hi

yesterday after seeing a C++ compiler installed on a location where it should not be, i did a full scan on my system with nod32.

Nod 32 found:


C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\10\2db2554a-465fab38 Java/Agent.DW

C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\34\27cc5822-684aa012 variation of Java/Agent.DW

C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\41\76f3af69-56e3630d variation of Java/Agent.DW

As nod 32 did not remove it itself, What i did is remove the Cache directory and all it's content.
but I would like to know if there is not something else left that nod 32 has not seen or maybe a rootkit installed.

Here is the DDS log, after looking at this log I found 2 items that looks suspicious:

S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]

S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [2011-11-20 416640]

I found this site that suggest that FR.exe is a trojan.
http://www.auditmypc.com/fr.asp

I have not done anything yet to remove this 2 files.

I have also run Gmer to look for a rootkit, but nothing looks suspicious to me in this log.

thanks for your help !!
bye
philippe

DDS log & Gmer logs bellow:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by HP_Administrateur at 20:31:16 on 2011-11-21
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.204 [GMT 1:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
c:\progra~1\modsec~1\modsec~1.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Serveur Media\twonkymediaserverwatchdog.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Serveur Media\TwonkyMediaServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
C:\Program Files\Serveur Media\twonkymediaserverconfig.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fr/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Google Update] "c:\documents and settings\hp_administrateur\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [LaCie Ethernet Agent Startup] "c:\program files\lacie\network assistant\LaCie Network Assistant.exe" silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.ini"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\fichie~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\menudm~1\progra~1\dmarra~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\adobeg~1.lnk - c:\program files\fichiers communs\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\agents~1.lnk - c:\program files\serveur media\twonkymediaserverconfig.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photoweb.fr/telechargement/telechargement-photoweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{1CEDAE29-FA41-4AE6-BD3D-D3CBBA6A701C} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{8DB0263C-FA1D-4003-B095-14543902067D} : DhcpNameServer = 89.2.0.1 89.2.0.2
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 85.17.174.182 voyagesinterieurs.com www.voyagesinterieurs.com (http://www.voyagesinterieurs.com)
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\hp_administrateur\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPBeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - plugin: c:\program files\videoegg\loader\2663\npvideoegg-loader.dll
FF - Ext: Cooliris: http://forums.spybot.info/misc.php?do=email_dev&email=cGljbGVuc0Bjb29saXJpcy5jb20= - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: http://forums.spybot.info/misc.php?do=email_dev&email=ZmlyZWJ1Z0Bzb2Z0d2FyZS5qb2VoZXdpdHQuY29t - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: http://forums.spybot.info/misc.php?do=email_dev&email=Y29udGFjdEBwZXRpdHNjYWlsbG91eC5jb20= - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: http://forums.spybot.info/misc.php?do=email_dev&email=anFzQHN1bi5jb20= - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-3-14 8576]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 modsecurity-console;modsecurity-console;c:\progra~1\modsec~1\modsec~1.exe [2008-1-1 138752]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 Serveur Média;Serveur Média;c:\program files\serveur media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\serveur media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-11-15 102912]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [2011-11-20 416640]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2006-12-2 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [2009-7-13 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
.
=============== Created Last 30 ================
.
2011-11-21 17:35:01 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a0d185ae-c8dc-4681-bc8e-34476ddce69b}\offreg.dll
2011-11-20 08:18:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-18 06:53:15 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a0d185ae-c8dc-4681-bc8e-34476ddce69b}\mpengine.dll
2011-11-15 21:15:04 -------- d-----w- c:\documents and settings\hp_administrateur\local settings\application data\LaCie
2011-11-15 21:12:41 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12:11 -------- d-----w- c:\program files\LaCie
.
==================== Find3M ====================
.
2011-10-10 14:23:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 04:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15:50 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06:46 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41:40 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:40 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10:01 1859072 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 20:32:55,20 ===============




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-21 21:59:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.10.0
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\axlcafod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Elkbd.sys (Intel Corporation)

---- EOF - GMER 1.0.15 ----

hi superb1000,

We will get a download to use, its called combofix. There is a guide to read first, read through the guide then apply the directions on your own machine. Post the combofix log in your reply.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

hi shelf life

thanks for helping me... here is the log of combofix run.

Combofix saw that this is a french OS, and generated a french speaking report, if you need help for some translations do ask.


bye
philippe

ComboFix 11-11-23.01 - HP_Administrateur 23/11/2011 21:47:14.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.458 [GMT 1:00]
Lancé depuis: c:\data\security\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrateur\WINDOWS
c:\documents and settings\All Users\Application Data\VideoEgg
c:\documents and settings\All Users\Application Data\VideoEgg\user.dat
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\eMule_Secure\WINDOWS
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\avcodec.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\crashRpt.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\dataCollection.tmp
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\FLVEncoder.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\lame_enc.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\LevelMeter.ax
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\libcurlve.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\libpng.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\npvideoegg-publisher.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\remoteblacklist
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\report.log
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\aol_watermark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\audio_combo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\audio_source.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\big_gray_logo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\big_logo_cropped.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\blank_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_up.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorder_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorder_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorders_title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_left.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_left_curve.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_right.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_top_right.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_bottom_left.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_horiz.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_vertical.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropzone.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_fast_forward.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_stop.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_instructions.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\eraser.CUR
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\eraser_cursor.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\file_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\file_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\help.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorders.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_ff.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_file_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_file_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_phone_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_phone_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_stop.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcams.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\loading.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\loading_movie.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\locating.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_bottom.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_middle.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_top.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_slide_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\movie_placeholder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fast_forward.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fast_forward_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fill.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind_to_start.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\playhead.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\powered_by.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\progress.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_up.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\restart.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\restart_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_over_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\tab_slide_deselected.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\tape_control.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_camcorder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_camcorder_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_file.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_file_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_phone.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_phone_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_webcam.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_webcam_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_from.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_fill.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_high.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_low.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_medium.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_thumbnail.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_gray.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_green.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_high.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_low.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_orange.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_red.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\waiting_for_email.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcam_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcam_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcams_title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\messages\messages.en-US.bundle
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\VideoEgg_FLVWriter.ax
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\zlib.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\publisher.ver
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\2663\libcurlve.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\2663\updater.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\updater.ver
c:\documents and settings\HP_Administrateur\WINDOWS
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
G:\install.exe
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-10-23 au 2011-11-23 ))))))))))))))))))))))))))))))))))))
.
.
2011-11-21 19:29 . 2011-11-21 19:29 -------- d-----w- c:\program files\ERUNT
2011-11-20 08:18 . 2011-10-03 01:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-15 21:15 . 2011-11-15 21:15 -------- d-----w- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\LaCie
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\LaCie
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:23 . 2004-08-10 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2007-03-31 07:27 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-03 04:06 . 2011-06-08 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15 . 2011-09-28 15:15 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06 . 2004-08-10 11:00 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41 . 2007-10-09 11:03 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2004-08-10 04:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2004-08-10 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10 . 2004-08-10 11:00 1859072 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-11-15 313856]
"LaCie Ethernet Agent Startup"="c:\program files\LaCie\Network Assistant\LaCie Network Assistant.exe" [2011-08-26 9803264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-22 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7622656]
"nwiz"="nwiz.exe" [2006-06-21 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 128000]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregFre\Ereg.exe" [2003-07-07 729088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\eMule_Secure\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
c:\documents and settings\HP_Administrateur\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Adobe Gamma Loader.exe.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-2 113664]
Agent Serveur Média.lnk - c:\program files\Serveur Media\twonkymediaserverconfig.exe [2010-12-14 603736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2001-6-28 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
c:\documents and settings\Default User\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserverwatchdog.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Gestion à distance de Windows
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [21/12/2010 14:04 115008]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [14/03/2008 22:47 8576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/01/2011 15:41 810144]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]
R2 Serveur Média;Serveur Média;c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S2 modsecurity-console;modsecurity-console;c:\progra~1\modsec~1\modsec~1.exe [01/01/2008 15:29 138752]
S3 FR;FR;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe [?]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [02/12/2006 08:56 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [13/07/2009 17:20 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/08/2004 12:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contenu du dossier 'Tâches planifiées'
.
2011-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007Core.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007UA.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
FF - ProfilePath - c:\documents and settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: contact@petitscailloux.com - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHELINS SUPPRIMES - - - -
.
HKLM-Run-PCDrProfiler - (no file)
AddRemove-CloneDVD - c:\program files\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe
AddRemove-FileZilla - c:\program files\FileZilla\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-23 22:09
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
Heure de fin: 2011-11-23 22:14:43
ComboFix-quarantined-files.txt 2011-11-23 21:14
.
Avant-CF: 10*745*180*160 octets libres
Après-CF: 18*706*194*432 octets libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C4510EA29F04B1B1067FF1309886B6D4

Ok thanks for the log. To help show all files you can do this:

For XP: on the desktop double click my computer,at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok.

Next take a look here:
c:\docume~1\hp_adm~1\locals~1\temp

C:\documents and settings\HP admin\local settings\Temp
Delete everything you can from the Temp directory.

Next download and run malwarebytes;

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

NOTE: The free version must be updated manually and a scan started manually

hi shelf life,

thanks for the analysis.

Except from this,
>c:\docume~1\hp_adm~1\locals~1\temp
>C:\documents and settings\HP admin\local settings\Temp

did you saw something suspicious in the log ?

I will do Malwarebytes scan tonight. Is Malwarebytes complementeray to Nod32 ? and should I get the Pro version ?

Also I did run into malware problems on an external multimedia HDD a couple of months ago, I did ask support to Nod32 and to the EXternal drive company but did not get anywere. I ended up reformating & upgrading the firmware of the external multimedia HDD. (It was like if the malware had infetced the operating system of the external multimedia HHD).

But when I got this trojan problems on my main computer recently I also got a warning from NOD32 about the old malware on the Exeternal HDD.

Should I post here the initial issues I had with the external multimedia HDD ?
Should I do a DDS scan on this drive as well ?

Also I have a laptop running Windows 7, I did a full scan search with Nod32 and It did not found anything, can I use DDS to do a scan on this as well ? or another utility that is windows7 compatible ?

Last entry: My wife has a Mac Ipad, should I have a look there, if yes with what utility ?


bye
philippe

malwarebytes will be ok with NOD32. The pro version of offers a real time protection component that runs in the background. Its worth the money.
Log looks ok other than the processes running out of a temp directory.

If the external drive is connected then combofix would have scanned it. It looks like two drives (other than C) were connected at the time it ran:
D:\Autorun.inf
G:\install.exe
DDS will run on W7, you can post a log.

Any malware on a Ipad will not run on the Windows OS and Windows malware will not run on a Ipad. They are two completly different operating systems.

hi shelf life,

here is the log of malwarebytes:

Database version: 8234

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/11/2011 06:40:32
mbam-log-2011-11-25 (06-40-32).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 771266
Time elapsed: 7 hour(s), 1 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\VideoEgg.ActiveXLoader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/Publisher,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/Updater,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\VideoEgg\Loader\2663\npvideoegg-loader.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.

hi shelf life,

Before running malwarebytes I did as you suggested, removed everything in:

>C:\documents and settings\HP admin\local settings\Temp

However I was not able to remove 2 files that where used by another application (I don't know wich one).
and also to my surprise I did not find the very suspicious RNZF.exe & FR.exe....

Did Combofix removed then when I run it ? if not can they still be hidden somewhere else.


>If the external drive is connected then combofix would have scanned it. It >looks like two drives (other than C) were connected at the time it ran:

Now that things looks ok on the main PC, Whould it be a good idea to re-run combofix with the external multimedia drive connected to the PC ?

bye
philippe

hi,

Those files in the temp may not exsist and have aleady been removed:
try this script like you did before:



Driver:
FR
RNZF


Go ahead and connect your external drive then rerun combofix and malwarebytes, i think with malwarebytes you will have to chose the external drive with a check mark for it to scan it

hi shelf life,

>try this script like you did before:

I did not use any scripts form you yet.

>Go ahead and connect your external drive then rerun combofix and >malwarebytes, i think with malwarebytes you will have to chose the external >drive with a check mark for it to scan it

Will do and post the logs.

thanks again.


bye
philippe

hi shelf life,


Bellow you can find the DDS log of my laptop, I did not see anything suspicious, but I am not sure.



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by admin at 21:14:39 on 2011-11-25
Microsoft Windows*7 Édition Familiale Premium 6.1.7601.1.1252.33.1036.18.3037.1875 [GMT 1:00]
.
AV: ESET Smart Security 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET Smart Security 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Pare-feu personnel d'ESET *Disabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\windows\system32\atieclxx.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
C:\windows\SYSTEM32\Rezip.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\windows\system32\taskhost.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\ICQ7.0\ICQ.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\wbem\wmiprvse.exe
c:\program files\windows defender\MpCmdRun.exe
C:\windows\explorer.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.icq.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyServer = localhost:8080
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\20101006185636\ICQToolBar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\20101006185636\ICQToolBar.dll
mURLSearchHooks: H - No File
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\20101006185636\ICQToolBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\20101006185636\ICQToolBar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [ICQ] "c:\program files\icq7.0\ICQ.exe" silent loginmode=4
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Nexus Radio] c:\program files\nexus radio\Nexus Radio.exe -0
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {88EB38EF-4D2C-436D-ABD3-56B232674062} - c:\program files\icq7.0\ICQ.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUpldfr-fr.cab
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B} : DhcpNameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\3596475636F6D61405 : DhcpNameServer = 192.168.5.17
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\4556C656B6F6D6 : DhcpNameServer = 10.120.136.116
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\C496675626F687D266566683 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\E4545564F544147383 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\E4545564F593338383 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\E45657660275966496 : DhcpNameServer = 84.103.237.147 86.64.145.147
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\08dxgdyg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.1.2&q=
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2009-10-7 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-10-8 172032]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-11-16 38240]
R2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2010-3-13 246520]
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\samsung casual games\gameconsole\OberonGameConsoleService.exe [2009-12-25 44312]
R2 Rezip;Rezip;c:\windows\system32\Rezip.exe [2009-10-7 311296]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-25 54632]
S3 fsssvc;Service Windows Live Contrôle parental;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-9 52224]
S3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-8 1343400]
.
=============== Created Last 30 ================
.
2011-11-25 20:03:51 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{90608144-3dd6-46d5-8bfc-4d6c3d53e234}\offreg.dll
2011-11-25 12:57:14 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{90608144-3dd6-46d5-8bfc-4d6c3d53e234}\mpengine.dll
2011-11-09 20:04:11 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 20:04:10 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-09 20:04:09 2341888 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-11-25 19:22:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 21:15:41,62 ===============

hi shelf life,

here is the ComboFix run I did with your script on my main PC, the strange this is that FR.exe & RNZF.exe are still in the log ...?

S3 FR;FR;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe [?]
S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]

bye
philippe

Log Bellow:

ComboFix 11-11-25.02 - HP_Administrateur 25/11/2011 22:19:15.2.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.268 [GMT 1:00]
Lancé depuis: c:\data\security\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\HP_Administrateur\Bureau\CFScript.txt
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-10-25 au 2011-11-25 ))))))))))))))))))))))))))))))))))))
.
.
2011-11-25 20:46 . 2011-11-25 20:46 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{43F97699-455E-4096-A504-DD61228B0A58}\offreg.dll
2011-11-25 20:46 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{43F97699-455E-4096-A504-DD61228B0A58}\mpengine.dll
2011-11-24 19:54 . 2011-11-24 19:54 -------- d-----w- c:\documents and settings\HP_Administrateur\Application Data\Malwarebytes
2011-11-24 19:54 . 2011-11-24 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-24 19:54 . 2011-11-24 19:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-24 19:54 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 19:29 . 2011-11-21 19:29 -------- d-----w- c:\program files\ERUNT
2011-11-20 08:18 . 2011-10-03 01:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-15 21:15 . 2011-11-15 21:15 -------- d-----w- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\LaCie
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\LaCie
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:23 . 2004-08-10 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2007-03-31 07:27 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-03 04:06 . 2011-06-08 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15 . 2011-09-28 15:15 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06 . 2004-08-10 11:00 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41 . 2007-10-09 11:03 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2004-08-10 04:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2004-08-10 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10 . 2004-08-10 11:00 1859072 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-23_21.09.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-25 20:39 . 2011-11-25 20:39 16384 c:\windows\Temp\Perflib_Perfdata_374.dat
+ 2011-11-25 20:42 . 2011-11-25 20:42 233472 c:\windows\ERDNT\AutoBackup\25-11-2011\Users\00000002\UsrClass.dat
+ 2011-11-25 20:42 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\25-11-2011\ERDNT.EXE
+ 2011-11-24 19:34 . 2011-11-24 19:34 233472 c:\windows\ERDNT\AutoBackup\24-11-2011\Users\00000002\UsrClass.dat
+ 2011-11-24 19:34 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\24-11-2011\ERDNT.EXE
+ 2011-11-25 20:42 . 2011-11-25 20:42 14565376 c:\windows\ERDNT\AutoBackup\25-11-2011\Users\00000001\NTUSER.DAT
+ 2011-11-24 19:34 . 2011-11-24 19:34 14548992 c:\windows\ERDNT\AutoBackup\24-11-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-11-15 313856]
"LaCie Ethernet Agent Startup"="c:\program files\LaCie\Network Assistant\LaCie Network Assistant.exe" [2011-08-26 9803264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-22 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7622656]
"nwiz"="nwiz.exe" [2006-06-21 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 128000]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregFre\Ereg.exe" [2003-07-07 729088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\eMule_Secure\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
c:\documents and settings\HP_Administrateur\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Adobe Gamma Loader.exe.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-2 113664]
Agent Serveur Média.lnk - c:\program files\Serveur Media\twonkymediaserverconfig.exe [2010-12-14 603736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2001-6-28 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
c:\documents and settings\Default User\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserverwatchdog.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Gestion à distance de Windows
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [21/12/2010 14:04 115008]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [14/03/2008 22:47 8576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/01/2011 15:41 810144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [24/11/2011 20:54 366152]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]
R2 Serveur Média;Serveur Média;c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24/11/2011 20:54 22216]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S2 modsecurity-console;modsecurity-console;c:\progra~1\modsec~1\modsec~1.exe [01/01/2008 15:29 138752]
S3 FR;FR;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe [?]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [02/12/2006 08:56 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [13/07/2009 17:20 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/08/2004 12:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contenu du dossier 'Tâches planifiées'
.
2011-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007Core.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007UA.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
FF - ProfilePath - c:\documents and settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: contact@petitscailloux.com - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-25 22:39
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'explorer.exe'(3840)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSFR.DLL
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\fr-fr\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\fr-fr\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Heure de fin: 2011-11-25 22:47:28
ComboFix-quarantined-files.txt 2011-11-25 21:47
ComboFix2.txt 2011-11-23 21:14
.
Avant-CF: 18*642*481*152 octets libres
Après-CF: 18*625*835*008 octets libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 760C2EE3076FC5C473AF20286EC5FD7F

Thanks for the info. The log from your Windows 7 machine looks ok. The two .exe from the other log must not exist anymore and have been removed.

hi shelf life,

I just got a notification from nod32 for my Windows 7 laptop: supected file send for analisys: json/Parser.class

I installed Java JRE 7.

