

Virus regenerated


This topic is locked
9 replies to this topic

#1 Marnel (Members, 52 posts; Philippines)

Posted 19 October 2014 - 01:45 PM

DDS Scan:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.67.2
Run by admin at 2:43:55 on 2014-10-26
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1789.1153 [GMT 8:00]
.
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WSE_Astromenda\BRS\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\PennyBee\PennyBee.exe
C:\Program Files\PennyBee\PennyBeeW.exe
C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\tsxb.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\wineukxpb.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://astromenda.com/?f=1&a=ast_ir_14_36_ch&cd=2XzuyEtN2Y1L1QzutDtDzytD0FyDzy0EyCyE0A0CyC0DyC0BtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0CyEzy0ByB0CzztGyCyE0E0FtG0FtDtCtCtGtDtB0A0EtGtDtDtDtAyEyE0C0EzytA0F0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCyEyCtC0C0FtBtAtGtC0B0A0DtGyEyCyDzztGzztB0CzytGzy0B0C0CyDyC0AyCyEyD0B0E2Q&cr=233662480&ir=
uInternet Connection Wizard,ShellNext = hxxps://www.mozilla.org/en-US/firefox/installer-help/?channel=release&installer_lang=en-US
uSearchAssistant = hxxp://www.google.com
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [GarenaPlus] "c:\program files\garena plus\GarenaMessenger.exe" -autolaunch
uRun: [BRS] c:\program files\wse_astromenda\brs\brs.exe -runBRS
uRun: [KakaoTalk] "c:\program files\kakao\kakaotalk\KakaoTalk.exe" -bystartup
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - hxxps://www.e-games.com.ph/com/EGamesPlugin.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{A5942F0D-40C2-432B-A509-84FF2E463798} : DHCPNameServer = 192.168.254.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.104\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\ft4xboq3.default-1398210631046\
FF - prefs.js: browser.startup.homepage - hxxp://astromenda.com/?f=1&a=ast_ir_14_36_ch&cd=2XzuyEtN2Y1L1QzutDtDzytD0FyDzy0EyCyE0A0CyC0DyC0BtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0CyEzy0ByB0CzztGyCyE0E0FtG0FtDtCtCtGtDtB0A0EtGtDtDtDtAyEyE0C0EzytA0F0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCyEyCtC0C0FtBtAtGtC0B0A0DtGyEyCyDzztGzztB0CzytGzy0B0C0CyDyC0AyCyEyD0B0E2Q&cr=233662480&ir=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\admin\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\garena plus\bbtalk\plugins\npplugin\npGarenaTalkPlugin.dll
FF - plugin: c:\program files\google\update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1200112.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: c:\windows\system32\macromed\authorwa\np32asw.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_14_0_0_179.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-2-20 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-2-20 180248]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2014-2-20 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-2-20 775952]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2014-2-20 67824]
R2 PennyBee;PennyBee service;c:\program files\pennybee\PennyBee.exe [2014-8-18 57856]
R2 TeamViewer9;TeamViewer 9;c:\program files\teamviewer\version9\TeamViewer_Service.exe [2014-9-12 5052224]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\ikqnhr.sys --> c:\windows\system32\drivers\ikqnhr.sys [?]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2014-2-14 148208]
S1 BAPIDRV;BAPIDRV;c:\windows\system32\drivers\bapidrv.sys --> c:\windows\system32\drivers\BAPIDRV.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2014-2-14 1691480]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys --> c:\windows\system32\drivers\ewusbdev.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-2-20 410784]
.
=============== Created Last 30 ================
.
2014-10-21 00:27:35 -------- d-----w- C:\TouchDefence
2014-10-20 21:16:05 -------- d-----w- c:\documents and settings\admin\application data\.minecraft
2014-10-19 22:15:45 103140 --sh--r- C:\pofq.pif
2014-10-18 14:33:59 -------- d-sh--w- c:\documents and settings\admin\IECompatCache
2014-10-17 18:16:14 -------- d-----w- C:\Horrible Bosses (2011)
2014-10-17 18:12:28 -------- d-----w- C:\Sex Tape (2014)
2014-10-17 18:05:15 -------- d-----w- C:\Lucy (2014) 720p HDRip HC x264 AAC-CPG
2014-10-17 18:01:56 -------- d-----w- C:\Edge of Tomorrow (2014)
2014-10-13 19:23:15 -------- d-----w- c:\program files\OpenDownloaderManager
2014-10-11 19:00:50 -------- d-----w- C:\SAO
2014-10-07 08:07:58 -------- d-----w- c:\documents and settings\all users\application data\Western Digital
.
==================== Find3M  ====================
.
2014-10-06 03:14:45 291075 ------w- c:\windows\Setup1.exe
2014-10-06 03:14:44 80131 ----a-w- c:\windows\ST6UNST.EXE
2014-09-11 21:38:47 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-09-11 21:38:46 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-09-10 00:18:17 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-10 00:18:17 699568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-07 12:28:14 38400 ----a-w- c:\windows\pchealth\uploadlb\Gallery                                                             .scr
2014-09-07 12:28:12 38400 ----a-w- c:\windows\pchealth\uploadlb\Lagu - Server                                                             .scr
2014-09-07 12:28:09 38400 ----a-w- c:\windows\pchealth\uploadlb\Love Song                                                             .scr
2014-09-07 12:28:06 38400 ----a-w- c:\windows\pchealth\uploadlb\THe Best Ungu                                                             .scr
2014-09-07 12:28:04 38400 ----a-w- c:\windows\pchealth\uploadlb\Windows Vista setup                                                             .scr
2014-08-19 10:10:55 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2008-04-14 04:42:02 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
.
============= FINISH:  2:44:36.45 ===============
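Added example, not part of the BleepingComputer thread or of DDS itself: a small Python triage script that encodes a few of the checks a malware-response helper makes by eye on a DDS log like the one above (executables running from a per-user Temp directory, the AV line reporting the product disabled, EnableLUA set to 0, services or drivers whose file DDS marked "[?]", non-directory entries carrying both the System and Hidden attributes, and executables whose names are padded with spaces so the real extension scrolls out of view). The rule names are this example's own, and the sample lines are constructed to resemble the posted log rather than copied from it.

```python
"""Heuristic triage of DDS-style log lines.

Added example, not part of the BleepingComputer thread. Rule names are
this example's own; the sample lines below are constructed to resemble
the posted log.
"""
import re

# A path component named Temp or Tmp, e.g. C:\DOCUME~1\admin\LOCALS~1\Temp\
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# DDS "Created Last 30" / "Find3M" entries: date time size attrs path
# (size is "--------" for directories; attrs is an 8-character flag field)
FILE_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-+) ([-a-z]{8}) (.+)$",
    re.IGNORECASE,
)

# DDS service/driver entries: "R3 name;description;path [date size]"
SERVICE_LINE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")

# A run of 5+ spaces immediately before an executable extension
PADDED_EXT_RE = re.compile(r"\S {5,}\.(scr|exe|pif|com|bat)$", re.IGNORECASE)


def triage(lines):
    """Return a list of (rule, line) findings for the given DDS log lines."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        low = line.lower()

        # Running process whose image lives under a Temp directory
        if low.startswith("c:\\") and low.endswith(".exe") and TEMP_DIR_RE.search(line):
            findings.append(("process_in_temp", line))
            continue

        # DDS AV status line reporting the product disabled or outdated
        if low.startswith("av:") and ("*disabled" in low or "outdated*" in low):
            findings.append(("av_disabled", line))
            continue

        # EnableLUA=0 turns UAC off (no effect on XP, but a signal on Vista+)
        if "enablelua = dword:0" in low:
            findings.append(("uac_disabled", line))
            continue

        m = SERVICE_LINE_RE.match(line)
        if m:
            # DDS prints "[?]" in place of date/size when it cannot read the file
            if m.group(4).rstrip().endswith("[?]"):
                findings.append(("service_file_unverified", line))
            continue

        m = FILE_LINE_RE.match(line)
        if m:
            attrs, path = m.group(4).lower(), m.group(5)
            is_dir = attrs.startswith("d")
            # Non-directory carrying both the System and Hidden attributes
            if not is_dir and "s" in attrs and "h" in attrs:
                findings.append(("hidden_system_file", line))
            # "Gallery<many spaces>.scr" pushes the extension out of view
            if PADDED_EXT_RE.search(path):
                findings.append(("padded_extension", line))
            continue
    return findings


# Constructed sample, modeled on the log posted above (not the real log)
SAMPLE_LOG = r"""
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\tsxb.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\wineukxpb.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
mPolicies-System: EnableLUA = dword:0
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-2-20 49944]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\ikqnhr.sys --> c:\windows\system32\drivers\ikqnhr.sys [?]
2014-10-21 00:27:35 -------- d-----w- C:\TouchDefence
2014-10-19 22:15:45 103140 --sh--r- C:\pofq.pif
2014-10-18 14:33:59 -------- d-sh--w- c:\documents and settings\admin\IECompatCache
2014-09-07 12:28:14 38400 ----a-w- c:\windows\pchealth\uploadlb\Gallery                    .scr
2014-09-11 21:38:47 96680 ----a-w- c:\windows\system32\javacpl.cpl
2008-04-14 04:42:02 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
""".strip("\n").splitlines()


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line}")
```

The rules are deliberately noisy: a legitimate driver whose file DDS could not stat also gets a "service_file_unverified" hit, and a vendor DLL with System+Hidden attributes gets a "hidden_system_file" hit. The point is to pull those lines out of a 150-line log for a human to look at, not to decide by itself what is malware; run it on a saved DDS.txt by replacing SAMPLE_LOG with the file's lines.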
 



#2 xXToffeeXx (Bleepin' Polar Bear; Malware Response Instructor, 6,078 posts; The Arctic Circle)

Posted 19 October 2014 - 01:49 PM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to, as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

==========================
 
Hi Marnel,
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 



#3 Marnel (Topic Starter; Members, 52 posts; Philippines)

Posted 19 October 2014 - 02:13 PM

Hey Toffee, thank you for responding. Here are my FRST scan results:

 

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-10-2014
Ran by admin (administrator) on MARKETING-PC on 26-10-2014 03:12:30
Running from C:\Documents and Settings\admin\Desktop
Loaded Profile: admin (Available profiles: admin)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files\WSE_Astromenda\BRS\brs.exe
(Agere Systems) C:\WINDOWS\system32\agrsmsvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\inetsrv\inetinfo.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
() C:\Program Files\PennyBee\PennyBee.exe
() C:\Program Files\PennyBee\PennyBeeW.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
() C:\DOCUME~1\admin\LOCALS~1\temp\tsxb.exe
() C:\DOCUME~1\admin\LOCALS~1\temp\wineukxpb.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [326528 2014-07-25] (Oracle Corporation)
HKLM\...\Winlogon: [UIHost] C:\WINDOWS\system32\logonui.exe [514560 2008-04-14] ( (Microsoft Corporation))
HKU\S-1-5-21-57989841-1085031214-1417001333-1003\...\Run: [GarenaPlus] => C:\Program Files\Garena Plus\GarenaMessenger.exe [9960240 2014-10-17] ()
HKU\S-1-5-21-57989841-1085031214-1417001333-1003\...\Run: [BRS] => C:\Program Files\WSE_Astromenda\BRS\brs.exe [1074688 2014-09-10] ()
HKU\S-1-5-21-57989841-1085031214-1417001333-1003\...\Run: [KakaoTalk] => C:\Program Files\Kakao\KakaoTalk\KakaoTalk.exe [5645512 2014-09-05] (Kakao Inc.)
HKU\S-1-5-21-57989841-1085031214-1417001333-1003\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6673752 2012-05-25] (Yahoo! Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)
AlternateShell: 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} https://www.e-games.com.ph/com/EGamesPlugin.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\ft4xboq3.default-1398210631046
FF Homepage: hxxp://astromenda.com/?f=1&a=ast_ir_14_36_ch&cd=2XzuyEtN2Y1L1QzutDtDzytD0FyDzy0EyCyE0A0CyC0DyC0BtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0CyEzy0ByB0CzztGyCyE0E0FtG0FtDtCtCtGtDtB0A0EtGtDtDtDtAyEyE0C0EzytA0F0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCyEyCtC0C0FtBtAtGtC0B0A0DtGyEyCyDzztGzztB0CzytGzy0B0C0CyDyC0AyCyEyD0B0E2Q&cr=233662480&ir=
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/AuthorwarePlayer -> C:\WINDOWS\system32\Macromed\AUTHORWA\np32asw.dll (Macromedia, Inc.)
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_179.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1200112.dll (Adobe Systems, Inc.)
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\WINDOWS\system32\C2MP\npdivx32.dll (DivX,Inc.)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @t.garena.com/garenatalk -> C:\Program Files\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll ( Garena)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 -> C:\Documents and Settings\admin\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF user.js: detected! => C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\ft4xboq3.default-1398210631046\user.js
FF SearchPlugin: C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\ft4xboq3.default-1398210631046\searchplugins\Astromenda.xml
FF Extension: Yahoo! Toolbar - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\ft4xboq3.default-1398210631046\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2014-09-13]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-02-20]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-09-09]
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://touch.3claws.com/home/"
CHR Profile: C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-06]
CHR Extension: (avast! Online Security) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-09-06]
CHR Extension: (Google Wallet) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-06]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-02-20]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 6to4; C:\WINDOWS\System32\6to4svc.dll [100864 2010-02-12] (Microsoft Corporation)
R2 AgereModemAudio; C:\WINDOWS\system32\agrsmsvc.exe [13312 2008-03-18] (Agere Systems) [File not signed]
R2 Alerter; C:\WINDOWS\system32\alrsvc.dll [17408 2008-04-14] (Microsoft Corporation) [File not signed]
S4 ALG; C:\WINDOWS\System32\alg.exe [44544 2008-04-14] (Microsoft Corporation) [File not signed]
S3 AppMgmt; C:\WINDOWS\System32\appmgmts.dll [167936 2008-04-14] (Microsoft Corporation) [File not signed]
R2 AudioSrv; C:\WINDOWS\System32\audiosrv.dll [42496 2008-04-14] (Microsoft Corporation) [File not signed]
R2 BITS; C:\WINDOWS\system32\qmgr.dll [409088 2008-04-14] (Microsoft Corporation) [File not signed]
S3 CiSvc; C:\WINDOWS\system32\cisvc.exe [5632 2008-04-14] (Microsoft Corporation) [File not signed]
S3 ClipSrv; C:\WINDOWS\system32\clipsrv.exe [33280 2008-04-14] (Microsoft Corporation) [File not signed]
S3 COMSysApp; C:\WINDOWS\system32\dllhost.exe [5120 2008-04-14] (Microsoft Corporation) [File not signed]
R2 CryptSvc; C:\WINDOWS\System32\cryptsvc.dll [62464 2008-04-14] (Microsoft Corporation) [File not signed]
R2 Dhcp; C:\WINDOWS\System32\dhcpcsvc.dll [126976 2008-04-14] (Microsoft Corporation) [File not signed]
S3 dmadmin; C:\WINDOWS\System32\dmadmin.exe [224768 2008-04-14] (Microsoft Corp., Veritas Software) [File not signed]
R2 dmserver; C:\WINDOWS\System32\dmserver.dll [23552 2008-04-14] (Microsoft Corp.) [File not signed]
S3 Dot3svc; C:\WINDOWS\System32\dot3svc.dll [132096 2008-04-14] (Microsoft Corporation) [File not signed]
S3 EapHost; C:\WINDOWS\System32\eapsvc.dll [33792 2008-04-14] (Microsoft Corporation) [File not signed]
R2 ERSvc; C:\WINDOWS\System32\ersvc.dll [23040 2008-04-14] (Microsoft Corporation) [File not signed]
R2 helpsvc; C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll [38400 2008-04-14] (Microsoft Corporation) [File not signed]
R2 HidServ; C:\WINDOWS\System32\hidserv.dll [21504 2008-04-14] (Microsoft Corporation) [File not signed]
S3 hkmsvc; C:\WINDOWS\System32\kmsvc.dll [61440 2008-04-14] (Microsoft Corporation) [File not signed]
S3 HTTPFilter; C:\WINDOWS\System32\w3ssl.dll [15872 2008-04-14] (Microsoft Corporation) [File not signed]
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-14] (Microsoft Corporation) [File not signed]
S3 ImapiService; C:\WINDOWS\system32\imapi.exe [150528 2008-04-14] (Microsoft Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-09-12] (Oracle Corporation)
R2 LmHosts; C:\WINDOWS\System32\lmhsvc.dll [13824 2008-04-14] (Microsoft Corporation) [File not signed]
S4 Messenger; C:\WINDOWS\System32\msgsvc.dll [33792 2008-04-14] (Microsoft Corporation) [File not signed]
S3 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [32768 2008-04-14] (Microsoft Corporation) [File not signed]
S3 MSDTC; C:\WINDOWS\system32\msdtc.exe [6144 2008-04-14] (Microsoft Corporation) [File not signed]
S3 MSIServer; C:\WINDOWS\System32\msiexec.exe [78848 2008-04-14] (Microsoft Corporation) [File not signed]
S3 napagent; C:\WINDOWS\System32\qagentrt.dll [291328 2008-04-14] (Microsoft Corporation) [File not signed]
S4 NetDDE; C:\WINDOWS\system32\netdde.exe [111104 2008-04-14] (Microsoft Corporation) [File not signed]
S4 NetDDEdsdm; C:\WINDOWS\system32\netdde.exe [111104 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Netlogon; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Netman; C:\WINDOWS\System32\netman.dll [198144 2008-04-14] (Microsoft Corporation) [File not signed]
S3 npggsvc; C:\WINDOWS\system32\GameMon.des [4546608 2013-01-04] (INCA Internet Co., Ltd.)
S3 NtLmSsp; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NtmsSvc; C:\WINDOWS\system32\ntmssvc.dll [435200 2008-04-14] (Microsoft Corporation) [File not signed]
S3 ose; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [158768 2014-09-06] (Microsoft Corporation) [File not signed]
R2 PennyBee; C:\Program Files\PennyBee\PennyBee.exe [57856 2014-08-18] () [File not signed]
R2 PolicyAgent; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
R2 ProtectedStorage; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
S3 RasAuto; C:\WINDOWS\System32\rasauto.dll [88576 2008-04-14] (Microsoft Corporation) [File not signed]
R3 RasMan; C:\WINDOWS\System32\rasmans.dll [186368 2008-04-14] (Microsoft Corporation) [File not signed]
S3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [141312 2008-04-14] (Microsoft Corporation) [File not signed]
S4 RemoteAccess; C:\WINDOWS\System32\mprdim.dll [53248 2008-04-14] (Microsoft Corporation) [File not signed]
R2 RemoteRegistry; C:\WINDOWS\system32\regsvc.dll [59904 2008-04-14] (Microsoft Corporation) [File not signed]
S3 RpcLocator; C:\WINDOWS\system32\locator.exe [75264 2008-04-14] (Microsoft Corporation) [File not signed]
S3 RSVP; C:\WINDOWS\system32\rsvp.exe [132608 2004-08-04] (Microsoft Corporation) [File not signed]
R2 SamSs; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
S3 SCardSvr; C:\WINDOWS\System32\SCardSvr.exe [95744 2008-04-14] (Microsoft Corporation) [File not signed]
R2 Schedule; C:\WINDOWS\system32\schedsvc.dll [192512 2008-04-14] (Microsoft Corporation) [File not signed]
R2 seclogon; C:\WINDOWS\System32\seclogon.dll [18944 2008-04-14] (Microsoft Corporation) [File not signed]
R2 SENS; C:\WINDOWS\system32\sens.dll [39424 2008-04-14] (Microsoft Corporation) [File not signed]
R2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-14] (Microsoft Corporation) [File not signed]
R2 srservice; C:\WINDOWS\system32\srsvc.dll [171008 2008-04-14] (Microsoft Corporation) [File not signed]
R3 SSDPSRV; C:\WINDOWS\System32\ssdpsrv.dll [71680 2008-04-14] (Microsoft Corporation) [File not signed]
R2 stisvc; C:\WINDOWS\system32\wiaservc.dll [333824 2008-04-14] (Microsoft Corporation) [File not signed]
S3 SwPrv; C:\WINDOWS\system32\dllhost.exe [5120 2008-04-14] (Microsoft Corporation) [File not signed]
S3 SysmonLog; C:\WINDOWS\system32\smlogsvc.exe [89600 2008-04-14] (Microsoft Corporation) [File not signed]
R3 TapiSrv; C:\WINDOWS\System32\tapisrv.dll [249856 2008-04-14] (Microsoft Corporation) [File not signed]
R3 TermService; C:\WINDOWS\System32\termsrv.dll [295424 2008-04-14] (Microsoft Corporation) [File not signed]
S3 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [73216 2008-04-14] (Microsoft Corporation) [File not signed]
R2 TrkWks; C:\WINDOWS\system32\trkwks.dll [90112 2008-04-14] (Microsoft Corporation) [File not signed]
S3 upnphost; C:\WINDOWS\System32\upnphost.dll [185856 2008-04-14] (Microsoft Corporation) [File not signed]
S3 UPS; C:\WINDOWS\System32\ups.exe [18432 2008-04-14] (Microsoft Corporation) [File not signed]
S3 VSS; C:\WINDOWS\System32\vssvc.exe [289792 2008-04-14] (Microsoft Corporation) [File not signed]
R2 W32Time; C:\WINDOWS\system32\w32time.dll [175104 2008-04-14] (Microsoft Corporation) [File not signed]
R2 W3SVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-14] (Microsoft Corporation) [File not signed]
R2 WebClient; C:\WINDOWS\System32\webclnt.dll [68096 2008-04-14] (Microsoft Corporation) [File not signed]
R2 winmgmt; C:\WINDOWS\system32\wbem\WMIsvc.dll [144896 2008-04-14] (Microsoft Corporation) [File not signed]
S3 WmiApSrv; C:\WINDOWS\system32\wbem\wmiapsrv.exe [126464 2008-04-14] (Microsoft Corporation) [File not signed]
S4 wscsvc; C:\WINDOWS\system32\wscsvc.dll [80896 2008-04-14] (Microsoft Corporation) [File not signed]
R2 WZCSVC; C:\WINDOWS\System32\wzcsvc.dll [483840 2008-04-14] (Microsoft Corporation) [File not signed]
S3 xmlprov; C:\WINDOWS\System32\xmlprov.dll [129024 2008-04-14] (Microsoft Corporation) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 ACPI; C:\WINDOWS\System32\DRIVERS\ACPI.sys [187776 2008-04-14] (Microsoft Corporation) [File not signed]
R0 ACPIEC; C:\WINDOWS\System32\DRIVERS\ACPIEC.sys [11648 2004-08-04] (Microsoft Corporation) [File not signed]
S3 aec; C:\WINDOWS\System32\drivers\aec.sys [142592 2008-04-13] (Microsoft Corporation) [File not signed]
R3 AgereSoftModem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [1202560 2008-02-29] (Agere Systems) [File not signed]
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [26136 2014-02-20] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [67824 2014-02-20] (AVAST Software)
S4 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [54832 2014-02-20] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2014-02-20] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [775952 2014-02-20] (AVAST Software)
S4 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [410784 2014-02-20] (AVAST Software)
S4 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57672 2014-02-20] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [180248 2014-02-20] ()
S3 AsyncMac; C:\WINDOWS\System32\DRIVERS\asyncmac.sys [14336 2008-04-14] (Microsoft Corporation) [File not signed]
R0 atapi; C:\WINDOWS\System32\DRIVERS\atapi.sys [96512 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Atmarpc; C:\WINDOWS\System32\DRIVERS\atmarpc.sys [59904 2008-04-14] (Microsoft Corporation) [File not signed]
R3 audstub; C:\WINDOWS\System32\DRIVERS\audstub.sys [3072 2001-08-17] (Microsoft Corporation) [File not signed]
R1 Beep; C:\WINDOWS\system32\Drivers\Beep.sys [4224 2004-08-04] (Microsoft Corporation) [File not signed]
S4 cbidf2k; C:\WINDOWS\system32\Drivers\cbidf2k.sys [13952 2004-08-04] (Microsoft Corporation) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation) [File not signed]
S1 Cdaudio; C:\WINDOWS\system32\Drivers\Cdaudio.sys [18688 2004-08-04] (Microsoft Corporation) [File not signed]
R4 Cdfs; C:\WINDOWS\system32\Drivers\Cdfs.sys [63744 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Cdrom; C:\WINDOWS\System32\DRIVERS\cdrom.sys [62976 2008-04-14] (Microsoft Corporation) [File not signed]
R3 CmBatt; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [13952 2008-04-14] (Microsoft Corporation) [File not signed]
R0 Compbatt; C:\WINDOWS\System32\DRIVERS\compbatt.sys [10240 2008-04-14] (Microsoft Corporation) [File not signed]
R0 Disk; C:\WINDOWS\System32\DRIVERS\disk.sys [36352 2008-04-14] (Microsoft Corporation) [File not signed]
S4 dmboot; C:\WINDOWS\System32\drivers\dmboot.sys [799744 2008-04-14] (Microsoft Corp., Veritas Software) [File not signed]
R0 dmio; C:\WINDOWS\System32\drivers\dmio.sys [153344 2008-04-14] (Microsoft Corp., Veritas Software) [File not signed]
R0 dmload; C:\WINDOWS\System32\drivers\dmload.sys [5888 2004-08-04] (Microsoft Corp., Veritas Software.) [File not signed]
S3 DMusic; C:\WINDOWS\System32\drivers\DMusic.sys [52864 2008-04-14] (Microsoft Corporation) [File not signed]
S3 drmkaud; C:\WINDOWS\System32\drivers\drmkaud.sys [2944 2008-04-14] (Microsoft Corporation) [File not signed]
S4 Fastfat; C:\WINDOWS\system32\Drivers\Fastfat.sys [143744 2008-04-14] (Microsoft Corporation) [File not signed]
S1 Fdc; C:\WINDOWS\system32\Drivers\Fdc.sys [27392 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Fips; C:\WINDOWS\system32\Drivers\Fips.sys [44544 2008-04-14] (Microsoft Corporation) [File not signed]
S1 Flpydisk; C:\WINDOWS\system32\Drivers\Flpydisk.sys [20480 2008-04-14] (Microsoft Corporation) [File not signed]
R0 FltMgr; C:\WINDOWS\System32\DRIVERS\fltMgr.sys [129792 2008-04-14] (Microsoft Corporation) [File not signed]
U1 Fs_Rec; C:\WINDOWS\system32\Drivers\Fs_Rec.sys [7936 2004-08-04] (Microsoft Corporation) [File not signed]
R0 Ftdisk; C:\WINDOWS\System32\DRIVERS\ftdisk.sys [125056 2004-08-04] (Microsoft Corporation) [File not signed]
R3 Gpc; C:\WINDOWS\System32\DRIVERS\msgpc.sys [35072 2008-04-14] (Microsoft Corporation) [File not signed]
R3 HDAudBus; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows ® Server 2003 DDK provider) [File not signed]
R3 HidUsb; C:\WINDOWS\System32\DRIVERS\hidusb.sys [10368 2008-04-14] (Microsoft Corporation) [File not signed]
R1 i8042prt; C:\WINDOWS\System32\DRIVERS\i8042prt.sys [52480 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Imapi; C:\WINDOWS\System32\DRIVERS\imapi.sys [42112 2008-04-14] (Microsoft Corporation) [File not signed]
R1 intelppm; C:\WINDOWS\System32\DRIVERS\intelppm.sys [36352 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Ip6Fw; C:\WINDOWS\System32\DRIVERS\Ip6Fw.sys [36608 2008-04-14] (Microsoft Corporation) [File not signed]
R3 IpFilterDriver; C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [32896 2004-08-04] (Microsoft Corporation) [File not signed]
S3 IpInIp; C:\WINDOWS\System32\DRIVERS\ipinip.sys [20864 2008-04-14] (Microsoft Corporation) [File not signed]
S3 IpNat; C:\WINDOWS\System32\DRIVERS\ipnat.sys [152832 2008-04-14] (Microsoft Corporation) [File not signed]
R1 IPSec; C:\WINDOWS\System32\DRIVERS\ipsec.sys [75264 2008-04-14] (Microsoft Corporation) [File not signed]
S3 IRENUM; C:\WINDOWS\System32\DRIVERS\irenum.sys [11264 2008-04-14] (Microsoft Corporation) [File not signed]
R0 isapnp; C:\WINDOWS\System32\DRIVERS\isapnp.sys [37248 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Kbdclass; C:\WINDOWS\System32\DRIVERS\kbdclass.sys [24576 2008-04-14] (Microsoft Corporation) [File not signed]
S1 kbdhid; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [14592 2008-04-14] (Microsoft Corporation) [File not signed]
R3 kmixer; C:\WINDOWS\System32\drivers\kmixer.sys [172416 2008-04-14] (Microsoft Corporation) [File not signed]
R1 mnmdd; C:\WINDOWS\system32\Drivers\mnmdd.sys [4224 2004-08-04] (Microsoft Corporation) [File not signed]
R3 Modem; C:\WINDOWS\system32\Drivers\Modem.sys [30080 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
R1 Mouclass; C:\WINDOWS\System32\DRIVERS\mouclass.sys [23040 2008-04-14] (Microsoft Corporation) [File not signed]
R3 mouhid; C:\WINDOWS\System32\DRIVERS\mouhid.sys [12160 2001-08-17] (Microsoft Corporation) [File not signed]
R0 MountMgr; C:\WINDOWS\system32\Drivers\MountMgr.sys [42368 2008-04-14] (Microsoft Corporation) [File not signed]
R3 MRxDAV; C:\WINDOWS\System32\DRIVERS\mrxdav.sys [180608 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Msfs; C:\WINDOWS\system32\Drivers\Msfs.sys [19072 2008-04-14] (Microsoft Corporation) [File not signed]
S3 MSKSSRV; C:\WINDOWS\System32\drivers\MSKSSRV.sys [7552 2008-04-14] (Microsoft Corporation) [File not signed]
S3 MSPCLOCK; C:\WINDOWS\System32\drivers\MSPCLOCK.sys [5376 2008-04-14] (Microsoft Corporation) [File not signed]
S3 MSPQM; C:\WINDOWS\System32\drivers\MSPQM.sys [4992 2008-04-14] (Microsoft Corporation) [File not signed]
R3 mssmbios; C:\WINDOWS\System32\DRIVERS\mssmbios.sys [15488 2008-04-14] (Microsoft Corporation) [File not signed]
S3 MSTEE; C:\WINDOWS\System32\drivers\MSTEE.sys [5504 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NABTSFEC; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-14] (Microsoft Corporation) [File not signed]
R0 NDIS; C:\WINDOWS\system32\Drivers\NDIS.sys [182656 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Ndisuio; C:\WINDOWS\System32\DRIVERS\ndisuio.sys [14592 2008-04-14] (Microsoft Corporation) [File not signed]
R3 NdisWan; C:\WINDOWS\System32\DRIVERS\ndiswan.sys [91520 2008-04-14] (Microsoft Corporation) [File not signed]
R1 NetBIOS; C:\WINDOWS\System32\DRIVERS\netbios.sys [34688 2008-04-14] (Microsoft Corporation) [File not signed]
R1 NetBT; C:\WINDOWS\System32\DRIVERS\netbt.sys [162816 2008-04-14] (Microsoft Corporation) [File not signed]
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Npfs; C:\WINDOWS\system32\Drivers\Npfs.sys [30848 2008-04-14] (Microsoft Corporation) [File not signed]
R4 Ntfs; C:\WINDOWS\system32\Drivers\Ntfs.sys [574976 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Null; C:\WINDOWS\system32\Drivers\Null.sys [2944 2004-08-04] (Microsoft Corporation) [File not signed]
S3 NwlnkFlt; C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [12416 2004-08-04] (Microsoft Corporation) [File not signed]
S3 NwlnkFwd; C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [32512 2004-08-04] (Microsoft Corporation) [File not signed]
S3 Parport; C:\WINDOWS\system32\Drivers\Parport.sys [80128 2008-04-14] (Microsoft Corporation) [File not signed]
R0 PartMgr; C:\WINDOWS\system32\Drivers\PartMgr.sys [19712 2008-04-14] (Microsoft Corporation) [File not signed]
S2 ParVdm; C:\WINDOWS\system32\Drivers\ParVdm.sys [6784 2004-08-04] (Microsoft Corporation) [File not signed]
R0 PCI; C:\WINDOWS\System32\DRIVERS\pci.sys [68224 2008-04-14] (Microsoft Corporation) [File not signed]
R0 PCIIde; C:\WINDOWS\System32\DRIVERS\pciide.sys [3328 2004-08-04] (Microsoft Corporation) [File not signed]
S4 Pcmcia; C:\WINDOWS\system32\Drivers\Pcmcia.sys [120192 2008-04-14] (Microsoft Corporation) [File not signed]
R3 PptpMiniport; C:\WINDOWS\System32\DRIVERS\raspptp.sys [48384 2008-04-14] (Microsoft Corporation) [File not signed]
R3 PSched; C:\WINDOWS\System32\DRIVERS\psched.sys [69120 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Ptilink; C:\WINDOWS\System32\DRIVERS\ptilink.sys [17792 2004-08-04] (Parallel Technologies, Inc.) [File not signed]
R1 RasAcd; C:\WINDOWS\System32\DRIVERS\rasacd.sys [8832 2004-08-04] (Microsoft Corporation) [File not signed]
R3 Rasl2tp; C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [51328 2008-04-14] (Microsoft Corporation) [File not signed]
R3 RasPppoe; C:\WINDOWS\System32\DRIVERS\raspppoe.sys [41472 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Raspti; C:\WINDOWS\System32\DRIVERS\raspti.sys [16512 2004-08-04] (Microsoft Corporation) [File not signed]
R1 Rdbss; C:\WINDOWS\System32\DRIVERS\rdbss.sys [175744 2008-04-14] (Microsoft Corporation) [File not signed]
R1 RDPCDD; C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [4224 2004-08-04] (Microsoft Corporation) [File not signed]
R3 rdpdr; C:\WINDOWS\System32\DRIVERS\rdpdr.sys [196224 2008-04-14] (Microsoft Corporation) [File not signed]
R1 redbook; C:\WINDOWS\System32\DRIVERS\redbook.sys [57600 2008-04-14] (Microsoft Corporation) [File not signed]
S3 sdbus; C:\WINDOWS\System32\DRIVERS\sdbus.sys [79232 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [20480 2008-04-14] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [File not signed]
S2 Serial; C:\WINDOWS\system32\Drivers\Serial.sys [64512 2008-04-14] (Microsoft Corporation) [File not signed]
S1 Sfloppy; C:\WINDOWS\system32\Drivers\Sfloppy.sys [11392 2008-04-14] (Microsoft Corporation) [File not signed]
R3 SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [325120 2010-10-26] (Silicon Integrated Systems Corporation) [File not signed]
R0 SISAGP; C:\WINDOWS\System32\DRIVERS\SISAGPX.sys [35712 2006-06-16] (Silicon Integrated Systems Corporation) [File not signed]
R3 SiSGbeXP; C:\WINDOWS\System32\DRIVERS\SiSGbeXP.sys [43392 2008-03-04] (Silicon Integrated Systems Corp.) [File not signed]
R0 SiSide; C:\WINDOWS\System32\DRIVERS\siside.sys [4096 2003-03-26] (Silicon Integrated Systems Corp.) [File not signed]
R1 SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [19200 2010-10-26] (Silicon Integrated Systems Corporation) [File not signed]
S3 SLIP; C:\WINDOWS\System32\DRIVERS\SLIP.sys [11136 2008-04-14] (Microsoft Corporation) [File not signed]
S3 splitter; C:\WINDOWS\System32\drivers\splitter.sys [6272 2008-04-14] (Microsoft Corporation) [File not signed]
R0 sr; C:\WINDOWS\System32\DRIVERS\sr.sys [73472 2008-04-14] (Microsoft Corporation) [File not signed]
S3 streamip; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [15232 2008-04-14] (Microsoft Corporation) [File not signed]
R3 swenum; C:\WINDOWS\System32\DRIVERS\swenum.sys [4352 2008-04-14] (Microsoft Corporation) [File not signed]
S3 swmidi; C:\WINDOWS\System32\drivers\swmidi.sys [56576 2008-04-14] (Microsoft Corporation) [File not signed]
R3 sysaudio; C:\WINDOWS\System32\drivers\sysaudio.sys [60800 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Tcpip6; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
S3 TDPIPE; C:\WINDOWS\system32\Drivers\TDPIPE.sys [12040 2008-04-14] (Microsoft Corporation) [File not signed]
S3 TDTCP; C:\WINDOWS\system32\Drivers\TDTCP.sys [21896 2008-04-14] (Microsoft Corporation) [File not signed]
R1 TermDD; C:\WINDOWS\System32\DRIVERS\termdd.sys [40840 2008-04-14] (Microsoft Corporation) [File not signed]
U3 TrueSight; C:\WINDOWS\system32\drivers\TrueSight.sys [33512 2014-08-19] ()
R3 tunmp; C:\WINDOWS\System32\DRIVERS\tunmp.sys [12288 2008-04-14] (Microsoft Corporation) [File not signed]
R0 uagp35; C:\WINDOWS\System32\DRIVERS\uagp35.sys [44672 2008-04-14] (Microsoft Corporation) [File not signed]
S4 Udfs; C:\WINDOWS\system32\Drivers\Udfs.sys [66048 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Update; C:\WINDOWS\System32\DRIVERS\update.sys [384768 2008-04-14] (Microsoft Corporation) [File not signed]
R3 usbccgp; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [32128 2008-04-14] (Microsoft Corporation) [File not signed]
R3 usbhub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [59520 2008-04-14] (Microsoft Corporation) [File not signed]
R3 usbohci; C:\WINDOWS\System32\DRIVERS\usbohci.sys [17152 2008-04-14] (Microsoft Corporation) [File not signed]
S3 USBSTOR; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [26368 2008-04-14] (Microsoft Corporation) [File not signed]
R1 VgaSave; C:\WINDOWS\System32\drivers\vga.sys [20992 2008-04-14] (Microsoft Corporation) [File not signed]
R0 VolSnap; C:\WINDOWS\system32\Drivers\VolSnap.sys [52352 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Wanarp; C:\WINDOWS\System32\DRIVERS\wanarp.sys [34560 2008-04-14] (Microsoft Corporation) [File not signed]
R3 wdmaud; C:\WINDOWS\System32\drivers\wdmaud.sys [83072 2008-04-14] (Microsoft Corporation) [File not signed]
R1 WmiAcpi; C:\WINDOWS\System32\DRIVERS\wmiacpi.sys [8832 2008-04-14] (Microsoft Corporation) [File not signed]
R1 WS2IFSL; C:\WINDOWS\System32\drivers\ws2ifsl.sys [12032 2004-08-04] (Microsoft Corporation) [File not signed]
S3 WSTCODEC; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-14] (Microsoft Corporation) [File not signed]
R3 amsint32; \??\C:\WINDOWS\system32\drivers\ikqnhr.sys [X]
S1 BAPIDRV; system32\DRIVERS\BAPIDRV.sys [X]
U5 BattC; C:\Windows\System32\Drivers\BattC.sys [14208 2008-04-14] (Microsoft Corporation) [File not signed]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
U3 mbr; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\mbr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-26 02:44 - 2014-10-26 02:45 - 00015427 _____ () C:\Documents and Settings\admin\Desktop\attach.txt
2014-10-26 02:44 - 2014-10-26 02:44 - 00010204 _____ () C:\Documents and Settings\admin\Desktop\dds.txt
2014-10-26 02:43 - 2014-10-26 02:43 - 00688992 ____R (Swearware) C:\Documents and Settings\admin\Desktop\dds.com
2014-10-25 14:33 - 2014-10-25 14:33 - 00020854 _____ () C:\Documents and Settings\admin\Desktop\Addition.txt
2014-10-25 14:32 - 2014-10-26 03:12 - 00034773 _____ () C:\Documents and Settings\admin\Desktop\FRST.txt
2014-10-25 14:32 - 2014-10-26 03:11 - 01103360 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FRST.exe
2014-10-25 14:32 - 2014-10-25 14:32 - 00000000 ____D () C:\Documents and Settings\admin\Desktop\FRST-OlderVersion
2014-10-21 08:27 - 2014-10-26 02:49 - 00000438 _____ () C:\Documents and Settings\All Users\Desktop\Touch.lnk
2014-10-21 08:27 - 2014-10-26 02:49 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Touch
2014-10-21 08:27 - 2014-10-21 08:27 - 00000000 ____D () C:\TouchDefence
2014-10-21 08:26 - 2014-10-15 08:19 - 33085600 _____ (Touch 3Claws ) C:\Documents and Settings\admin\Desktop\SetupTouch_int.exe
2014-10-21 06:00 - 2012-08-27 01:26 - 00000000 ____D () C:\Documents and Settings\admin\Desktop\asd
2014-10-21 05:55 - 2014-10-21 05:55 - 00000134 _____ () C:\Documents and Settings\admin\Desktop\asd.txt
2014-10-21 05:48 - 2014-09-06 19:19 - 02806920 _____ () C:\Documents and Settings\admin\Desktop\Adaware_Installer.exe
2014-10-21 05:46 - 2014-10-21 05:44 - 00522752 _____ (OldTimer Tools) C:\Documents and Settings\admin\Desktop\TFC (1).exe
2014-10-21 05:16 - 2014-10-25 14:21 - 00000000 ____D () C:\Documents and Settings\admin\Application Data\.minecraft
2014-10-20 06:19 - 2014-10-20 06:19 - 00016306 _____ () C:\ComboFix.txt
2014-10-20 06:19 - 2014-10-20 06:19 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-10-20 06:19 - 2014-10-20 06:19 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-10-20 06:15 - 2014-10-20 06:15 - 00103140 __RSH () C:\pofq.pif
2014-10-20 06:13 - 2014-10-26 03:12 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-10-18 22:33 - 2014-10-18 22:33 - 00000000 __SHD () C:\Documents and Settings\admin\IECompatCache
2014-10-18 22:26 - 2014-10-18 22:26 - 00000034 _____ () C:\WINDOWS\setupact.log
2014-10-18 22:26 - 2014-10-18 22:26 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-10-18 02:16 - 2014-10-18 02:19 - 00000000 ____D () C:\Horrible Bosses (2011)
2014-10-18 02:12 - 2014-10-18 02:35 - 00000000 ____D () C:\Sex Tape (2014)
2014-10-18 02:05 - 2014-10-18 02:10 - 00000000 ____D () C:\Lucy (2014) 720p HDRip HC x264 AAC-CPG
2014-10-18 02:01 - 2014-10-18 02:05 - 00000000 ____D () C:\Edge of Tomorrow (2014)
2014-10-14 03:23 - 2014-10-14 03:23 - 00000000 ____D () C:\Program Files\OpenDownloaderManager
2014-10-14 00:37 - 2014-10-14 00:37 - 00014848 ___SH () C:\Documents and Settings\admin\Desktop\Thumbs.db
2014-10-12 17:34 - 2014-09-17 13:59 - 00096914 ____N () C:\Documents and Settings\admin\Desktop\edge-of-tomorrow.720p.BluRay.x264.YIFY.srt
2014-10-12 03:19 - 2014-09-19 04:39 - 00083071 _____ () C:\Documents and Settings\admin\Desktop\X-Men.Days.of.Future.Past.2014.1080p-720p.BluRay.x264.YIFY.Eng.srt
2014-10-12 03:00 - 2014-10-12 03:19 - 00000000 ____D () C:\SAO
2014-10-11 08:13 - 2014-09-20 02:38 - 00181104 _____ () C:\Documents and Settings\admin\Desktop\Transformers.Age.of.Extinction.2014.1080p-720p.BluRay.x264.YIFY.Hearing.Impaired.Eng.srt
2014-10-11 07:56 - 2014-10-05 07:55 - 00064983 _____ () C:\Documents and Settings\admin\Desktop\transformers-age-of-extinction-english-yify-23675.zip
2014-10-09 22:42 - 2014-10-25 13:20 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-07 16:07 - 2014-10-07 16:07 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Western Digital
2014-10-06 11:12 - 2014-10-06 11:15 - 00011152 _____ () C:\ST6UNST.000
2014-10-06 11:12 - 2014-10-06 11:14 - 00013697 _____ () C:\ST6UNST.LOG
2014-10-06 11:09 - 2014-10-06 11:09 - 00000000 ____D () C:\Documents and Settings\admin\Start Menu\Programs\Campus Information System 2.0
2014-10-05 15:24 - 2014-10-05 15:30 - 00000000 ____D () C:\Documents and Settings\admin\Desktop\Logic Design
2014-10-01 14:54 - 2014-10-01 14:56 - 00000000 ____D () C:\Documents and Settings\admin\Desktop\CISCO 1
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-26 03:12 - 2014-08-23 23:41 - 00000000 ____D () C:\FRST
2014-10-26 02:50 - 2014-02-22 17:06 - 00000000 ____D () C:\Documents and Settings\admin\Application Data\vlc
2014-10-26 02:42 - 2014-02-14 21:54 - 00000000 ____D () C:\WINDOWS\system32\inetsrv
2014-10-26 02:41 - 2014-04-09 04:29 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\GarenaMessenger
2014-10-26 02:41 - 2014-04-09 04:29 - 00000000 ____D () C:\Documents and Settings\admin\Application Data\GarenaPlus
2014-10-26 02:38 - 2014-09-18 06:11 - 00368222 _____ () C:\WINDOWS\setupapi.log
2014-10-26 02:38 - 2014-09-07 08:43 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-10-26 02:38 - 2014-02-14 22:04 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-10-26 02:38 - 2014-02-14 22:04 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-10-26 02:38 - 2014-02-14 14:18 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-10-25 22:48 - 2014-08-19 17:51 - 01160975 _____ () C:\WINDOWS\WindowsUpdate.log
2014-10-25 22:48 - 2014-02-14 14:19 - 00000278 ___SH () C:\Documents and Settings\admin\ntuser.ini
2014-10-25 22:48 - 2014-02-14 14:18 - 00032492 _____ () C:\WINDOWS\SchedLgU.Txt
2014-10-24 23:23 - 2014-09-06 20:24 - 00000000 ____D () C:\Program Files\Garena Plus
2014-10-23 21:43 - 2014-04-17 19:19 - 00000000 ____D () C:\Documents and Settings\admin\Application Data\Skype
2014-10-23 21:42 - 2014-04-17 19:19 - 00002265 _____ () C:\Documents and Settings\All Users\Desktop\Skype.lnk
2014-10-22 15:51 - 2014-09-25 14:43 - 00000210 _____ () C:\Documents and Settings\admin\.packettracer
2014-10-22 03:44 - 2014-02-14 14:16 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-10-21 23:19 - 2014-09-06 21:08 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2014-10-21 05:51 - 2004-08-04 20:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-10-21 05:49 - 2014-02-14 14:19 - 00000000 ____D () C:\Documents and Settings\admin
2014-10-20 11:58 - 2014-02-19 08:16 - 00024576 _____ () C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-10-20 06:19 - 2014-09-06 19:28 - 00000000 ____D () C:\Qoobox
2014-10-20 06:14 - 2014-02-14 22:00 - 28311552 _____ () C:\WINDOWS\system32\config\software.bak
2014-10-20 06:14 - 2014-02-14 22:00 - 06815744 _____ () C:\WINDOWS\system32\config\system.bak
2014-10-20 06:14 - 2014-02-14 22:00 - 00262144 _____ () C:\WINDOWS\system32\config\SECURITY.bak
2014-10-20 06:14 - 2014-02-14 22:00 - 00262144 _____ () C:\WINDOWS\system32\config\default.bak
2014-10-20 06:14 - 2014-02-14 22:00 - 00032768 _____ () C:\WINDOWS\system32\config\SAM.bak
2014-10-20 06:14 - 2004-08-04 20:00 - 00000264 _____ () C:\WINDOWS\system.ini
2014-10-20 06:13 - 2014-09-06 19:35 - 00008192 ____H () C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-10-20 06:13 - 2014-09-06 19:27 - 00000000 ____D () C:\WINDOWS\erdnt
2014-10-18 22:40 - 2014-09-06 21:14 - 00000241 _____ () C:\Documents and Settings\admin\BullseyeCoverageError.txt
2014-10-10 02:45 - 2014-02-14 15:33 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-10-06 11:24 - 2014-02-17 08:19 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-10-06 11:14 - 2014-02-20 13:27 - 00291075 ____N (Microsoft Corporation) C:\WINDOWS\Setup1.exe
2014-10-06 11:14 - 2014-02-20 10:33 - 00080131 _____ (Microsoft Corporation) C:\WINDOWS\ST6UNST.EXE
2014-10-06 11:09 - 2014-02-20 10:29 - 00000000 ____D () C:\Program Files\Campus Information System
2014-10-02 14:55 - 2014-09-25 14:43 - 00000000 ____D () C:\Documents and Settings\admin\Cisco Packet Tracer 6.0.1
2014-10-02 14:46 - 2014-09-25 14:30 - 00000000 ____D () C:\Documents and Settings\admin\Desktop\CISCO 2
2014-09-30 10:13 - 2014-02-18 11:56 - 00055672 _____ () C:\Documents and Settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-09-28 10:48 - 2014-02-14 22:00 - 00254272 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
 
Some content of TEMP:
====================
C:\Documents and Settings\admin\Local Settings\temp\tsxb.exe
C:\Documents and Settings\admin\Local Settings\temp\wineukxpb.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================
 
Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 18-10-2014 01
Ran by admin at 2014-10-25 14:33:35
Running from C:\Documents and Settings\admin\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe AIR (HKLM\...\Adobe AIR) (Version: 14.0.0.178 - Adobe Systems Incorporated)
Adobe AIR (Version: 14.0.0.178 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.176 - Adobe Systems Incorporated)
Adobe Flash Player 14 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 14.0.0.179 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Adobe Shockwave Player + Authorware Web Player (HKLM\...\Adobe Shockwave Player + Authorware Web Player) (Version: v12.0.0.112 - Adobe Systems, Inc.)
Agere Systems HDA Modem (HKLM\...\Agere Systems Soft Modem) (Version:  - Agere Systems)
Audition Dance Battle (HKLM\...\Audition Dance Battle 01.61.0) (Version: 01.61.0 - Level Up Games)
Audition Dance Battle (Version: 01.61.0 - Level Up Games) Hidden
Campus Information System 2.0 (HKLM\...\Campus Information System 2.0) (Version:  - )
Cisco Packet Tracer 6.0.1 (HKLM\...\Cisco Packet Tracer 6.0.1_is1) (Version:  - Cisco Systems, Inc.)
DomDomSoft Manga Downloader (remove only) (HKLM\...\DomDomSoft Manga Downloader) (Version:  - )
Garena+ (HKLM\...\im) (Version: 2011 - Garena Online Pte Ltd.)
Google Chrome (HKLM\...\Google Chrome) (Version: 38.0.2125.104 - Google Inc.)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java Auto Updater (Version: 2.1.67.1 - Oracle, Inc.) Hidden
KakaoTalk (HKLM\...\KakaoTalk) (Version: 2.0.1.683 - Kakao)
LibreOffice 4.2.5.2 (HKLM\...\{8D8F47B2-0E03-4C50-9803-A01120878F96}) (Version: 4.2.5.2 - The Document Foundation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable - x86 8.0.50727.42 False (Version: 8.0.50727.42 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable - x86 8.0.51011 False (Version: 8.0.51011 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable - x86 8.0.56336 False (Version: 8.0.56336 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable - x86 8.0.59193 False (Version: 8.0.59193 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable - x86 8.0.61001 (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 False (Version: 9.0.21022 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.0 False (Version: 9.0.21022 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 False (Version: 9.0.21022.218 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 False (Version: 9.0.30411 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM\...\{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 False (Version: 9.0.30729 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 False (Version: 9.0.30729 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 False (Version: 9.0.30729.4148 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.5570 False (Version: 9.0.30729.5570 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.30319 False (Version: 10.0.30319 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{615bc16d-60f5-482e-91b3-b51d8130963b}) (Version: 11.0.51106.1 - Корпорация Майкрософт)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.51106 (Version: 11.0.51106 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.51106 (Version: 11.0.51106 - Microsoft Corporation) Hidden
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
NVIDIA PhysX (HKLM\...\{80407BA7-7763-4395-AB98-5233F1B34E65}) (Version: 9.13.1220 - NVIDIA Corporation)
PennyBee (HKLM\...\PennyBee) (Version: 1.0.2.2 - PennyBee) <==== ATTENTION
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6839 - Realtek Semiconductor Corp.)
SAM CoDeC Pack (HKLM\...\SAM CoDeC Pack) (Version: 5.05 - www.SamLab.ws)
Skype™ 6.14 (HKLM\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.14.104 - Skype Technologies S.A.)
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.31064 - TeamViewer)
Touch version 1.0 (HKLM\...\{06A4EEFC-8692-48AB-9709-BFC268D7196C}_is1) (Version: 1.0 - Touch 3Claws)
Unity Web Player (HKCU\...\UnityWebPlayer) (Version:  - Unity Technologies ApS)
Update CIS 2.0 Libraries 1 (HKLM\...\ST6UNST #1) (Version:  - )
Update CIS 2.0 Libraries 2 (HKLM\...\ST6UNST #2) (Version:  - )
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2598845) (HKLM\...\KB2598845-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation) Hidden
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
VLC media player 2.1.3 (HKLM\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows 7 Codec Pack 2.3.0 (HKLM\...\Windows 7 - Codec Pack) (Version:  - Windows 7 Codec Pack)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
WinRAR 5.01 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)
WSE_Astromenda (HKLM\...\WSE_Astromenda) (Version:  - WSE_Astromenda) <==== ATTENTION
x264vfw - H.264/MPEG-4 AVC codec (remove only) (HKLM\...\x264vfw) (Version:  - )
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden
Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version:  - Yahoo! Inc.)
Yahoo! Software Update (HKLM\...\Yahoo! Software Update) (Version:  - )
Yahoo! Toolbar (HKLM\...\Yahoo! Companion) (Version:  - Yahoo! Inc.)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-57989841-1085031214-1417001333-1003_Classes\CLSID\{1FD1FE74-9E3C-4C1C-AEEB-AAB592AD770F}\localserver32 -> C:\Documents and Settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-1085031214-1417001333-1003_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Documents and Settings\admin\Local Settings\Application Data\Unity\WebPlayer\loader\UnityWebPluginAX.ocx (Unity Technologies ApS)
CustomCLSID: HKU\S-1-5-21-57989841-1085031214-1417001333-1003_Classes\CLSID\{5E71E4F3-E8C7-4906-9626-973E418762B6}\InprocServer32 -> C:\Documents and Settings\admin\Local Settings\Application Data\Facebook\Update\1.2.205.0\goopdate.dll (Facebook Inc.)
 
==================== Restore Points  =========================
 
25-10-2014 05:39:53 System Checkpoint
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2004-08-04 20:00 - 2014-10-20 06:14 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-57989841-1085031214-1417001333-1003Core.job => C:\Documents and Settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-57989841-1085031214-1417001333-1003UA.job => C:\Documents and Settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
 
==================== Loaded Modules (whitelisted) =============
 
2009-01-11 06:15 - 2009-01-11 06:15 - 00159744 _____ () C:\WINDOWS\system32\mmfinfo.dll
2009-01-11 06:14 - 2009-01-11 06:14 - 00023552 _____ () C:\WINDOWS\system32\mkunicode.dll
2014-09-10 04:39 - 2014-09-10 04:39 - 01074688 _____ () C:\Program Files\WSE_Astromenda\BRS\brs.exe
2014-10-25 09:59 - 2014-10-25 09:59 - 00019114 _____ () C:\Documents and Settings\admin\Local Settings\temp\kvear.exe
2008-04-14 12:42 - 2013-01-02 14:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll
2014-08-18 22:51 - 2014-08-18 22:51 - 00408584 _____ () C:\Program Files\PennyBee\PennyBeeW.exe
2014-08-18 22:51 - 2014-08-18 22:51 - 00311816 _____ () C:\Program Files\PennyBee\DealplyInstallerHelper.dll
2014-10-25 12:13 - 2014-10-25 12:13 - 00012970 _____ () C:\Documents and Settings\admin\Local Settings\temp\mjxy.exe
2014-08-28 18:56 - 2014-08-28 18:56 - 00049456 _____ () C:\Program Files\Garena Plus\ggdllhost.exe
2014-08-28 18:56 - 2014-08-28 18:56 - 00553776 ____N () C:\Program Files\Garena Plus\ggspawn.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupreg: Facebook Update => "C:\Documents and Settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: RTHDCPL => RTHDCPL.EXE
MSCONFIG\startupreg: SiSPower => Rundll32.exe SiSPower.dll,ModeAgent
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
 
========================= Accounts: ==========================
 
admin (S-1-5-21-57989841-1085031214-1417001333-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\admin
Administrator (S-1-5-21-57989841-1085031214-1417001333-500 - Administrator - Enabled)
ASPNET (S-1-5-21-57989841-1085031214-1417001333-1006 - Limited - Enabled)
Guest (S-1-5-21-57989841-1085031214-1417001333-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-57989841-1085031214-1417001333-1000 - Limited - Disabled)
IUSR_MARKETING-PC (S-1-5-21-57989841-1085031214-1417001333-1004 - Limited - Enabled)
IWAM_MARKETING-PC (S-1-5-21-57989841-1085031214-1417001333-1005 - Limited - Enabled)
SUPPORT_388945a0 (S-1-5-21-57989841-1085031214-1417001333-1002 - Limited - Disabled)
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/20/2014 06:11:41 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established
 
Error: (10/11/2014 05:05:13 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 32.0.3.5379, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (10/10/2014 09:00:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 32.0.3.5379, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (10/10/2014 08:59:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 32.0.3.5379, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (10/10/2014 02:45:49 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 32.0.3.5379, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (09/21/2014 00:40:19 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application OUTLOOK.EXE, version 11.0.5510.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (09/06/2014 09:00:58 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
 
System errors:
=============
Error: (10/25/2014 00:10:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The PennyBee service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/25/2014 00:09:50 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Yahoo! Updater service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/25/2014 00:09:49 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The TeamViewer 9 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 2000 milliseconds: Restart the service.
 
Error: (10/21/2014 06:46:29 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The World Wide Web Publishing service terminated unexpectedly.  It has done this 2 time(s).
 
Error: (10/21/2014 06:46:29 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly.  It has done this 2 time(s).
 
Error: (10/21/2014 06:46:29 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The IIS Admin service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.
 
Error: (10/21/2014 06:46:27 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The TeamViewer 9 service terminated unexpectedly.  It has done this 3 time(s).
 
Error: (10/21/2014 06:46:25 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/21/2014 06:46:19 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The World Wide Web Publishing service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/21/2014 06:46:19 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly.  It has done this 1 time(s).
 
 
Microsoft Office Sessions:
=========================
Error: (10/20/2014 06:11:41 AM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established
 
Error: (10/11/2014 05:05:13 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe32.0.3.5379hungapp0.0.0.000000000
 
Error: (10/10/2014 09:00:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe32.0.3.5379hungapp0.0.0.000000000
 
Error: (10/10/2014 08:59:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe32.0.3.5379hungapp0.0.0.000000000
 
Error: (10/10/2014 02:45:49 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe32.0.3.5379hungapp0.0.0.000000000
 
Error: (09/21/2014 00:40:19 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: OUTLOOK.EXE11.0.5510.0hungapp0.0.0.000000000
 
Error: (09/06/2014 09:00:58 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe6.0.2900.5512hungapp0.0.0.000000000
 
 
==================== Memory info =========================== 
 
Processor: Pentium® Dual-Core CPU T4400 @ 2.20GHz
Percentage of memory in use: 27%
Total physical RAM: 1789.1 MB
Available physical RAM: 1292.44 MB
Total Pagefile: 3683.57 MB
Available Pagefile: 3374.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 1927.7 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:97.65 GB) (Free:15.94 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (Lokal Disk) (Fixed) (Total:135.22 GB) (Free:10.13 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: A6F7ACD2)
Partition 1: (Active) - (Size=97.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=135.2 GB) - (Type=OF Extended)
 
==================== End Of Log ============================
 
 
BTW What kind of malware am I facing here?
 

Edited by Marnel, 19 October 2014 - 02:21 PM.


#4 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,078 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 19 October 2014 - 02:42 PM

Hi Marnel,

 

What malware exactly this is remains to be seen, but my guess is some kind of worm perhaps.

 

Can you please post the contents of ComboFix.txt located in the root of your C drive?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 Marnel
  • Topic Starter

  • Members
  • 52 posts
  • Gender:Male
  • Location:Philippines

Posted 19 October 2014 - 02:48 PM

Combofix.txt

 

ComboFix 14-10-13.01 - admin 10/20/2014   6:07.6.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1789.1278 [GMT 8:00]
Running from: c:\documents and settings\admin\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
C:\kdqa.exe
c:\windows\dasetup.log
c:\windows\system32\oledb32.dll
D:\Autorun.inf
D:\vhfs.exe
.
---- Previous Run -------
.
c:\docume~1\admin\LOCALS~1\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\documents and settings\admin\Local Settings\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\windows\Icon_1.ico
c:\windows\system32\scrnrdr.exe
c:\windows\system32\VIRepair\vi.sif
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-19 to 2014-10-19  )))))))))))))))))))))))))))))))
.
.
2014-10-18 14:33 . 2014-10-18 14:33 -------- d-sh--w- c:\documents and settings\admin\IECompatCache
2014-10-17 18:16 . 2014-10-17 18:19 -------- d-----w- C:\Horrible Bosses (2011)
2014-10-17 18:12 . 2014-10-17 18:35 -------- d-----w- C:\Sex Tape (2014)
2014-10-17 18:05 . 2014-10-17 18:10 -------- d-----w- C:\Lucy (2014) 720p HDRip HC x264 AAC-CPG
2014-10-17 18:01 . 2014-10-17 18:05 -------- d-----w- C:\Edge of Tomorrow (2014)
2014-10-13 19:23 . 2014-10-13 19:23 -------- d-----w- c:\program files\OpenDownloaderManager
2014-10-11 19:00 . 2014-10-11 19:19 -------- d-----w- C:\SAO
2014-10-07 08:07 . 2014-10-07 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2014-09-28 08:31 . 2008-04-13 16:10 36352 ----a-w- c:\windows\system32\drivers\SET7.tmp
2014-09-25 06:53 . 2014-09-25 06:53 -------- d-----w- c:\documents and settings\admin\Application Data\LibreOffice
2014-09-25 06:47 . 2014-09-25 06:47 -------- d-----w- c:\program files\LibreOffice 4
2014-09-25 06:43 . 2014-10-02 06:55 -------- d-----w- c:\documents and settings\admin\Cisco Packet Tracer 6.0.1
2014-09-25 06:43 . 2014-09-25 06:43 -------- d-----w- c:\program files\Cisco Packet Tracer 6.0.1
2014-09-25 02:35 . 2008-04-13 16:10 36352 ----a-w- c:\windows\system32\drivers\SET8.tmp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-06 03:14 . 2014-02-20 05:27 291075 ------w- c:\windows\Setup1.exe
2014-10-06 03:14 . 2014-02-20 02:33 80131 ----a-w- c:\windows\ST6UNST.EXE
2014-09-11 21:38 . 2014-09-11 21:33 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-09-11 21:38 . 2014-09-11 21:39 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-09-10 00:18 . 2014-02-14 06:26 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-10 00:18 . 2014-02-14 06:26 699568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-07 12:28 . 2014-05-21 04:05 38400 ----a-w- c:\windows\pchealth\UploadLB\Gallery                                                             .scr
2014-09-07 12:28 . 2014-05-21 04:05 38400 ----a-w- c:\windows\pchealth\UploadLB\Lagu - Server                                                             .scr
2014-09-07 12:28 . 2014-05-21 04:05 38400 ----a-w- c:\windows\pchealth\UploadLB\Love Song                                                             .scr
2014-09-07 12:28 . 2014-05-21 04:05 38400 ----a-w- c:\windows\pchealth\UploadLB\THe Best Ungu                                                             .scr
2014-09-07 12:28 . 2014-05-21 04:05 38400 ----a-w- c:\windows\pchealth\UploadLB\Windows Vista setup                                                             .scr
2014-08-19 10:10 . 2014-08-19 09:45 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2008-04-14 04:42 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-02-20 01:13 259464 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GarenaPlus"="c:\program files\Garena Plus\GarenaMessenger.exe" [2014-09-18 9958192]
"BRS"="c:\program files\WSE_Astromenda\BRS\brs.exe" [2014-09-09 1074688]
"KakaoTalk"="c:\program files\Kakao\KakaoTalk\KakaoTalk.exe" [2014-09-05 5645512]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-24 6673752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2014-09-06 12:35 207728 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2013-01-10 14:35 25709128 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
2010-10-26 11:04 53248 ----a-w- c:\windows\system32\SiSPower.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2014-07-25 04:29 256896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Documents and Settings\\admin\\Local Settings\\Application Data\\Facebook\\Update\\FacebookUpdate.exe"=
"c:\\WINDOWS\\system32\\dumprep.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\WINDOWS\\system32\\wscript.exe"=
"c:\\WINDOWS\\system32\\at.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Documents and Settings\\admin\\Desktop\\CCE\\KillSwitch.exe"=
"c:\\WINDOWS\\system32\\IPCONFIG.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Garena Plus\\ggdllhost.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer_Service.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\RECOVERED\\1 NTFS\\CIS\\Grading29_Semestral_27.exe"=
"c:\\PROGRA~1\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Reader 11.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Kakao\\KakaoTalk\\KakaoTalk.exe"=
"c:\\PROGRA~1\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Garena Plus\\GarenaMessenger.exe"=
"c:\\Program Files\\WSE_Astromenda\\BRS\\brs.exe"=
"c:\\DOCUME~1\\admin\\LOCALS~1\\Temp\\winnuryym.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7779:TCP"= 7779:TCP:wfailpvs
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2/20/2014 9:14 AM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2/20/2014 9:14 AM 180248]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2/20/2014 9:13 AM 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/20/2014 9:14 AM 775952]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2/20/2014 9:14 AM 67824]
R2 PennyBee;PennyBee service;c:\program files\PennyBee\PennyBee.exe [8/18/2014 7:58 PM 57856]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [10/23/2013 8:15 AM 172192]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [9/12/2014 12:29 AM 5052224]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/14/2014 2:21 PM 148208]
S1 BAPIDRV;BAPIDRV;c:\windows\system32\DRIVERS\BAPIDRV.sys --> c:\windows\system32\DRIVERS\BAPIDRV.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/14/2014 2:23 PM 1691480]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/20/2014 9:14 AM 410784]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-01 06:16 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-04-19 00:18]
.
2014-06-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-57989841-1085031214-1417001333-1003Core.job
- c:\documents and settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2014-04-12 12:35]
.
2014-06-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-57989841-1085031214-1417001333-1003UA.job
- c:\documents and settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2014-04-12 12:35]
.
2014-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-09-06 13:02]
.
2014-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-09-06 13:02]
.
2014-10-19 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-09-06 01:59]
.
2014-09-07 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-09-06 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://astromenda.com/?f=1&a=ast_ir_14_36_ch&cd=2XzuyEtN2Y1L1QzutDtDzytD0FyDzy0EyCyE0A0CyC0DyC0BtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0CyEzy0ByB0CzztGyCyE0E0FtG0FtDtCtCtGtDtB0A0EtGtDtDtDtAyEyE0C0EzytA0F0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCyEyCtC0C0FtBtAtGtC0B0A0DtGyEyCyDzztGzztB0CzytGzy0B0C0CyDyC0AyCyEyD0B0E2Q&cr=233662480&ir=
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\ft4xboq3.default-1398210631046\
FF - prefs.js: browser.search.selectedEngine - Astromenda
FF - prefs.js: browser.startup.homepage - hxxp://astromenda.com/?f=1&a=ast_ir_14_36_ch&cd=2XzuyEtN2Y1L1QzutDtDzytD0FyDzy0EyCyE0A0CyC0DyC0BtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0CyEzy0ByB0CzztGyCyE0E0FtG0FtDtCtCtGtDtB0A0EtGtDtDtDtAyEyE0C0EzytA0F0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCyEyCtC0C0FtBtAtGtC0B0A0DtGyEyCyDzztGzztB0CzytGzy0B0C0CyDyC0AyCyEyD0B0E2Q&cr=233662480&ir=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
MSConfigStartUp-Avira Systray - c:\program files\Avira\My Avira\Avira.OE.Systray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-10-20 06:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-57989841-1085031214-1417001333-1003\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{54739D49-AC03-4C57-9264-C5195596B3A1}"=hex:51,66,7a,6c,4c,1d,38,12,27,9e,60,
   50,31,e2,39,09,ed,72,86,59,50,c8,f7,b5
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(784)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\PennyBee\PennyBeeW.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\rundll32.exe
c:\docume~1\admin\LOCALS~1\Temp\winnuryym.exe
c:\docume~1\admin\LOCALS~1\Temp\ueqw.exe
.
**************************************************************************
.
Completion time: 2014-10-20  06:19:01 - machine was rebooted
ComboFix-quarantined-files.txt  2014-10-19 22:18
ComboFix2.txt  2014-09-07 07:25
ComboFix3.txt  2014-09-06 11:42
.
Pre-Run: 18,532,986,880 bytes free
Post-Run: 18,283,442,176 bytes free
.
- - End Of File - - 7B260BC726876D53A75DB82287E0B6EA
8F558EB6672622401DA993E1E865C861


#6 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,078 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 20 October 2014 - 01:42 PM

Hi Marnel,
 
Running Combofix Script:

  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text below into the Notepad document
File::
C:\DOCUME~1\admin\LOCALS~1\temp\tsxb.exe
C:\DOCUME~1\admin\LOCALS~1\temp\wineukxpb.exe
C:\Documents and Settings\admin\Local Settings\temp\mjxy.exe
c:\windows\pchealth\UploadLB\Gallery                                                             .scr
c:\windows\pchealth\UploadLB\Lagu - Server                                                             .scr
c:\windows\pchealth\UploadLB\Love Song                                                             .scr
c:\windows\pchealth\UploadLB\THe Best Ungu                                                             .scr
c:\windows\pchealth\UploadLB\Windows Vista setup                                                             .scr

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\WSE_Astromenda\\BRS\\brs.exe"=-
"c:\\DOCUME~1\\admin\\LOCALS~1\\Temp\\winnuryym.exe"=-
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7779:TCP"=-
  • Save this on your desktop as CFScript.txt

CFScriptB-4.gif

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

--------------
 
Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.
 
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

After the tool has finished running, a text file named Rkill.txt should be located on the desktop. Please copy and paste the contents into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Combofix.txt
  • Rkill.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
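As an added example (not part of this thread, and not code from ComboFix or Rkill), the following Python script reads the firewall-policy section of a ComboFix log in the format shown in this thread, flags firewall exceptions that point into a Temp folder and ports opened to everyone with a non-system label, and drafts the matching Registry:: deletions in the CFScript syntax used above (a value followed by `=-` is deleted). The sample log text is constructed for the demonstration, and the Temp-folder flag and the "@resource string" test for legitimate port labels are my own heuristics, not ComboFix rules.

```python
"""Audit the Windows Firewall policy section of a ComboFix log and draft the
matching CFScript ``Registry::`` deletions (value name followed by ``=-``)."""
import re
from dataclasses import dataclass

# Key prefix exactly as ComboFix abbreviates it under "Reg Loading Points".
FW_PREFIX = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Heuristic (mine, not a ComboFix rule): an executable living under any Temp
# folder has no business holding a firewall exception.
TEMP_RE = re.compile(r"(?i)\\temp\\")

# Constructed sample in the shape ComboFix prints. The 7779:TCP entry mirrors
# the one in this thread; the Temp-folder executables and user name are made up.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\DOCUME~1\\user\\LOCALS~1\\Temp\\abcd.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Temp\\efgh.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7779:TCP"= 7779:TCP:wfailpvs
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
.
"""


@dataclass
class Finding:
    key: str     # registry key that holds the entry
    name: str    # value name exactly as printed (doubled backslashes kept for the CFScript)
    reason: str


def parse_firewall_policy(log_text):
    """Return {key: [(value_name, value_data), ...]} for the firewall policy keys."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            current = key if key.lower().startswith(FW_PREFIX.lower()) else None
            if current is not None:
                entries.setdefault(current, [])
            continue
        if line == ".":          # ComboFix closes every key block with a lone dot
            current = None
            continue
        if current is None or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries[current].append((m.group(1), m.group(2).strip()))
    return entries


def audit(entries):
    """Apply the heuristics and return the suspicious entries in log order."""
    findings = []
    for key, values in entries.items():
        sub = key[len(FW_PREFIX):].lower()
        for name, data in values:
            if sub == "" and name.lower() == "enablefirewall" and data.startswith("0"):
                findings.append(Finding(key, name, "Windows Firewall is switched off"))
            elif sub.endswith("\\authorizedapplications\\list"):
                if TEMP_RE.search(name.replace("\\\\", "\\")):
                    findings.append(Finding(key, name, "firewall exception for an executable in a Temp folder"))
            elif sub.endswith("\\globallyopenports\\list"):
                # Data is port:proto[:scope:state]:label. Windows' own entries carry a
                # resource-string label (@...dll,-N); a bare word like 'wfailpvs' is not one.
                label = data.rsplit(":", 1)[-1]
                if not label.startswith("@"):
                    findings.append(Finding(key, name, f"port opened to everyone with non-system label {label!r}"))
    return findings


def build_cfscript(findings):
    """Draft the Registry:: block; a value written as "name"=- is deleted by ComboFix."""
    by_key = {}
    for f in findings:
        if f.name.lower() == "enablefirewall":
            continue   # re-enabling the firewall is a setting change, not a deletion
        by_key.setdefault(f.key, []).append(f.name)
    if not by_key:
        return ""
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_firewall_policy(SAMPLE_LOG))
    for f in found:
        print(f"{f.reason}: {f.name}")
    print(build_cfscript(found))
```

Run against a real log, the drafted block still needs a human to confirm each entry before it goes into CFScript.txt; the script only selects candidates.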


#7 Marnel (Topic Starter)

  • Members
  • 52 posts
  • Gender:Male
  • Location:Philippines

Posted 20 October 2014 - 06:57 PM

Combofix.txt:

 

ComboFix 14-10-20.01 - admin 10/27/2014   7:23.7.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1789.1032 [GMT 8:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\docume~1\admin\LOCALS~1\temp\tsxb.exe"
"c:\docume~1\admin\LOCALS~1\temp\wineukxpb.exe"
"c:\documents and settings\admin\Local Settings\temp\mjxy.exe"
"c:\windows\pchealth\UploadLB\Gallery                                                             .scr"
"c:\windows\pchealth\UploadLB\Lagu - Server                                                             .scr"
"c:\windows\pchealth\UploadLB\Love Song                                                             .scr"
"c:\windows\pchealth\UploadLB\THe Best Ungu                                                             .scr"
"c:\windows\pchealth\UploadLB\Windows Vista setup                                                             .scr"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Autorun.inf
C:\pofq.pif
c:\windows\pchealth\UploadLB\Gallery                                                             .scr
c:\windows\pchealth\UploadLB\Lagu - Server                                                             .scr
c:\windows\pchealth\UploadLB\Love Song                                                             .scr
c:\windows\pchealth\UploadLB\THe Best Ungu                                                             .scr
c:\windows\pchealth\UploadLB\Windows Vista setup                                                             .scr
D:\Autorun.inf
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-26 to 2014-10-26  )))))))))))))))))))))))))))))))
.
.
2014-10-21 00:27 . 2014-10-21 00:27 -------- d-----w- C:\TouchDefence
2014-10-20 21:16 . 2014-10-25 06:21 -------- d-----w- c:\documents and settings\admin\Application Data\.minecraft
2014-10-18 14:33 . 2014-10-18 14:33 -------- d-sh--w- c:\documents and settings\admin\IECompatCache
2014-10-17 18:16 . 2014-10-17 18:19 -------- d-----w- C:\Horrible Bosses (2011)
2014-10-17 18:12 . 2014-10-17 18:35 -------- d-----w- C:\Sex Tape (2014)
2014-10-17 18:05 . 2014-10-17 18:10 -------- d-----w- C:\Lucy (2014) 720p HDRip HC x264 AAC-CPG
2014-10-17 18:01 . 2014-10-17 18:05 -------- d-----w- C:\Edge of Tomorrow (2014)
2014-10-13 19:23 . 2014-10-13 19:23 -------- d-----w- c:\program files\OpenDownloaderManager
2014-10-11 19:00 . 2014-10-11 19:19 -------- d-----w- C:\SAO
2014-10-07 08:07 . 2014-10-07 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-06 03:14 . 2014-02-20 05:27 291075 ------w- c:\windows\Setup1.exe
2014-10-06 03:14 . 2014-02-20 02:33 80131 ----a-w- c:\windows\ST6UNST.EXE
2014-09-11 21:38 . 2014-09-11 21:33 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-09-11 21:38 . 2014-09-11 21:39 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-09-10 00:18 . 2014-02-14 06:26 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-10 00:18 . 2014-02-14 06:26 699568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-08-19 10:10 . 2014-08-19 09:45 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2008-04-14 04:42 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-02-20 01:13 259464 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GarenaPlus"="c:\program files\Garena Plus\GarenaMessenger.exe" [2014-10-17 9960240]
"BRS"="c:\program files\WSE_Astromenda\BRS\brs.exe" [2014-09-09 1074688]
"KakaoTalk"="c:\program files\Kakao\KakaoTalk\KakaoTalk.exe" [2014-09-05 5645512]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-24 6673752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-07-25 326528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2014-09-06 12:35 207728 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2013-01-10 14:35 25709128 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
2010-10-26 11:04 53248 ----a-w- c:\windows\system32\SiSPower.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2014-07-25 04:29 326528 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Documents and Settings\\admin\\Local Settings\\Application Data\\Facebook\\Update\\FacebookUpdate.exe"=
"c:\\WINDOWS\\system32\\dumprep.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\WINDOWS\\system32\\wscript.exe"=
"c:\\WINDOWS\\system32\\at.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Documents and Settings\\admin\\Desktop\\CCE\\KillSwitch.exe"=
"c:\\WINDOWS\\system32\\IPCONFIG.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Garena Plus\\ggdllhost.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer_Service.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\RECOVERED\\1 NTFS\\CIS\\Grading29_Semestral_27.exe"=
"c:\\PROGRA~1\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Reader 11.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Kakao\\KakaoTalk\\KakaoTalk.exe"=
"c:\\PROGRA~1\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Garena Plus\\GarenaMessenger.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\DOCUME~1\\admin\\LOCALS~1\\Temp\\ljhot.exe"=
"c:\\DOCUME~1\\admin\\LOCALS~1\\Temp\\winympbs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7779:TCP"= 7779:TCP:wfailpvs
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2/20/2014 9:14 AM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2/20/2014 9:14 AM 180248]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2/20/2014 9:13 AM 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/20/2014 9:14 AM 775952]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2/20/2014 9:14 AM 67824]
R2 PennyBee;PennyBee service;c:\program files\PennyBee\PennyBee.exe [8/18/2014 7:58 PM 57856]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [9/12/2014 12:29 AM 5052224]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/14/2014 2:21 PM 148208]
S1 BAPIDRV;BAPIDRV;c:\windows\system32\DRIVERS\BAPIDRV.sys --> c:\windows\system32\DRIVERS\BAPIDRV.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [10/23/2013 8:15 AM 172192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/14/2014 2:23 PM 1691480]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/20/2014 9:14 AM 410784]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-21 15:09 1089352 ----a-w- c:\program files\Google\Chrome\Application\38.0.2125.104\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-04-19 00:18]
.
2014-06-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-57989841-1085031214-1417001333-1003Core.job
- c:\documents and settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2014-04-12 12:35]
.
2014-06-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-57989841-1085031214-1417001333-1003UA.job
- c:\documents and settings\admin\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2014-04-12 12:35]
.
2014-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-09-06 13:02]
.
2014-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-09-06 13:02]
.
2014-10-26 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-09-06 01:59]
.
2014-09-07 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-09-06 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://astromenda.com/?f=1&a=ast_ir_14_36_ch&cd=2XzuyEtN2Y1L1QzutDtDzytD0FyDzy0EyCyE0A0CyC0DyC0BtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0CyEzy0ByB0CzztGyCyE0E0FtG0FtDtCtCtGtDtB0A0EtGtDtDtDtAyEyE0C0EzytA0F0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCyEyCtC0C0FtBtAtGtC0B0A0DtGyEyCyDzztGzztB0CzytGzy0B0C0CyDyC0AyCyEyD0B0E2Q&cr=233662480&ir=
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\ft4xboq3.default-1398210631046\
FF - prefs.js: browser.startup.homepage - hxxp://astromenda.com/?f=1&a=ast_ir_14_36_ch&cd=2XzuyEtN2Y1L1QzutDtDzytD0FyDzy0EyCyE0A0CyC0DyC0BtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0CyEzy0ByB0CzztGyCyE0E0FtG0FtDtCtCtGtDtB0A0EtGtDtDtDtAyEyE0C0EzytA0F0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCyEyCtC0C0FtBtAtGtC0B0A0DtGyEyCyDzztGzztB0CzytGzy0B0C0CyDyC0AyCyEyD0B0E2Q&cr=233662480&ir=
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-10-27 07:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-57989841-1085031214-1417001333-1003\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{54739D49-AC03-4C57-9264-C5195596B3A1}"=hex:51,66,7a,6c,4c,1d,38,12,27,9e,60,
   50,31,e2,39,09,ed,72,86,59,50,c8,f7,b5
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\PennyBee\PennyBeeW.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\docume~1\admin\LOCALS~1\Temp\ljhot.exe
c:\docume~1\admin\LOCALS~1\Temp\winympbs.exe
.
**************************************************************************
.
Completion time: 2014-10-27  07:40:49 - machine was rebooted
ComboFix-quarantined-files.txt  2014-10-26 23:40
ComboFix2.txt  2014-09-07 07:25
ComboFix3.txt  2014-09-06 11:42
.
Pre-Run: 16,813,363,200 bytes free
Post-Run: 16,829,476,864 bytes free
.
- - End Of File - - A743B94ECD26B391B1558F7C18298654
8F558EB6672622401DA993E1E865C861
 
 
Rkill.txt:
 
Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/27/2014 07:51:08 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\WINDOWS\system32\agrsmsvc.exe (PID: 1844) [WD-HEUR]
 * C:\WINDOWS\system32\inetsrv\inetinfo.exe (PID: 620) [WD-HEUR]
 * C:\DOCUME~1\admin\LOCALS~1\Temp\ljhot.exe (PID: 3452) [SUP-HEUR]
 * C:\DOCUME~1\admin\LOCALS~1\Temp\ljhot.exe (PID: 3452) [T-HEUR]
 * C:\DOCUME~1\admin\LOCALS~1\Temp\winympbs.exe (PID: 1808) [SUP-HEUR]
 
5 proccesses terminated!
 
Possibly Patched Files.
 
 * C:\WINDOWS\system32\lsass.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Firewall Disabled
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 
 * Reparse Point/Junctions Found (Most likely legitimate)!
 
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
 
Checking Windows Service Integrity: 
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Disabled
 
 * WmdmPmSN [Missing ImagePath]
 
Searching for Missing Digital Signatures: 
 
 * C:\WINDOWS\System32\appmgmts.dll : 167,936 : 04/14/2008 12:41 AM : d8849f77c0b66226335a59d26cb4edc6 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\appmgmts.dll : 167,936 : 04/14/2008 12:41 AM : d8849f77c0b66226335a59d26cb4edc6 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\appmgmts.dll : 167,936 : 04/14/2008 12:41 AM : d8849f77c0b66226335a59d26cb4edc6 [Pos Repl]
 
 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/14/2008 12:42 AM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\clipsrv.exe : 33,280 : 04/14/2008 12:42 AM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]
 
 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/14/2008 12:41 AM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\erdnt\cache\comres.dll : 792,064 : 04/14/2008 12:41 AM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\comres.dll : 792,064 : 04/14/2008 12:41 AM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]
 
 * C:\WINDOWS\System32\cryptsvc.dll : 62,464 : 04/14/2008 12:41 AM : 3d4e199942e29207970e04315d02ad3b [NoSig]
 +-> C:\WINDOWS\erdnt\cache\cryptsvc.dll : 62,464 : 04/14/2008 12:41 AM : 3d4e199942e29207970e04315d02ad3b [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\cryptsvc.dll : 62,464 : 04/14/2008 12:41 AM : 3d4e199942e29207970e04315d02ad3b [Pos Repl]
 
 * C:\WINDOWS\System32\csrss.exe : 6,144 : 04/14/2008 12:42 AM : 44f275c64738ea2056e3d9580c23b60f [NoSig]
 +-> C:\WINDOWS\system32\dllcache\csrss.exe : 6,144 : 04/14/2008 12:42 AM : 44f275c64738ea2056e3d9580c23b60f [Pos Repl]
 
 * C:\WINDOWS\System32\ctfmon.exe : 15,360 : 04/14/2008 12:42 AM : 5f1d5f88303d4a4dbc8e5f97ba967cc3 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\ctfmon.exe : 15,360 : 04/14/2008 12:42 AM : 5f1d5f88303d4a4dbc8e5f97ba967cc3 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\ctfmon.exe : 15,360 : 04/14/2008 12:42 AM : 5f1d5f88303d4a4dbc8e5f97ba967cc3 [Pos Repl]
 
 * C:\WINDOWS\System32\d3d8.dll : 1,179,648 : 04/14/2008 12:41 AM : f099b129022170f2df9e1c0185c9bcfb [NoSig]
 +-> C:\WINDOWS\system32\dllcache\d3d8.dll : 1,179,648 : 04/14/2008 12:41 AM : f099b129022170f2df9e1c0185c9bcfb [Pos Repl]
 
 * C:\WINDOWS\System32\d3d8thk.dll : 8,192 : 04/14/2008 12:41 AM : 31b067c412fa1a9bad3ca2a63d7da440 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\d3d8thk.dll : 8,192 : 04/14/2008 12:41 AM : 31b067c412fa1a9bad3ca2a63d7da440 [Pos Repl]
 
 * C:\WINDOWS\System32\d3d9.dll : 1,689,088 : 04/14/2008 12:41 AM : 0607cbc6fa20114cb491efe4b2f9efad [NoSig]
 +-> C:\WINDOWS\erdnt\cache\d3d9.dll : 1,689,088 : 04/14/2008 12:41 AM : 0607cbc6fa20114cb491efe4b2f9efad [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\d3d9.dll : 1,689,088 : 04/14/2008 12:41 AM : 0607cbc6fa20114cb491efe4b2f9efad [Pos Repl]
 
 * C:\WINDOWS\System32\ddraw.dll : 279,552 : 04/14/2008 12:41 AM : a340cd71eb535a3dd751b5f28723e50c [NoSig]
 +-> C:\WINDOWS\erdnt\cache\ddraw.dll : 279,552 : 04/14/2008 12:41 AM : a340cd71eb535a3dd751b5f28723e50c [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\ddraw.dll : 279,552 : 04/14/2008 12:41 AM : a340cd71eb535a3dd751b5f28723e50c [Pos Repl]
 
 * C:\WINDOWS\System32\dllhost.exe : 5,120 : 04/14/2008 12:42 AM : 0a9ba6af531afe7fa5e4fb973852d863 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\dllhost.exe : 5,120 : 04/14/2008 12:42 AM : 0a9ba6af531afe7fa5e4fb973852d863 [Pos Repl]
 
 * C:\WINDOWS\System32\dsound.dll : 367,616 : 04/14/2008 12:41 AM : 4d83ed8bddec431fc8ad907b47cfb6e3 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\dsound.dll : 367,616 : 04/14/2008 12:41 AM : 4d83ed8bddec431fc8ad907b47cfb6e3 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\dsound.dll : 367,616 : 04/14/2008 12:41 AM : 4d83ed8bddec431fc8ad907b47cfb6e3 [Pos Repl]
 
 * C:\WINDOWS\System32\dssenh.dll : 138,752 : 04/14/2008 06:07 AM : fede68bf80052bad393afd5c2e60dcb0 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\dssenh.dll : 138,752 : 04/14/2008 06:07 AM : fede68bf80052bad393afd5c2e60dcb0 [Pos Repl]
 
 * C:\WINDOWS\System32\eventlog.dll : 56,320 : 04/14/2008 12:41 AM : 6d4feb43ee538fc5428cc7f0565aa656 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\eventlog.dll : 56,320 : 04/14/2008 12:41 AM : 6d4feb43ee538fc5428cc7f0565aa656 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\eventlog.dll : 56,320 : 04/14/2008 12:41 AM : 6d4feb43ee538fc5428cc7f0565aa656 [Pos Repl]
 
 * C:\WINDOWS\System32\hid.dll : 20,992 : 04/14/2008 12:51 AM : 8973122796e3b5d6b5900fc186e55fea [NoSig]
 
 * C:\WINDOWS\System32\hnetcfg.dll : 344,064 : 04/14/2008 12:41 AM : 3cb32d3b8cbe79899d63280bb7a83cd9 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\hnetcfg.dll : 344,064 : 04/14/2008 12:41 AM : 3cb32d3b8cbe79899d63280bb7a83cd9 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\hnetcfg.dll : 344,064 : 04/14/2008 12:41 AM : 3cb32d3b8cbe79899d63280bb7a83cd9 [Pos Repl]
 
 * C:\WINDOWS\System32\imm32.dll : 110,080 : 04/14/2008 12:41 AM : 0da85218e92526972a821587e6a8bf8f [NoSig]
 +-> C:\WINDOWS\erdnt\cache\imm32.dll : 110,080 : 04/14/2008 12:41 AM : 0da85218e92526972a821587e6a8bf8f [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\imm32.dll : 110,080 : 04/14/2008 12:41 AM : 0da85218e92526972a821587e6a8bf8f [Pos Repl]
 
 * C:\WINDOWS\System32\ipsecsvc.dll : 183,808 : 04/14/2008 12:41 AM : 332760fba1655fcfd35bd6f4fd871300 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\ipsecsvc.dll : 183,808 : 04/14/2008 12:41 AM : 332760fba1655fcfd35bd6f4fd871300 [Pos Repl]
 
 * C:\WINDOWS\System32\ksuser.dll : 4,096 : 04/14/2008 05:41 AM : 9b9f1c38d559047b8ac0dba2d5febde9 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\ksuser.dll : 4,096 : 04/14/2008 05:41 AM : 9b9f1c38d559047b8ac0dba2d5febde9 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\ksuser.dll : 4,096 : 04/14/2008 05:41 AM : 9b9f1c38d559047b8ac0dba2d5febde9 [Pos Repl]
 
 * C:\WINDOWS\System32\linkinfo.dll : 19,968 : 04/14/2008 12:41 AM : 2dc5a8019e2387987905f77c664e4be2 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\linkinfo.dll : 19,968 : 04/14/2008 12:41 AM : 2dc5a8019e2387987905f77c664e4be2 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\linkinfo.dll : 19,968 : 04/14/2008 12:41 AM : 2dc5a8019e2387987905f77c664e4be2 [Pos Repl]
 
 * C:\WINDOWS\System32\lpk.dll : 22,016 : 04/14/2008 12:41 AM : 012df358cebaa23acb26d82077820817 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\lpk.dll : 22,016 : 04/14/2008 12:41 AM : 012df358cebaa23acb26d82077820817 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\lpk.dll : 22,016 : 04/14/2008 12:41 AM : 012df358cebaa23acb26d82077820817 [Pos Repl]
 
 * C:\WINDOWS\System32\lsass.exe : 13,312 : 04/14/2008 12:42 AM : bf2466b3e18e970d8a976fb95fc1ca85 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\lsass.exe : 13,312 : 04/14/2008 12:42 AM : bf2466b3e18e970d8a976fb95fc1ca85 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\lsass.exe : 13,312 : 04/14/2008 12:42 AM : bf2466b3e18e970d8a976fb95fc1ca85 [Pos Repl]
 
 * C:\WINDOWS\System32\midimap.dll : 18,944 : 04/14/2008 12:41 AM : 5c12660a97822f6e61576943b49aaad6 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\midimap.dll : 18,944 : 04/14/2008 12:41 AM : 5c12660a97822f6e61576943b49aaad6 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\midimap.dll : 18,944 : 04/14/2008 12:41 AM : 5c12660a97822f6e61576943b49aaad6 [Pos Repl]
 
 * C:\WINDOWS\System32\msgsvc.dll : 33,792 : 04/14/2008 12:42 AM : 986b1ff5814366d71e0ac5755c88f2d3 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\msgsvc.dll : 33,792 : 04/14/2008 12:42 AM : 986b1ff5814366d71e0ac5755c88f2d3 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\msgsvc.dll : 33,792 : 04/14/2008 12:42 AM : 986b1ff5814366d71e0ac5755c88f2d3 [Pos Repl]
 
 * C:\WINDOWS\System32\msimg32.dll : 4,608 : 04/14/2008 12:42 AM : affc87e2501fce8f09d4c10ba6421ccf [NoSig]
 +-> C:\WINDOWS\erdnt\cache\msimg32.dll : 4,608 : 04/14/2008 12:42 AM : affc87e2501fce8f09d4c10ba6421ccf [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\msimg32.dll : 4,608 : 04/14/2008 12:42 AM : affc87e2501fce8f09d4c10ba6421ccf [Pos Repl]
 
 * C:\WINDOWS\System32\mspmsnsv.dll : 52,224 : 04/14/2008 12:42 AM : c7e39ea41233e9f5b86c8da3a9f1e4a8 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\mspmsnsv.dll : 52,224 : 04/14/2008 12:42 AM : c7e39ea41233e9f5b86c8da3a9f1e4a8 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\mspmsnsv.dll : 52,224 : 04/14/2008 12:42 AM : c7e39ea41233e9f5b86c8da3a9f1e4a8 [Pos Repl]
 
 * C:\WINDOWS\System32\msprivs.dll : 48,128 : 04/14/2008 04:53 AM : c6bb1d1500db4a0e224cb65e6c7e8a80 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\msprivs.dll : 48,128 : 04/14/2008 04:53 AM : c6bb1d1500db4a0e224cb65e6c7e8a80 [Pos Repl]
 
 * C:\WINDOWS\System32\msvcrt.dll : 343,040 : 04/14/2008 12:42 AM : 355edbb4d412b01f1740c17e3f50fa00 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\msvcrt.dll : 343,040 : 04/14/2008 12:42 AM : 355edbb4d412b01f1740c17e3f50fa00 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\msvcrt.dll : 343,040 : 04/14/2008 12:42 AM : 355edbb4d412b01f1740c17e3f50fa00 [Pos Repl]
 +-> C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\webplr08\msvcrt.dll : 135,680 : 01/22/2010 06:01 PM : a84795930bd7212ffddf342cb99a451d [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll : 322,560 : 08/04/2004 08:00 PM : 4200be3808f6406dbe45a7b88dae5035 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll : 343,040 : 04/14/2008 12:42 AM : d7075e95aa599ee77b7a89d39296bd3d [Pos Repl]
 
 * C:\WINDOWS\System32\netlogon.dll : 407,040 : 04/14/2008 12:42 AM : 1b7f071c51b77c272875c3a23e1e4550 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\netlogon.dll : 407,040 : 04/14/2008 12:42 AM : 1b7f071c51b77c272875c3a23e1e4550 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\netlogon.dll : 407,040 : 04/14/2008 12:42 AM : 1b7f071c51b77c272875c3a23e1e4550 [Pos Repl]
 
 * C:\WINDOWS\System32\netman.dll : 198,144 : 04/14/2008 12:42 AM : 13e67b55b3abd7bf3fe7aae5a0f9a9de [NoSig]
 +-> C:\WINDOWS\erdnt\cache\netman.dll : 198,144 : 04/14/2008 12:42 AM : 13e67b55b3abd7bf3fe7aae5a0f9a9de [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\netman.dll : 198,144 : 04/14/2008 12:42 AM : 13e67b55b3abd7bf3fe7aae5a0f9a9de [Pos Repl]
 
 * C:\WINDOWS\System32\ntmssvc.dll : 435,200 : 04/14/2008 12:42 AM : 156f64a3345bd23c600655fb4d10bc08 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\ntmssvc.dll : 435,200 : 04/14/2008 12:42 AM : 156f64a3345bd23c600655fb4d10bc08 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\ntmssvc.dll : 435,200 : 04/14/2008 12:42 AM : 156f64a3345bd23c600655fb4d10bc08 [Pos Repl]
 
 * C:\WINDOWS\System32\olepro32.dll : 84,992 : 04/14/2008 12:42 AM : 5652f6ce1d9e9d8068b9d29bc21b5409 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\olepro32.dll : 84,992 : 04/14/2008 12:42 AM : 5652f6ce1d9e9d8068b9d29bc21b5409 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\olepro32.dll : 84,992 : 04/14/2008 12:42 AM : 5652f6ce1d9e9d8068b9d29bc21b5409 [Pos Repl]
 
 * C:\WINDOWS\System32\perfctrs.dll : 39,936 : 04/14/2008 12:42 AM : dbe2b62353660ecca0d75ea307a717e9 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\perfctrs.dll : 39,936 : 04/14/2008 12:42 AM : dbe2b62353660ecca0d75ea307a717e9 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\perfctrs.dll : 39,936 : 04/14/2008 12:42 AM : dbe2b62353660ecca0d75ea307a717e9 [Pos Repl]
 
 * C:\WINDOWS\System32\powrprof.dll : 17,408 : 04/14/2008 12:42 AM : 50a166237a0fa771261275a405646cc0 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\powrprof.dll : 17,408 : 04/14/2008 12:42 AM : 50a166237a0fa771261275a405646cc0 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\powrprof.dll : 17,408 : 04/14/2008 12:42 AM : 50a166237a0fa771261275a405646cc0 [Pos Repl]
 
 * C:\WINDOWS\System32\psbase.dll : 96,768 : 04/14/2008 12:42 AM : 22d89d84e8e081cda529dbf8c0255a38 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\psbase.dll : 96,768 : 04/14/2008 12:42 AM : 22d89d84e8e081cda529dbf8c0255a38 [Pos Repl]
 
 * C:\WINDOWS\System32\pstorsvc.dll : 34,304 : 04/14/2008 12:42 AM : 853d0d0c6f02d7bfdf1cf99dd7553732 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\pstorsvc.dll : 34,304 : 04/14/2008 12:42 AM : 853d0d0c6f02d7bfdf1cf99dd7553732 [Pos Repl]
 
 * C:\WINDOWS\System32\qmgr.dll : 409,088 : 04/14/2008 12:42 AM : 574738f61fca2935f5265dc4e5691314 [NoSig]
 +-> C:\WINDOWS\erdnt\cache\qmgr.dll : 409,088 : 04/14/2008 12:42 AM : 574738f61fca2935f5265dc4e5691314 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\qmgr.dll : 409,088 : 04/14/2008 12:42 AM : 574738f61fca2935f5265dc4e5691314 [Pos Repl]
 
 +-> C:\WINDOWS\system32\dllcache\usbccgp.sys : 32,384 : 08/09/2013 08:55 AM : 1b611611c28d2df25bc057d79c6f13fc [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\usbd.sys : 4,736 : 08/04/2004 08:00 PM : 596eb39b50d6ebd9b734dc4ae0544693 [NoSig]
 +-> C:\WINDOWS\Driver Cache\i386\usbd.sys : 5,376 : 08/09/2013 08:55 AM : 04fe5ef6ed4818ec4839ea5c611a6310 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\usbd.sys : 5,376 : 08/09/2013 08:55 AM : 04fe5ef6ed4818ec4839ea5c611a6310 [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\usbhub.sys : 59,520 : 04/14/2008 07:15 AM : 1ab3cdde553b6e064d2e754efe20285c [NoSig]
 
 * C:\WINDOWS\System32\drivers\usbintel.sys : 15,872 : 04/14/2008 12:51 AM : 290913dc4f1125e5a82de52579a44c43 [NoSig]
 
 * C:\WINDOWS\System32\drivers\usbport.sys : 143,872 : 04/14/2008 07:15 AM : 791912e524cc2cc6f50b5f2b52d1eb71 [NoSig]
 +-> C:\WINDOWS\Driver Cache\i386\usbport.sys : 144,128 : 08/09/2013 08:55 AM : 6df35ca139c3bc15cc74390abb114efe [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\usbport.sys : 144,128 : 08/09/2013 08:55 AM : 6df35ca139c3bc15cc74390abb114efe [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\USBSTOR.sys : 26,368 : 04/14/2008 00:15 AM : a32426d9b14a089eaa1d922e0c5801a9 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\usbstor.sys : 26,368 : 04/14/2008 00:15 AM : a32426d9b14a089eaa1d922e0c5801a9 [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\vga.sys : 20,992 : 04/14/2008 07:14 AM : 0d3a8fafceacd8b7625cd549757a7df1 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\vga.sys : 20,992 : 04/14/2008 07:14 AM : 0d3a8fafceacd8b7625cd549757a7df1 [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\videoprt.sys : 81,664 : 04/14/2008 07:14 AM : e28726b72c46821a28830e077d39a55b [NoSig]
 +-> C:\WINDOWS\system32\dllcache\videoprt.sys : 81,664 : 04/14/2008 07:14 AM : e28726b72c46821a28830e077d39a55b [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\volsnap.sys : 52,352 : 04/14/2008 07:11 AM : 4c8fcb5cc53aab716d810740fe59d025 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\volsnap.sys : 52,352 : 04/14/2008 07:11 AM : 4c8fcb5cc53aab716d810740fe59d025 [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\wanarp.sys : 34,560 : 04/14/2008 07:27 AM : e20b95baedb550f32dd489265c1da1f6 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\wanarp.sys : 34,560 : 04/14/2008 07:27 AM : e20b95baedb550f32dd489265c1da1f6 [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\wdmaud.sys : 83,072 : 04/14/2008 00:47 AM : 6768acf64b18196494413695f0c3a00f [NoSig]
 +-> C:\WINDOWS\system32\dllcache\wdmaud.sys : 83,072 : 04/14/2008 00:47 AM : 6768acf64b18196494413695f0c3a00f [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\wmilib.sys : 4,352 : 08/04/2004 08:00 PM : 2f31b7f954bed437f2c75026c65caf7b [NoSig]
 +-> C:\WINDOWS\system32\dllcache\wmilib.sys : 4,352 : 08/04/2004 08:00 PM : 2f31b7f954bed437f2c75026c65caf7b [Pos Repl]
 
 * C:\WINDOWS\System32\drivers\ws2ifsl.sys : 12,032 : 08/04/2004 08:00 PM : 6abe6e225adb5a751622a9cc3bc19ce8 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\ws2ifsl.sys : 12,032 : 08/04/2004 08:00 PM : 6abe6e225adb5a751622a9cc3bc19ce8 [Pos Repl]
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 10/27/2014 07:54:19 AM
Execution time: 0 hours(s), 3 minute(s), and 11 seconds(s)
 


#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:02 PM

Posted 21 October 2014 - 10:26 AM

Running ComboFix Script:

  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text below into the Notepad document
File::
c:\docume~1\admin\LOCALS~1\Temp\winnuryym.exe
c:\docume~1\admin\LOCALS~1\Temp\ueqw.exe
c:\docume~1\admin\LOCALS~1\Temp\ljhot.exe
c:\docume~1\admin\LOCALS~1\Temp\winympbs.exe


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\DOCUME~1\\admin\\LOCALS~1\\Temp\\ljhot.exe"=-
"c:\\DOCUME~1\\admin\\LOCALS~1\\Temp\\winympbs.exe"=-
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7779:TCP"=-
  • Save this on your desktop as CFScript.txt

[picture: CFScriptB-4.gif]

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

--------------
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • ComboFix.txt
  • New FRST.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
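The CFScript above removes two firewall exceptions for executables in the user's Temp directory and one globally open port. The following is an added example in Python, not from the thread and not part of ComboFix: it audits a .reg export of those two XP firewall policy keys, flagging every enabled exception whose executable lives under a Temp directory and every enabled globally open port not on an expected list. The .reg text, the example.exe entry and the Remote Desktop entry are constructed; the ljhot.exe path and port 7779 are the values from the script, and the function and parameter names are assumptions.

```python
import re

# Constructed sample .reg export (hypothetical values, not the poster's machine)
# of the two XP firewall keys the CFScript edits. Each application exception is
# a REG_SZ "<path>:<scope>:<Enabled|Disabled>:<display name>"; each open port
# is "<port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<display name>".
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Example\\example.exe"="C:\\Program Files\\Example\\example.exe:*:Enabled:Example App"
"C:\\DOCUME~1\\admin\\LOCALS~1\\Temp\\ljhot.exe"="C:\\DOCUME~1\\admin\\LOCALS~1\\Temp\\ljhot.exe:*:Enabled:ljhot"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"7779:TCP"="7779:TCP:*:Enabled:7779"
'''

# Non-greedy path so the "C:" drive colon does not end the path field.
APP_RE = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')
PORT_RE = re.compile(r'^(?P<port>\d+):(?P<proto>TCP|UDP):[^:]*:(?P<state>Enabled|Disabled):')
VALUE_RE = re.compile(r'^"(?P<name>.*)"="(?P<data>.*)"$')
TEMP_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)  # ...\Temp\... or ...\tmp\...


def audit_firewall_policy(reg_text, expected_ports=frozenset()):
    """Return enabled exceptions pointing into a Temp directory, all enabled
    globally open ports, and those ports not listed in expected_ports."""
    findings = {"temp_apps": [], "open_ports": [], "unexpected_ports": []}
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # key header: decide which list we are in
            section = "apps" if "AuthorizedApplications" in line else (
                "ports" if "GloballyOpenPorts" in line else None)
            continue
        m = VALUE_RE.match(line)
        if not m or section is None:
            continue
        data = m.group("data").replace("\\\\", "\\")  # undo .reg backslash escaping
        if section == "apps":
            app = APP_RE.match(data)
            if app and app.group("state") == "Enabled" and TEMP_RE.search(app.group("path")):
                findings["temp_apps"].append(app.group("path"))
        else:
            port = PORT_RE.match(data)
            if port and port.group("state") == "Enabled":
                entry = (int(port.group("port")), port.group("proto"))
                findings["open_ports"].append(entry)
                if entry not in expected_ports:
                    findings["unexpected_ports"].append(entry)
    return findings


if __name__ == "__main__":
    print(audit_firewall_policy(SAMPLE_REG, expected_ports={(3389, "TCP")}))
```

On a live machine the same two keys can be exported with `reg export` and fed to the function; a legitimate program rarely needs a firewall exception for an executable in Temp, so each hit deserves a look.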


#9 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:02 PM

Posted 25 October 2014 - 02:22 PM

Hi Marnel,
 
This is a 3-day bump:
 
It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48 hours you have not replied to this thread then it will have to be closed.

xXToffeeXx~




#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:02 PM

Posted 29 October 2014 - 04:02 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





