsetup.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00055658 _____ C:\WINDOWS\MedCtrOC.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00039438 _____ C:\WINDOWS\msgsocm.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00038565 _____ C:\WINDOWS\ocmsn.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00035929 _____ C:\WINDOWS\tabletoc.log
2013-09-24 23:18 - 2007-09-04 05:06 - 00004566 _____ C:\WINDOWS\imsins.log
2013-09-24 23:17 - 2007-09-04 05:06 - 00355636 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-09-24 23:17 - 2007-09-04 05:06 - 00239476 _____ C:\WINDOWS\msmqinst.log
2013-09-24 23:17 - 2007-09-04 05:06 - 00134055 _____ C:\WINDOWS\netfxocm.log
2013-09-24 23:12 - 2007-09-04 09:18 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-09-24 23:11 - 2013-09-24 23:11 - 00098304 _____ C:\WINDOWS\Minidump\Mini092413-01.dmp
2013-09-24 23:11 - 2007-09-06 12:35 - 00000000 ____D C:\WINDOWS\Minidump
2013-09-24 22:39 - 2013-09-24 22:39 - 00000000 ____D C:\WINDOWS\erdnt
2013-09-24 22:39 - 2013-09-24 22:39 - 00000000 ____D C:\Qoobox
2013-09-24 22:05 - 2013-09-29 14:33 - 01931088 _____ (Symantec Corporation) C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe
2013-09-24 21:48 - 2013-09-29 14:33 - 00139264 _____ C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
2013-09-24 21:47 - 2013-09-29 14:33 - 00358923 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FSS.exe
2013-09-24 21:45 - 2013-09-29 14:33 - 04745728 _____ (AVAST Software) C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
2013-09-24 21:36 - 2013-09-29 14:34 - 02237968 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
2013-09-23 20:27 - 2010-04-29 20:13 - 00002311 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
2013-09-23 00:36 - 2013-10-05 23:53 - 40062152 _____ (Check Point Software Technologies LTD) C:\Documents and Settings\Administrator\Desktop\zafwSetup_110_768_000.exe
2013-09-21 22:20 - 2001-08-23 08:00 - 00000227 _____ C:\WINDOWS\system.ini
2013-09-15 01:24 - 2010-01-26 20:57 - 00135680 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Files to move or delete:
====================
ZeroAccess:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\12115.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\AdobeUpdater12345.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Install_WLMessenger.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jre-6u11-windows-i586-p-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jre-7u9-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ytb.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\_is25.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\_is62.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\{BAEBDE9F-FE0B-4E56-AC5A-15BD615C0A21}-GoogleUpdateSetup.exe
C:\Documents and Settings\Administrator.COMPUTER\Local Settings\Temp\_isF1.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2004-08-03 19:56] - [2008-04-13 20:12] - 0108544 ____A (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:31 PM

Posted 15 October 2013 - 11:18 AM

Hi Pierre,

Nice to meet you. I am sorry about the delay. I had a very busy day at the office today.

Download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi




#6 gaup 1150

gaup 1150
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Local time:12:31 PM

Posted 15 October 2013 - 07:34 PM

Hello Georgi. There was no delay, I logged in after you.

Did a reboot of the machine and things are getting better now. The 2 GoogleUpdate processes that were running before aren't there any more. Also there was constant access to the net while I used IE8 that is not there anymore.

Here is the fixlog.txt.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-10-2013
Ran by Administrator at 2013-10-15 20:04:58 Run:1
Running from C:\Documents and Settings\Administrator\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
BHO: No Name - {7E853D72-626A-48EC-A868-BA8D5E23E045} -  No File
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\   \   \???\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Documents and Settings\Administrator\Local Settings\Temp
AlternateDataStreams: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe:SummaryInformation
AlternateDataStreams: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\12103779.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\49196718.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\51648771.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\56791452.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\12103779.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\49196718.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\51648771.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\56791452.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
end

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} => Key deleted successfully.
HKCR\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045} => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => Value deleted successfully.
HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll

=========  netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.

========= End of CMD: =========

*etadpug => Service deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp => Moved successfully.
"C:\Documents and Settings\Administrator\Desktop\ComboFix.exe" => ":SummaryInformation" ADS not found.
"C:\Documents and Settings\Administrator\Desktop\ComboFix.exe" => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS not found.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\12103779.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\49196718.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\51648771.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\56791452.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\12103779.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\49196718.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\51648771.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\56791452.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vsmon => Key deleted successfully.

==== End of Fixlog ====
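As an added example that is not part of FRST (Farbar) and was not posted by anyone in this thread: a small Python triage script that re-reads lines in the shape FRST prints (the log in the first post and the fixlist above) and flags the three indicator types they contain: Winsock catalog providers reported "File Not found", lines FRST itself marked ATTENTION, and image paths whose directory components consist only of spaces or "?" characters, which is the shape of the hidden *etadpug service path. The sample lines are constructed from the shape of the log; the rule names and the `_PATH_RE` pattern are this example's own assumptions, not FRST's.

```python
"""FRST-log triage: flag the indicator types visible in this thread's logs.

Added example; not part of FRST (Farbar) and not code posted in the thread.
Rule names and the path pattern are this example's own choices.
"""
import re
from collections import Counter

# Constructed sample: six lines in the shape FRST printed them in this thread.
SAMPLE_LOG = r"""
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\   \   \???\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [685816 2007-09-05] (Duplex Secure Ltd.)
"""

# A drive-letter path; it ends at a closing quote, the "[size date]" block
# or the "<" marker FRST appends.  Assumed shape, derived from the log above.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[<]+')


def suspicious_path_components(path):
    """Return directory components that are blank or made only of '?'.

    FRST rendered the *etadpug service path with '   ' and '???' directory
    components; ordinary file browsing does not show such names, so any
    service or Run entry whose image path contains them deserves a look.
    """
    bad = []
    for comp in path.split("\\")[1:-1]:      # skip drive letter and file name
        if comp.strip() == "" or set(comp) == {"?"}:
            bad.append(comp)
    return bad


def triage(log_text):
    """Apply the three rules to each line; return a list of (rule, line)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. LSP chain pointing at a provider DLL that is not on disk
        #    (the fix above repaired it by resetting LibraryPath and
        #    running "netsh winsock reset").
        if line.startswith("Winsock:") and "File Not found" in line:
            findings.append(("winsock-provider-missing", line))
        # 2. Anything FRST annotated itself.
        if "ATTENTION" in line:
            findings.append(("frst-attention", line))
        # 3. Hidden-directory components inside any image path on the line.
        for path in _PATH_RE.findall(line):
            if suspicious_path_components(path):
                findings.append(("hidden-path-component", line))
                break
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'frst-attention': 3, ...}."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rule, line in hits:
        print(f"[{rule}] {line[:90]}")
    print(summarize(hits))
```

Run against the constructed sample it reports four of the six lines; the two legitimate driver/service lines (avast!, sptd) pass all three rules, which is the point of keeping the rules narrow rather than flagging every unsigned entry.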



#7 gaup 1150

gaup 1150
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Local time:12:31 PM

Posted 15 October 2013 - 08:18 PM

Argh!!!!
Talked too soon, 2 iexplorer processes with 2 different PID numbers running at the same time while I have only 1 window open. Waiting for the next step. The constant access to the net was there for a short time. Probably related to antivirus and firewall looking for something.

#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:31 PM

Posted 16 October 2013 - 12:42 AM

Hi Pierre,

Let's take a deeper look:

  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
  • Don't copy the word "Quote"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %SYSTEMDRIVE%\*.
    %USERPROFILE%\*.*
    %USERPROFILE%\*.
    %USERPROFILE%\*.exe /s
    %USERPROFILE%\My Documents\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Application Data\*.
    %USERPROFILE%\Local Settings\*.*
    %USERPROFILE%\Local Settings\*.
    %USERPROFILE%\Local Settings\Application Data\*.*
    %USERPROFILE%\Local Settings\Application Data\*.
    %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\*.*
    %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\*.
    %AllUsersProfile%\*.
    %AllUsersProfile%\*.exe /s
    %AllUsersProfile%\DRM\*.tmp
    %AllUsersProfile%\Application Data\*.*
    %AllUsersProfile%\Application Data\*.
    %AllUsersProfile%\Documents\*.exe /s
    %CommonProgramFiles%\*.exe
    %CommonProgramFiles%\ComObjects\*.*
    %PROGRAMFILES%\*.*
    %PROGRAMFILES%\*.
    %systemroot%\system32\config\systemprofile\*.*
    %systemroot%\system32\config\systemprofile\*.
    %systemroot%\system32\config\systemprofile\*.exe /s
    %systemroot%\system32\config\systemprofile\Application Data\*.*
    %systemroot%\system32\config\systemprofile\Application Data\*.
    %systemroot%\system32\config\systemprofile\Local Settings\*.*
    %systemroot%\system32\config\systemprofile\Local Settings\*.
    %systemroot%\system32\config\systemprofile\Local Settings\Application Data\*.*
    %systemroot%\system32\config\systemprofile\Local Settings\Application Data\*.
    C:\Documents and Settings\Default User\*.exe /s
    C:\Documents and Settings\Default User\Application Data\*.*
    C:\Documents and Settings\Default User\Application Data\*.
    C:\Documents and Settings\Default User\Local Settings\*.*
    C:\Documents and Settings\Default User\Local Settings\*.
    C:\Documents and Settings\Default User\Local Settings\Application Data\*.*
    C:\Documents and Settings\Default User\Local Settings\Application Data\*.
    C:\Documents and Settings\LocalService\*.exe /s
    C:\Documents and Settings\LocalService\*.*
    C:\Documents and Settings\LocalService\Application Data\*.*
    C:\Documents and Settings\LocalService\Application Data\*.
    C:\Documents and Settings\LocalService\Local Settings\*.*
    C:\Documents and Settings\LocalService\Local Settings\*.
    C:\Documents and Settings\LocalService\Local Settings\Application Data\*.*
    C:\Documents and Settings\LocalService\Local Settings\Application Data\*.
    C:\Documents and Settings\LocalService\Local Settings\temp\*.tlb
    C:\Documents and Settings\NetworkService\*.exe /s
    C:\Documents and Settings\NetworkService\*.*
    C:\Documents and Settings\NetworkService\Application Data\*.*
    C:\Documents and Settings\NetworkService\Application Data\*.
    C:\Documents and Settings\NetworkService\Local Settings\*.*
    C:\Documents and Settings\NetworkService\Local Settings\*.
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.
    C:\Documents and Settings\NetworkService\Local Settings\temp\*.tlb
    C:\Documents and Settings\Guest Access\*.exe /s
    C:\Documents and Settings\Guest Access\*.*
    C:\Documents and Settings\Guest Access\Application Data\*.*
    C:\Documents and Settings\Guest Access\Application Data\*.
    C:\Documents and Settings\Guest Access\Local Settings\*.*
    C:\Documents and Settings\Guest Access\Local Settings\*.
    C:\Documents and Settings\Guest Access\Local Settings\Application Data\*.*
    C:\Documents and Settings\Guest Access\Local Settings\Application Data\*.
    %windir%\temp\*.exe /s
    %windir%\*.
    %windir%\AppPatch\*.exe
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
    HKEY_CLASSES_ROOT\Directory\Shellex\CopyHookHandlers\MSCopy /s
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    winlogon.exe
    userinit.exe
    smss.exe
    imapi.sys
    fastfat.sys
    atapi.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    tcpip.sys
    ipsec.sys
    kbdclass.sys
    mouclass.sys
    mouhid.sys
    hlp.dat
    str.sys
    crexv.ocx
    crexvx.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    intel.exe
    /md5stop
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Regards,

Georgi


Edited by B-boy/StyLe/, 16 October 2013 - 12:44 AM.

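As an added example (not part of Georgi's instructions and not OTL's own tooling), the Python below parses the DRV/SRV lines in the layout OTL produces for the scan requested above and flags the entries a helper reviews first: service keys whose image file is missing, files with no company name in their version resource, and numeric-only image names like the SafeBoot entries deleted in the Fixlog earlier in this thread. The sample lines are constructed in the OTL layout for this example; their values are not taken from the poster's machine, and the numeric-name and empty-company rules are triage heuristics, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout OTL uses for its "Services" and
# "Driver Services" sections. The shape is copied from OTL output; the
# entries themselves are made up for this example.
SAMPLE_OTL = r"""
========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - [2013-08-30 03:48:13 | 000,369,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013-08-30 03:48:13 | 000,177,864 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013-09-01 10:00:00 | 000,015,576 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\51648771.sys -- (51648771)
SRV - [2013-06-19 23:13:16 | 002,445,304 | ---- | M] (Check Point Software Technologies LTD) [On_Demand | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
"""


@dataclass
class OtlEntry:
    kind: str               # "DRV" or "SRV"
    name: str               # registry key name, e.g. "aswSP"
    path: str               # image path; "" when OTL printed "File not found"
    company: Optional[str]  # company from the version resource; None if file missing
    flags: List[str]        # e.g. ["Kernel", "System", "Running"]
    file_missing: bool


# One DRV/SRV line: either "File not found" or "[date | size | attr | M] (Company)",
# then "[flags] -- path -- (name)". The path is absent for missing files.
ENTRY_RE = re.compile(
    r"^(?P<kind>DRV|SRV) - "
    r"(?:(?P<missing>File not found)"
    r"|\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attr>[^|]+?) \| (?P<mod>\w)\] "
    r"\((?P<company>[^)]*)\))"
    r" \[(?P<flags>[^\]]+)\] -- (?:(?P<path>.+?) )?-- \((?P<name>[^)]*)\)$"
)


def parse_entries(log_text: str) -> List[OtlEntry]:
    """Return every DRV/SRV line of an OTL report as an OtlEntry; other lines are skipped."""
    entries: List[OtlEntry] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, PRC/MOD/IE lines
        missing = m.group("missing") is not None
        entries.append(OtlEntry(
            kind=m.group("kind"),
            name=m.group("name"),
            path=m.group("path") or "",
            company=None if missing else m.group("company"),
            flags=[f.strip() for f in m.group("flags").split("|")],
            file_missing=missing,
        ))
    return entries


# Heuristic: an image whose base name is only digits, like the SafeBoot
# entries (12103779.sys, ...) deleted in the Fixlog earlier in the thread.
NUMERIC_STEM_RE = re.compile(r"^\d{6,}$")


def triage(entries: List[OtlEntry]) -> List[dict]:
    """Flag entries a helper would look at first; each finding lists its reasons."""
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("service key exists but image is missing on disk (orphaned entry)")
        else:
            if e.company == "":
                # An empty company only means the version resource is empty;
                # legitimate drivers (aswVmm.sys above) show this too.
                reasons.append("no company name in version resource; check the file's signature")
            stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if NUMERIC_STEM_RE.match(stem):
                reasons.append("numeric-only image name")
        if reasons:
            findings.append({"kind": e.kind, "name": e.name, "path": e.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_OTL)):
        print(finding["kind"], finding["name"], finding["path"] or "<missing>")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run it against a saved OTL.txt by replacing SAMPLE_OTL with the file's contents; the output is a shortlist to verify by hand (signature check, hash lookup), not a removal list, since legitimate entries such as an orphaned driver key from an uninstalled product or an unsigned-looking vendor driver also land in it.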


#9 gaup 1150

gaup 1150
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:31 PM

Posted 16 October 2013 - 07:41 PM

Hello Georgi.
Today there is only 1 iexplorer running. But when I noticed I was infected, it was at the end of the month of August.
I have trouble downloading from that link. I'll try from the download section.
It is 20:39 -5 GMT. I'll post in a little while.

#10 gaup 1150

gaup 1150
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:31 PM

Posted 16 October 2013 - 09:48 PM

Hello again Georgi.
There were 2 GoogleUpdate running and then they were replaced by 2 iexplorer.
I also looked in the ZoneAlarm Firewall permissions, and there is inbound and outbound permission for 2 googleupdate and some other related to googleupdate temp something (sorry to be vague about the temp one).
Any popup windows on the BleepingComputer site (I am a member)? When I was trying to download from the link in the reply, I accepted a popup in the hope the download would work.
Also, the version of OTL was in French. If I choose English in the Language Bar, will OTL be in English?

Wednesday 22:44 -5 GMT

Here is OTL.txt:

OTL logfile created on: 16-10-13 21:32:11 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: dd-MM-yy

255.53 Mb Total Physical Memory | 124.43 Mb Available Physical Memory | 48.69% Memory free
619.40 Mb Paging File | 342.25 Mb Available in Paging File | 55.26% Paging File free
Paging file location(s): D:\pagefile.sys 2 1000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 17.30 Gb Total Space | 7.60 Gb Free Space | 43.96% Space Free | Partition Type: NTFS
Drive D: | 19.97 Gb Total Space | 16.74 Gb Free Space | 83.84% Space Free | Partition Type: NTFS

Computer Name: SHOP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2013-10-16 20:57:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2013-08-30 03:47:34 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2013-08-30 03:47:33 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2013-06-19 23:13:16 | 002,445,304 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2013-06-19 22:41:38 | 000,073,832 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2013-04-04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012-10-22 23:08:07 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2009-06-03 20:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009-04-15 23:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
PRC - [2008-04-13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2013-09-02 02:24:45 | 002,098,176 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\13090200\algo.dll
MOD - [2009-06-03 20:59:14 | 000,013,096 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009-06-03 20:59:02 | 000,619,816 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
MOD - [2009-01-09 18:10:52 | 000,139,264 | ---- | M] () -- C:\Program Files\Brother\BrUtilities\BrLogAPI.dll
MOD - [2002-11-26 14:43:18 | 000,106,496 | ---- | M] () -- C:\WINDOWS\system32\BrMuSNMP.dll


========== Services (SafeList) ==========

SRV - [2013-08-30 03:47:33 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2013-06-19 23:13:16 | 002,445,304 | ---- | M] (Check Point Software Technologies LTD) [On_Demand | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2013-04-04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013-04-04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012-10-22 23:08:07 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013-08-30 03:48:13 | 000,369,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013-08-30 03:48:13 | 000,177,864 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013-08-30 03:48:13 | 000,056,080 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013-08-30 03:48:12 | 000,770,344 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013-08-30 03:48:12 | 000,049,760 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2013-08-30 03:48:12 | 000,049,376 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013-08-30 03:48:11 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013-08-30 03:48:11 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2013-06-19 22:41:38 | 000,527,976 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2013-04-04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012-08-20 16:48:44 | 000,015,576 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pwdrvio.sys -- (pwdrvio)
DRV - [2012-08-20 16:48:44 | 000,010,200 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pwdspio.sys -- (pwdspio)
DRV - [2008-04-13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007-09-05 11:00:08 | 000,685,816 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2007-03-05 21:01:18 | 000,039,184 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2007-03-05 21:00:04 | 000,027,792 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys -- (BlueletSCOAudio)
DRV - [2007-03-05 20:59:04 | 000,018,320 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btnetdrv.sys -- (BT)
DRV - [2007-03-05 20:56:18 | 000,035,600 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2007-03-05 20:55:12 | 000,020,880 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vbtenum.sys -- (BTHidEnum)
DRV - [2007-03-05 20:53:18 | 000,044,304 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2007-03-05 20:52:18 | 000,034,448 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2007-03-05 20:51:24 | 000,034,576 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2004-11-03 14:14:26 | 000,267,136 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sis7012.sys -- (SiS7012)
DRV - [2004-08-03 18:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2001-08-17 14:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001-08-17 13:11:02 | 000,153,631 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xnd5.sys -- (EL90X)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..\SearchScopes,DefaultScope = {28B6BA2B-307F-42F5-9FBE-0F4D9EE53D00}
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..\SearchScopes\{28B6BA2B-307F-42F5-9FBE-0F4D9EE53D00}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35
FF - prefs.js..extensions.enabledItems: wrc@avast.com:8.0.1497
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.19


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-10-05 12:13:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013-01-02 15:58:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013-05-19 13:12:38 | 000,000,000 | ---D | M]

[2008-09-03 13:43:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2008-09-03 13:43:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2013-10-06 20:45:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y5fpxnqm.default\extensions
[2010-01-16 21:14:33 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y5fpxnqm.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2013-10-06 20:45:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013-01-02 15:58:55 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007-09-06 19:03:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007-11-01 17:55:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008-04-01 14:42:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008-08-13 07:11:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008-12-01 16:04:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
[2008-12-29 08:20:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2012-09-27 21:45:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
[2013-10-05 12:13:10 | 000,000,000 | ---D | M] (avast! Online Security) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2013-01-02 15:58:36 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2013-01-02 15:58:37 | 000,134,616 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007-02-05 00:02:56 | 001,642,496 | ---- | M] (LizardTech) -- C:\Program Files\mozilla firefox\plugins\npdjvu.dll
[2007-12-19 08:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
[2013-01-02 15:58:44 | 000,065,496 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009-12-18 02:43:52 | 000,095,672 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2013-01-02 15:58:47 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2013-01-02 15:58:47 | 000,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2013-01-02 15:58:47 | 000,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2013-01-02 15:58:47 | 000,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2013-01-02 15:58:47 | 000,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2013-01-02 15:58:47 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2013-01-02 15:58:47 | 000,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2001-08-23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe (CyberLink Corp.)
O4 - HKLM..\Run: [PPort11reminder] C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePPShortCut] C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 File not found
O4 - HKU\.DEFAULT..\RunOnce: [nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 File not found
O4 - HKU\S-1-5-18..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 File not found
O4 - HKU\S-1-5-18..\RunOnce: [nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..Trusted Domains: desjardins.com ([accesd] https in Trusted sites)
O15 - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..Trusted Domains: gouv.qc.ca ([www.registrefoncier] http in Trusted sites)
O16 - DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} http://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/CPCViewAX/CpcViewAX.cab (CPC View ax Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1350965749221 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1350965664129 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} http://www.registrefoncier.gouv.qc.ca/Sirf/Script/14_05_04/ActiveCGM/Acgm.cab (ActiveCGM Control)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\asp {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\ebahn {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\hsp {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\intu-ir2011 {DFF68B15-A8D3-420b-B32C-E9554E2F5C15} - C:\Program Files\ImpotRapide 2011\ic2011pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-ir2012 {79E19CC8-7698-4b41-8474-52FA5B207EBF} - C:\Program Files\ImpotRapide 2012\ic2012pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Handler\x-asp {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Handler\x-cnote {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Handler\x-ebahn {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Handler\x-hsp {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Handler\x-mem3 {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - C:\Program Files\eBahn\eztoolslib2.dll ()
O18 - Protocol\Handler\x-zip {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Handler\zip {8D32BA61-D15B-11d4-894B-000000000000} - C:\Program Files\eBahn\hsppp.dll (EzTools Software)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - (%SystemRoot%\System32\dimsntfy.dll) - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007-09-04 09:22:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 90 Days ==========

[2013-10-16 20:57:29 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013-10-14 20:56:15 | 000,000,000 | ---D | C] -- C:\FRST
[2013-10-14 20:28:07 | 001,087,213 | ---- | C] (Farbar) -- C:\Documents and Settings\Administrator\Desktop\FRST.exe
[2013-10-14 11:57:00 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\dds.com
[2013-10-06 10:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Check Point
[2013-10-06 10:45:12 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2013-10-06 00:44:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2013-10-06 00:32:31 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2013-10-05 23:53:40 | 040,062,152 | ---- | C] (Check Point Software Technologies LTD) -- C:\Documents and Settings\Administrator\Desktop\zafwSetup_110_768_000.exe
[2013-10-05 23:20:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013-10-05 23:20:50 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013-10-05 23:20:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013-10-05 21:20:25 | 010,285,040 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.75.0.1300.exe
[2013-10-05 20:44:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2013-10-05 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013-10-05 12:33:14 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013-10-05 12:14:16 | 000,029,816 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2013-10-05 12:14:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2013-10-05 12:14:15 | 000,369,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2013-10-05 12:14:14 | 000,049,760 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2013-10-05 12:14:12 | 000,056,080 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2013-10-05 12:14:11 | 000,770,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2013-10-05 12:14:08 | 000,066,336 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswMonFlt.sys
[2013-10-05 12:14:07 | 000,229,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2013-10-05 12:12:42 | 000,041,664 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2013-09-30 06:10:47 | 000,000,000 | --SD | C] -- C:\ComboFix
[2013-09-29 14:34:08 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2013-09-29 14:33:39 | 000,358,923 | ---- | C] (Farbar) -- C:\Documents and Settings\Administrator\Desktop\FSS.exe
[2013-09-29 14:33:28 | 001,931,088 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe
[2013-09-29 14:33:15 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2013-09-28 17:58:56 | 000,000,000 | ---D | C] -- C:\bimage
[2013-09-28 16:22:50 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013-09-28 16:22:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2013-09-28 15:51:34 | 000,000,000 | ---D | C] -- C:\XP
[2013-09-24 23:13:56 | 005,130,004 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2013-09-24 22:43:43 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013-09-24 22:43:43 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013-09-24 22:43:42 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013-09-24 22:43:42 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013-09-24 22:39:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013-09-24 22:39:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013-07-31 01:16:16 | 000,000,000 | -HSD | C] -- C:\WINDOWS\assembly
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2013-10-16 21:08:18 | 000,000,378 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2013-10-16 21:07:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013-10-16 21:07:05 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013-10-16 21:06:30 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013-10-16 21:06:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013-10-16 20:57:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013-10-14 21:27:02 | 000,003,713 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Addition.zip
[2013-10-14 20:32:54 | 001,087,213 | ---- | M] (Farbar) -- C:\Documents and Settings\Administrator\Desktop\FRST.exe
[2013-10-14 12:53:13 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2013-10-14 12:33:00 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2013-10-14 12:06:20 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2013-10-14 12:01:47 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\dds.com
[2013-10-07 23:08:47 | 000,000,282 | -HS- | M] () -- C:\boot.ini
[2013-10-07 20:17:38 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2013-10-07 20:17:38 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2013-10-06 10:55:04 | 000,417,513 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2013-10-06 10:49:17 | 000,000,539 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoneAlarm Security.lnk
[2013-10-05 23:20:55 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013-10-05 19:57:09 | 000,001,713 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\LG Burning Tool.lnk
[2013-10-05 12:14:17 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2013-10-05 12:14:08 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2013-10-02 21:36:44 | 010,285,040 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.75.0.1300.exe
[2013-09-25 00:06:07 | 005,130,004 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2013-09-24 23:17:58 | 000,311,934 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013-09-24 23:17:58 | 000,040,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013-09-24 22:05:47 | 001,931,088 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe
[2013-09-24 21:48:43 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
[2013-09-24 21:47:40 | 000,358,923 | ---- | M] (Farbar) -- C:\Documents and Settings\Administrator\Desktop\FSS.exe
[2013-09-24 21:45:53 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2013-09-24 21:36:49 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2013-09-23 00:36:26 | 040,062,152 | ---- | M] (Check Point Software Technologies LTD) -- C:\Documents and Settings\Administrator\Desktop\zafwSetup_110_768_000.exe
[2013-09-15 01:24:49 | 000,135,680 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013-08-30 03:48:13 | 000,369,584 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2013-08-30 03:48:13 | 000,177,864 | ---- | M] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013-08-30 03:48:13 | 000,056,080 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2013-08-30 03:48:12 | 000,770,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2013-08-30 03:48:12 | 000,049,760 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2013-08-30 03:48:12 | 000,049,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013-08-30 03:48:11 | 000,066,336 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswMonFlt.sys
[2013-08-30 03:48:11 | 000,029,816 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2013-08-30 03:47:40 | 000,041,664 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2013-08-30 03:47:32 | 000,229,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2013-08-04 08:31:26 | 000,000,211 | -HS- | M] () -- C:\BOOT.BAK
[2013-08-03 20:10:29 | 000,001,891 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013-10-14 21:27:02 | 000,003,713 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Addition.zip
[2013-10-14 12:32:38 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2013-10-14 12:06:19 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2013-10-06 10:49:31 | 000,417,513 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2013-10-06 10:49:17 | 000,000,539 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ZoneAlarm Security.lnk
[2013-10-05 23:20:55 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013-10-05 12:14:49 | 000,000,900 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013-10-05 12:14:49 | 000,000,896 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013-10-05 12:14:17 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2013-10-05 12:14:11 | 000,000,378 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2013-10-05 12:14:10 | 000,177,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013-10-05 12:14:09 | 000,049,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013-09-29 15:11:42 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2013-09-29 14:33:55 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
[2013-09-28 16:22:54 | 000,000,211 | -HS- | C] () -- C:\BOOT.BAK
[2013-09-28 16:22:52 | 000,260,288 | RHS- | C] () -- C:\cmldr
[2013-09-24 22:43:43 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013-09-24 22:43:43 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013-09-24 22:43:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013-09-24 22:43:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013-09-24 22:43:42 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013-01-05 03:34:49 | 002,872,000 | ---- | C] () -- C:\WINDOWS\System32\pwNative.exe
[2013-01-05 03:34:46 | 000,015,576 | ---- | C] () -- C:\WINDOWS\System32\pwdrvio.sys
[2013-01-05 03:34:45 | 000,010,200 | ---- | C] () -- C:\WINDOWS\System32\pwdspio.sys
[2010-01-26 20:57:13 | 000,135,680 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-01-25 22:18:19 | 000,020,928 | -H-- | C] () -- C:\Program Files\WINPM-32.GID
[2010-01-25 21:44:04 | 000,000,512 | ---- | C] () -- C:\Program Files\PMAIL.CFG

========== ZeroAccess Check ==========

[2013-07-31 01:15:47 | 000,000,000 | ---D | M] -- C:\recycler\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\L
[2013-09-24 22:40:44 | 000,000,000 | ---D | M] -- C:\recycler\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\U

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008-04-13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2008-04-13 20:11:53 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008-04-13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2010-03-24 22:11:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GrabIt
[2008-05-01 07:00:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LimeWire
[2010-02-17 22:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC-FAX TX
[2010-02-19 23:19:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ScanSoft
[2010-02-19 23:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Zeon
[2010-10-03 20:31:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.COMPUTER\Application Data\PC-FAX TX
[2010-10-03 20:46:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.COMPUTER\Application Data\ScanSoft
[2010-10-03 20:51:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.COMPUTER\Application Data\Zeon
[2013-10-05 12:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2008-03-30 10:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bluetooth
[2013-10-06 00:44:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2010-02-19 23:26:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2010-10-31 16:12:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2010-02-19 23:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zeon

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2007-09-04 09:22:47 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2013-08-04 08:31:26 | 000,000,211 | -HS- | M] () -- C:\BOOT.BAK
[2013-10-07 23:08:47 | 000,000,282 | -HS- | M] () -- C:\boot.ini
[2008-04-14 00:02:08 | 000,260,288 | RHS- | M] () -- C:\cmldr
[2007-09-04 09:22:47 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010-08-07 11:42:31 | 000,797,031 | ---- | M] () -- C:\inpie.prn
[2006-12-23 00:02:24 | 000,013,312 | ---- | M] () -- C:\inpierre.doc
[2013-10-14 10:26:49 | 000,004,262 | ---- | M] () -- C:\inpierre.txt
[2007-09-04 09:22:47 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007-09-04 09:22:47 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008-04-13 22:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008-04-14 00:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2013-10-16 21:06:10 | 401,915,904 | -HS- | M] () -- C:\pagefile.sys
[2008-10-01 10:10:24 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2008-10-08 11:45:07 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2008-10-08 12:07:01 | 000,000,172 | -H-- | M] () -- C:\sqmdata02.sqm
[2008-10-30 09:26:14 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2008-11-14 14:46:52 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2008-11-14 14:54:05 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2008-11-27 15:48:48 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2013-07-02 18:43:17 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2013-07-02 18:55:27 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2013-07-02 19:10:27 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2013-07-02 19:15:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2013-07-02 19:18:36 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2013-10-07 20:17:38 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2008-04-14 11:04:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2008-08-21 04:13:07 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2008-08-21 04:13:14 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2008-08-21 04:13:15 | 000,000,172 | -H-- | M] () -- C:\sqmdata16.sqm
[2008-09-08 15:35:55 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2008-09-30 15:56:07 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2008-10-01 09:12:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2008-10-01 10:10:24 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008-10-08 11:45:06 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008-10-08 12:07:01 | 000,000,172 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008-10-30 09:26:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008-11-14 14:46:52 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2008-11-14 14:54:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2008-11-27 15:48:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2013-07-02 18:43:17 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2013-07-02 18:55:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2013-07-02 19:10:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2013-07-02 19:15:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2013-07-02 19:18:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2013-10-07 20:17:38 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008-04-14 11:04:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008-08-21 04:13:07 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008-08-21 04:13:14 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2008-08-21 04:13:15 | 000,000,172 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2008-09-08 15:35:55 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2008-09-30 15:56:07 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2008-10-01 09:12:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2007-09-10 10:19:35 | 000,919,550 | ---- | M] () -- C:\TB.log
[2013-10-06 00:33:21 | 000,265,068 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_06.10.2013_00.22.31_log.txt
[2013-10-13 18:32:23 | 000,079,504 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_13.10.2013_18.29.27_log.txt
[2013-10-13 18:43:21 | 000,217,784 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_13.10.2013_18.34.06_log.txt
[2013-10-14 12:54:21 | 000,003,742 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_14.10.2013_12.54.06_log.txt
[2013-10-14 13:08:11 | 000,260,466 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_14.10.2013_12.56.08_log.txt
[2013-09-29 15:36:30 | 000,077,156 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_29.09.2013_15.26.09_log.txt
[2013-09-29 22:02:16 | 000,145,788 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_29.09.2013_21.59.41_log.txt
[2013-09-29 22:09:10 | 000,288,448 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_29.09.2013_22.04.50_log.txt

< %SYSTEMDRIVE%\*. >
[2013-09-28 17:58:56 | 000,000,000 | ---D | M] -- C:\bimage
[2013-09-28 16:22:54 | 000,000,000 | RHSD | M] -- C:\cmdcons
[2013-09-30 08:29:27 | 000,000,000 | --SD | M] -- C:\ComboFix
[2011-10-15 21:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings
[2013-10-14 20:56:15 | 000,000,000 | ---D | M] -- C:\FRST
[2013-07-09 21:55:47 | 000,000,000 | ---D | M] -- C:\PerfLogs
[2013-10-06 11:54:14 | 000,000,000 | R--D | M] -- C:\Program Files
[2013-09-24 22:39:54 | 000,000,000 | ---D | M] -- C:\Qoobox
[2013-10-05 12:33:14 | 000,000,000 | -HSD | M] -- C:\RECYCLER
[2013-09-24 23:12:01 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2013-10-06 00:32:32 | 000,000,000 | ---D | M] -- C:\TDSSKiller_Quarantine
[2013-03-09 11:20:11 | 000,000,000 | ---D | M] -- C:\TEMP
[2011-10-10 23:15:03 | 000,000,000 | ---D | M] -- C:\WINDO.0
[2011-10-10 20:42:02 | 000,000,000 | ---D | M] -- C:\WINDO.1
[2013-10-14 20:59:35 | 000,000,000 | ---D | M] -- C:\WINDOWS
[2013-09-28 17:06:27 | 000,000,000 | ---D | M] -- C:\XP

< %USERPROFILE%\*.* >
[2013-10-14 12:33:00 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2013-10-16 21:05:08 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2013-10-16 21:32:16 | 000,001,024 | -H-- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2013-10-16 21:04:52 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

< %USERPROFILE%\*. >
[2013-10-12 22:57:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Application Data
[2008-08-21 04:13:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Contacts
[2013-10-16 21:25:40 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\Cookies
[2013-10-16 20:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Desktop
[2013-07-27 23:14:32 | 000,000,000 | R--D | M] -- C:\Documents and Settings\Administrator\Favorites
[2012-10-23 06:12:57 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\IECompatCache
[2012-10-23 06:07:25 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\IETldCache
[2011-10-10 23:13:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Incomplete
[2013-10-15 20:10:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Local Settings
[2013-10-16 21:23:50 | 000,000,000 | R--D | M] -- C:\Documents and Settings\Administrator\My Documents
[2011-10-16 15:57:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\NetHood
[2007-09-04 05:05:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\PrintHood
[2012-10-23 06:13:42 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\PrivacIE
[2013-10-16 21:31:09 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\Recent
[2010-01-25 22:22:24 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\SendTo
[2011-10-10 23:11:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Shared
[2007-09-04 05:05:37 | 000,000,000 | R--D | M] -- C:\Documents and Settings\Administrator\Start Menu
[2007-09-04 09:16:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Templates

< %USERPROFILE%\*.exe /s >
[2013-09-24 21:45:53 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2013-09-25 00:06:07 | 005,130,004 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2013-10-14 12:06:20 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2013-09-24 22:05:47 | 001,931,088 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe
[2013-10-14 20:32:54 | 001,087,213 | ---- | M] (Farbar) -- C:\Documents and Settings\Administrator\Desktop\FRST.exe
[2013-09-24 21:47:40 | 000,358,923 | ---- | M] (Farbar) -- C:\Documents and Settings\Administrator\Desktop\FSS.exe
[2013-10-02 21:36:44 | 010,285,040 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.75.0.1300.exe
[2013-10-16 20:57:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013-09-24 21:48:43 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
[2013-09-24 21:36:49 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2013-09-23 00:36:26 | 040,062,152 | ---- | M] (Check Point Software Technologies LTD) -- C:\Documents and Settings\Administrator\Desktop\zafwSetup_110_768_000.exe
[2013-10-16 21:05:14 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Temp\{146F1089-E26C-4D08-A704-39C118F64B91}-GoogleUpdateSetup.exe
[3 C:\Documents and Settings\Administrator\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Administrator\Local Settings\Temp\*.tmp -> ]
[2007-09-06 14:15:27 | 006,018,096 | ---- | M] (Mozilla) -- C:\Documents and Settings\Administrator\My Documents\Firefox Setup 2.0.0.6.exe
[2001-06-04 19:59:08 | 000,228,352 | ---- | M] (Alex Mina) -- C:\Documents and Settings\Administrator\My Documents\APCI\APciInfo.exe
[2005-10-12 22:12:38 | 000,110,080 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\APCI\pci32\PCI32.EXE
[2007-05-17 14:12:50 | 014,203,678 | ---- | M] (WORLDPAC ) -- C:\Documents and Settings\Administrator\My Documents\Mes Documents\speedDIALInstall.exe
[2011-06-01 21:20:32 | 000,781,949 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mes Documents\Bront\BrMain440.exe
[2000-03-14 11:11:48 | 000,156,160 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mes Documents\CRACK\a1ex211.exe
[1992-09-28 15:38:40 | 000,467,459 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mes Documents\DIVERS\ESPAGNOL\SPANASST.EXE
[1992-09-28 15:39:04 | 000,212,136 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mes Documents\DIVERS\ESPAGNOL\SPANTOOL.EXE
[1997-04-14 23:40:56 | 000,646,277 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mes Documents\ELECTRON\HRDWARE\USED\Manuel_MB\AOPEN\AP5T\AP5T_R2\ap5tp.exe
[1997-11-24 14:41:30 | 000,438,234 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mes Documents\ELECTRON\HRDWARE\USED\Manuel_MB\AOPEN\AP5T\AP5T_R3\ap5t-3.exe
[2006-03-13 15:31:04 | 001,562,068 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mes Documents\Imprimante_HP\lj1300pcl6win9xme-en.exe

< %USERPROFILE%\My Documents\*.* >
[2007-09-05 11:01:25 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\DAEMON Tools.lnk
[2008-05-28 14:43:35 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2012-10-23 06:07:29 | 000,000,084 | -HS- | M] () -- C:\Documents and Settings\Administrator\My Documents\desktop.ini
[2007-09-06 14:15:27 | 006,018,096 | ---- | M] (Mozilla) -- C:\Documents and Settings\Administrator\My Documents\Firefox Setup 2.0.0.6.exe
[2007-09-06 14:24:59 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mozilla Firefox.lnk
[2008-09-17 11:12:00 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\My Sharing Folders.lnk
[2010-03-24 22:38:27 | 000,077,150 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Picture.jpg

< %USERPROFILE%\Application Data\*.* >
[2007-09-04 05:05:37 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini

< %USERPROFILE%\Application Data\*. >
[2008-02-14 12:30:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2010-01-16 22:32:23 | 000,000,000 | R--D | M] -- C:\Documents and Settings\Administrator\Application Data\Brother
[2013-03-09 11:29:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CyberLink
[2010-03-24 22:11:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GrabIt
[2010-01-25 21:40:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Help
[2007-09-04 09:30:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2010-01-16 20:52:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InstallShield
[2013-04-11 20:37:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Intuit Canada
[2008-05-01 07:00:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LimeWire
[2007-09-06 18:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2013-10-05 20:44:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011-07-07 20:58:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2008-09-03 13:43:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010-02-17 22:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC-FAX TX
[2010-02-19 23:19:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ScanSoft
[2007-09-17 12:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2007-09-06 14:25:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Talkback
[2010-02-19 23:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Zeon

< %USERPROFILE%\Local Settings\*.* >
[2013-10-16 21:07:02 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Local Settings\desktop.ini

< %USERPROFILE%\Local Settings\*. >
[2013-10-05 12:19:05 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\Local Settings\History
[2013-10-16 21:25:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Temp
[2010-04-01 20:09:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

< %USERPROFILE%\Local Settings\Application Data\*.* >
[2013-09-15 01:24:49 | 000,135,680 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013-05-04 12:32:31 | 000,028,296 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2013-10-06 00:59:56 | 004,838,502 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

< %USERPROFILE%\Local Settings\Application Data\*. >
[2009-03-10 20:59:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2013-10-05 12:14:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2011-10-11 21:23:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Help
[2007-09-06 11:32:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities
[2008-10-10 09:02:37 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2007-09-06 14:25:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2010-10-31 16:13:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Power2Go
[2010-01-27 21:44:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Scansoft
[2012-10-23 19:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Sun
[2010-01-31 23:57:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\WMTools Downloaded Files

< %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\*.* >

< %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\*. >

< %AllUsersProfile%\*. >
[2013-10-06 00:44:07 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2013-03-09 11:42:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\CyberLink
[2013-10-06 10:49:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Desktop
[2008-10-30 10:50:28 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Documents
[2007-09-06 20:10:49 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\DRM
[2007-09-04 05:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Favorites
[2012-10-23 01:17:06 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu
[2007-09-04 05:05:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Templates

< %AllUsersProfile%\*.exe /s >
[2010-03-24 14:17:47 | 000,326,056 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\8.2\ARM\11288\AcrobatUpdater.exe
[2010-03-24 14:17:47 | 000,952,768 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\8.2\ARM\11288\AdobeARM.exe
[2010-03-24 14:17:47 | 000,326,056 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\8.2\ARM\11288\ReaderUpdater.exe
[2010-03-24 14:17:47 | 000,326,056 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\8.2\ARM\11303\AcrobatUpdater.exe
[2010-03-24 14:17:47 | 000,952,768 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\8.2\ARM\11303\AdobeARM.exe
[2010-03-24 14:17:47 | 000,326,056 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\Reader\8.2\ARM\11303\ReaderUpdater.exe
[2007-06-20 05:53:06 | 000,032,592 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.0.123\French\setup.exe
[2010-10-31 16:12:03 | 000,053,319 | ---- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\Temp\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
[2010-10-31 16:08:43 | 000,053,319 | ---- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\Temp\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe
[2010-10-31 16:06:52 | 000,036,864 | ---- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\Temp\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
[2010-10-31 16:04:17 | 000,053,319 | ---- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\Temp\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
[2010-10-31 16:10:19 | 000,036,864 | ---- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\Temp\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe

< %AllUsersProfile%\DRM\*.tmp >

< %AllUsersProfile%\Application Data\*.* >
[2007-09-04 05:05:37 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini

< %AllUsersProfile%\Application Data\*. >
[2013-07-31 05:34:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2013-10-05 12:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2008-03-30 10:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bluetooth
[2010-01-27 21:27:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Brother
[2013-10-06 00:44:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2013-03-09 11:42:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2010-01-27 21:34:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2013-04-11 20:35:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit Canada
[2007-09-04 13:04:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2013-10-05 20:43:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008-10-10 09:02:37 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2010-02-19 23:26:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2010-06-09 23:00:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010-10-31 16:12:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2007-12-10 19:29:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2007-09-06 19:46:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
[2010-02-19 23:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zeon

< %AllUsersProfile%\Documents\*.exe /s >

< %CommonProgramFiles%\*.exe >

< %CommonProgramFiles%\ComObjects\*.* >

< %PROGRAMFILES%\*.* >
[2010-01-25 21:44:04 | 000,000,512 | ---- | M] () -- C:\Program Files\PMAIL.CFG
[2010-01-25 22:18:55 | 000,020,928 | -H-- | M] () -- C:\Program Files\WINPM-32.GID

< %PROGRAMFILES%\*. >
[2010-04-29 20:13:21 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2007-09-26 10:55:56 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2013-10-05 12:11:15 | 000,000,000 | ---D | M] -- C:\Program Files\AVAST Software
[2010-01-27 21:37:20 | 000,000,000 | ---D | M] -- C:\Program Files\Brother
[2010-01-30 20:00:43 | 000,000,000 | ---D | M] -- C:\Program Files\CDCHECK
[2013-10-06 10:49:06 | 000,000,000 | ---D | M] -- C:\Program Files\CheckPoint
[2012-04-16 20:41:59 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2007-09-04 09:17:24 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010-10-31 16:10:29 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2007-09-06 12:35:40 | 000,000,000 | ---D | M] -- C:\Program Files\DAEMON Tools
[2013-08-02 01:25:29 | 000,000,000 | ---D | M] -- C:\Program Files\eBahn
[2013-10-05 12:14:42 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2008-07-17 10:20:27 | 000,000,000 | ---D | M] -- C:\Program Files\GrabIt
[2012-04-16 21:43:46 | 000,000,000 | ---D | M] -- C:\Program Files\ImpotRapide 2011
[2013-04-11 22:05:45 | 000,000,000 | ---D | M] -- C:\Program Files\ImpotRapide 2012
[2013-01-05 21:38:53 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2013-01-02 14:22:20 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010-08-30 20:41:08 | 000,000,000 | ---D | M] -- C:\Program Files\IrfanView
[2008-03-30 10:29:23 | 000,000,000 | ---D | M] -- C:\Program Files\IVT Corporation
[2012-10-22 23:07:50 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2013-01-05 21:38:53 | 000,000,000 | ---D | M] -- C:\Program Files\LizardTech
[2013-10-05 23:20:57 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011-10-04 23:54:28 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2007-09-05 11:20:14 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2010-10-03 17:25:59 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010-10-03 17:26:39 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2007-09-05 11:15:45 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2013-01-05 03:34:26 | 000,000,000 | ---D | M] -- C:\Program Files\MiniTool Partition Wizard Home Edition 7.6.1
[2011-10-04 23:56:57 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2013-10-14 21:31:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2007-09-04 09:15:49 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2007-09-04 09:16:30 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2008-09-17 11:09:57 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Messenger
[2007-09-04 09:23:08 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2007-09-06 14:32:25 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2010-01-25 21:25:32 | 000,000,000 | ---D | M] -- C:\Program Files\mycpu111
[2011-10-04 23:57:16 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010-01-27 21:34:49 | 000,000,000 | ---D | M] -- C:\Program Files\Nuance
[2007-09-04 09:20:27 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2011-10-04 23:57:12 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2012-12-16 22:25:35 | 000,000,000 | ---D | M] -- C:\Program Files\Pmail
[2010-01-27 21:28:43 | 000,000,000 | ---D | M] -- C:\Program Files\ScanSoft
[2007-09-12 12:34:32 | 000,000,000 | ---D | M] -- C:\Program Files\SiS7012
[2010-10-03 17:26:31 | 000,000,000 | ---D | M] -- C:\Program Files\Snapshot Viewer
[2007-09-04 09:30:33 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2007-11-30 04:01:09 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live Toolbar
[2011-10-04 23:54:46 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2011-10-04 23:57:17 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2011-10-04 23:54:12 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2007-09-04 09:20:32 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2010-01-30 20:17:31 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2007-09-04 09:23:40 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %systemroot%\system32\config\systemprofile\*.* >
[2011-10-11 20:53:08 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\NtUser.dat
[2013-09-29 18:06:19 | 000,001,024 | -H-- | M] () -- C:\WINDOWS\system32\config\systemprofile\NtUser.dat.LOG

< %systemroot%\system32\config\systemprofile\*. >
[2007-09-04 05:05:37 | 000,000,000 | RH-D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\WINDOWS\system32\config\systemprofile\Cookies
[2007-09-04 05:05:37 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Desktop
[2007-09-04 05:05:37 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Favorites
[2007-09-04 05:05:37 | 000,000,000 | RH-D | M] -- C:\WINDOWS\system32\config\systemprofile\Local Settings
[2007-09-04 05:05:37 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\My Documents
[2007-09-04 05:05:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\system32\config\systemprofile\NetHood
[2007-09-04 05:05:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\system32\config\systemprofile\PrintHood
[2007-09-04 05:05:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\system32\config\systemprofile\Recent
[2007-09-04 09:20:51 | 000,000,000 | RH-D | M] -- C:\WINDOWS\system32\config\systemprofile\SendTo
[2007-09-04 05:05:37 | 000,000,000 | R--D | M] -- C:\WINDOWS\system32\config\systemprofile\Start Menu
[2007-09-04 09:16:16 | 000,000,000 | -H-D | M] -- C:\WINDOWS\system32\config\systemprofile\Templates

< %systemroot%\system32\config\systemprofile\*.exe /s >

< %systemroot%\system32\config\systemprofile\Application Data\*.* >
[2007-09-04 05:05:37 | 000,000,062 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini

< %systemroot%\system32\config\systemprofile\Application Data\*. >
[2007-09-04 05:04:14 | 000,000,000 | --SD | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft

< %systemroot%\system32\config\systemprofile\Local Settings\*.* >
[2007-09-04 05:05:37 | 000,000,062 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini

< %systemroot%\system32\config\systemprofile\Local Settings\*. >
[2013-10-06 11:53:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\History
[2013-10-06 14:05:04 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files

< %systemroot%\system32\config\systemprofile\Local Settings\Application Data\*.* >

< %systemroot%\system32\config\systemprofile\Local Settings\Application Data\*. >
[2013-10-06 11:53:11 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google
[2007-09-04 09:21:56 | 000,000,000 | --SD | M] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft

< C:\Documents and Settings\Default User\*.exe /s >
[2007-09-04 09:19:29 | 000,000,065 | RH-- | C] () -- C:\WINDOWS\Tasks\desktop.ini
[2007-09-04 09:29:59 | 000,000,006 | -H-- | C] () -- C:\WINDOWS\Tasks\SA.DAT
[2013-10-05 12:14:11 | 000,000,378 | -H-- | C] () -- C:\WINDOWS\Tasks\avast! Emergency Update.job
[2013-10-05 12:14:49 | 000,000,896 | ---- | C] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
[2013-10-05 12:14:49 | 000,000,900 | ---- | C] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

< C:\Documents and Settings\Default User\Application Data\*.* >
[2007-09-04 05:05:37 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Default User\Application Data\desktop.ini

< C:\Documents and Settings\Default User\Application Data\*. >
[2007-09-04 09:22:42 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Default User\Application Data\Microsoft

< C:\Documents and Settings\Default User\Local Settings\*.* >
[2007-09-04 05:05:37 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Default User\Local Settings\desktop.ini

< C:\Documents and Settings\Default User\Local Settings\*. >
[2007-09-04 09:21:56 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Default User\Local Settings\Application Data
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Default User\Local Settings\History
[2007-09-04 05:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Local Settings\Temp
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files

< C:\Documents and Settings\Default User\Local Settings\Application Data\*.* >

< C:\Documents and Settings\Default User\Local Settings\Application Data\*. >
[2007-09-04 09:22:42 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft

< C:\Documents and Settings\LocalService\*.exe /s >

< C:\Documents and Settings\LocalService\*.* >
[2013-10-16 21:05:19 | 000,241,664 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2013-10-16 21:08:35 | 000,001,024 | -H-- | M] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2007-09-04 09:29:58 | 000,000,020 | -HS- | M] () -- C:\Documents and Settings\LocalService\ntuser.ini

< C:\Documents and Settings\LocalService\Application Data\*.* >

< C:\Documents and Settings\LocalService\Application Data\*. >
[2007-09-06 20:12:14 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

< C:\Documents and Settings\LocalService\Local Settings\*.* >
[2013-10-16 21:06:23 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\LocalService\Local Settings\desktop.ini

< C:\Documents and Settings\LocalService\Local Settings\*. >
[2007-09-04 09:29:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\LocalService\Local Settings\History
[2007-09-26 11:01:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Temp
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files

< C:\Documents and Settings\LocalService\Local Settings\Application Data\*.* >

< C:\Documents and Settings\LocalService\Local Settings\Application Data\*. >
[2007-09-04 09:22:42 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

< C:\Documents and Settings\LocalService\Local Settings\temp\*.tlb >

< C:\Documents and Settings\NetworkService\*.exe /s >

< C:\Documents and Settings\NetworkService\*.* >
[2013-10-16 21:05:19 | 000,241,664 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2013-10-16 21:08:37 | 000,001,024 | -H-- | M] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2007-09-04 09:29:49 | 000,000,020 | -HS- | M] () -- C:\Documents and Settings\NetworkService\ntuser.ini

< C:\Documents and Settings\NetworkService\Application Data\*.* >

< C:\Documents and Settings\NetworkService\Application Data\*. >
[2007-09-04 09:22:42 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

< C:\Documents and Settings\NetworkService\Local Settings\*.* >
[2013-10-16 21:06:21 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\desktop.ini

< C:\Documents and Settings\NetworkService\Local Settings\*. >
[2007-09-04 09:29:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data
[2013-10-05 15:40:00 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\NetworkService\Local Settings\History
[2013-07-09 21:56:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Temp
[2007-09-04 05:05:37 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

< C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.* >

< C:\Documents and Settings\NetworkService\Local Settings\Application Data\*. >
[2007-09-04 09:22:42 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

< C:\Documents and Settings\NetworkService\Local Settings\temp\*.tlb >

< C:\Documents and Settings\Guest Access\*.exe /s >

< C:\Documents and Settings\Guest Access\*.* >

< C:\Documents and Settings\Guest Access\Application Data\*.* >

< C:\Documents and Settings\Guest Access\Application Data\*. >

< C:\Documents and Settings\Guest Access\Local Settings\*.* >

< C:\Documents and Settings\Guest Access\Local Settings\*. >

< C:\Documents and Settings\Guest Access\Local Settings\Application Data\*.* >

< C:\Documents and Settings\Guest Access\Local Settings\Application Data\*. >

< %windir%\temp\*.exe /s >

< %windir%\*. >
[2013-01-02 14:17:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$hf_mig$
[2008-09-15 09:40:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtServicePackUninstall$
[2013-01-02 14:17:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2749655$
[2013-01-02 14:18:40 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2779562$
[2007-09-06 14:30:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB885884$
[2007-09-06 14:32:42 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB921503$
[2008-05-28 10:26:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB932823-v3$
[2007-09-06 14:31:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB933360$
[2007-10-10 03:02:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB933729$
[2013-10-13 17:58:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB936021$
[2007-09-06 14:30:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB936782_WMP11$
[2007-12-12 04:03:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB937894$
[2008-09-15 09:56:21 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938464$
[2008-09-11 03:00:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938464_0$
[2007-09-06 14:32:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938828$
[2007-09-06 14:32:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938829$
[2007-09-06 14:31:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB939683$
[2007-10-10 03:00:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB941202$
[2007-12-12 04:01:08 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB941568$
[2007-12-12 04:01:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB941569$
[2008-01-09 09:31:35 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB941644$
[2008-04-09 03:02:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB941693$
[2007-12-12 04:02:08 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB942763$
[2008-02-13 14:03:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB943055$
[2007-11-14 13:11:09 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB943460$
[2008-01-09 09:31:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB943485$
[2007-12-12 04:00:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB944653$
[2008-04-09 03:01:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB945553$
[2008-02-13 14:05:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB946026$
[2008-09-15 09:56:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB946648$
[2008-08-13 03:05:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB946648_0$
[2008-04-09 03:02:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB948590$
[2008-04-09 03:02:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB948881$
[2008-05-15 03:01:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950749$
[2008-06-10 15:18:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950760$
[2008-09-15 09:56:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950762$
[2008-06-10 15:18:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950762_0$
[2008-09-15 09:56:56 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950974$
[2008-08-13 03:04:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950974_0$
[2008-09-15 09:57:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951066$
[2008-08-13 03:01:16 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951066_0$
[2008-08-13 03:02:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951072-v2$
[2008-09-15 09:57:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951376$
[2008-09-15 09:57:28 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951376-v2$
[2008-06-20 09:57:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951376-v2_0$
[2008-06-10 15:17:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951376_0$
[2008-09-15 09:57:38 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951698$
[2008-06-10 15:18:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951698_0$
[2008-09-15 09:57:49 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951748$
[2008-07-09 09:25:51 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951748_0$
[2008-09-16 07:15:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951978$
[2008-12-12 04:01:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952069_WM9$
[2008-09-15 09:57:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952287$
[2008-08-13 03:02:35 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952287_0$
[2008-09-15 09:58:09 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952954$
[2008-08-13 03:06:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952954_0$
[2008-08-13 03:05:42 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB953839$
[2008-09-11 03:00:23 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954154_WM11$
[2008-10-15 03:02:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954211$
[2008-11-13 04:01:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954459$
[2008-12-12 04:00:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954600$
[2008-11-13 04:00:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB955069$
[2008-12-12 04:04:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB955839$
[2008-10-15 03:03:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956391$
[2008-12-12 04:00:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956802$
[2008-10-15 03:03:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956803$
[2008-10-15 03:01:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956841$
[2008-10-15 03:03:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB957095$
[2008-11-13 04:01:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB957097$
[2008-10-24 03:00:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958644$
[2013-01-02 14:16:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB968389$
[2013-01-02 14:17:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971029$
[2013-01-02 14:17:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975467$
[2010-02-27 20:44:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975560$
[2010-02-27 20:43:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975713$
[2010-02-27 20:44:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB977914$
[2010-02-27 20:43:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978037$
[2010-02-27 20:43:46 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978251$
[2010-02-27 20:44:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978262$
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\addins
[2008-09-15 10:10:35 | 000,000,000 | ---D | M] -- C:\WINDOWS\AppPatch
[2013-07-31 01:16:16 | 000,000,000 | -HSD | M] -- C:\WINDOWS\assembly
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\Config
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\Connection Wizard
[2013-05-02 00:40:00 | 000,000,000 | -HSD | M] -- C:\WINDOWS\CSC
[2007-09-04 09:16:26 | 000,000,000 | ---D | M] -- C:\WINDOWS\Cursors
[2008-09-15 08:02:50 | 000,000,000 | ---D | M] -- C:\WINDOWS\Debug
[2012-10-23 00:16:36 | 000,000,000 | --SD | M] -- C:\WINDOWS\Downloaded Program Files
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\Driver Cache
[2013-01-05 21:30:45 | 000,000,000 | ---D | M] -- C:\WINDOWS\eBahn
[2008-09-15 09:35:47 | 000,000,000 | ---D | M] -- C:\WINDOWS\ehome
[2013-09-24 22:39:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\erdnt
[2010-10-31 16:11:44 | 000,000,000 | R-SD | M] -- C:\WINDOWS\Fonts
[2013-10-13 19:46:57 | 000,000,000 | ---D | M] -- C:\WINDOWS\Help
[2008-12-19 04:00:28 | 000,000,000 | ---D | M] -- C:\WINDOWS\ie7updates
[2012-10-23 05:52:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\ie8
[2013-01-02 14:17:53 | 000,000,000 | ---D | M] -- C:\WINDOWS\ie8updates
[2008-09-15 09:49:23 | 000,000,000 | ---D | M] -- C:\WINDOWS\ime
[2013-01-05 04:07:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\inf
[2013-10-06 12:00:05 | 000,000,000 | -HSD | M] -- C:\WINDOWS\Installer
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\java
[2008-09-15 09:49:08 | 000,000,000 | ---D | M] -- C:\WINDOWS\l2schemas
[2012-10-23 06:06:48 | 000,000,000 | ---D | M] -- C:\WINDOWS\Media
[2013-09-24 23:11:11 | 000,000,000 | ---D | M] -- C:\WINDOWS\Minidump
[2008-09-15 09:44:41 | 000,000,000 | ---D | M] -- C:\WINDOWS\msagent
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\msapps
[2008-09-15 09:44:42 | 000,000,000 | ---D | M] -- C:\WINDOWS\mui
[2012-10-23 18:40:35 | 000,000,000 | ---D | M] -- C:\WINDOWS\Network Diagnostic
[2007-09-04 09:16:43 | 000,000,000 | ---D | M] -- C:\WINDOWS\Offline Web Pages
[2007-09-04 09:19:03 | 000,000,000 | ---D | M] -- C:\WINDOWS\pchealth
[2008-09-15 09:49:07 | 000,000,000 | ---D | M] -- C:\WINDOWS\PeerNet
[2010-10-31 13:24:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\PIF
[2013-10-16 21:21:24 | 000,000,000 | ---D | M] -- C:\WINDOWS\Prefetch
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\Provisioning
[2011-10-10 22:18:13 | 000,000,000 | ---D | M] -- C:\WINDOWS\pss
[2013-04-06 00:46:34 | 000,000,000 | ---D | M] -- C:\WINDOWS\Registration
[2008-10-10 09:09:35 | 000,000,000 | ---D | M] -- C:\WINDOWS\repair
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\Resources
[2013-07-02 19:23:49 | 000,000,000 | ---D | M] -- C:\WINDOWS\security
[2008-09-15 09:49:37 | 000,000,000 | ---D | M] -- C:\WINDOWS\ServicePackFiles
[2013-09-28 16:22:48 | 000,000,000 | ---D | M] -- C:\WINDOWS\setup.pss
[2007-09-05 11:16:56 | 000,000,000 | ---D | M] -- C:\WINDOWS\ShellNew
[2012-10-23 00:24:35 | 000,000,000 | ---D | M] -- C:\WINDOWS\SoftwareDistribution
[2008-09-15 09:44:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\srchasst
[2007-09-17 12:27:37 | 000,000,000 | ---D | M] -- C:\WINDOWS\Sun
[2008-09-15 09:44:12 | 000,000,000 | ---D | M] -- C:\WINDOWS\system
[2013-10-16 21:23:50 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32
[2013-10-05 12:14:49 | 000,000,000 | --SD | M] -- C:\WINDOWS\Tasks
[2013-10-16 21:23:53 | 000,000,000 | ---D | M] -- C:\WINDOWS\Temp
[2010-01-27 21:37:48 | 000,000,000 | ---D | M] -- C:\WINDOWS\twain_32
[2007-09-04 09:16:44 | 000,000,000 | ---D | M] -- C:\WINDOWS\WBEM
[2007-09-04 09:20:52 | 000,000,000 | R--D | M] -- C:\WINDOWS\Web
[2013-10-05 12:13:33 | 000,000,000 | ---D | M] -- C:\WINDOWS\WinSxS

< %windir%\AppPatch\*.exe >

< %windir%\ShellNew\*.* >
[2000-04-06 12:49:50 | 000,098,304 | ---- | M] () -- C:\WINDOWS\ShellNew\ACCESS9.MDB
[2000-02-06 08:26:28 | 000,011,776 | ---- | M] () -- C:\WINDOWS\ShellNew\EXCEL9.XLS
[1999-03-10 03:41:52 | 000,011,264 | ---- | M] () -- C:\WINDOWS\ShellNew\PWRPNT10.POT
[1997-07-31 20:37:00 | 000,010,752 | ---- | M] () -- C:\WINDOWS\ShellNew\WINWORD8.DOC

< %windir%\installer\*. >
[2007-09-07 09:10:41 | 000,000,000 | -HSD | M] -- C:\WINDOWS\installer\$PatchCache$
[2007-09-06 19:46:03 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\MSN Messenger 8.1.0178
[2008-09-15 09:49:08 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\tsclientmsitrans
[2010-01-27 21:34:06 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}
[2007-09-06 14:32:26 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
[2008-03-30 10:30:42 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{11B5E957-FCF2-469D-AB66-963C38134231}
[2010-10-31 16:12:35 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}
[2012-09-27 21:44:57 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{26A24AE4-039D-4CA4-87B4-2F83216035FF}
[2010-01-27 21:34:51 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}
[2010-10-31 16:09:46 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}
[2007-09-06 19:02:30 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{3248F0A8-6813-11D6-A77B-00B0D0160020}
[2007-11-01 17:54:49 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{3248F0A8-6813-11D6-A77B-00B0D0160030}
[2008-04-01 14:42:12 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{3248F0A8-6813-11D6-A77B-00B0D0160050}
[2008-08-13 07:10:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{3248F0A8-6813-11D6-A77B-00B0D0160070}
[2008-09-19 16:09:55 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}
[2007-09-04 09:23:09 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
[2010-10-31 16:08:05 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{40BF1E83-20EB-11D8-97C5-0009C5020658}
[2012-04-16 20:42:19 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{4FEE3953-CE3D-4D46-8835-2FF0D5F64098}
[2008-09-17 11:10:18 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
[2013-04-11 20:37:09 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{79F370C8-08A0-4B7E-A147-859088771D11}
[2007-09-04 09:30:49 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{7CCEBC24-62DB-4280-A8EC-BFA49F167920}
[2008-11-13 04:00:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
[2008-12-12 04:03:57 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{90280409-6000-11D3-8CFE-0050048383C9}
[2013-07-31 05:34:52 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{AC76BA86-7AD7-1033-7B44-A82000000003}
[2010-10-31 16:11:26 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{B7A0CE06-068E-11D6-97FD-0050BACBF861}
[2007-09-06 14:30:43 | 000,000,000 | ---D | M] -- C:\WINDOWS\installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}

< %windir%\system32\*. >
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1025
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1028
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1031
[2007-09-04 04:58:34 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1033
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1037
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1041
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1042
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\1054
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\2052
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\3076
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\3com_dmi
[2007-09-12 12:39:11 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\appmgmt
[2008-09-15 09:49:07 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\bits
[2013-01-02 14:18:27 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\CatRoot
[2013-10-16 21:09:26 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\CatRoot2
[2008-09-15 09:44:35 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Com
[2007-10-10 07:04:55 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\dhcp
[2007-09-04 09:20:03 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\DirectX
[2013-01-02 14:18:19 | 000,000,000 | RHSD | M] -- C:\WINDOWS\system32\dllcache
[2013-10-14 15:57:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\drivers
[2010-01-16 20:46:13 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\DRVSTORE
[2008-09-15 09:49:07 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\en
[2012-10-23 06:06:48 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\en-us
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\export
[2007-09-28 12:52:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\system32\GroupPolicy
[2007-09-04 09:21:51 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ias
[2007-09-04 04:59:03 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\icsxml
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\IME
[2013-08-03 20:09:45 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\inetsrv
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Macromed
[2008-09-12 16:48:05 | 000,000,000 | --SD | M] -- C:\WINDOWS\system32\Microsoft
[2007-09-04 09:17:14 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\MsDtc
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\mui
[2008-09-15 09:44:43 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\npp
[2013-06-01 09:31:10 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\NtmsData
[2008-09-15 09:44:13 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\oobe
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\PreInstall
[2007-09-04 04:59:09 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ras
[2008-09-15 09:41:14 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups
[2013-09-24 23:12:01 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Restore
[2008-09-15 09:49:09 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\scripting
[2008-09-15 10:10:35 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\Setup
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ShellExt
[2007-09-06 11:03:29 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\SoftwareDistribution
[2007-09-04 09:14:50 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\spool
[2008-09-15 09:49:10 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\usmt
[2008-09-15 10:10:35 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\wbem
[2007-09-04 04:57:39 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\wins
[2007-09-04 09:23:40 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\xircom

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >
[2013-08-30 03:48:11 | 000,029,816 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys
[2013-08-30 03:48:11 | 000,066,336 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswMonFlt.sys
[2013-08-30 03:48:12 | 000,049,760 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswRdr.sys
[2013-08-30 03:48:12 | 000,049,376 | ---- | M] () -- C:\WINDOWS\system32\drivers\aswRvrt.sys
[2013-08-30 03:48:12 | 000,770,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswSnx.sys
[2013-08-30 03:48:13 | 000,369,584 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswSP.sys
[2013-08-30 03:48:13 | 000,056,080 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswTdi.sys
[2013-08-30 03:48:13 | 000,177,864 | ---- | M] () -- C:\WINDOWS\system32\drivers\aswVmm.sys

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %SYSTEMDRIVE%\*. /rp /s >

< %systemroot%\assembly\tmp\*.* /S /MD5 >

< %systemroot%\assembly\temp\*.* /S /MD5 >

< %systemroot%\assembly\GAC\*.ini >

< %systemroot%\assembly\GAC_32\*.ini >

< %SystemRoot%\assembly\GAC_MSIL\*.ini >

< wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn >

< %systemdrive%\$Recycle.Bin|@;true;true;true /fp >

< HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s >
"" = PSFactoryBuffer
[HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemsvc.dll -- [2008-04-13 20:12:08 | 000,043,520 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s >
"" = Microsoft WBEM New Event Subsystem
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008-04-13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s >
"" = Microsoft WBEM New Event Subsystem
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008-04-13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s >
"" = MruPidlList
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008-04-13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s >
"" = Start Menu Pin
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\InProcServer32]
"" = %SystemRoot%\system32\SHELL32.dll -- [2009-07-27 19:17:41 | 008,461,824 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s >
"" = PSFactoryBuffer
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemsvc.dll -- [2008-04-13 20:12:08 | 000,043,520 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s >
"" = Microsoft WBEM _WbemFetchRefresherMgr Proxy Helper
[HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2008-04-13 20:11:53 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

< HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s >
"" = ShellFolder for CD Burning
[HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"" = %SystemRoot%\system32\SHELL32.dll -- [2009-07-27 19:17:41 | 008,461,824 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\MergedFolder]
"Attributes" = 0x0
"AttributeMask" = 0xffffffff
"Location" = @shell32.dll,-12589 -- [2009-07-27 19:17:41 | 008,461,824 | ---- | M] (Microsoft Corporation)
"ConflictOverlayIcon" = %SystemRoot%\system32\SHELL32.dll,-232 -- [2009-07-27 19:17:41 | 008,461,824 | ---- | M] (Microsoft Corporation)

< HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s >
"" = Microsoft WBEM _WbemFetchRefresherMgr Proxy Helper
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2008-04-13 20:11:53 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor /s >
"CompletionChar" = 64
"DefaultColor" = 0
"EnableExtensions" = 1
"PathCompletionChar" = 64
"DelayedExpansion" = 0

< HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s >

< HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s >

< HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s >

< HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s >

< HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s >

< HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s >

< HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s >

< HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s >

< HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s >
[HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\FileSystem]
"" = {217FC9C0-3AEA-1069-A2DB-08002B30309D}
[HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\MyDocuments]
"" = {ECF03A33-103D-11d2-854D-006008059367}
[HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\Sharing]
"" = {40dd6e20-7c17-11ce-a804-00aa003ca9f6}

< HKEY_CLASSES_ROOT\Directory\Shellex\CopyHookHandlers\MSCopy /s >

< HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s >
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystem]
"" = {217FC9C0-3AEA-1069-A2DB-08002B30309D}
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\MyDocuments]
"" = {ECF03A33-103D-11d2-854D-006008059367}
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\Sharing]
"" = {40dd6e20-7c17-11ce-a804-00aa003ca9f6}

< HKEY_CURRENT_USER\Software\MSOLoad /s >

< type C:\WINDOWS\system.ini >> test.txt /c >
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

< type c:\diskreport.txt /c >
Microsoft DiskPart version 5.1.3565
Copyright © 1999-2003 Microsoft Corporation.
On computer: SHOP
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     E                       CD-ROM          0 B
  Volume 1     F                       DVD-ROM         0 B
  Volume 2     C   Local Disk   NTFS   Partition     17 GB  Healthy    System
  Volume 3     D   New Volume   NTFS   Partition     20 GB  Healthy

< MD5 for: AFD.SYS >
[2008-04-13 15:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2008-04-13 15:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2008-08-14 06:34:26 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=4D43E74F2A1239D53929B82600F1971C -- C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2004-08-03 18:14:16 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys
[2008-08-14 06:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\system32\dllcache\afd.sys
[2008-08-14 06:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\system32\drivers\afd.sys
[2008-06-20 07:48:03 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=D6EE6014241D034E63C49A50CB2B442A -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008-06-20 06:44:08 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=D99DDFFB33DEACDCF20717CB520379F6 -- C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2008-06-20 07:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
[2008-06-20 07:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$NtUninstallKB956803$\afd.sys

< MD5 for: ATAPI.SYS >
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008-04-14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\XP\I386\sp3.cab:atapi.sys
[2008-04-13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004-08-03 17:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2008-04-14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\XP\I386\sp3.cab:disk.sys
[2004-08-03 17:59:56 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008-04-13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008-04-13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008-04-13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008-04-13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004-08-03 19:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008-04-13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008-04-13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007-06-13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2007-07-22 07:31:34 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=DF3F40C1C0C4EA6BFD4CFACD4CB18BF1 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: FASTFAT.SYS >
[2004-08-03 18:14:18 | 000,143,360 | ---- | M] (Microsoft Corporation) MD5=3117F595E9615E04F05A54FC15A03B20 -- C:\WINDOWS\$NtServicePackUninstall$\fastfat.sys
[2008-04-13 15:14:29 | 000,143,744 | ---- | M] (Microsoft Corporation) MD5=38D332A6D56AF32635675F132548343E -- C:\WINDOWS\ServicePackFiles\i386\fastfat.sys
[2008-04-13 15:14:29 | 000,143,744 | ---- | M] (Microsoft Corporation) MD5=38D332A6D56AF32635675F132548343E -- C:\WINDOWS\system32\drivers\fastfat.sys

< MD5 for: I8042PRT.SYS >
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:i8042prt.sys
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:i8042prt.sys
[2008-04-14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\XP\I386\sp3.cab:i8042prt.sys
[2008-04-13 15:18:00 | 000,052,480 | ---- | M] (Microsoft Corporation) MD5=4A0B06AA8943C1E332520F7440C0AA30 -- C:\WINDOWS\ServicePackFiles\i386\i8042prt.sys
[2008-04-13 15:18:00 | 000,052,480 | ---- | M] (Microsoft Corporation) MD5=4A0B06AA8943C1E332520F7440C0AA30 -- C:\WINDOWS\system32\drivers\i8042prt.sys
[2004-08-03 18:14:38 | 000,052,736 | ---- | M] (Microsoft Corporation) MD5=5502B58EEF7486EE6F93F3F164DCB808 -- C:\WINDOWS\$NtServicePackUninstall$\i8042prt.sys

< MD5 for: IMAPI.SYS >
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:imapi.sys
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:imapi.sys
[2008-04-14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\XP\I386\sp3.cab:imapi.sys
[2008-04-13 14:40:58 | 000,042,112 | ---- | M] (Microsoft Corporation) MD5=083A052659F5310DD8B6A6CB05EDCF8E -- C:\WINDOWS\ServicePackFiles\i386\imapi.sys
[2008-04-13 14:40:58 | 000,042,112 | ---- | M] (Microsoft Corporation) MD5=083A052659F5310DD8B6A6CB05EDCF8E -- C:\WINDOWS\system32\drivers\imapi.sys
[2007-07-22 07:14:10 | 000,041,984 | ---- | M] (Microsoft Corporation) MD5=12C59B8929121ACE2F55ACC86682CF12 -- C:\WINDOWS\$NtServicePackUninstall$\imapi.sys

< MD5 for: IPSEC.SYS >
[2008-04-13 15:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-04-13 15:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\drivers\ipsec.sys
[2004-08-03 18:14:30 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=64537AA5C003A6AFEEE1DF819062D0D1 -- C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys

< MD5 for: KBDCLASS.SYS >
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:kbdclass.sys
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:kbdclass.sys
[2008-04-14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\XP\I386\sp3.cab:kbdclass.sys
[2008-04-13 14:39:47 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=463C1EC80CD17420A542B7F36A36F128 -- C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys
[2008-04-13 14:39:47 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=463C1EC80CD17420A542B7F36A36F128 -- C:\WINDOWS\system32\drivers\kbdclass.sys
[2004-08-03 17:58:34 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=EBDEE8A2EE5393890A1ACEE971C4C246 -- C:\WINDOWS\$NtServicePackUninstall$\kbdclass.sys

< MD5 for: LSASS.EXE >
[2004-08-03 19:56:52 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=84885F9B82F4D55C6146EBF6065D75D2 -- C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
[2008-04-13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=BF2466B3E18E970D8A976FB95FC1CA85 -- C:\WINDOWS\ServicePackFiles\i386\lsass.exe
[2008-04-13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=BF2466B3E18E970D8A976FB95FC1CA85 -- C:\WINDOWS\system32\lsass.exe

< MD5 for: MOUCLASS.SYS >
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:mouclass.sys
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:mouclass.sys
[2008-04-14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\XP\I386\sp3.cab:mouclass.sys
[2007-08-09 15:49:12 | 000,023,040 | ---- | M] (Microsoft Corporation) MD5=34E1F0031153E491910E12551400192C -- C:\WINDOWS\$NtServicePackUninstall$\mouclass.sys
[2008-04-13 14:39:47 | 000,023,040 | ---- | M] (Microsoft Corporation) MD5=35C9E97194C8CFB8430125F8DBC34D04 -- C:\WINDOWS\ServicePackFiles\i386\mouclass.sys
[2008-04-13 14:39:47 | 000,023,040 | ---- | M] (Microsoft Corporation) MD5=35C9E97194C8CFB8430125F8DBC34D04 -- C:\WINDOWS\system32\drivers\mouclass.sys

< MD5 for: MOUHID.SYS >
[2007-08-09 15:49:12 | 000,012,160 | ---- | M] (Microsoft Corporation) MD5=B1C303E17FB9D46E87A98E4BA6769685 -- C:\WINDOWS\system32\drivers\mouhid.sys

< MD5 for: NETBT.SYS >
[2004-08-03 18:14:38 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\$NtServicePackUninstall$\netbt.sys
[2008-04-13 15:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2008-04-13 15:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\drivers\netbt.sys

< MD5 for: NETLOGON.DLL >
[2008-04-13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008-04-13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004-08-03 19:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: REDBOOK.SYS >
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:redbook.sys
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:redbook.sys
[2008-04-14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\XP\I386\sp3.cab:redbook.sys
[2004-08-03 18:59:38 | 000,057,472 | ---- | M] (Microsoft Corporation) MD5=B31B4588E4086D8D84ADBF9845C2402B -- C:\WINDOWS\$NtServicePackUninstall$\redbook.sys
[2008-04-13 14:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\ServicePackFiles\i386\redbook.sys
[2008-04-13 14:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\system32\drivers\redbook.sys

< MD5 for: SCECLI.DLL >
[2004-08-03 19:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008-04-13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008-04-13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SERIAL.SYS >
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:serial.sys
[2008-09-15 09:35:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:serial.sys
[2008-04-14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\XP\I386\sp3.cab:serial.sys
[2008-04-13 15:15:45 | 000,064,512 | ---- | M] (Microsoft Corporation) MD5=CCA207A8896D4C6A0C9CE29A4AE411A7 -- C:\WINDOWS\ServicePackFiles\i386\serial.sys
[2008-04-13 15:15:45 | 000,064,512 | ---- | M] (Microsoft Corporation) MD5=CCA207A8896D4C6A0C9CE29A4AE411A7 -- C:\WINDOWS\system32\drivers\serial.sys
[2004-08-03 18:15:54 | 000,064,896 | ---- | M] (Microsoft Corporation) MD5=CD9404D115A00D249F70A371B46D5A26 -- C:\WINDOWS\$NtServicePackUninstall$\serial.sys

< MD5 for: SERVICES.EXE >
[2008-04-13 20:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2008-04-13 20:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\system32\services.exe
[2004-08-03 19:56:56 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SMSS.EXE >
[2008-04-14 05:42:40 | 000,470,016 | ---- | M] (Microsoft Corporation) MD5=3C3393C92A73A3006C7B706DAC54A812 -- C:\XP\I386\SYSTEM32\SMSS.EXE
[2008-04-13 20:12:36 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=5F816C1F539266D2D4C78694239DA0B5 -- C:\WINDOWS\ServicePackFiles\i386\smss.exe
[2008-04-13 20:12:36 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=5F816C1F539266D2D4C78694239DA0B5 -- C:\WINDOWS\system32\smss.exe
[2004-08-03 19:56:58 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=BD7FB0957C716F1A60333AEE04DE2178 -- C:\WINDOWS\$NtServicePackUninstall$\smss.exe
[2001-08-23 08:00:00 | 000,469,504 | ---- | M] (Microsoft Corporation) MD5=C37F36D08F06A7B0CAF8C1EE9E4079A3 -- C:\cmdcons\system32\smss.exe

< MD5 for: SVCHOST.EXE >
[2008-04-13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008-04-13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004-08-03 19:56:58 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2013-04-04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: TCPIP.SYS >
[2007-10-30 12:53:32 | 000,360,832 | ---- | M] (Microsoft Corporation) MD5=64798ECFA43D78C7178375FCDD16D8C8 -- C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
[2008-06-20 06:44:42 | 000,360,960 | ---- | M] (Microsoft Corporation) MD5=744E57C99232201AE98C49168B918F48 -- C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
[2008-04-13 15:20:16 | 000,361,344 | ---- | M] (Microsoft Corporation) MD5=93EA8D04EC73A85DB02EB8805988F733 -- C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
[2008-04-13 15:20:16 | 000,361,344 | ---- | M] (Microsoft Corporation) MD5=93EA8D04EC73A85DB02EB8805988F733 -- C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
[2008-06-20 07:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[2008-06-20 07:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\system32\dllcache\tcpip.sys
[2008-06-20 07:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\system32\drivers\tcpip.sys
[2008-06-20 07:59:02 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=AD978A1B783B5719720CFF204B666C8E -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[2007-07-22 07:16:38 | 000,360,704 | ---- | M] (Microsoft Corporation) MD5=E6B15BCC470953E600EF7ADED3CAB142 -- C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys

< MD5 for: USERINIT.EXE >
[2004-08-03 19:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008-04-13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008-04-13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: VOLSNAP.SYS >
[2008-04-13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008-04-13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004-08-03 18:00:18 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004-08-03 19:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2013-04-04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008-04-13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008-04-13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Administrator\Desktop\ComboFix.exe:SummaryInformation

< End of report >

And Extras.txt

OTL Extras logfile created on: 16-10-13 21:32:11 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: dd-MM-yy

255.53 Mb Total Physical Memory | 124.43 Mb Available Physical Memory | 48.69% Memory free
619.40 Mb Paging File | 342.25 Mb Available in Paging File | 55.26% Paging File free
Paging file location(s): D:\pagefile.sys 2 1000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 17.30 Gb Total Space | 7.60 Gb Free Space | 43.96% Space Free | Partition Type: NTFS
Drive D: | 19.97 Gb Total Space | 16.74 Gb Free Space | 83.84% Space Free | Partition Type: NTFS

Computer Name: SHOP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}" = ScanSoft PaperPort 11
"{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1" = MiniTool Partition Wizard Home Edition 7.6.1
"{08231A62-7918-4663-AC9F-89D7E40DBBA5}" = ZoneAlarm Firewall
"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = Lizardtech DjVu Control
"{11B5E957-FCF2-469D-AB66-963C38134231}" = Bluesoleil2.6.0.1 Release 070402
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = LG Power Tools
"{26A24AE4-039D-4CA4-87B4-2F83216035FF}" = Java™ 6 Update 35
"{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 9
"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
"{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = LG CyberLink PowerDVD
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = LG CyberLink Power2Go
"{49672EC2-171B-47B4-8CE7-50D7806360D7}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4FEE3953-CE3D-4D46-8835-2FF0D5F64098}" = ImpôtRapide 2011
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{6BF66AED-3EA4-4106-B240-5CE96C9B76B0}" = Brother MFL-Pro Suite MFC-295CN
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{79F370C8-08A0-4B7E-A147-859088771D11}" = ImpôtRapide 2012
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D316F3C-73D0-4334-B784-B3F3FE8F46D1}" = ZoneAlarm Security
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.0
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = LG CyberLink PowerProducer
"{D0619FF1-9960-4A21-B45F-7F77A8CD0E66}" = Brother MFC-295CN
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{DB75941E-30C4-4D97-B000-D17C764B998C}" = Brother BRAdmin Light 1.17.0002
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"eBahn Reader" = eBahn® Reader
"GrabIt_is1" = GrabIt 1.7.1 Beta (build 960)
"ie8" = Windows Internet Explorer 8
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = LG Power Tools
"InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = LG CyberLink PowerDVD
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = LG CyberLink Power2Go
"InstallShield_{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = LG CyberLink PowerProducer
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"Pegasus Mail" = Pegasus Mail
"SiS7012" = SiS Audio Driver
"Windows Live Toolbar" = Windows Live Toolbar
"Windows XP Service Pack" = Windows XP Service Pack 3
"ZoneAlarm Free Firewall" = ZoneAlarm Free Firewall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1801674531-1993962763-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 13-10-13 23:34:31 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:34:31.939]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:35:01 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:35:01.972]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:35:32 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:35:32.006]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:36:02 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:36:02.039]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:36:32 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:36:32.062]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:37:02 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:37:02.085]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:37:32 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:37:32.108]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:38:02 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:38:02.132]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:38:32 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:38:32.155]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

Error - 13-10-13 23:39:02 | Computer Name = SHOP | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/10/13 23:39:02.178]: [00001024]: GetDeviceIpAddress:
GetAddressByName [BRN001BA916F511] Error

[ System Events ]
Error - 14-10-13 08:07:09 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 14-10-13 12:35:25 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 14-10-13 12:57:11 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 14-10-13 17:59:38 | Computer Name = SHOP | Source = Service Control Manager | ID = 7034
Description = The Service Google Update (gupdate) service terminated unexpectedly.
It has done this 1 time(s).

Error - 14-10-13 20:06:46 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 14-10-13 21:51:37 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 15-10-13 19:35:33 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 15-10-13 20:10:36 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 16-10-13 19:39:34 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 16-10-13 21:06:51 | Computer Name = SHOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060


< End of report >

#11 gaup 1150

gaup 1150
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:31 PM

Posted 16 October 2013 - 10:11 PM

Do not know what happened there.
Here are the two report files zipped.

#12 B-boy/StyLe/

  • Malware Response Team

Posted 17 October 2013 - 07:39 AM

Hi,

Thank you for the logs. I need to check a few things and will reply later today.

Regards,

Georgi

#13 B-boy/StyLe/

  • Malware Response Team

Posted 17 October 2013 - 04:08 PM

Hi,

We need to run an OTL Fix.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Quote"

    :OTL
    IE - HKU\S-1-5-21-1801674531-1993962763-1957994488-500\..\SearchScopes,DefaultScope = {28B6BA2B-307F-42F5-9FBE-0F4D9EE53D00}
    [2013-07-31 01:15:47 | 000,000,000 | ---D | M] -- C:\recycler\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\   \   \๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\L
    [2013-09-24 22:40:44 | 000,000,000 | ---D | M] -- C:\recycler\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\   \   \๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\U
    [2013-10-05 12:33:14 | 000,000,000 | -HSD | M] -- C:\RECYCLER
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Administrator\Desktop\ComboFix.exe:SummaryInformation
    :files
    type C:\QooBox\ComboFix-quarantined-files.txt >> test.txt /c
    dir /s /a "C:\TDSSKiller_Quarantine" /c
    C:\Documents and Settings\Administrator\Local Settings\Temp\*.*
    C:\Documents and Settings\All Users\Application Data\Temp\*.*
    :commands
    [emptytemp]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.

Also please download TDSSQlook and save it to your desktop.

Right click on it and extract the content to the desktop.

Run the file TDSSQlook.exe.
It will open and you will see three options.

Type A and press Enter.
A log will be produced named TDSSQ.txt.

Please post the content in your next reply.

Regards,

Georgi

#14 gaup 1150


Posted 17 October 2013 - 07:50 PM

Hello.

Here is the OTL log file.

All processes killed
========== OTL ==========
HKEY_USERS\S-1-5-21-1801674531-1993962763-1957994488-500\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Folder C:\recycler\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\L\ not found.
Folder C:\recycler\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\U\ not found.
Folder move failed. C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮ﯹ๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\U scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮ﯹ๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\L scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮ﯹ๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694} scheduled to be moved on reboot.
C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮ﯹ๛ folder moved successfully.
Folder move failed. C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1 scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500 scheduled to be moved on reboot.
C:\RECYCLER folder moved successfully.
Unable to delete ADS C:\Documents and Settings\Administrator\Desktop\ComboFix.exe:SummaryInformation .
========== FILES ==========
< type C:\QooBox\ComboFix-quarantined-files.txt >> test.txt /c >
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
< dir /s /a "C:\TDSSKiller_Quarantine" /c >
Volume in drive C is Local Disk
Volume Serial Number is E3A7-9BF0
Directory of C:\TDSSKiller_Quarantine
06-10-13 00:32 <DIR> .
06-10-13 00:32 <DIR> ..
06-10-13 00:32 <DIR> 06.10.2013_00.22.33
0 File(s) 0 bytes
Directory of C:\TDSSKiller_Quarantine\06.10.2013_00.22.33
06-10-13 00:32 <DIR> .
06-10-13 00:32 <DIR> ..
06-10-13 00:32 <DIR> susp0000
0 File(s) 0 bytes
Directory of C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000
06-10-13 00:32 <DIR> .
06-10-13 00:32 <DIR> ..
06-10-13 00:32 112 object.ini
06-10-13 00:32 <DIR> svc0000
1 File(s) 112 bytes
Directory of C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\svc0000
06-10-13 00:32 <DIR> .
06-10-13 00:32 <DIR> ..
06-10-13 00:32 268 object.ini
06-10-13 00:32 62 336 tsk0000.dta
06-10-13 00:32 236 tsk0000.ini
3 File(s) 62 840 bytes
Total Files Listed:
4 File(s) 62 952 bytes
11 Dir(s) 8 109 101 056 bytes free
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\AdobeARM.log moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\BIT1A.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\edb0_appcompat.txt moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\{146F1089-E26C-4D08-A704-39C118F64B91}-GoogleUpdateSetup.exe moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDD53.tmp moved successfully.
File\Folder C:\Documents and Settings\All Users\Application Data\Temp\*.* not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Java cache emptied: 2242908 bytes
->FireFox cache emptied: 86994380 bytes
->Flash cache emptied: 3505 bytes

User: Administrator.COMPUTER
->Temp folder emptied: 31156161 bytes
->Flash cache emptied: 566 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes

User: User
->Temp folder emptied: 125531 bytes
->FireFox cache emptied: 3249582 bytes
->Flash cache emptied: 405 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4285212 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 818968 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 306024347 bytes

Total Files Cleaned = 417.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10172013_201640

Files\Folders moved on Reboot...
File\Folder C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮ﯹ๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\U not found!
File\Folder C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮ﯹ๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694}\L not found!
File\Folder C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ \‮ﯹ๛\{c27bb8e7-0546-f9a3-d207-028f6e6e4694} not found!
File\Folder C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ \ not found!
File\Folder C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1\ not found!
File\Folder C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500\Dc1 not found!
C:\RECYCLER\S-1-5-21-1801674531-1993962763-1957994488-500 folder moved successfully.
File\Folder C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Here is the TDSSQ.txt file.


TDSSKiller Quarantine Information log
TDSS Qlook Version 1.0.0.5 - Administrator - 17-10-13 - 20:32:25.48.
Microsoft Windows XP Professional 5.1.2600 Service Pack 3
***** START SCAN 17-10-13 20:32:27.54 *****

---------- TDSSKiller logs ----------

TDSSKiller.2.8.16.0_06.10.2013_00.22.31_log.txt
TDSSKiller.2.8.16.0_13.10.2013_18.29.27_log.txt
TDSSKiller.2.8.16.0_13.10.2013_18.34.06_log.txt
TDSSKiller.2.8.16.0_14.10.2013_12.54.06_log.txt
TDSSKiller.2.8.16.0_14.10.2013_12.56.08_log.txt
TDSSKiller.2.8.16.0_29.09.2013_15.26.09_log.txt
TDSSKiller.2.8.16.0_29.09.2013_21.59.41_log.txt
TDSSKiller.2.8.16.0_29.09.2013_22.04.50_log.txt

---------- TDSSStarter logs ----------


---------- DIR LIST ----------

C:\TDSSKiller_Quarantine\06.10.2013_00.22.33
C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000
C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\object.ini
C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\svc0000
C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\svc0000\tsk0000.dta
C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\svc0000\object.ini
C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\svc0000\tsk0000.ini

---------- INI FILES ----------

=== C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\svc0000\object.ini

[InfectedObject]
Type: Service
Name: rspndr
Type: Kernel driver (0x1)
Start: Auto (0x2)
ImagePath: system32\DRIVERS\rspndr.sys


=== C:\TDSSKiller_Quarantine\06.10.2013_00.22.33\susp0000\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\DRIVERS\rspndr.sys
md5: 0E11B35E972796042044BC27CE13B065


***** END SCAN 17-10-13 20:32:28.12 *****


Thursday 20:48 -5 GMT
Pierre.
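The OTL script and log above target ZeroAccess folders under C:\RECYCLER whose names are whitespace-only or begin with a RIGHT-TO-LEFT OVERRIDE character (the "‮ﯹ๛" component), which is why a normal directory listing and file search behave strangely. As an added example that is not part of this thread and not OTL's own code, the Python below pulls paths out of OTL-style log lines and flags such components; the sample lines are constructed from the log above with the SID and GUID shortened.

```python
# Added example: flag path components that use the naming tricks seen in the
# ZeroAccess RECYCLER folders (whitespace-only names, invisible format chars).
import re
import unicodedata

# Constructed sample, shaped like the OTL log in this thread (SID/GUID shortened).
SAMPLE_OTL_LOG = (
    "Folder move failed. C:\\RECYCLER\\S-1-5-21-111-500\\Dc1\\ \\ \\"
    "\u202e\ufbf9\u0e5b\\{c27bb8e7-0546}\\U scheduled to be moved on reboot.\n"
    "File\\Folder C:\\WINDOWS\\temp\\_avast_\\Webshlock.txt not found!\n"
    "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\AdobeARM.log"
    " moved successfully.\n"
)

# A path is a drive letter followed (lazily) by anything up to an OTL status phrase.
_STATUS = r"scheduled to be moved|not found|folder moved|moved successfully|deleted successfully"
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)(?=\s+(?:%s))" % _STATUS)

def check_path(path):
    """Return a list of (component, reason) for every suspicious path component."""
    findings = []
    for comp in path.split("\\"):
        if comp == "":
            continue                      # trailing backslash or drive root
        if comp.strip() == "":
            findings.append((comp, "whitespace-only name"))
            continue
        for ch in comp:
            # Cf = Unicode 'format' characters: RLO/LRO, zero-width chars, etc.
            if unicodedata.category(ch) == "Cf":
                findings.append((comp, "format char U+%04X (%s)" % (ord(ch), unicodedata.name(ch, "?"))))
                break
    return findings

def scan_otl_log(text):
    """Map each path mentioned in an OTL log to its findings, keeping only hits."""
    hits = {}
    for line in text.splitlines():
        for m in PATH_RE.finditer(line):
            findings = check_path(m.group(1))
            if findings:
                hits[m.group(1)] = findings
    return hits

if __name__ == "__main__":
    for path, findings in scan_otl_log(SAMPLE_OTL_LOG).items():
        print(repr(path))
        for comp, reason in findings:
            print("   %r: %s" % (comp, reason))
```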

#15 gaup 1150


Posted 17 October 2013 - 08:01 PM

Hello Again.
Weird, all backward again. Here are the 2 files attached.