Do you think there can be any links with the Initial java problem reported by Nod32 on my main XP pc ?

bye
philippe

I installed Java JRE 7.
Probably better off without it. Is that the latest version? Old versions are full of exploits, java patches come out more the adobe's. Do a search for java exploit in your favorite search engine. You could also disable it in your browser.

Nod32 must have picked something up in your java cache and took care of it.

I would install the free version of malwarebytes on your W7 machine. Note that the free version must be updated manually and a scan started manually. Hows it all looking on your end now?

hi shelf life,

I installed the free version of malwarebytes and Spybox 2 beta 4, on my 2 systems XP & W7. (Nod 32 is also there on the 2 systems).

However I get a very slow XP system especially just after the boot,
at a point where I can not really use Firefox or Chrome,
and when it stabelize I still get a lot of disk activity.

Maybe it's due to some background file scanning going on because of the recent install of malwarebytes and Spybox 2.

What I noticed is that the systems become more usable when I un-plug the network cable.

What I plan to do is make some room, remove all unecessary soft, and defragment the disk.

I have also installed some sysinternals tools from windows to try understand what is going on.

Any advices on tools to use to monitor what is driving this disk activity ?
(the CPU is ok).


bye
philippe

hi shelf life,

I forgoted to mention that there is also Windows defender on the XP box, that was installed a while ago, and I never got any notification from it when I got some problems... so maybe I should remouve that.

bye
philippe

I installed the free version of malwarebytes and Spybox 2 beta 4, on my 2 systems XP & W7. (Nod 32 is also there on the 2 systems).

However I get a very slow XP system especially just after the boot,

The free MBAM dosnt have a real time protection component, I think Spybot does. You could try disabling it and see if anything improves.

You can also remove combofix like this:
start>run and type in:
combofix /uninstall
click ok or enter
Note the space after the x and before the /

Also, on your XP machine please post a new DDS log, both logs. You only posted one last time. You can just rerun DDS again to generate the two logs.

hi shelf life,

when trying to post my reply I just got this error message in chrome ?
Erreur 147 (net::ERR_ADDRESS_IN_USE) : Erreur inconnue

Here is the DDS logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by HP_Administrateur at 21:09:23 on 2011-12-01
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.404 [GMT 1:00]
.
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fr/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [LaCie Ethernet Agent Startup] "c:\program files\lacie\network assistant\LaCie Network Assistant.exe" silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.ini"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [DWQueuedReporting] "c:\progra~1\fichie~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\menudm~1\progra~1\dmarra~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\adobeg~1.lnk - c:\program files\fichiers communs\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photoweb.fr/telechargement/telechargement-photoweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{1CEDAE29-FA41-4AE6-BD3D-D3CBBA6A701C} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\hp_administrateur\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPBeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: contact@petitscailloux.com - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\spybot - search & destroy 2\SDHookDrv32.sys [2011-11-26 38504]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-3-14 8576]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-24 366152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-24 22216]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-11-15 102912]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\spybot - search & destroy 2\SDHookSvc.exe [2011-11-26 130976]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-11-26 892336]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-11-26 955816]
S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\fr.exe --> c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [?]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\rnzf.exe --> c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [?]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2006-12-2 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [2009-7-13 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
.
=============== Created Last 30 ================
.
2011-12-01 18:32:04 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{d4df4242-9ac7-4e83-9071-0ec8db0702de}\offreg.dll
2011-11-29 17:50:04 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{d4df4242-9ac7-4e83-9071-0ec8db0702de}\mpengine.dll
2011-11-28 21:04:07 -------- d-----w- C:\ProcAlyzer Dumps
2011-11-26 17:36:44 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-11-26 17:35:54 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-11-26 17:35:41 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-11-25 20:57:56 -------- d-sha-r- C:\cmdcons
2011-11-24 19:54:32 -------- d-----w- c:\documents and settings\hp_administrateur\application data\Malwarebytes
2011-11-24 19:54:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-24 19:54:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 19:54:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-23 20:05:21 98816 ----a-w- c:\windows\sed.exe
2011-11-23 20:05:21 518144 ----a-w- c:\windows\SWREG.exe
2011-11-23 20:05:21 256000 ----a-w- c:\windows\PEV.exe
2011-11-23 20:05:21 208896 ----a-w- c:\windows\MBR.exe
2011-11-20 08:18:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-15 21:15:04 -------- d-----w- c:\documents and settings\hp_administrateur\local settings\application data\LaCie
2011-11-15 21:12:41 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12:11 -------- d-----w- c:\program files\LaCie
.
==================== Find3M ====================
.
2011-10-10 14:23:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 04:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15:50 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06:46 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41:40 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:40 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10:01 1859072 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 21:11:18,75 ===============

here is the attache log,

hi shelf life,

I have identifided the process that is using so much disk IO, it's chrome.exe the navigator,
I am using process explorer and when I suspend the process IO activity at the led level on the box itself stop immediatly, when I resume it restart... ??

also there is no description / comapny name / signature ... it's all blank as if the navigator has been patched, but I am not sure.

here is the output of the process explorer.

bye
philippe

I assume thats the chrome browser you mean? Is it up to date? Does it appear to function normally when you use it as a browser?

hi shelf life,

Yes chrome browser

>Is it up to date? Does it appear to function normally when you use it as a >browser?

the system was so unstable, that I did a fresh re-intsall with my HP recovery DVDs. I booted from the utility that did a reformat of the drive and installed a fresh OS, I install SP3, and did all the windows update, installed NO32, and Malware Byte both in detection mode.

Then I installed FireFox, I took it from here:
http://www.01net.com/telecharger/windows/Internet/navigateur/fiches/25711.html

that seems to be place where I should not get any infections from... but...

And As Soon As I did the install process I got a detection of Trojan.FakeAlert from Malware Byte:

here is the Log:

11:41:01 HP_Administrateur MESSAGE Protection started successfully
11:41:06 HP_Administrateur MESSAGE IP Protection started successfully
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert QUARANTINE
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:43 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:44 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:44 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert QUARANTINE
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:47 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:48 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:50 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:52 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:53 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:53 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:53 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:53 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:53 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:45:53 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:06 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert QUARANTINE
11:46:06 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert DENY
11:46:06 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert DENY
11:46:06 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:06 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:06 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\ShellLink.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\InstallOptions.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur DETECTION C:\Documents and Settings\HP_Administrateur\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert DENY
11:46:07 HP_Administrateur ERROR Quarantine failed: UtilityReadFile failed with error code 3
12:02:42 HP_Administrateur MESSAGE Protection started successfully
12:02:47 HP_Administrateur MESSAGE IP Protection started successfully

hi,

I downloaded FF from that website and the .exe itself seems to be ok. Can you post a new DDS log since you reformatted and reinstalled Windows?
Did Firefox actually install after all those warnings from Malwarebytes?


DDS:
Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.

Double click dds.scr to run the tool. When done, DDS.txt will open.

Save both reports to your desktop.

Please Copy/paste both logs in your reply.

>I downloaded FF from that website and the .exe itself seems to be ok. Can >you post a new DDS log since you reformatted and reinstalled Windows?

>Did Firefox actually install after all those warnings from Malwarebytes?

Yes It did install.

Also I tried to download a HHD low level format tool and as soon as I tried to save the installer on my desktop I got warnings from Nod32 about 2 different type of malware, I tried with IE and again got warnings from Nod32 about a different one...

it's just like if my browsers on this fresh system where trying to download/inject different types of malware...

>Please Copy/paste both logs in your reply.
I will do now,

bye
philippe

here is the Nod32 logs:

04/12/2011 13:33:59 Filtre HTTP fichier http://software-files-l.cnet.com/s/software/12/16/92/77/cnet_HDDLLFsetup_4_12_exe.exe?e=1323023514&h=fe0b247e9eeeccc5df38520f3c422c21&lop=link&ptype=3001&ontid=2094&siteId=4&edId=3&spi=f19b997fb1cfc73d11f259fa0f24e144&pid=12169277&psid=75544788&isDlm=1&fileName=cnet_HDDLLFsetup_4_12_exe.exe une variante de Win32/InstallCore.D application potentiellement indésirable connexion arrêtée - mis en quarantaine NOM-FB9B15D2723\HP_Administrateur Une menace a été détectée lors de l'accès au Web par l'application : C:\Program Files\Internet Explorer\iexplore.exe.
04/12/2011 13:32:45 Filtre HTTP fichier http://software-files-l.cnet.com/s/software/12/16/92/77/cnet_HDDLLFsetup_4_12_exe.exe?e=1323023514&h=fe0b247e9eeeccc5df38520f3c422c21&lop=link&ptype=3001&ontid=2094&siteId=4&edId=3&spi=f19b997fb1cfc73d11f259fa0f24e144&pid=12169277&psid=75544788&isDlm=1&fileName=cnet_HDDLLFsetup_4_12_exe.exe une variante de Win32/InstallCore.D application potentiellement indésirable connexion arrêtée - mis en quarantaine NOM-FB9B15D2723\HP_Administrateur Une menace a été détectée lors de l'accès au Web par l'application : C:\Program Files\Internet Explorer\iexplore.exe.
04/12/2011 13:28:04 Protection en temps réel du système de fichiers fichier C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eKIhY0Gc.exe.part Win32/SoftonicDownloader application potentiellement indésirable nettoyé par suppression - mis en quarantaine NOM-FB9B15D2723\HP_Administrateur Un événement s'est produit sur un fichier modifié par l'application : C:\Program Files\Mozilla Firefox\firefox.exe.
04/12/2011 13:27:36 Filtre HTTP fichier http://universal-downloader.softonic.fr/65000/65355/ud_300/SoftonicDownloader_pour_hdd-low-level-format-tool.exe?AWSAccessKeyId=0HXVA1YMG3HX1XDSGT02&Expires=1323017821&Signature=4E0/F0kJ7FIc4q3IQkTx98ftH5g=&file=/SoftonicDownloader_pour_hdd-low-level-format-tool.exe Win32/SoftonicDownloader application potentiellement indésirable connexion arrêtée - mis en quarantaine NOM-FB9B15D2723\HP_Administrateur Une menace a été détectée lors de l'accès au Web par l'application : C:\Program Files\Mozilla Firefox\firefox.exe.

here are DDS logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Administrateur at 16:19:02 on 2011-12-04
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.520 [GMT 1:00]
.
AV: ESET Smart Security 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HP_Administrateur\Mes documents\Téléchargements\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: &Traduire à partir de l'anglais - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Pages liées - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Pages similaires - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Recherche &Google - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Version de la page actuelle disponible dans le cache Google - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: Interfaces\{1CEDAE29-FA41-4AE6-BD3D-D3CBBA6A701C} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\2qcv5h9b.default\
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-9-22 974944]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-4 366152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-4 22216]
.
=============== Created Last 30 ================
.
2011-12-04 10:46:22 -------- d-----w- c:\documents and settings\hp_administrateur\local settings\application data\Mozilla
2011-12-04 10:40:25 -------- d-----w- c:\documents and settings\hp_administrateur\application data\Malwarebytes
2011-12-04 10:40:18 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-04 10:40:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-04 10:40:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-04 08:29:46 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-12-04 08:29:36 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-12-04 08:29:36 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-12-04 08:29:36 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-12-04 08:29:36 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-12-04 08:29:36 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-12-04 08:29:36 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-12-04 08:29:36 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-12-04 08:29:36 117760 ------w- c:\windows\system32\prntvpt.dll
2011-12-04 08:24:58 -------- d-----w- c:\windows\system32\LogFiles
2011-12-04 07:57:04 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-04 07:57:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-03 22:53:26 -------- d-----r- C:\Program Files
2011-12-03 22:53:23 -------- d-----r- c:\documents and settings\all users\Menu Démarrer
2011-12-03 22:52:52 -------- d-----r- c:\documents and settings\all users\Documents
2011-12-03 22:51:18 -------- d-----r- c:\windows\Offline Web Pages
2011-12-03 22:47:59 -------- d-sh--r- c:\windows\system32\dllcache
2011-12-03 19:29:08 -------- d-----w- c:\windows\system32\XPSViewer
2011-12-03 19:25:23 -------- d-----w- c:\program files\Windows Media Connect 2
2011-12-03 19:22:21 -------- d-----w- c:\windows\NV35323560.TMP
2011-12-03 18:56:11 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2011-12-03 18:55:38 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2011-12-03 18:55:38 265728 ------w- c:\windows\system32\dllcache\http.sys
2011-12-03 18:30:23 -------- d-----w- c:\program files\MSXML 4.0
2011-12-03 18:27:34 -------- d-sh--w- c:\documents and settings\hp_administrateur\IECompatCache
2011-12-03 18:26:51 -------- d-sh--w- c:\documents and settings\hp_administrateur\PrivacIE
2011-12-03 18:24:49 -------- d-sh--w- c:\documents and settings\hp_administrateur\IETldCache
2011-12-03 18:06:51 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2011-12-03 18:05:54 -------- d-----w- c:\windows\ie8updates
2011-12-03 18:05:47 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-03 18:05:47 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-12-03 18:05:47 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-12-03 18:05:47 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-12-03 18:05:47 2000384 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-12-03 18:05:47 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-12-03 18:05:47 11081728 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-12-03 18:04:10 -------- dc-h--w- c:\windows\ie8
2011-12-03 17:53:50 239104 ------w- c:\windows\system32\dllcache\fxscover.exe
2011-12-03 17:53:18 8518656 ------w- c:\windows\system32\dllcache\shell32.dll
2011-12-03 17:52:51 2067456 ------w- c:\windows\system32\dllcache\lhmstscx.dll
2011-12-03 17:52:46 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2011-12-03 17:52:46 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2011-12-03 17:52:45 85504 ------w- c:\windows\system32\dllcache\avifil32.dll
2011-12-03 17:52:40 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2011-12-03 17:52:21 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2011-12-03 17:52:21 150528 ------w- c:\windows\system32\dllcache\rastls.dll
2011-12-03 17:48:01 90112 ------w- c:\windows\system32\dllcache\wshext.dll
2011-12-03 17:48:01 420864 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2011-12-03 17:48:01 180224 ------w- c:\windows\system32\dllcache\scrobj.dll
2011-12-03 17:48:01 172032 ------w- c:\windows\system32\dllcache\scrrun.dll
2011-12-03 17:48:01 155648 ------w- c:\windows\system32\dllcache\wscript.exe
2011-12-03 17:48:00 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2011-12-03 17:48:00 135168 ------w- c:\windows\system32\dllcache\cscript.exe
2011-12-03 17:47:18 272768 ------w- c:\windows\system32\dllcache\bthport.sys
2011-12-03 17:47:10 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-12-03 17:47:09 978944 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-12-03 17:46:59 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-12-03 17:46:58 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-12-03 17:46:58 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-12-03 17:46:19 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-12-03 17:46:08 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-12-03 17:45:59 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-12-03 17:45:48 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-12-03 17:45:41 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-12-03 17:45:25 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-12-03 17:43:49 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-12-03 17:43:23 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-12-03 17:43:00 293376 ------w- c:\windows\system32\browserchoice.exe
2011-12-03 17:42:35 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-12-03 17:42:17 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-12-03 17:41:12 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
2011-12-03 17:40:53 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-12-03 17:40:02 221696 ------w- c:\windows\system32\dllcache\wordpad.exe
2011-12-03 17:40:00 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-12-03 17:37:35 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-12-03 17:36:57 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-12-03 17:36:48 -------- d-sh--w- c:\documents and settings\hp_administrateur\UserData
2011-12-03 17:36:10 -------- d-----w- c:\windows\system32\PreInstall
2011-12-03 17:33:28 -------- d-----w- c:\documents and settings\hp_administrateur\local settings\application data\ESET
2011-12-03 17:33:28 -------- d-----w- c:\documents and settings\hp_administrateur\application data\ESET
2011-12-03 17:31:06 -------- d-----w- c:\program files\ESET
2011-12-03 17:27:51 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-12-03 16:40:29 -------- d-----w- c:\windows\ServicePackFiles
2011-12-03 16:37:24 19569 ----a-w- c:\windows\002842_.tmp
2011-12-03 16:18:20 -------- d-----w- c:\windows\system32\appmgmt
2011-12-03 16:07:13 -------- d-sh--w- C:\cmdcons
2011-12-03 16:07:11 -------- d-----w- c:\windows\setup.pss
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP951b.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP925c.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP90e5.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP90b6.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP90a7.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP9097.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP9088.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP9049.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP902a.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP901b.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP901a.tmp
2011-12-03 15:13:35 90112 ----a-w- c:\windows\DUMP8fcc.tmp
.
==================== Find3M ====================
.
2011-10-10 14:23:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:46 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:40 614400 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:40 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10:01 1859072 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 16:19:57,51 ===============


an the attach log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professionnel
Boot Device: \Device\HarddiskVolume1
Install Date: 03/12/2011 16:59:44
System Uptime: 04/12/2011 16:11:16 (0 hours ago)
.
Motherboard: ASUSTek Computer INC. | | LEUCITE3
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Socket 775 | 2800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 273 GiB total, 259,309 GiB free.
D: is FIXED (NTFS) - 226 GiB total, 75,705 GiB free.
E: is FIXED (NTFS) - 1863 GiB total, 670,713 GiB free.
F: is FIXED (FAT32) - 7 GiB total, 1,161 GiB free.
G: is FIXED (FAT32) - 7 GiB total, 0,823 GiB free.
H: is CDROM ()
I: is Removable
J: is Removable
K: is Removable
L: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 03/12/2011 17:18:01 - Supprimé J2SE Runtime Environment 5.0 Update 6
RP2: 03/12/2011 17:22:59 - Supprimé Adobe Reader 7.0.5 - Français
RP3: 03/12/2011 17:37:31 - Le Service Pack*3 pour Windows XP a été installé.
RP4: 03/12/2011 18:35:58 - Software Distribution Service 3.0
RP5: 03/12/2011 18:43:05 - Software Distribution Service 3.0
RP6: 03/12/2011 18:55:34 - Software Distribution Service 3.0
RP7: 03/12/2011 19:28:04 - Software Distribution Service 3.0
RP8: 03/12/2011 19:56:31 - Software Distribution Service 3.0
RP9: 03/12/2011 20:21:12 - Software Distribution Service 3.0
RP10: 04/12/2011 08:54:51 - Opération de restauration
RP11: 04/12/2011 09:22:50 - Software Distribution Service 3.0
RP12: 04/12/2011 10:01:00 - Software Distribution Service 3.0
RP13: 04/12/2011 11:11:50 - Software Distribution Service 3.0
RP14: 04/12/2011 11:29:56 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Amélioration de nos services
AutoUpdate
BufferChm
Connexion Facile à Internet
Correctif n°*2 pour Windows XP Édition Media Center 2005
Correctif pour Lecteur Windows Media 10 (KB910393)
Correctif pour Lecteur Windows Media 11 (KB939683)
Correctif pour Windows XP (KB2570791)
Correctif pour Windows XP (KB952287)
Correctif pour Windows XP (KB961118)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Destinations
DeviceManagementQFolder
DivX
Enhanced Multimedia Keyboard Solution
ESET Smart Security
FullDPAppQFolder
GemMaster Mystic
Google Toolbar for Internet Explorer
High Definition Audio - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Software Update
HPPhotoSmartExpress
HpSdpAppCoreApp
InstantShareDevices
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) Quick Resume Technology Drivers
Le logiciel Intel® Viiv™
Lecteur Windows Media*11
LightScribe 1.4.105.1
Macromedia Flash Player 8
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 French Language Pack
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mise à jour de sécurité pour Lecteur Windows Media (KB2378111)
Mise à jour de sécurité pour Lecteur Windows Media (KB952069)
Mise à jour de sécurité pour Lecteur Windows Media (KB954155)
Mise à jour de sécurité pour Lecteur Windows Media (KB973540)
Mise à jour de sécurité pour Lecteur Windows Media (KB975558)
Mise à jour de sécurité pour Lecteur Windows Media (KB978695)
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB911565)
Mise à jour de sécurité pour Lecteur Windows Media 11 (KB954154)
Mise à jour de sécurité pour Microsoft Windows (KB2564958)
Mise à jour de sécurité pour Step by Step Interactive Training (KB923723)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2510531)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2544521)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2586448)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB982381)
Mise à jour de sécurité pour Windows XP (KB2079403)
Mise à jour de sécurité pour Windows XP (KB2115168)
Mise à jour de sécurité pour Windows XP (KB2229593)
Mise à jour de sécurité pour Windows XP (KB2296011)
Mise à jour de sécurité pour Windows XP (KB2347290)
Mise à jour de sécurité pour Windows XP (KB2360937)
Mise à jour de sécurité pour Windows XP (KB2387149)
Mise à jour de sécurité pour Windows XP (KB2393802)
Mise à jour de sécurité pour Windows XP (KB2412687)
Mise à jour de sécurité pour Windows XP (KB2419632)
Mise à jour de sécurité pour Windows XP (KB2423089)
Mise à jour de sécurité pour Windows XP (KB2440591)
Mise à jour de sécurité pour Windows XP (KB2443105)
Mise à jour de sécurité pour Windows XP (KB2476490)
Mise à jour de sécurité pour Windows XP (KB2478960)
Mise à jour de sécurité pour Windows XP (KB2478971)
Mise à jour de sécurité pour Windows XP (KB2481109)
Mise à jour de sécurité pour Windows XP (KB2483185)
Mise à jour de sécurité pour Windows XP (KB2485663)
Mise à jour de sécurité pour Windows XP (KB2491683)
Mise à jour de sécurité pour Windows XP (KB2506212)
Mise à jour de sécurité pour Windows XP (KB2507618)
Mise à jour de sécurité pour Windows XP (KB2507938)
Mise à jour de sécurité pour Windows XP (KB2508272)
Mise à jour de sécurité pour Windows XP (KB2508429)
Mise à jour de sécurité pour Windows XP (KB2509553)
Mise à jour de sécurité pour Windows XP (KB2535512)
Mise à jour de sécurité pour Windows XP (KB2536276-v2)
Mise à jour de sécurité pour Windows XP (KB2544893-v2)
Mise à jour de sécurité pour Windows XP (KB2562937)
Mise à jour de sécurité pour Windows XP (KB2566454)
Mise à jour de sécurité pour Windows XP (KB2567053)
Mise à jour de sécurité pour Windows XP (KB2567680)
Mise à jour de sécurité pour Windows XP (KB2570222)
Mise à jour de sécurité pour Windows XP (KB2570947)
Mise à jour de sécurité pour Windows XP (KB2592799)
Mise à jour de sécurité pour Windows XP (KB923561)
Mise à jour de sécurité pour Windows XP (KB941569)
Mise à jour de sécurité pour Windows XP (KB946648)
Mise à jour de sécurité pour Windows XP (KB950762)
Mise à jour de sécurité pour Windows XP (KB950974)
Mise à jour de sécurité pour Windows XP (KB951376-v2)
Mise à jour de sécurité pour Windows XP (KB952004)
Mise à jour de sécurité pour Windows XP (KB952954)
Mise à jour de sécurité pour Windows XP (KB954459)
Mise à jour de sécurité pour Windows XP (KB956572)
Mise à jour de sécurité pour Windows XP (KB956744)
Mise à jour de sécurité pour Windows XP (KB956802)
Mise à jour de sécurité pour Windows XP (KB956844)
Mise à jour de sécurité pour Windows XP (KB958644)
Mise à jour de sécurité pour Windows XP (KB959426)
Mise à jour de sécurité pour Windows XP (KB960803)
Mise à jour de sécurité pour Windows XP (KB960859)
Mise à jour de sécurité pour Windows XP (KB961501)
Mise à jour de sécurité pour Windows XP (KB969059)
Mise à jour de sécurité pour Windows XP (KB970430)
Mise à jour de sécurité pour Windows XP (KB971657)
Mise à jour de sécurité pour Windows XP (KB972270)
Mise à jour de sécurité pour Windows XP (KB973507)
Mise à jour de sécurité pour Windows XP (KB973869)
Mise à jour de sécurité pour Windows XP (KB973904)
Mise à jour de sécurité pour Windows XP (KB974112)
Mise à jour de sécurité pour Windows XP (KB974318)
Mise à jour de sécurité pour Windows XP (KB974392)
Mise à jour de sécurité pour Windows XP (KB974571)
Mise à jour de sécurité pour Windows XP (KB975025)
Mise à jour de sécurité pour Windows XP (KB975467)
Mise à jour de sécurité pour Windows XP (KB975560)
Mise à jour de sécurité pour Windows XP (KB975562)
Mise à jour de sécurité pour Windows XP (KB975713)
Mise à jour de sécurité pour Windows XP (KB977816)
Mise à jour de sécurité pour Windows XP (KB977914)
Mise à jour de sécurité pour Windows XP (KB978338)
Mise à jour de sécurité pour Windows XP (KB978542)
Mise à jour de sécurité pour Windows XP (KB978601)
Mise à jour de sécurité pour Windows XP (KB978706)
Mise à jour de sécurité pour Windows XP (KB979309)
Mise à jour de sécurité pour Windows XP (KB979482)
Mise à jour de sécurité pour Windows XP (KB979687)
Mise à jour de sécurité pour Windows XP (KB980436)
Mise à jour de sécurité pour Windows XP (KB981322)
Mise à jour de sécurité pour Windows XP (KB981997)
Mise à jour de sécurité pour Windows XP (KB982132)
Mise à jour de sécurité pour Windows XP (KB982665)
Mise à jour pour Windows Internet Explorer 8 (KB2598845)
Mise à jour pour Windows XP (KB2345886)
Mise à jour pour Windows XP (KB2467659)
Mise à jour pour Windows XP (KB2492386)
Mise à jour pour Windows XP (KB2541763)
Mise à jour pour Windows XP (KB2641690)
Mise à jour pour Windows XP (KB898461)
Mise à jour pour Windows XP (KB951978)
Mise à jour pour Windows XP (KB955759)
Mise à jour pour Windows XP (KB968389)
Mise à jour pour Windows XP (KB971029)
Mise à jour pour Windows XP (KB971737)
Mise à jour pour Windows XP (KB973687)
Mise à jour pour Windows XP (KB973815)
Mozilla Firefox 8.0.1 (x86 fr)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
NVIDIA Drivers
OptionalContentQFolder
Otto
PC-Doctor 5 pour Windows
PhotoGallery
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
RandMap
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Services Internet
SkinsHP1
SlideShow
SlideShowMusic
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack*3
.
==== Event Viewer Messages From Past Week ========
.
03/12/2011 17:06:32, Informations: Windows File Protection [64001] - Tentative de remplacement du fichier système protégé c:\windows\system32\powercfg.exe. Ce fichier a été restauré en utilisant sa version initiale pour maintenir la stabilité du système. La version du fichier incorrect est 5.1.3565.0, la version du fichier système actuel est 5.1.2600.2180.
.
==== End Of File ===========================

Lets get two more tools to use; aswMBR and Tdsskiller. Both will check for rootkits;

Please download aswmbr.exe (http://public.avast.com/~gmerek/aswMBR.exe)to your desktop.

Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply



Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop

Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time)

Please post the log report

here are the logs:


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-04 19:41:51
-----------------------------
19:41:51.687 OS Version: Windows 5.1.2600 Service Pack 3
19:41:51.687 Number of processors: 2 586 0x604
19:41:51.687 ComputerName: NOM-FB9B15D2723 UserName:
19:41:52.812 Initialize success
19:42:40.640 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:42:40.640 Disk 0 Vendor: WDC_WD25 10.0 Size: 238475MB BusType: 3
19:42:40.640 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
19:42:40.640 Disk 1 Vendor: SAMSUNG_ 1AQ1 Size: 1907729MB BusType: 3
19:42:40.640 Disk 2 (boot) \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP0T1L0-c
19:42:40.640 Disk 2 Vendor: Maxtor_6L300R0 BAJ41G20 Size: 286188MB BusType: 3
19:42:42.656 Disk 2 MBR read successfully
19:42:42.656 Disk 2 MBR scan
19:42:42.656 Disk 2 unknown MBR code
19:42:42.656 Disk 2 scanning sectors +586099395
19:42:42.718 Disk 2 scanning C:\WINDOWS\system32\drivers
19:42:50.390 Service scanning
19:42:52.656 Modules scanning
19:42:57.531 Disk 2 trace - called modules:
19:42:57.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:42:57.546 1 nt!IofCallDriver -> \Device\Harddisk2\DR2[0x86784ab8]
19:42:57.546 3 CLASSPNP.SYS[f7670fd7] -> nt!IofCallDriver -> \Device\00000067[0x86787e98]
19:42:57.546 5 ACPI.sys[f74e6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-c[0x85e0bb00]
19:42:57.546 Scan finished successfully
19:43:30.890 Disk 2 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrateur\Bureau\MBR.dat"
19:43:30.921 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrateur\Bureau\aswMBR.txt"

19:44:58.0531 3588 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
19:44:58.0828 3588 ============================================================
19:44:58.0828 3588 Current date / time: 2011/12/04 19:44:58.0828
19:44:58.0828 3588 SystemInfo:
19:44:58.0828 3588
19:44:58.0828 3588 OS Version: 5.1.2600 ServicePack: 3.0
19:44:58.0828 3588 Product type: Workstation
19:44:58.0828 3588 ComputerName: NOM-FB9B15D2723
19:44:58.0828 3588 UserName: HP_Administrateur
19:44:58.0828 3588 Windows directory: C:\WINDOWS
19:44:58.0828 3588 System windows directory: C:\WINDOWS
19:44:58.0828 3588 Processor architecture: Intel x86
19:44:58.0828 3588 Number of processors: 2
19:44:58.0828 3588 Page size: 0x1000
19:44:58.0828 3588 Boot type: Normal boot
19:44:58.0828 3588 ============================================================
19:45:00.0609 3588 Initialize success
19:45:28.0031 4060 ============================================================
19:45:28.0031 4060 Scan started
19:45:28.0031 4060 Mode: Manual;
19:45:28.0031 4060 ============================================================
19:45:29.0265 4060 Abiosdsk - ok
19:45:29.0328 4060 abp480n5 - ok
19:45:29.0437 4060 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:45:29.0453 4060 ACPI - ok
19:45:29.0515 4060 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:45:29.0515 4060 ACPIEC - ok
19:45:29.0687 4060 adpu160m - ok
19:45:30.0140 4060 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:45:30.0140 4060 aec - ok
19:45:30.0218 4060 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:45:30.0250 4060 AFD - ok
19:45:30.0453 4060 Aha154x - ok
19:45:30.0625 4060 aic78u2 - ok
19:45:30.0859 4060 aic78xx - ok
19:45:30.0953 4060 AliIde - ok
19:45:31.0046 4060 amsint - ok
19:45:31.0140 4060 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:45:31.0140 4060 Arp1394 - ok
19:45:31.0265 4060 asc - ok
19:45:31.0328 4060 asc3350p - ok
19:45:31.0562 4060 asc3550 - ok
19:45:31.0671 4060 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:45:31.0671 4060 AsyncMac - ok
19:45:31.0812 4060 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:45:31.0812 4060 atapi - ok
19:45:31.0937 4060 Atdisk - ok
19:45:32.0062 4060 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:45:32.0062 4060 Atmarpc - ok
19:45:32.0140 4060 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:45:32.0140 4060 audstub - ok
19:45:32.0234 4060 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
19:45:32.0234 4060 bb-run - ok
19:45:32.0265 4060 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:45:32.0265 4060 Beep - ok
19:45:32.0343 4060 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:45:32.0343 4060 cbidf2k - ok
19:45:32.0421 4060 cd20xrnt - ok
19:45:32.0500 4060 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:45:32.0500 4060 Cdaudio - ok
19:45:32.0625 4060 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:45:32.0625 4060 Cdfs - ok
19:45:32.0734 4060 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:45:32.0750 4060 Cdrom - ok
19:45:32.0796 4060 Changer - ok
19:45:32.0875 4060 CmdIde - ok
19:45:33.0015 4060 Cpqarray - ok
19:45:33.0156 4060 dac2w2k - ok
19:45:33.0187 4060 dac960nt - ok
19:45:33.0265 4060 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:45:33.0265 4060 Disk - ok
19:45:33.0421 4060 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys
19:45:33.0468 4060 dmboot - ok
19:45:33.0609 4060 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys
19:45:33.0609 4060 dmio - ok
19:45:33.0703 4060 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:45:33.0703 4060 dmload - ok
19:45:33.0812 4060 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:45:33.0812 4060 DMusic - ok
19:45:33.0890 4060 dpti2o - ok
19:45:34.0203 4060 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:45:35.0046 4060 drmkaud - ok
19:45:35.0468 4060 E100B (83403675cab29e7a4b885b11e7c855d8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
19:45:35.0484 4060 E100B - ok
19:45:35.0890 4060 eamon (9309c5c9831203436e64cf2ae605c5d7) C:\WINDOWS\system32\DRIVERS\eamon.sys
19:45:35.0890 4060 eamon - ok
19:45:36.0703 4060 ehdrv (deff87f04ab5f6dd5edf2b80853bbe10) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
19:45:36.0718 4060 ehdrv - ok
19:45:36.0828 4060 ELacpi (0923aec043f5d355b4ef0c2b29a362de) C:\WINDOWS\system32\DRIVERS\ELacpi.sys
19:45:36.0828 4060 ELacpi - ok
19:45:37.0515 4060 ELhid (cbd71e7772f92bfb85ccc302b2deefba) C:\WINDOWS\System32\Drivers\Elhid.sys
19:45:37.0515 4060 ELhid - ok
19:45:38.0203 4060 ELkbd (ac75b576c45d144e146fd1f0576a1f53) C:\WINDOWS\System32\Drivers\Elkbd.sys
19:45:38.0203 4060 ELkbd - ok
19:45:38.0437 4060 ELmon (483cce5e40137d4e437f4def55c80007) C:\WINDOWS\System32\Drivers\Elmon.sys
19:45:38.0437 4060 ELmon - ok
19:45:38.0812 4060 ELmou (8e88cafeac0812bf2d15beeedfcce8bd) C:\WINDOWS\System32\Drivers\Elmou.sys
19:45:38.0812 4060 ELmou - ok
19:45:39.0156 4060 epfw (5ba193ca0ae31209aaa39939ce6736b2) C:\WINDOWS\system32\DRIVERS\epfw.sys
19:45:39.0156 4060 epfw - ok
19:45:39.0906 4060 Epfwndis (75d3bcd3e0eded0ab0f96d9a10ff01c9) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
19:45:39.0906 4060 Epfwndis - ok
19:45:40.0359 4060 epfwtdi (dc64f26f35e32c9472bbf8acd84060d3) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
19:45:40.0359 4060 epfwtdi - ok
19:45:40.0953 4060 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:45:41.0265 4060 Fastfat - ok
19:45:41.0531 4060 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:45:41.0531 4060 Fdc - ok
19:45:41.0578 4060 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys
19:45:41.0578 4060 Fips - ok
19:45:41.0609 4060 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:45:41.0609 4060 Flpydisk - ok
19:45:41.0671 4060 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:45:41.0671 4060 FltMgr - ok
19:45:41.0718 4060 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:45:41.0734 4060 Fs_Rec - ok
19:45:41.0765 4060 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:45:41.0765 4060 Ftdisk - ok
19:45:41.0812 4060 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
19:45:41.0812 4060 ftsata2 - ok
19:45:41.0875 4060 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:45:41.0875 4060 Gpc - ok
19:45:41.0921 4060 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:45:41.0937 4060 HDAudBus - ok
19:45:41.0968 4060 hpn - ok
19:45:42.0078 4060 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:45:42.0093 4060 HTTP - ok
19:45:42.0125 4060 i2omgmt - ok
19:45:42.0187 4060 i2omp - ok
19:45:42.0265 4060 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:45:42.0265 4060 i8042prt - ok
19:45:42.0453 4060 iaStor (88b1943ecff661f765228099138cf6ab) C:\WINDOWS\system32\DRIVERS\iastor.sys
19:45:42.0453 4060 iaStor - ok
19:45:42.0515 4060 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:45:42.0515 4060 Imapi - ok
19:45:42.0562 4060 ini910u - ok
19:45:42.0781 4060 IntcAzAudAddService (12f4d2aa29745dc2a403ff42e75cf7fa) C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:45:42.0812 4060 IntcAzAudAddService - ok
19:45:42.0859 4060 IntelIde (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys
19:45:42.0859 4060 IntelIde - ok
19:45:42.0906 4060 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:45:42.0906 4060 intelppm - ok
19:45:42.0984 4060 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:45:42.0984 4060 Ip6Fw - ok
19:45:43.0109 4060 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:45:43.0109 4060 IpFilterDriver - ok
19:45:43.0281 4060 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:45:43.0281 4060 IpInIp - ok
19:45:43.0328 4060 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:45:43.0328 4060 IpNat - ok
19:45:43.0375 4060 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:45:43.0375 4060 IPSec - ok
19:45:43.0421 4060 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:45:43.0421 4060 IRENUM - ok
19:45:43.0500 4060 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:45:43.0500 4060 isapnp - ok
19:45:43.0562 4060 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:45:43.0562 4060 Kbdclass - ok
19:45:43.0625 4060 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:45:43.0625 4060 kmixer - ok
19:45:43.0703 4060 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:45:43.0703 4060 KSecDD - ok
19:45:43.0906 4060 lbrtfdc - ok
19:45:43.0968 4060 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
19:45:43.0968 4060 MBAMProtector - ok
19:45:44.0046 4060 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
19:45:44.0046 4060 MHNDRV - ok
19:45:44.0093 4060 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:45:44.0093 4060 mnmdd - ok
19:45:44.0156 4060 Modem (510ade9327fe84c10254e1902697e25f) C:\WINDOWS\system32\drivers\Modem.sys
19:45:44.0156 4060 Modem - ok
19:45:44.0218 4060 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:45:44.0218 4060 Mouclass - ok
19:45:44.0296 4060 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:45:44.0296 4060 MountMgr - ok
19:45:44.0328 4060 mraid35x - ok
19:45:44.0375 4060 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:45:44.0390 4060 MRxDAV - ok
19:45:44.0468 4060 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:45:44.0484 4060 MRxSmb - ok
19:45:44.0546 4060 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:45:44.0546 4060 Msfs - ok
19:45:44.0765 4060 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:45:44.0765 4060 MSKSSRV - ok
19:45:44.0843 4060 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:45:44.0843 4060 MSPCLOCK - ok
19:45:44.0906 4060 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:45:44.0906 4060 MSPQM - ok
19:45:44.0968 4060 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:45:44.0968 4060 mssmbios - ok
19:45:45.0093 4060 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:45:45.0093 4060 Mup - ok
19:45:45.0203 4060 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:45:45.0234 4060 NDIS - ok
19:45:45.0296 4060 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:45:45.0296 4060 NdisTapi - ok
19:45:45.0421 4060 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:45:45.0421 4060 Ndisuio - ok
19:45:45.0578 4060 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:45:45.0578 4060 NdisWan - ok
19:45:45.0625 4060 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:45:45.0625 4060 NDProxy - ok
19:45:45.0687 4060 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:45:45.0687 4060 NetBIOS - ok
19:45:45.0765 4060 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:45:45.0781 4060 NetBT - ok
19:45:45.0843 4060 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:45:45.0843 4060 NIC1394 - ok
19:45:45.0906 4060 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:45:45.0906 4060 Npfs - ok
19:45:45.0984 4060 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:45:46.0046 4060 Ntfs - ok
19:45:46.0093 4060 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:45:46.0093 4060 Null - ok
19:45:46.0296 4060 nv (c66a980b4b5e5f84351b286b9eb200bd) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:45:46.0453 4060 nv - ok
19:45:46.0687 4060 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:45:46.0703 4060 NwlnkFlt - ok
19:45:46.0750 4060 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:45:46.0750 4060 NwlnkFwd - ok
19:45:46.0812 4060 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:45:46.0812 4060 ohci1394 - ok
19:45:46.0859 4060 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\DRIVERS\parport.sys
19:45:46.0875 4060 Parport - ok
19:45:46.0906 4060 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:45:46.0906 4060 PartMgr - ok
19:45:46.0953 4060 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys
19:45:46.0953 4060 ParVdm - ok
19:45:47.0000 4060 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys
19:45:47.0000 4060 PCI - ok
19:45:47.0046 4060 PCIDump - ok
19:45:47.0093 4060 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:45:47.0093 4060 PCIIde - ok
19:45:47.0156 4060 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:45:47.0156 4060 Pcmcia - ok
19:45:47.0203 4060 PDCOMP - ok
19:45:47.0234 4060 PDFRAME - ok
19:45:47.0265 4060 PDRELI - ok
19:45:47.0296 4060 PDRFRAME - ok
19:45:47.0328 4060 perc2 - ok
19:45:47.0375 4060 perc2hib - ok
19:45:47.0421 4060 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:45:47.0421 4060 PptpMiniport - ok
19:45:47.0453 4060 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
19:45:47.0468 4060 Ps2 - ok
19:45:47.0500 4060 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:45:47.0500 4060 PSched - ok
19:45:47.0531 4060 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:45:47.0531 4060 Ptilink - ok
19:45:47.0578 4060 PxHelp20 (97b735de4e3cd44c71c8cb09bdbf07b7) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:45:47.0578 4060 PxHelp20 - ok
19:45:47.0625 4060 ql1080 - ok
19:45:47.0656 4060 Ql10wnt - ok
19:45:47.0687 4060 ql12160 - ok
19:45:47.0718 4060 ql1240 - ok
19:45:47.0765 4060 ql1280 - ok
19:45:47.0796 4060 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:45:47.0796 4060 RasAcd - ok
19:45:47.0843 4060 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:45:47.0843 4060 Rasl2tp - ok
19:45:47.0906 4060 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:45:47.0906 4060 RasPppoe - ok
19:45:47.0953 4060 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:45:47.0953 4060 Raspti - ok
19:45:48.0140 4060 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:45:48.0156 4060 Rdbss - ok
19:45:48.0234 4060 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:45:48.0234 4060 RDPCDD - ok
19:45:48.0312 4060 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:45:48.0328 4060 rdpdr - ok
19:45:48.0406 4060 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
19:45:48.0406 4060 RDPWD - ok
19:45:48.0453 4060 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:45:48.0453 4060 redbook - ok
19:45:48.0656 4060 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:45:48.0656 4060 rtl8139 - ok
19:45:48.0750 4060 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:45:48.0765 4060 Secdrv - ok
19:45:48.0859 4060 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\drivers\Serial.sys
19:45:48.0859 4060 Serial - ok
19:45:48.0890 4060 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:45:48.0890 4060 Sfloppy - ok
19:45:48.0937 4060 Simbad - ok
19:45:49.0140 4060 Sparrow - ok
19:45:49.0203 4060 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:45:49.0203 4060 splitter - ok
19:45:49.0265 4060 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys
19:45:49.0281 4060 sr - ok
19:45:49.0390 4060 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:45:49.0406 4060 Srv - ok
19:45:49.0484 4060 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:45:49.0484 4060 swenum - ok
19:45:49.0515 4060 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:45:49.0515 4060 swmidi - ok
19:45:49.0703 4060 symc810 - ok
19:45:49.0750 4060 symc8xx - ok
19:45:49.0828 4060 sym_hi - ok
19:45:49.0859 4060 sym_u3 - ok
19:45:49.0906 4060 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:45:49.0906 4060 sysaudio - ok
19:45:50.0078 4060 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:45:50.0187 4060 Tcpip - ok
19:45:50.0265 4060 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:45:50.0265 4060 TDPIPE - ok
19:45:50.0343 4060 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:45:50.0343 4060 TDTCP - ok
19:45:50.0390 4060 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:45:50.0390 4060 TermDD - ok
19:45:50.0562 4060 TosIde - ok
19:45:50.0640 4060 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:45:50.0640 4060 Udfs - ok
19:45:50.0687 4060 ultra - ok
19:45:50.0750 4060 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:45:50.0765 4060 Update - ok
19:45:50.0859 4060 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:45:50.0859 4060 usbehci - ok
19:45:50.0921 4060 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:45:50.0921 4060 usbhub - ok
19:45:51.0093 4060 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:45:51.0109 4060 usbstor - ok
19:45:51.0171 4060 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:45:51.0171 4060 usbuhci - ok
19:45:51.0203 4060 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:45:51.0203 4060 VgaSave - ok
19:45:51.0250 4060 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:45:51.0250 4060 ViaIde - ok
19:45:51.0281 4060 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys
19:45:51.0281 4060 VolSnap - ok
19:45:51.0328 4060 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:45:51.0328 4060 Wanarp - ok
19:45:51.0375 4060 WDICA - ok
19:45:51.0421 4060 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:45:51.0421 4060 wdmaud - ok
19:45:51.0546 4060 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:45:51.0546 4060 WudfPf - ok
19:45:51.0750 4060 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:45:51.0750 4060 WudfRd - ok
19:45:51.0781 4060 MBR (0x1B8) (fe3fdfe9b33e4927984d4971ab015308) \Device\Harddisk2\DR2
19:45:51.0812 4060 \Device\Harddisk2\DR2 - ok
19:45:51.0812 4060 MBR (0x1B8) (fe3fdfe9b33e4927984d4971ab015308) \Device\Harddisk0\DR0
19:45:51.0828 4060 \Device\Harddisk0\DR0 - ok
19:45:51.0828 4060 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
19:45:51.0828 4060 \Device\Harddisk1\DR1 - ok
19:45:51.0843 4060 Boot (0x1200) (c2155667fd2b84ba582ee2ce6c49f7ed) \Device\Harddisk2\DR2\Partition0
19:45:51.0843 4060 \Device\Harddisk2\DR2\Partition0 - ok
19:45:51.0843 4060 Boot (0x1200) (2b2a524ea2fbe26d6cca197256d5f95d) \Device\Harddisk2\DR2\Partition1
19:45:51.0843 4060 \Device\Harddisk2\DR2\Partition1 - ok
19:45:51.0843 4060 Boot (0x1200) (0cd32d62a762641e4ca5d14d146963fe) \Device\Harddisk0\DR0\Partition0
19:45:51.0843 4060 \Device\Harddisk0\DR0\Partition0 - ok
19:45:51.0859 4060 Boot (0x1200) (23a00328fcb17bf9759750417f2057f0) \Device\Harddisk0\DR0\Partition1
19:45:51.0859 4060 \Device\Harddisk0\DR0\Partition1 - ok
19:45:51.0859 4060 Boot (0x1200) (ed6ab68c98e40570ebccce18f4fb8dc9) \Device\Harddisk1\DR1\Partition0
19:45:51.0859 4060 \Device\Harddisk1\DR1\Partition0 - ok
19:45:51.0859 4060 ============================================================
19:45:51.0859 4060 Scan finished
19:45:51.0859 4060 ============================================================
19:45:51.0875 4080 Detected object count: 0
19:45:51.0875 4080 Actual detected object count: 0

hi,

here is some malwarebyte protection logs i just noticed on the W7 box that was not looking infected but who may be...:


protection-log-2011-11-27

09:13:29 admin MESSAGE Protection started successfully
09:13:33 admin MESSAGE IP Protection started successfully
18:38:23 admin MESSAGE Scheduled update executed successfully
18:39:55 admin MESSAGE IP Protection stopped
18:39:58 admin MESSAGE Database updated successfully
18:39:59 admin MESSAGE IP Protection started successfully
22:59:42 admin IP-BLOCK 94.100.19.132 (Type: outgoing, Port: 54278, Process: firefox.exe)
23:00:39 admin IP-BLOCK 94.100.19.132 (Type: outgoing, Port: 54504, Process: firefox.exe)
23:01:03 admin IP-BLOCK 94.100.19.132 (Type: outgoing, Port: 54613, Process: firefox.exe)


protection-log-2011-12-04
10:12:16 admin MESSAGE Protection started successfully
10:12:20 admin MESSAGE IP Protection started successfully
21:44:05 admin IP-BLOCK 82.98.86.163 (Type: outgoing, Port: 51936, Process: firefox.exe)
21:44:05 admin IP-BLOCK 89.149.227.56 (Type: outgoing, Port: 51992, Process: firefox.exe)
21:44:05 admin IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52010, Process: firefox.exe)
21:44:05 admin IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52011, Process: firefox.exe)

Logs look ok. For the XP machine:

Please also download MBRcheck (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop

Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)

It will show a Black screen with some information that will contain either the below line if no problem is found:

Done! Press ENTER to exit...

Or you will see more information like below if a problem is found:

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.

MBRCheck will create a log on your desktop named similar to MBRCheck_07.16.10_00.32.33.txt which is based on the date and time.

Post the log in your reply.

here are the 3 logs for the W7 box, MBR check found something see below:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
BIOS Manufacturer: Phoenix Technologies Ltd.
System Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
System Product Name: R720
Logical Drives Mask: 0x0000009c

Kernel Drivers (total 159):
0x83016000 \SystemRoot\system32\ntoskrnl.exe
0x83419000 \SystemRoot\system32\halmacpi.dll
0x80BC0000 \SystemRoot\system32\kdcom.dll
0x8B823000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8B8A8000 \SystemRoot\system32\PSHED.dll
0x8B8B9000 \SystemRoot\system32\BOOTVID.dll
0x8B8C1000 \SystemRoot\system32\CLFS.SYS
0x8B903000 \SystemRoot\system32\CI.dll
0x8B9AE000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8BA1F000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8BA2D000 \SystemRoot\system32\drivers\ACPI.sys
0x8BA75000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8BA7E000 \SystemRoot\system32\drivers\msisadrv.sys
0x8BA86000 \SystemRoot\system32\drivers\pci.sys
0x8BAB0000 \SystemRoot\system32\drivers\vdrvroot.sys
0x8BABB000 \SystemRoot\System32\drivers\partmgr.sys
0x8BACC000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8BAD4000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8BADF000 \SystemRoot\system32\drivers\volmgr.sys
0x8BAEF000 \SystemRoot\System32\drivers\volmgrx.sys
0x8BB3A000 \SystemRoot\System32\drivers\mountmgr.sys
0x8BC22000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x8BCFC000 \SystemRoot\system32\drivers\atapi.sys
0x8BD05000 \SystemRoot\system32\drivers\ataport.SYS
0x8BD28000 \SystemRoot\system32\drivers\msahci.sys
0x8BD32000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8BD40000 \SystemRoot\system32\drivers\amdxata.sys
0x8BD49000 \SystemRoot\system32\drivers\fltmgr.sys
0x8BD7D000 \SystemRoot\system32\drivers\fileinfo.sys
0x8BD8E000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BEBD000 \SystemRoot\System32\Drivers\msrpc.sys
0x8BEE8000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8BEFB000 \SystemRoot\System32\Drivers\cng.sys
0x8BF58000 \SystemRoot\System32\drivers\pcw.sys
0x8BF66000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8C023000 \SystemRoot\system32\drivers\ndis.sys
0x8C0DA000 \SystemRoot\system32\drivers\NETIO.SYS
0x8C118000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8C13D000 \SystemRoot\System32\drivers\tcpip.sys
0x8C287000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8C2B8000 \SystemRoot\system32\drivers\volsnap.sys
0x8C2F7000 \SystemRoot\System32\Drivers\spldr.sys
0x8C2FF000 \SystemRoot\System32\drivers\rdyboost.sys
0x8C32C000 \SystemRoot\System32\Drivers\mup.sys
0x8C33C000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8C344000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8C376000 \SystemRoot\system32\DRIVERS\disk.sys
0x8C387000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x9290B000 \SystemRoot\system32\drivers\cdrom.sys
0x9292A000 \SystemRoot\System32\Drivers\Null.SYS
0x92931000 \SystemRoot\System32\Drivers\Beep.SYS
0x92938000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0x92955000 \SystemRoot\System32\drivers\vga.sys
0x92961000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x92982000 \SystemRoot\System32\drivers\watchdog.sys
0x9298F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x92997000 \SystemRoot\system32\drivers\rdpencdd.sys
0x9299F000 \SystemRoot\system32\drivers\rdprefmp.sys
0x929A7000 \SystemRoot\System32\Drivers\Msfs.SYS
0x929B2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x929C0000 \SystemRoot\system32\DRIVERS\tdx.sys
0x929D7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x929E3000 \SystemRoot\system32\drivers\afd.sys
0x92A3D000 \SystemRoot\System32\DRIVERS\netbt.sys
0x92A6F000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x92A76000 \SystemRoot\system32\DRIVERS\pacer.sys
0x92A95000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x92AA6000 \SystemRoot\system32\DRIVERS\netbios.sys
0x92AB4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x92AC7000 \SystemRoot\system32\drivers\termdd.sys
0x92AD8000 \??\C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
0x92AE0000 \??\C:\windows\system32\Drivers\SABI.sys
0x92AE8000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x92B29000 \SystemRoot\system32\drivers\nsiproxy.sys
0x92B33000 \SystemRoot\system32\drivers\mssmbios.sys
0x92B3D000 \SystemRoot\System32\drivers\discache.sys
0x92B49000 \SystemRoot\System32\Drivers\dfsc.sys
0x92B61000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x92B6F000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x93818000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x93D58000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x93E0F000 \SystemRoot\System32\drivers\dxgmms1.sys
0x93E48000 \SystemRoot\system32\drivers\HDAudBus.sys
0x93E67000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x93E72000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x93EBD000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x93ECC000 \SystemRoot\system32\DRIVERS\athr.sys
0x93800000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x92B90000 \SystemRoot\system32\DRIVERS\yk62x86.sys
0x9380A000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x92BE1000 \SystemRoot\system32\drivers\i8042prt.sys
0x92800000 \SystemRoot\system32\drivers\kbdclass.sys
0x8C3B9000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x9380E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9280D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x93810000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8C000000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8C012000 \SystemRoot\system32\drivers\CompositeBus.sys
0x8C3F3000 \SystemRoot\system32\DRIVERS\Epfwndis.sys
0x8BF6F000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8BF81000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8BF99000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8BFA4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8BFC6000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8BFDE000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8BC00000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x93816000 \SystemRoot\system32\drivers\swenum.sys
0x8BB50000 \SystemRoot\system32\drivers\ks.sys
0x8BB84000 \SystemRoot\system32\drivers\umbus.sys
0x8BB92000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8BBD6000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x94026000 \SystemRoot\system32\drivers\HdAudio.sys
0x94076000 \SystemRoot\system32\drivers\portcls.sys
0x940A5000 \SystemRoot\system32\drivers\drmk.sys
0x940BE000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x94363000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x9436E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x94381000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x94388000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x970E0000 \SystemRoot\System32\win32k.sys
0x94393000 \SystemRoot\System32\drivers\Dxapi.sys
0x9439D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x943B4000 \SystemRoot\system32\DRIVERS\monitor.sys
0x943BF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x943D6000 \SystemRoot\System32\Drivers\usbvideo.sys
0x94000000 \SystemRoot\System32\Drivers\crashdmp.sys
0x9281A000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x9400D000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x97340000 \SystemRoot\System32\TSDDD.dll
0x97370000 \SystemRoot\System32\cdd.dll
0x8B800000 \SystemRoot\system32\drivers\luafv.sys
0x9B82F000 \SystemRoot\system32\DRIVERS\eamon.sys
0x9B8FB000 \SystemRoot\system32\drivers\WudfPf.sys
0x9B915000 \SystemRoot\system32\DRIVERS\epfw.sys
0x9B938000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9B948000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9B98E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9B99E000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9B9B1000 \SystemRoot\System32\Drivers\fastfat.SYS
0x9B9DB000 \SystemRoot\system32\drivers\HTTP.sys
0x9BA60000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9BA79000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9BA8B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9BAAE000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9BAE9000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9BB1C000 \SystemRoot\system32\DRIVERS\epfwwfp.sys
0x9BB2A000 \SystemRoot\system32\drivers\peauth.sys
0x9BBC1000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9BBCB000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9BBEC000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA3807000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA3857000 \SystemRoot\System32\DRIVERS\srv.sys
0xA38A9000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA38CA000 \??\C:\windows\system32\drivers\mbam.sys
0x97010000 \SystemRoot\System32\ATMFD.DLL
0xA3B97000 \SystemRoot\system32\DRIVERS\udfs.sys
0x773B0000 \Windows\System32\ntdll.dll
0x47720000 \Windows\System32\smss.exe
0x775F0000 \Windows\System32\apisetschema.dll

Processes (total 83):
0 System Idle Process
4 System
312 C:\Windows\System32\smss.exe
468 csrss.exe
544 C:\Windows\System32\wininit.exe
552 csrss.exe
592 C:\Windows\System32\services.exe
616 C:\Windows\System32\lsass.exe
624 C:\Windows\System32\lsm.exe
708 C:\Windows\System32\winlogon.exe
772 C:\Windows\System32\svchost.exe
848 C:\Windows\System32\svchost.exe
900 C:\Windows\System32\atiesrxx.exe
976 C:\Windows\System32\svchost.exe
1024 C:\Windows\System32\svchost.exe
1072 C:\Windows\System32\svchost.exe
1192 C:\Windows\System32\svchost.exe
1284 C:\Windows\System32\atieclxx.exe
1384 C:\Windows\System32\svchost.exe
1572 C:\Windows\System32\spoolsv.exe
1608 C:\Windows\System32\svchost.exe
1716 C:\Program Files\LSI SoftModem\agrsmsvc.exe
1748 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1776 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
1800 C:\Program Files\Bonjour\mDNSResponder.exe
1832 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
1884 C:\Program Files\ICQ6Toolbar\ICQ Service.exe
1920 C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
2004 C:\Windows\System32\Rezip.exe
2036 C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe
400 C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
1912 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
396 C:\Windows\System32\svchost.exe
540 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
1472 C:\Windows\System32\svchost.exe
1244 C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
2228 C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
2680 C:\Windows\System32\svchost.exe
2740 WUDFHost.exe
3396 C:\Windows\System32\svchost.exe
3924 C:\Windows\System32\dwm.exe
4000 C:\Windows\System32\taskhost.exe
4064 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
2076 C:\Windows\System32\taskeng.exe
2476 C:\Windows\System32\svchost.exe
1668 C:\Program Files\Windows Media Player\wmpnetwk.exe
2952 C:\Windows\System32\SearchIndexer.exe
1872 C:\Windows\explorer.exe
1860 C:\Windows\System32\svchost.exe
3064 C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
3796 C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
3788 C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
4092 C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
740 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
1812 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
3220 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4304 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
4860 C:\Program Files\ESET\ESET Smart Security\egui.exe
5064 C:\Windows\WindowsMobile\wmdc.exe
5424 C:\Program Files\Mozilla Firefox\firefox.exe
5940 C:\Program Files\Mozilla Firefox\plugin-container.exe
3392 C:\Program Files\iTunes\iTunesHelper.exe
4448 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
1208 C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
2144 C:\Program Files\iPod\bin\iPodService.exe
1808 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
6700 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
7056 C:\Program Files\ICQ7.0\ICQ.exe
12256 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
15220 C:\Program Files\OpenOffice.org 3\program\soffice.exe
15376 C:\Program Files\OpenOffice.org 3\program\soffice.bin
24496 C:\Program Files\Samsung\Samsung Update Plus\SUPNotifier.exe
23312 C:\Program Files\Internet Explorer\iexplore.exe
5820 C:\Program Files\Internet Explorer\iexplore.exe
1092 C:\Windows\System32\Macromed\Flash\FlashUtil11e_ActiveX.exe
23016 C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
25612 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
22920 C:\Windows\System32\audiodg.exe
26320 C:\Windows\System32\dllhost.exe
25036 dllhost.exe
1348 dllhost.exe
26560 C:\data\security\MBRCheck.exe
24712 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`c6500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000068`0bf00000 (NTFS)

PhysicalDrive0 Model Number: ST9500325AS, Rev: 0001SDM1

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F5C09ACABD4A5370BDD907E8EDFE0C1DA0F9D3F5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


23:08:00.0197 10936 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
23:08:01.0066 10936 ============================================================
23:08:01.0066 10936 Current date / time: 2011/12/04 23:08:01.0066
23:08:01.0066 10936 SystemInfo:
23:08:01.0066 10936
23:08:01.0066 10936 OS Version: 6.1.7601 ServicePack: 1.0
23:08:01.0066 10936 Product type: Workstation
23:08:01.0066 10936 ComputerName: ADMIN-PC
23:08:01.0066 10936 UserName: admin
23:08:01.0066 10936 Windows directory: C:\windows
23:08:01.0066 10936 System windows directory: C:\windows
23:08:01.0066 10936 Processor architecture: Intel x86
23:08:01.0066 10936 Number of processors: 2
23:08:01.0066 10936 Page size: 0x1000
23:08:01.0066 10936 Boot type: Normal boot
23:08:01.0066 10936 ============================================================
23:08:01.0860 10936 Initialize success
23:08:03.0221 11096 ============================================================
23:08:03.0221 11096 Scan started
23:08:03.0221 11096 Mode: Manual;
23:08:03.0221 11096 ============================================================
23:08:03.0737 11096 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\windows\system32\drivers\1394ohci.sys
23:08:03.0738 11096 1394ohci - ok
23:08:03.0796 11096 ACPI (cea80c80bed809aa0da6febc04733349) C:\windows\system32\drivers\ACPI.sys
23:08:03.0798 11096 ACPI - ok
23:08:03.0874 11096 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\windows\system32\drivers\acpipmi.sys
23:08:03.0874 11096 AcpiPmi - ok
23:08:03.0940 11096 AdfuUd (9ed5d777a31ee654b0899cd1d2e778ba) C:\windows\system32\Drivers\AdfuUd.sys
23:08:03.0940 11096 AdfuUd - ok
23:08:04.0005 11096 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\windows\system32\DRIVERS\adp94xx.sys
23:08:04.0011 11096 adp94xx - ok
23:08:04.0030 11096 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\windows\system32\DRIVERS\adpahci.sys
23:08:04.0035 11096 adpahci - ok
23:08:04.0055 11096 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\windows\system32\DRIVERS\adpu320.sys
23:08:04.0056 11096 adpu320 - ok
23:08:04.0178 11096 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\windows\system32\drivers\afd.sys
23:08:04.0180 11096 AFD - ok
23:08:04.0363 11096 AgereSoftModem (07758c2196a62f207f77556311e7459a) C:\windows\system32\DRIVERS\AGRSM.sys
23:08:04.0370 11096 AgereSoftModem - ok
23:08:04.0412 11096 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\windows\system32\drivers\agp440.sys
23:08:04.0413 11096 agp440 - ok
23:08:04.0509 11096 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\windows\system32\DRIVERS\djsvs.sys
23:08:04.0511 11096 aic78xx - ok
23:08:04.0588 11096 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\windows\system32\drivers\aliide.sys
23:08:04.0588 11096 aliide - ok
23:08:04.0642 11096 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\windows\system32\drivers\amdagp.sys
23:08:04.0645 11096 amdagp - ok
23:08:04.0687 11096 amdide (cd5914170297126b6266860198d1d4f0) C:\windows\system32\drivers\amdide.sys
23:08:04.0688 11096 amdide - ok
23:08:04.0723 11096 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\windows\system32\DRIVERS\amdk8.sys
23:08:04.0726 11096 AmdK8 - ok
23:08:04.0745 11096 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\windows\system32\DRIVERS\amdppm.sys
23:08:04.0747 11096 AmdPPM - ok
23:08:04.0804 11096 amdsata (d320bf87125326f996d4904fe24300fc) C:\windows\system32\drivers\amdsata.sys
23:08:04.0805 11096 amdsata - ok
23:08:04.0834 11096 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\windows\system32\DRIVERS\amdsbs.sys
23:08:04.0837 11096 amdsbs - ok
23:08:04.0877 11096 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\windows\system32\drivers\amdxata.sys
23:08:04.0877 11096 amdxata - ok
23:08:04.0939 11096 AppID (aea177f783e20150ace5383ee368da19) C:\windows\system32\drivers\appid.sys
23:08:04.0939 11096 AppID - ok
23:08:05.0034 11096 arc (2932004f49677bd84dbc72edb754ffb3) C:\windows\system32\DRIVERS\arc.sys
23:08:05.0036 11096 arc - ok
23:08:05.0055 11096 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\windows\system32\DRIVERS\arcsas.sys
23:08:05.0057 11096 arcsas - ok
23:08:05.0087 11096 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\windows\system32\DRIVERS\asyncmac.sys
23:08:05.0109 11096 AsyncMac - ok
23:08:05.0207 11096 atapi (338c86357871c167a96ab976519bf59e) C:\windows\system32\drivers\atapi.sys
23:08:05.0207 11096 atapi - ok
23:08:05.0302 11096 athr (7d0a662d7b116169854b4ec941a7822d) C:\windows\system32\DRIVERS\athr.sys
23:08:05.0312 11096 athr - ok
23:08:05.0517 11096 atikmdag (745c79700646c3f285cd09775618a04b) C:\windows\system32\DRIVERS\atikmdag.sys
23:08:05.0617 11096 atikmdag - ok
23:08:05.0760 11096 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\windows\system32\DRIVERS\bxvbdx.sys
23:08:05.0767 11096 b06bdrv - ok
23:08:05.0805 11096 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\windows\system32\DRIVERS\b57nd60x.sys
23:08:05.0810 11096 b57nd60x - ok
23:08:05.0864 11096 Beep (505506526a9d467307b3c393dedaf858) C:\windows\system32\drivers\Beep.sys
23:08:05.0865 11096 Beep - ok
23:08:05.0905 11096 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\windows\system32\DRIVERS\blbdrive.sys
23:08:05.0909 11096 blbdrive - ok
23:08:06.0065 11096 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\windows\system32\DRIVERS\bowser.sys
23:08:06.0084 11096 bowser - ok
23:08:06.0121 11096 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\windows\system32\DRIVERS\BrFiltLo.sys
23:08:06.0122 11096 BrFiltLo - ok
23:08:06.0141 11096 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\windows\system32\DRIVERS\BrFiltUp.sys
23:08:06.0142 11096 BrFiltUp - ok
23:08:06.0270 11096 Brserid (845b8ce732e67f3b4133164868c666ea) C:\windows\System32\Drivers\Brserid.sys
23:08:06.0275 11096 Brserid - ok
23:08:06.0308 11096 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\windows\System32\Drivers\BrSerWdm.sys
23:08:06.0313 11096 BrSerWdm - ok
23:08:06.0345 11096 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\windows\System32\Drivers\BrUsbMdm.sys
23:08:06.0346 11096 BrUsbMdm - ok
23:08:06.0499 11096 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\windows\System32\Drivers\BrUsbSer.sys
23:08:06.0500 11096 BrUsbSer - ok
23:08:06.0635 11096 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\windows\system32\drivers\BthEnum.sys
23:08:06.0653 11096 BthEnum - ok
23:08:06.0756 11096 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\windows\system32\DRIVERS\bthmodem.sys
23:08:06.0758 11096 BTHMODEM - ok
23:08:06.0794 11096 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\windows\system32\DRIVERS\bthpan.sys
23:08:06.0796 11096 BthPan - ok
23:08:06.0866 11096 BTHPORT (c2fbf6d271d9a94d839c416bf186ead9) C:\windows\System32\Drivers\BTHport.sys
23:08:06.0874 11096 BTHPORT - ok
23:08:06.0905 11096 BTHUSB (c81e9413a25a439f436b1d4b6a0cf9e9) C:\windows\System32\Drivers\BTHUSB.sys
23:08:06.0924 11096 BTHUSB - ok
23:08:06.0956 11096 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\windows\system32\DRIVERS\cdfs.sys
23:08:06.0958 11096 cdfs - ok
23:08:07.0027 11096 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\windows\system32\drivers\cdrom.sys
23:08:07.0028 11096 cdrom - ok
23:08:07.0060 11096 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\windows\system32\DRIVERS\circlass.sys
23:08:07.0062 11096 circlass - ok
23:08:07.0087 11096 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\windows\system32\CLFS.sys
23:08:07.0091 11096 CLFS - ok
23:08:07.0145 11096 CmBatt (dea805815e587dad1dd2c502220b5616) C:\windows\system32\DRIVERS\CmBatt.sys
23:08:07.0146 11096 CmBatt - ok
23:08:07.0201 11096 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\windows\system32\drivers\cmdide.sys
23:08:07.0201 11096 cmdide - ok
23:08:07.0274 11096 CNG (1b675691ed940766149c93e8f4488d68) C:\windows\system32\Drivers\cng.sys
23:08:07.0281 11096 CNG - ok
23:08:07.0398 11096 Compbatt (a6023d3823c37043986713f118a89bee) C:\windows\system32\DRIVERS\compbatt.sys
23:08:07.0418 11096 Compbatt - ok
23:08:07.0524 11096 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\windows\system32\drivers\CompositeBus.sys
23:08:07.0525 11096 CompositeBus - ok
23:08:07.0571 11096 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\windows\system32\DRIVERS\crcdisk.sys
23:08:07.0573 11096 crcdisk - ok
23:08:07.0716 11096 DfsC (f024449c97ec1e464aaffda18593db88) C:\windows\system32\Drivers\dfsc.sys
23:08:07.0717 11096 DfsC - ok
23:08:07.0757 11096 discache (1a050b0274bfb3890703d490f330c0da) C:\windows\system32\drivers\discache.sys
23:08:07.0757 11096 discache - ok
23:08:07.0862 11096 Disk (565003f326f99802e68ca78f2a68e9ff) C:\windows\system32\DRIVERS\disk.sys
23:08:07.0864 11096 Disk - ok
23:08:07.0904 11096 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\windows\system32\drivers\drmkaud.sys
23:08:07.0905 11096 drmkaud - ok
23:08:07.0971 11096 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\windows\System32\drivers\dxgkrnl.sys
23:08:07.0978 11096 DXGKrnl - ok
23:08:08.0063 11096 eamon (af82dc664e3d8e2cba3b95e68f6448a7) C:\windows\system32\DRIVERS\eamon.sys
23:08:08.0065 11096 eamon - ok
23:08:08.0186 11096 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\windows\system32\DRIVERS\evbdx.sys
23:08:08.0286 11096 ebdrv - ok
23:08:08.0415 11096 ehdrv (686a799c1bf1b18941994daf9f45db06) C:\windows\system32\DRIVERS\ehdrv.sys
23:08:08.0416 11096 ehdrv - ok
23:08:08.0554 11096 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\windows\system32\DRIVERS\elxstor.sys
23:08:08.0562 11096 elxstor - ok
23:08:08.0592 11096 epfw (39f48a0784be8465cd1ac80b36d61613) C:\windows\system32\DRIVERS\epfw.sys
23:08:08.0594 11096 epfw - ok
23:08:08.0625 11096 Epfwndis (3b47010b2425b69826004767e59045ba) C:\windows\system32\DRIVERS\Epfwndis.sys
23:08:08.0626 11096 Epfwndis - ok
23:08:08.0651 11096 epfwwfp (702a4695ca4ebdefa30235dda300c9d0) C:\windows\system32\DRIVERS\epfwwfp.sys
23:08:08.0652 11096 epfwwfp - ok
23:08:08.0708 11096 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\windows\system32\drivers\errdev.sys
23:08:08.0709 11096 ErrDev - ok
23:08:08.0768 11096 exfat (2dc9108d74081149cc8b651d3a26207f) C:\windows\system32\drivers\exfat.sys
23:08:08.0777 11096 exfat - ok
23:08:08.0840 11096 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\windows\system32\drivers\fastfat.sys
23:08:08.0845 11096 fastfat - ok
23:08:08.0964 11096 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\windows\system32\DRIVERS\fdc.sys
23:08:08.0967 11096 fdc - ok
23:08:09.0047 11096 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\windows\system32\drivers\fileinfo.sys
23:08:09.0050 11096 FileInfo - ok
23:08:09.0154 11096 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\windows\system32\drivers\filetrace.sys
23:08:09.0156 11096 Filetrace - ok
23:08:09.0197 11096 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\windows\system32\DRIVERS\flpydisk.sys
23:08:09.0199 11096 flpydisk - ok
23:08:09.0230 11096 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\windows\system32\drivers\fltmgr.sys
23:08:09.0234 11096 FltMgr - ok
23:08:09.0265 11096 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\windows\system32\drivers\FsDepends.sys
23:08:09.0267 11096 FsDepends - ok
23:08:09.0309 11096 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\windows\system32\DRIVERS\fssfltr.sys
23:08:09.0312 11096 fssfltr - ok
23:08:09.0362 11096 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\windows\system32\drivers\Fs_Rec.sys
23:08:09.0363 11096 Fs_Rec - ok
23:08:09.0439 11096 fvevol (8a73e79089b282100b9393b644cb853b) C:\windows\system32\DRIVERS\fvevol.sys
23:08:09.0442 11096 fvevol - ok
23:08:09.0528 11096 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\windows\system32\DRIVERS\gagp30kx.sys
23:08:09.0531 11096 gagp30kx - ok
23:08:09.0650 11096 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
23:08:09.0660 11096 GEARAspiWDM - ok
23:08:09.0741 11096 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\windows\system32\drivers\hcw85cir.sys
23:08:09.0743 11096 hcw85cir - ok
23:08:09.0803 11096 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\windows\system32\drivers\HdAudio.sys
23:08:09.0806 11096 HdAudAddService - ok
23:08:09.0911 11096 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\windows\system32\drivers\HDAudBus.sys
23:08:09.0912 11096 HDAudBus - ok
23:08:09.0944 11096 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\windows\system32\DRIVERS\HidBatt.sys
23:08:09.0946 11096 HidBatt - ok
23:08:09.0964 11096 HidBth (89448f40e6df260c206a193a4683ba78) C:\windows\system32\DRIVERS\hidbth.sys
23:08:09.0965 11096 HidBth - ok
23:08:09.0980 11096 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\windows\system32\DRIVERS\hidir.sys
23:08:09.0983 11096 HidIr - ok
23:08:10.0055 11096 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\windows\system32\DRIVERS\hidusb.sys
23:08:10.0055 11096 HidUsb - ok
23:08:10.0114 11096 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\windows\system32\drivers\HpSAMD.sys
23:08:10.0115 11096 HpSAMD - ok
23:08:10.0224 11096 HTTP (871917b07a141bff43d76d8844d48106) C:\windows\system32\drivers\HTTP.sys
23:08:10.0230 11096 HTTP - ok
23:08:10.0310 11096 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\windows\system32\drivers\hwpolicy.sys
23:08:10.0311 11096 hwpolicy - ok
23:08:10.0380 11096 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\windows\system32\drivers\i8042prt.sys
23:08:10.0382 11096 i8042prt - ok
23:08:10.0431 11096 iaStor (d483687eace0c065ee772481a96e05f5) C:\windows\system32\DRIVERS\iaStor.sys
23:08:10.0434 11096 iaStor - ok
23:08:10.0537 11096 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\windows\system32\drivers\iaStorV.sys
23:08:10.0543 11096 iaStorV - ok
23:08:10.0755 11096 igfx (ad626f6964f4d364d226c39e06872dd3) C:\windows\system32\DRIVERS\igdkmd32.sys
23:08:10.0885 11096 igfx - ok
23:08:10.0993 11096 iirsp (4173ff5708f3236cf25195fecd742915) C:\windows\system32\DRIVERS\iirsp.sys
23:08:10.0996 11096 iirsp - ok
23:08:11.0143 11096 IntcAzAudAddService (db96b8bd676bb24bd4f1dc53ca1f182c) C:\windows\system32\drivers\RTKVHDA.sys
23:08:11.0207 11096 IntcAzAudAddService - ok
23:08:11.0399 11096 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\windows\system32\drivers\intelide.sys
23:08:11.0400 11096 intelide - ok
23:08:11.0462 11096 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\windows\system32\DRIVERS\intelppm.sys
23:08:11.0463 11096 intelppm - ok
23:08:11.0497 11096 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\windows\system32\DRIVERS\ipfltdrv.sys
23:08:11.0499 11096 IpFilterDriver - ok
23:08:11.0576 11096 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\windows\system32\drivers\IPMIDrv.sys
23:08:11.0577 11096 IPMIDRV - ok
23:08:11.0611 11096 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\windows\system32\drivers\ipnat.sys
23:08:11.0613 11096 IPNAT - ok
23:08:11.0724 11096 IRENUM (42996cff20a3084a56017b7902307e9f) C:\windows\system32\drivers\irenum.sys
23:08:11.0727 11096 IRENUM - ok
23:08:11.0798 11096 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\windows\system32\drivers\isapnp.sys
23:08:11.0800 11096 isapnp - ok
23:08:11.0826 11096 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\windows\system32\drivers\msiscsi.sys
23:08:11.0827 11096 iScsiPrt - ok
23:08:11.0939 11096 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\windows\system32\drivers\kbdclass.sys
23:08:11.0942 11096 kbdclass - ok
23:08:12.0014 11096 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\windows\system32\drivers\kbdhid.sys
23:08:12.0034 11096 kbdhid - ok
23:08:12.0100 11096 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\windows\system32\Drivers\ksecdd.sys
23:08:12.0103 11096 KSecDD - ok
23:08:12.0139 11096 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\windows\system32\Drivers\ksecpkg.sys
23:08:12.0143 11096 KSecPkg - ok
23:08:12.0245 11096 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\windows\system32\DRIVERS\lltdio.sys
23:08:12.0278 11096 lltdio - ok
23:08:12.0317 11096 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\windows\system32\DRIVERS\lsi_fc.sys
23:08:12.0320 11096 LSI_FC - ok
23:08:12.0343 11096 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\windows\system32\DRIVERS\lsi_sas.sys
23:08:12.0345 11096 LSI_SAS - ok
23:08:12.0362 11096 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\windows\system32\DRIVERS\lsi_sas2.sys
23:08:12.0364 11096 LSI_SAS2 - ok
23:08:12.0384 11096 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\windows\system32\DRIVERS\lsi_scsi.sys
23:08:12.0386 11096 LSI_SCSI - ok
23:08:12.0420 11096 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\windows\system32\drivers\luafv.sys
23:08:12.0423 11096 luafv - ok
23:08:12.0541 11096 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\windows\system32\drivers\mbam.sys
23:08:12.0542 11096 MBAMProtector - ok
23:08:12.0659 11096 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\windows\system32\DRIVERS\megasas.sys
23:08:12.0715 11096 megasas - ok
23:08:12.0749 11096 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\windows\system32\DRIVERS\MegaSR.sys
23:08:12.0754 11096 MegaSR - ok
23:08:12.0777 11096 Modem (f001861e5700ee84e2d4e52c712f4964) C:\windows\system32\drivers\modem.sys
23:08:12.0779 11096 Modem - ok
23:08:12.0814 11096 monitor (79d10964de86b292320e9dfe02282a23) C:\windows\system32\DRIVERS\monitor.sys
23:08:12.0815 11096 monitor - ok
23:08:12.0878 11096 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\windows\system32\DRIVERS\mouclass.sys
23:08:12.0879 11096 mouclass - ok
23:08:12.0919 11096 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\windows\system32\DRIVERS\mouhid.sys
23:08:12.0921 11096 mouhid - ok
23:08:12.0977 11096 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\windows\system32\drivers\mountmgr.sys
23:08:13.0009 11096 mountmgr - ok
23:08:13.0065 11096 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\windows\system32\drivers\mpio.sys
23:08:13.0066 11096 mpio - ok
23:08:13.0097 11096 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\windows\system32\drivers\mpsdrv.sys
23:08:13.0099 11096 mpsdrv - ok
23:08:13.0143 11096 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\windows\system32\drivers\mrxdav.sys
23:08:13.0145 11096 MRxDAV - ok
23:08:13.0210 11096 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\windows\system32\DRIVERS\mrxsmb.sys
23:08:13.0212 11096 mrxsmb - ok
23:08:13.0274 11096 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\windows\system32\DRIVERS\mrxsmb10.sys
23:08:13.0277 11096 mrxsmb10 - ok
23:08:13.0304 11096 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\windows\system32\DRIVERS\mrxsmb20.sys
23:08:13.0305 11096 mrxsmb20 - ok
23:08:13.0350 11096 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\windows\system32\drivers\msahci.sys
23:08:13.0351 11096 msahci - ok
23:08:13.0397 11096 msdsm (55055f8ad8be27a64c831322a780a228) C:\windows\system32\drivers\msdsm.sys
23:08:13.0398 11096 msdsm - ok
23:08:13.0572 11096 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\windows\system32\drivers\Msfs.sys
23:08:13.0573 11096 Msfs - ok
23:08:13.0736 11096 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\windows\System32\drivers\mshidkmdf.sys
23:08:13.0737 11096 mshidkmdf - ok
23:08:13.0824 11096 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\windows\system32\drivers\msisadrv.sys
23:08:13.0826 11096 msisadrv - ok
23:08:13.0897 11096 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\windows\system32\drivers\MSKSSRV.sys
23:08:13.0898 11096 MSKSSRV - ok
23:08:13.0919 11096 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\windows\system32\drivers\MSPCLOCK.sys
23:08:13.0920 11096 MSPCLOCK - ok
23:08:13.0944 11096 MSPQM (f456e973590d663b1073e9c463b40932) C:\windows\system32\drivers\MSPQM.sys
23:08:13.0945 11096 MSPQM - ok
23:08:13.0969 11096 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\windows\system32\drivers\MsRPC.sys
23:08:13.0977 11096 MsRPC - ok
23:08:14.0025 11096 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\windows\system32\drivers\mssmbios.sys
23:08:14.0027 11096 mssmbios - ok
23:08:14.0074 11096 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\windows\system32\drivers\MSTEE.sys
23:08:14.0075 11096 MSTEE - ok
23:08:14.0087 11096 MTConfig (33599130f44e1f34631cea241de8ac84) C:\windows\system32\DRIVERS\MTConfig.sys
23:08:14.0120 11096 MTConfig - ok
23:08:14.0152 11096 Mup (159fad02f64e6381758c990f753bcc80) C:\windows\system32\Drivers\mup.sys
23:08:14.0154 11096 Mup - ok
23:08:14.0204 11096 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\windows\system32\DRIVERS\nwifi.sys
23:08:14.0208 11096 NativeWifiP - ok
23:08:14.0285 11096 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\windows\system32\drivers\ndis.sys
23:08:14.0289 11096 NDIS - ok
23:08:14.0327 11096 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\windows\system32\DRIVERS\ndiscap.sys
23:08:14.0330 11096 NdisCap - ok
23:08:14.0355 11096 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\windows\system32\DRIVERS\ndistapi.sys
23:08:14.0357 11096 NdisTapi - ok
23:08:14.0427 11096 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\windows\system32\DRIVERS\ndisuio.sys
23:08:14.0428 11096 Ndisuio - ok
23:08:14.0501 11096 NdisWan (38fbe267e7e6983311179230facb1017) C:\windows\system32\DRIVERS\ndiswan.sys
23:08:14.0502 11096 NdisWan - ok
23:08:14.0551 11096 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\windows\system32\drivers\NDProxy.sys
23:08:14.0552 11096 NDProxy - ok
23:08:14.0586 11096 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\windows\system32\DRIVERS\netbios.sys
23:08:14.0588 11096 NetBIOS - ok
23:08:14.0636 11096 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\windows\system32\DRIVERS\netbt.sys
23:08:14.0638 11096 NetBT - ok
23:08:14.0679 11096 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\windows\system32\DRIVERS\nfrd960.sys
23:08:14.0681 11096 nfrd960 - ok
23:08:14.0711 11096 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\windows\system32\drivers\Npfs.sys
23:08:14.0712 11096 Npfs - ok
23:08:14.0736 11096 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\windows\system32\drivers\nsiproxy.sys
23:08:14.0754 11096 nsiproxy - ok
23:08:14.0833 11096 Ntfs (81189c3d7763838e55c397759d49007a) C:\windows\system32\drivers\Ntfs.sys
23:08:14.0868 11096 Ntfs - ok
23:08:14.0900 11096 Null (f9756a98d69098dca8945d62858a812c) C:\windows\system32\drivers\Null.sys
23:08:14.0901 11096 Null - ok
23:08:14.0961 11096 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\windows\system32\drivers\nvraid.sys
23:08:14.0963 11096 nvraid - ok
23:08:15.0023 11096 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\windows\system32\drivers\nvstor.sys
23:08:15.0026 11096 nvstor - ok
23:08:15.0070 11096 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\windows\system32\drivers\nv_agp.sys
23:08:15.0073 11096 nv_agp - ok
23:08:15.0139 11096 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\windows\system32\drivers\ohci1394.sys
23:08:15.0140 11096 ohci1394 - ok
23:08:15.0191 11096 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\windows\system32\DRIVERS\parport.sys
23:08:15.0193 11096 Parport - ok
23:08:15.0238 11096 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\windows\system32\drivers\partmgr.sys
23:08:15.0239 11096 partmgr - ok
23:08:15.0263 11096 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\windows\system32\DRIVERS\parvdm.sys
23:08:15.0264 11096 Parvdm - ok
23:08:15.0318 11096 pci (673e55c3498eb970088e812ea820aa8f) C:\windows\system32\drivers\pci.sys
23:08:15.0320 11096 pci - ok
23:08:15.0378 11096 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\windows\system32\drivers\pciide.sys
23:08:15.0383 11096 pciide - ok
23:08:15.0464 11096 pcmcia (f396431b31693e71e8a80687ef523506) C:\windows\system32\DRIVERS\pcmcia.sys
23:08:15.0468 11096 pcmcia - ok
23:08:15.0513 11096 pcw (250f6b43d2b613172035c6747aeeb19f) C:\windows\system32\drivers\pcw.sys
23:08:15.0516 11096 pcw - ok
23:08:15.0562 11096 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\windows\system32\drivers\peauth.sys
23:08:15.0585 11096 PEAUTH - ok
23:08:15.0671 11096 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\windows\system32\DRIVERS\raspptp.sys
23:08:15.0673 11096 PptpMiniport - ok
23:08:15.0688 11096 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\windows\system32\DRIVERS\processr.sys
23:08:15.0690 11096 Processor - ok
23:08:15.0749 11096 Psched (6270ccae2a86de6d146529fe55b3246a) C:\windows\system32\DRIVERS\pacer.sys
23:08:15.0751 11096 Psched - ok
23:08:15.0817 11096 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\windows\system32\DRIVERS\ql2300.sys
23:08:15.0878 11096 ql2300 - ok
23:08:16.0048 11096 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\windows\system32\DRIVERS\ql40xx.sys
23:08:16.0049 11096 ql40xx - ok
23:08:16.0131 11096 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\windows\system32\drivers\qwavedrv.sys
23:08:16.0133 11096 QWAVEdrv - ok
23:08:16.0178 11096 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\windows\system32\DRIVERS\rasacd.sys
23:08:16.0179 11096 RasAcd - ok
23:08:16.0261 11096 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\windows\system32\DRIVERS\AgileVpn.sys
23:08:16.0263 11096 RasAgileVpn - ok
23:08:16.0301 11096 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\windows\system32\DRIVERS\rasl2tp.sys
23:08:16.0303 11096 Rasl2tp - ok
23:08:16.0399 11096 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\windows\system32\DRIVERS\raspppoe.sys
23:08:16.0402 11096 RasPppoe - ok
23:08:16.0427 11096 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\windows\system32\DRIVERS\rassstp.sys
23:08:16.0429 11096 RasSstp - ok
23:08:16.0491 11096 rdbss (d528bc58a489409ba40334ebf96a311b) C:\windows\system32\DRIVERS\rdbss.sys
23:08:16.0495 11096 rdbss - ok
23:08:16.0541 11096 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\windows\system32\DRIVERS\rdpbus.sys
23:08:16.0543 11096 rdpbus - ok
23:08:16.0620 11096 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\windows\system32\DRIVERS\RDPCDD.sys
23:08:16.0648 11096 RDPCDD - ok
23:08:16.0747 11096 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\windows\system32\drivers\rdpencdd.sys
23:08:16.0748 11096 RDPENCDD - ok
23:08:16.0779 11096 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\windows\system32\drivers\rdprefmp.sys
23:08:16.0780 11096 RDPREFMP - ok
23:08:16.0842 11096 RDPWD (288b06960d78428ff89e811632684e20) C:\windows\system32\drivers\RDPWD.sys
23:08:16.0846 11096 RDPWD - ok
23:08:16.0961 11096 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\windows\system32\drivers\rdyboost.sys
23:08:16.0965 11096 rdyboost - ok
23:08:17.0068 11096 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\windows\system32\DRIVERS\rfcomm.sys
23:08:17.0071 11096 RFCOMM - ok
23:08:17.0156 11096 rspndr (032b0d36ad92b582d869879f5af5b928) C:\windows\system32\DRIVERS\rspndr.sys
23:08:17.0159 11096 rspndr - ok
23:08:17.0193 11096 RTL8167 (7dfd48e24479b68b258d8770121155a0) C:\windows\system32\DRIVERS\Rt86win7.sys
23:08:17.0196 11096 RTL8167 - ok
23:08:17.0328 11096 SABI (6e5fbb7cbaec47038b945d5e9b144a64) C:\windows\system32\Drivers\SABI.sys
23:08:17.0329 11096 SABI - ok
23:08:17.0542 11096 sbp2port (05d860da1040f111503ac416ccef2bca) C:\windows\system32\drivers\sbp2port.sys
23:08:17.0543 11096 sbp2port - ok
23:08:17.0728 11096 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\windows\system32\DRIVERS\scfilter.sys
23:08:17.0729 11096 scfilter - ok
23:08:17.0921 11096 SDHookDriver (47dd7bb6b72a5f49e01f53597bcaeac7) C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
23:08:17.0927 11096 SDHookDriver - ok
23:08:18.0075 11096 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\windows\system32\drivers\secdrv.sys
23:08:18.0077 11096 secdrv - ok
23:08:18.0160 11096 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\windows\system32\DRIVERS\serenum.sys
23:08:18.0178 11096 Serenum - ok
23:08:18.0294 11096 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\windows\system32\DRIVERS\serial.sys
23:08:18.0300 11096 Serial - ok
23:08:18.0487 11096 sermouse (79bffb520327ff916a582dfea17aa813) C:\windows\system32\DRIVERS\sermouse.sys
23:08:18.0488 11096 sermouse - ok
23:08:18.0600 11096 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\windows\system32\drivers\sffdisk.sys
23:08:18.0601 11096 sffdisk - ok
23:08:18.0617 11096 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\windows\system32\drivers\sffp_mmc.sys
23:08:18.0618 11096 sffp_mmc - ok
23:08:18.0648 11096 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\windows\system32\drivers\sffp_sd.sys
23:08:18.0649 11096 sffp_sd - ok
23:08:18.0679 11096 sfloppy (db96666cc8312ebc45032f30b007a547) C:\windows\system32\DRIVERS\sfloppy.sys
23:08:18.0680 11096 sfloppy - ok
23:08:18.0775 11096 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\windows\system32\drivers\sisagp.sys
23:08:18.0778 11096 sisagp - ok
23:08:18.0828 11096 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\windows\system32\DRIVERS\SiSRaid2.sys
23:08:18.0830 11096 SiSRaid2 - ok
23:08:18.0871 11096 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\windows\system32\DRIVERS\sisraid4.sys
23:08:18.0872 11096 SiSRaid4 - ok
23:08:18.0944 11096 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\windows\system32\DRIVERS\smb.sys
23:08:18.0946 11096 Smb - ok
23:08:19.0054 11096 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\windows\system32\drivers\spldr.sys
23:08:19.0055 11096 spldr - ok
23:08:19.0131 11096 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\windows\system32\DRIVERS\srv.sys
23:08:19.0135 11096 srv - ok
23:08:19.0171 11096 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\windows\system32\DRIVERS\srv2.sys
23:08:19.0176 11096 srv2 - ok
23:08:19.0194 11096 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\windows\system32\DRIVERS\srvnet.sys
23:08:19.0195 11096 srvnet - ok
23:08:19.0240 11096 stexstor (db32d325c192b801df274bfd12a7e72b) C:\windows\system32\DRIVERS\stexstor.sys
23:08:19.0241 11096 stexstor - ok
23:08:19.0289 11096 swenum (e58c78a848add9610a4db6d214af5224) C:\windows\system32\drivers\swenum.sys
23:08:19.0290 11096 swenum - ok
23:08:19.0369 11096 SynTP (069e5728e565bd401347cb94732c4733) C:\windows\system32\DRIVERS\SynTP.sys
23:08:19.0411 11096 SynTP - ok
23:08:19.0508 11096 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\windows\system32\drivers\tcpip.sys
23:08:19.0572 11096 Tcpip - ok
23:08:19.0627 11096 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\windows\system32\DRIVERS\tcpip.sys
23:08:19.0636 11096 TCPIP6 - ok
23:08:19.0703 11096 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\windows\system32\drivers\tcpipreg.sys
23:08:19.0704 11096 tcpipreg - ok
23:08:19.0755 11096 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\windows\system32\drivers\tdpipe.sys
23:08:19.0756 11096 TDPIPE - ok
23:08:19.0806 11096 TDTCP (2c10395baa4847f83042813c515cc289) C:\windows\system32\drivers\tdtcp.sys
23:08:19.0807 11096 TDTCP - ok
23:08:19.0861 11096 tdx (b459575348c20e8121d6039da063c704) C:\windows\system32\DRIVERS\tdx.sys
23:08:19.0862 11096 tdx - ok
23:08:19.0925 11096 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\windows\system32\drivers\termdd.sys
23:08:19.0926 11096 TermDD - ok
23:08:20.0092 11096 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\windows\system32\DRIVERS\tssecsrv.sys
23:08:20.0093 11096 tssecsrv - ok
23:08:20.0197 11096 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\windows\system32\drivers\tsusbflt.sys
23:08:20.0198 11096 TsUsbFlt - ok
23:08:20.0282 11096 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\windows\system32\DRIVERS\tunnel.sys
23:08:20.0284 11096 tunnel - ok
23:08:20.0313 11096 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
23:08:20.0315 11096 uagp35 - ok
23:08:20.0369 11096 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\windows\system32\DRIVERS\udfs.sys
23:08:20.0374 11096 udfs - ok
23:08:20.0449 11096 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\drivers\uliagpkx.sys
23:08:20.0452 11096 uliagpkx - ok
23:08:20.0720 11096 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\windows\system32\drivers\umbus.sys
23:08:20.0722 11096 umbus - ok
23:08:20.0776 11096 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
23:08:20.0778 11096 UmPass - ok
23:08:20.0868 11096 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\windows\system32\Drivers\usbaapl.sys
23:08:20.0870 11096 USBAAPL - ok
23:08:20.0940 11096 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\windows\system32\DRIVERS\usbccgp.sys
23:08:20.0944 11096 usbccgp - ok
23:08:21.0062 11096 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\drivers\usbcir.sys
23:08:21.0065 11096 usbcir - ok
23:08:21.0226 11096 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\windows\system32\DRIVERS\usbehci.sys
23:08:21.0227 11096 usbehci - ok
23:08:21.0385 11096 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\windows\system32\DRIVERS\usbhub.sys
23:08:21.0418 11096 usbhub - ok
23:08:21.0481 11096 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\windows\system32\DRIVERS\usbohci.sys
23:08:21.0499 11096 usbohci - ok
23:08:21.0515 11096 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
23:08:21.0516 11096 usbprint - ok
23:08:21.0622 11096 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\windows\system32\DRIVERS\usbscan.sys
23:08:21.0625 11096 usbscan - ok
23:08:21.0698 11096 USBSTOR (f991ab9cc6b908db552166768176896a) C:\windows\system32\DRIVERS\USBSTOR.SYS
23:08:21.0700 11096 USBSTOR - ok
23:08:21.0745 11096 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\windows\system32\DRIVERS\usbuhci.sys
23:08:21.0746 11096 usbuhci - ok
23:08:21.0854 11096 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\windows\System32\Drivers\usbvideo.sys
23:08:21.0855 11096 usbvideo - ok
23:08:21.0935 11096 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\drivers\vdrvroot.sys
23:08:21.0936 11096 vdrvroot - ok
23:08:21.0981 11096 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
23:08:21.0982 11096 vga - ok
23:08:22.0013 11096 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
23:08:22.0015 11096 VgaSave - ok
23:08:22.0086 11096 vhdmp (5461686cca2fda57b024547733ab42e3) C:\windows\system32\drivers\vhdmp.sys
23:08:22.0091 11096 vhdmp - ok
23:08:22.0147 11096 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\drivers\viaagp.sys
23:08:22.0192 11096 viaagp - ok
23:08:22.0275 11096 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
23:08:22.0277 11096 ViaC7 - ok
23:08:22.0324 11096 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\drivers\viaide.sys
23:08:22.0326 11096 viaide - ok
23:08:22.0375 11096 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\windows\system32\drivers\volmgr.sys
23:08:22.0377 11096 volmgr - ok
23:08:22.0400 11096 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
23:08:22.0406 11096 volmgrx - ok
23:08:22.0479 11096 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\windows\system32\drivers\volsnap.sys
23:08:22.0483 11096 volsnap - ok
23:08:22.0729 11096 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
23:08:22.0732 11096 vsmraid - ok
23:08:22.0752 11096 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\system32\DRIVERS\vwifibus.sys
23:08:22.0771 11096 vwifibus - ok
23:08:22.0822 11096 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
23:08:22.0824 11096 vwififlt - ok
23:08:22.0864 11096 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
23:08:22.0866 11096 WacomPen - ok
23:08:22.0959 11096 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\windows\system32\DRIVERS\wanarp.sys
23:08:22.0960 11096 WANARP - ok
23:08:22.0991 11096 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\windows\system32\DRIVERS\wanarp.sys
23:08:22.0992 11096 Wanarpv6 - ok
23:08:23.0122 11096 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
23:08:23.0123 11096 Wd - ok
23:08:23.0158 11096 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
23:08:23.0166 11096 Wdf01000 - ok
23:08:23.0288 11096 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
23:08:23.0289 11096 WfpLwf - ok
23:08:23.0307 11096 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
23:08:23.0308 11096 WIMMount - ok
23:08:23.0592 11096 WINUSB (a67e5f9a400f3bd1be3d80613b45f708) C:\windows\system32\drivers\WinUSB.SYS
23:08:23.0594 11096 WINUSB - ok
23:08:23.0776 11096 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\drivers\wmiacpi.sys
23:08:23.0777 11096 WmiAcpi - ok
23:08:23.0892 11096 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
23:08:23.0893 11096 ws2ifsl - ok
23:08:23.0957 11096 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\windows\system32\drivers\WudfPf.sys
23:08:23.0958 11096 WudfPf - ok
23:08:24.0078 11096 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\windows\system32\DRIVERS\WUDFRd.sys
23:08:24.0079 11096 WUDFRd - ok
23:08:24.0184 11096 yukonw7 (30b73eb97218a16cbc6de535782a1b35) C:\windows\system32\DRIVERS\yk62x86.sys
23:08:24.0191 11096 yukonw7 - ok
23:08:24.0280 11096 MBR (0x1B8) (2e5debb2116b3417023e0d6562d7ed07) \Device\Harddisk0\DR0
23:08:24.0596 11096 \Device\Harddisk0\DR0 - ok
23:08:24.0602 11096 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR1
23:08:24.0642 11096 \Device\Harddisk1\DR1 - ok
23:08:24.0647 11096 Boot (0x1200) (35ad429c41eabd3cb5aa0c137174f74e) \Device\Harddisk0\DR0\Partition0
23:08:24.0649 11096 \Device\Harddisk0\DR0\Partition0 - ok
23:08:24.0678 11096 Boot (0x1200) (8ef57f636c3472629962a8279554bffc) \Device\Harddisk0\DR0\Partition1
23:08:24.0680 11096 \Device\Harddisk0\DR0\Partition1 - ok
23:08:24.0710 11096 Boot (0x1200) (18763aeac0ee39fec1defec9b7171ab2) \Device\Harddisk0\DR0\Partition2
23:08:24.0721 11096 \Device\Harddisk0\DR0\Partition2 - ok
23:08:24.0730 11096 Boot (0x1200) (c17c16547be32acadda8a1f42eeb1198) \Device\Harddisk1\DR1\Partition0
23:08:24.0731 11096 \Device\Harddisk1\DR1\Partition0 - ok
23:08:24.0732 11096 ============================================================
23:08:24.0732 11096 Scan finished
23:08:24.0732 11096 ============================================================
23:08:24.0749 11700 Detected object count: 0
23:08:24.0749 11700 Actual detected object count: 0
23:09:48.0844 10880 Deinitialize success


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-04 23:06:58
-----------------------------
23:06:58.047 OS Version: Windows 6.1.7601 Service Pack 1
23:06:58.047 Number of processors: 2 586 0x170A
23:06:58.115 ComputerName: ADMIN-PC UserName: admin
23:07:03.017 Initialize success
23:07:07.616 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:07:07.618 Disk 0 Vendor: ST950032 0001 Size: 476940MB BusType: 3
23:07:07.672 Disk 0 MBR read successfully
23:07:07.674 Disk 0 MBR scan
23:07:07.676 Disk 0 unknown MBR code
23:07:07.680 Disk 0 scanning sectors +976771072
23:07:07.783 Disk 0 scanning C:\windows\system32\drivers
23:07:21.760 Service scanning
23:07:22.973 Modules scanning
23:07:30.906 Disk 0 trace - called modules:
23:07:30.948 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
23:07:30.952 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86dac030]
23:07:30.956 3 CLASSPNP.SYS[8c38b59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85f5f028]
23:07:30.961 Scan finished successfully
23:07:47.746 Disk 0 MBR has been saved successfully to "C:\Users\admin\Desktop\MBR.dat"
23:07:47.753 The log file has been saved successfully to "C:\Users\admin\Desktop\aswMBR.txt"

here is the MBR Check logs for the XP box, MBR check found something see below:


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000ffc

Kernel Drivers (total 126):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7B10000 \WINDOWS\system32\KDCOM.DLL
0xF7A20000 \WINDOWS\system32\BOOTVID.dll
0xF74E0000 ACPI.sys
0xF7B12000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74CF000 pci.sys
0xF7610000 isapnp.sys
0xF7620000 ohci1394.sys
0xF7630000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7BD8000 pciide.sys
0xF7890000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7B14000 viaide.sys
0xF7B16000 intelide.sys
0xF7640000 MountMgr.sys
0xF74B0000 ftdisk.sys
0xF7B18000 dmload.sys
0xF748A000 dmio.sys
0xF7898000 PartMgr.sys
0xF7650000 VolSnap.sys
0xF73CA000 iastor.sys
0xF73B2000 atapi.sys
0xF736F000 ftsata2.sys
0xF7357000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7660000 disk.sys
0xF7670000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7337000 fltmgr.sys
0xF7325000 sr.sys
0xF7680000 bb-run.sys
0xF7690000 PxHelp20.sys
0xF730E000 KSecDD.sys
0xF7281000 Ntfs.sys
0xF7254000 NDIS.sys
0xF723A000 Mup.sys
0xF7830000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7940000 \SystemRoot\system32\DRIVERS\ELacpi.sys
0xF6E0B000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF6DF7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6DCF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7948000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6DAB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7950000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7840000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6D83000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF6D6F000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7850000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7958000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B3A000 \??\C:\WINDOWS\System32\Drivers\Elmou.sys
0xF7960000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF7968000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7B3C000 \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
0xF7860000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7870000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7880000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6D4C000 \SystemRoot\system32\DRIVERS\ks.sys
0xF76C0000 \SystemRoot\system32\DRIVERS\Epfwndis.sys
0xF7D45000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76D0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B04000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6D35000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76E0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76F0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7970000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6C84000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7700000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7978000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7980000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6C25000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7710000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B3E000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6BC7000 \SystemRoot\system32\DRIVERS\update.sys
0xF720A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7730000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF4189000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF4165000 \SystemRoot\system32\drivers\portcls.sys
0xF7740000 \SystemRoot\system32\drivers\drmk.sys
0xF7750000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B46000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B48000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7D2B000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B4A000 \SystemRoot\System32\Drivers\Beep.SYS
0xF40F5000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0xF79A8000 \SystemRoot\System32\drivers\vga.sys
0xF7B4C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B4E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79B0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79B8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6BBF000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF40C2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF4069000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF4056000 \SystemRoot\system32\DRIVERS\epfwtdi.sys
0xF4030000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF4008000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7760000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF3FE6000 \SystemRoot\System32\drivers\afd.sys
0xF7770000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF3FBB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7780000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF3F4B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7790000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7B50000 \??\C:\WINDOWS\System32\Drivers\Elmon.sys
0xF6BA7000 \??\C:\WINDOWS\System32\Drivers\Elhid.sys
0xF79C8000 \??\C:\WINDOWS\System32\Drivers\HIDPARSE.SYS
0xF79D0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF3E87000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF3E6F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7BAA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF411D000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78E0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C9C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF45B000 \SystemRoot\System32\ATMFD.DLL
0xBA4BD000 \SystemRoot\system32\DRIVERS\eamon.sys
0xBA5D4000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xBA46D000 \SystemRoot\system32\DRIVERS\epfw.sys
0xBA5F4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB9FF8000 \SystemRoot\system32\drivers\wdmaud.sys
0xBA43D000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7810000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB968D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB9534000 \SystemRoot\System32\Drivers\HTTP.sys
0xB94B4000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA44D000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
952 C:\WINDOWS\system32\smss.exe
1024 csrss.exe
1052 C:\WINDOWS\system32\winlogon.exe
1096 C:\WINDOWS\system32\services.exe
1108 C:\WINDOWS\system32\lsass.exe
1296 C:\WINDOWS\system32\svchost.exe
1424 svchost.exe
1548 C:\WINDOWS\system32\svchost.exe
1624 svchost.exe
1784 svchost.exe
2024 C:\WINDOWS\system32\spoolsv.exe
284 C:\WINDOWS\explorer.exe
388 C:\WINDOWS\ehome\ehtray.exe
472 C:\WINDOWS\RTHDCPL.EXE
480 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
524 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
556 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
564 C:\Program Files\ESET\ESET Smart Security\egui.exe
572 C:\WINDOWS\system32\rundll32.exe
568 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
584 C:\Program Files\Messenger\msmsgs.exe
596 C:\WINDOWS\system32\ctfmon.exe
752 svchost.exe
800 C:\WINDOWS\ehome\ehrecvr.exe
816 C:\WINDOWS\ehome\ehSched.exe
828 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
1008 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
1176 C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
1600 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
1680 C:\WINDOWS\system32\nvsvc32.exe
1884 svchost.exe
2160 C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe
2368 C:\WINDOWS\system32\wuauclt.exe
2404 mcrdsvc.exe
3380 C:\WINDOWS\system32\dllhost.exe
3748 alg.exe
4040 C:\WINDOWS\ehome\ehmsas.exe
2736 C:\Program Files\Mozilla Firefox\firefox.exe
3756 C:\hp\KBD\kbd.exe
2916 C:\WINDOWS\system\hpsysdrv.exe
896 C:\Documents and Settings\HP_Administrateur\Bureau\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000044`28098a00 (FAT32)
\\.\G: --> \\.\PhysicalDrive0 at offset 0x00000038`82bc8800 (FAT32)

PhysicalDrive2 Model Number: Maxtor6L300R0, Rev: BAJ41G20
PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02
PhysicalDrive1 Model Number: SAMSUNGHD204UI, Rev: 1AQ10001

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: 1CA67A0BFF17E11956F16C348FF70DEC63296236
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 1CA67A0BFF17E11956F16C348FF70DEC63296236
1863 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

The unknown code most likely is because commercially purchased machines can use custom MBR code, like HP, Gateway, Acer etc
Lets see if Gmer can dig up anything:

Download the gmer (http://www.gmer.net/gmer.zip) utility and save to your desktop.

Extract the contents of the zipped file to your desktop

Double click GMER.exe to start.

If it gives you a warning about rootkit activity and asks if you want to run a scan...select--> NO

In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...

* IAT/EAT

* Drives/Partition other than Systemdrive (typically C:\)

* Show All <--don't miss this one

click the Scan button & wait for it to finish.

When the scan is complete, click Save and save the log to your desktop. Post the log in your reply.

I wont be back on line for 16 hrs or so.......

hi shelf life

here is the log from the XP box:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-05 22:31:17
Windows 5.1.2600 Service Pack 3 Harddisk2\DR2 -> \Device\Ide\IdeDeviceP0T1L0-c Maxtor_6L300R0 rev.BAJ41G20
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fgpirfoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xF411E4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xF411E7F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xF411EAB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xF411E5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xF411E8B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xF411E350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xF411E410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xF411E570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xF411E630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xF411E530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xF411E4F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xF411E670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0xF411E870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xF411E3B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xF411E430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xF411E830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xF411E370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xF411E470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xF411E5F0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes [B0, EA, 11, F4] {MOV AL, 0xea; ADC ESP, ESI}
.text ntkrnlpa.exe!ZwCallbackReturn + 2D68 80504604 4 Bytes CALL E3653A1A
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA4 80504840 4 Bytes CALL BE693C56
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [B0, E3, 11, F4, 30, E4, 11, ...] {MOV AL, 0xe3; ADC ESP, ESI; XOR AH, AH; ADC ESP, ESI; XOR AL, CH; ADC ESP, ESI}
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6E0B380, 0x24192E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1880] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 01263690 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I also did a scan on the XP box with mbr.exe -t from gmer.net see bellow:


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L300R0 rev.BAJ41G20 -> Harddisk2\DR2 -> \Device\Ide\IdeDeviceP0T1L0-c

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk2\DR2[0x8676DAB8]
3 CLASSPNP[0xF7670FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000067[0x867C5A38]
5 ACPI[0xF74E6620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP0T1L0-c[0x85E24D98]
kernel: MBR read successfully
user & kernel MBR OK

I also did a scan with this tool;

http://www.usec.at/radix.html

I have attached the log.

hi,

The recent logs all look ok, I will go back for another look at the earlier ones you posted.

hi shelf life,

Do you think I can use the features of the samsung recovery utility to recover the W7 box, or will it recover the virus/rootkit with it ?

I will do a gmer scan on the W7 box tonight and post the log, yesterday I did one, but it took ages to complete & I had to cancel it, however I saw a lot of JMP instructions on different exe. and it does not look very good.

Bye
philippe

here is the start of the Gmer log of the W7 box, it's still running so I will let it run during the night & post the log when done.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-06 22:25:52
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0001
Running: gmer.exe; Driver: C:\Users\admin\AppData\Local\Temp\aglorpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey + 13CD 830729C9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 830924E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92C04000, 0x2DEB7A, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\windows\SYSTEM32\Rezip.exe[280] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\SYSTEM32\Rezip.exe[280] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe[392] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe[392] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[488] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A70F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[488] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AD0F5A
.text C:\windows\system32\wininit.exe[544] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\wininit.exe[544] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\services.exe[592] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\services.exe[592] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\lsm.exe[624] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\lsm.exe[624] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[728] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[728] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[792] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[792] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[820] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[820] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\atiesrxx.exe[844] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\atiesrxx.exe[844] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\winlogon.exe[896] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\winlogon.exe[896] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\System32\svchost.exe[948] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\System32\svchost.exe[948] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\System32\svchost.exe[1012] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\System32\svchost.exe[1012] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1304] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1304] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[1384] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[1384] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\System32\spoolsv.exe[1416] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\System32\spoolsv.exe[1416] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[1444] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[1444] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\LSI SoftModem\agrsmsvc.exe[1548] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\LSI SoftModem\agrsmsvc.exe[1548] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1568] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1568] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1600] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1600] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\atieclxx.exe[1628] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\atieclxx.exe[1628] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\System32\svchost.exe[1652] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\System32\svchost.exe[1652] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1828] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1828] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1908] kernel32.dll!SetUnhandledExceptionFilter 760CF4FB 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[1916] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[1916] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\ICQ6Toolbar\ICQ Service.exe[1928] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\ICQ6Toolbar\ICQ Service.exe[1928] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\System32\svchost.exe[1940] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\System32\svchost.exe[1940] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe[1968] KERNEL32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe[1968] KERNEL32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2112] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2112] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe[2320] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe[2320] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\SearchIndexer.exe[2352] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\SearchIndexer.exe[2352] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2548] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2548] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2560] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2560] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2580] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2580] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2620] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2620] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\svchost.exe[2636] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\svchost.exe[2636] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\servicing\TrustedInstaller.exe[2796] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\servicing\TrustedInstaller.exe[2796] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Windows\system32\WUDFHost.exe[2824] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Windows\system32\WUDFHost.exe[2824] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\svchost.exe[2880] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\svchost.exe[2880] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe[3084] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe[3084] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3092] KERNEL32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3092] KERNEL32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Users\admin\Desktop\gmer.exe[3148] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Users\admin\Desktop\gmer.exe[3148] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3340] KERNEL32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3340] KERNEL32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3488] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3488] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\Dwm.exe[3500] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\Dwm.exe[3500] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\taskhost.exe[3508] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\taskhost.exe[3508] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\taskeng.exe[3608] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\taskeng.exe[3608] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3712] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3712] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\svchost.exe[3912] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\svchost.exe[3912] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\Explorer.EXE[3992] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\Explorer.EXE[3992] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[4056] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[4056] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[4072] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[4072] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4292] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4292] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[4388] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[4388] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\ESET\ESET Smart Security\egui.exe[4948] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\ESET\ESET Smart Security\egui.exe[4948] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Windows\WindowsMobile\wmdc.exe[5156] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Windows\WindowsMobile\wmdc.exe[5156] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[5904] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[5904] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Runtime de l’infrastructure de pilotes en mode noyau/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Runtime de l’infrastructure de pilotes en mode noyau/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Gestionnaire de filtres de système de fichiers Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:4204] A4D0EF2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ea6bb2
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ea93e9
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ea6bb2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ea93e9 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime 2011-12-06 18:13:09
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect@LastSuccessTime 2011-12-05 20:33:03
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download@LastSuccessTime 2011-12-03 08:08:24
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP@LastIndex 294

hi,

Dont see anything that looks out of the ordinary in the log. No harm in running aswMBR and Tdskiller on the W7 machine.
As far as the Samsung utility goes, unless it writes a new MBR then it wont do much good as far as a MBR rootkit goes.

You can run farbar's utility on the XP machine and on the W7 after doing the above:

Please download Minitoolbox (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe) and save it to your desktop.
With Internet Explorer and Fire Fox closed:

* Double click on MiniToolBox.exe to run it.
Please check the following options:
Flush DNS
Reset IE Proxy Settings
Reset FF Proxy Settings
* Click the GO button. A log will open.
* Please post the contents of this log. It can also be found on the desktop as Result.txt.

hi shelf life,

here is the log for the XP box:


MiniToolBox by Farbar
Ran by HP_Administrateur (administrator) on 07-12-2011 at 21:14:33
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Configuration IP de Windows



Cache de résolution DNS vidé.


"Reset IE Proxy Settings": IE Proxy Settings were reset.

"Reset FF Proxy Settings": Firefox Proxy settings were reset.


**** End of log ****

extremely strange event:

on boot I loaded something that looks like the bios (but it was not the bio maybe an HP variation) by pressing the esc key,

in the menu it asked me the disk to boot from, and I selected the main Western Digital disk where the fresh OS has been installed doing a format (during the install procedure).

but instead of having the fresh OS it loded the old system (that was supposed to have been formatted). I tested some applications like FTP and it's working...

the even more strange thing is that ESET smart security is now showing smart security 5 when it used to be 4 on the formatted OS..... ???? (and the small icon at the bottom show 4)... In fact I did install the V5 but on the new fresh OS.

as it's very strange I tought this can be interesing.

bye
philippe

here is the full gmer log of the W7 box:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-07 22:42:03
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0001
Running: gmer.exe; Driver: C:\Users\admin\AppData\Local\Temp\aglorpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey + 13CD 830729C9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 830924E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92C04000, 0x2DEB7A, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\windows\SYSTEM32\Rezip.exe[280] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\SYSTEM32\Rezip.exe[280] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe[392] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe[392] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[488] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A70F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[488] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AD0F5A
.text C:\windows\system32\wininit.exe[544] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\wininit.exe[544] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\services.exe[592] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\services.exe[592] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\lsm.exe[624] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\lsm.exe[624] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[728] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[728] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[792] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[792] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[820] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[820] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\atiesrxx.exe[844] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\atiesrxx.exe[844] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\winlogon.exe[896] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\winlogon.exe[896] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\System32\svchost.exe[948] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\System32\svchost.exe[948] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\System32\svchost.exe[1012] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\System32\svchost.exe[1012] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1304] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1304] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[1384] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[1384] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\System32\spoolsv.exe[1416] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\System32\spoolsv.exe[1416] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\system32\svchost.exe[1444] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\svchost.exe[1444] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\LSI SoftModem\agrsmsvc.exe[1548] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\LSI SoftModem\agrsmsvc.exe[1548] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1568] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1568] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1600] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1600] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\atieclxx.exe[1628] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\windows\system32\atieclxx.exe[1628] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\System32\svchost.exe[1652] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\System32\svchost.exe[1652] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1828] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1828] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1908] kernel32.dll!SetUnhandledExceptionFilter 760CF4FB 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[1916] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[1916] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\ICQ6Toolbar\ICQ Service.exe[1928] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\ICQ6Toolbar\ICQ Service.exe[1928] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\windows\System32\svchost.exe[1940] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\System32\svchost.exe[1940] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe[1968] KERNEL32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A80F5A
.text C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe[1968] KERNEL32.dll!CreateProcessA 76082082 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2112] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2112] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe[2320] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe[2320] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\SearchIndexer.exe[2352] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\SearchIndexer.exe[2352] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2548] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2548] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2560] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2560] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2580] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2580] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2620] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2620] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\svchost.exe[2636] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\svchost.exe[2636] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\servicing\TrustedInstaller.exe[2796] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\servicing\TrustedInstaller.exe[2796] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Windows\system32\WUDFHost.exe[2824] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Windows\system32\WUDFHost.exe[2824] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\svchost.exe[2880] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\svchost.exe[2880] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe[3084] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe[3084] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3092] KERNEL32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3092] KERNEL32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Users\admin\Desktop\gmer.exe[3148] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Users\admin\Desktop\gmer.exe[3148] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3340] KERNEL32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3340] KERNEL32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3488] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3488] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\Dwm.exe[3500] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\Dwm.exe[3500] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\taskhost.exe[3508] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\taskhost.exe[3508] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\taskeng.exe[3608] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\taskeng.exe[3608] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3712] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3712] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\system32\svchost.exe[3912] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\system32\svchost.exe[3912] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\windows\Explorer.EXE[3992] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\windows\Explorer.EXE[3992] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[4056] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[4056] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[4072] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[4072] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4292] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4292] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[4388] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[4388] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\ESET\ESET Smart Security\egui.exe[4948] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\ESET\ESET Smart Security\egui.exe[4948] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Windows\WindowsMobile\wmdc.exe[5156] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Windows\WindowsMobile\wmdc.exe[5156] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[5904] kernel32.dll!CreateProcessW 7608204D 6 Bytes JMP 71A90F5A
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[5904] kernel32.dll!CreateProcessA 76082082 6 Bytes JMP 71AF0F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Runtime de l’infrastructure de pilotes en mode noyau/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Runtime de l’infrastructure de pilotes en mode noyau/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Gestionnaire de filtres de système de fichiers Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:4204] A4D0EF2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ea6bb2
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ea93e9
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ea6bb2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ea93e9 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime 2011-12-06 18:13:09
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect@LastSuccessTime 2011-12-05 20:33:03
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download@LastSuccessTime 2011-12-03 08:08:24
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP@LastIndex 294

---- Files - GMER 1.0.15 ----

File C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P5HS1S25\integrity-local[1].txt 40 bytes
File C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XDRV2TUD\integrity-local[1].txt 40 bytes

---- EOF - GMER 1.0.15 ----

MiniToolBox log for the W7 box


MiniToolBox by Farbar
Ran by admin (administrator) on 07-12-2011 at 22:46:56
Windows 7 Home Premium Service Pack 1 (X86)

***************************************************************************

========================= Flush DNS: ===================================

Configuration IP de Windows

Cache de r‚solution DNS vid‚.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

"Reset FF Proxy Settings": Firefox Proxy settings were reset.


**** End of log ****

in the menu it asked me the disk to boot from, and I selected the main Western Digital disk

Looks like you have 3 hard drives, and several partitions. One must have the new install you did, another a older install? Does that make sense? I would visit the HP web site and check your make and model to confirm what you have and how they function, one may be a drive that functions as a backup.

PhysicalDrive2 Model Number: Maxtor6L300R0, Rev: BAJ41G20
PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02
PhysicalDrive1 Model Number: SAMSUNGHD204UI, Rev: 1AQ10001

hi shelf life,


>Looks like you have 3 hard drives, and several partitions. One must have the >new install you did, another a older install? Does that make sense? I would >visit the HP web site and check your make and model to confirm what you >have and how they function, one may be a drive that functions as a backup.

I have 3 disks indeed, and a couple of partitions 2 restore partitions created by HP recovery, 1 main on the C, and the 2 other disk have only 1 partitions each.


I opened up the PC it's a Asus motherboard:P5LP-LE (Leonite)

http://h10025.www1.hp.com/ewfrf/wc/document?cc=fr&lc=fr&dlc=fr&docname=c00864946#N142

hp pavillon


I will check how it is supposed to operarte.

however I did disconnect the 2 additional disk, and when I try to boot on the C, the boot sequence start correctly I have the XP black screen then the blue logon, and it freez there, I can not go anywhere.... very strange, as if part of the fresh install has span on some of the other disks...??

I will do some more tests tomorrow.

bye
philippe

hi shelf life,

here are the logs for the W7 box:

nothing that looks suspicious to me, any other scanning tools I could use ?

because I dont' like to much to see firefox doing the activity MalwareByte did block, firefox should not be using such non standard ports to communicate with the outside ???

22:59:42 admin IP-BLOCK 94.100.19.132 (Type: outgoing, Port: 54278, Process: firefox.exe)
23:00:39 admin IP-BLOCK 94.100.19.132 (Type: outgoing, Port: 54504, Process: firefox.exe)
23:01:03 admin IP-BLOCK 94.100.19.132 (Type: outgoing, Port: 54613, Process: firefox.exe)


protection-log-2011-12-04
10:12:16 admin MESSAGE Protection started successfully
10:12:20 admin MESSAGE IP Protection started successfully
21:44:05 admin IP-BLOCK 82.98.86.163 (Type: outgoing, Port: 51936, Process: firefox.exe)
21:44:05 admin IP-BLOCK 89.149.227.56 (Type: outgoing, Port: 51992, Process: firefox.exe)
21:44:05 admin IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52010, Process: firefox.exe)
21:44:05 admin IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52011, Process: firefox.exe)


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-08 21:23:06
-----------------------------
21:23:06.569 OS Version: Windows 6.1.7601 Service Pack 1
21:23:06.569 Number of processors: 2 586 0x170A
21:23:06.569 ComputerName: ADMIN-PC UserName: admin
21:23:28.690 Initialize success
21:23:34.540 AVAST engine defs: 11120701
21:27:17.873 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:27:17.873 Disk 0 Vendor: ST950032 0001 Size: 476940MB BusType: 3
21:27:17.904 Disk 0 MBR read successfully
21:27:17.904 Disk 0 MBR scan
21:27:17.904 Disk 0 unknown MBR code
21:27:17.904 Disk 0 scanning sectors +976771072
21:27:18.013 Disk 0 scanning C:\windows\system32\drivers
21:27:41.007 Service scanning
21:27:42.552 Modules scanning
21:27:52.505 Disk 0 trace - called modules:
21:27:52.520 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
21:27:52.520 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86dac030]
21:27:52.536 3 CLASSPNP.SYS[8c38759e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85f5e028]
21:27:54.127 AVAST engine scan C:\
15:42:06.632 Scan finished successfully
18:41:46.532 Disk 0 MBR has been saved successfully to "C:\Users\admin\Desktop\MBR.dat"
18:41:46.532 The log file has been saved successfully to "C:\Users\admin\Desktop\aswMBR-log-9-12-2012.txt"





18:42:33.0027 15108 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
18:42:33.0058 15108 ============================================================
18:42:33.0058 15108 Current date / time: 2011/12/09 18:42:33.0058
18:42:33.0058 15108 SystemInfo:
18:42:33.0058 15108
18:42:33.0058 15108 OS Version: 6.1.7601 ServicePack: 1.0
18:42:33.0058 15108 Product type: Workstation
18:42:33.0058 15108 ComputerName: ADMIN-PC
18:42:33.0058 15108 UserName: admin
18:42:33.0058 15108 Windows directory: C:\windows
18:42:33.0058 15108 System windows directory: C:\windows
18:42:33.0058 15108 Processor architecture: Intel x86
18:42:33.0058 15108 Number of processors: 2
18:42:33.0058 15108 Page size: 0x1000
18:42:33.0058 15108 Boot type: Normal boot
18:42:33.0058 15108 ============================================================
18:42:34.0446 15108 Initialize success
18:43:07.0627 15632 ============================================================
18:43:07.0627 15632 Scan started
18:43:07.0627 15632 Mode: Manual; SigCheck; TDLFS;
18:43:07.0627 15632 ============================================================
18:43:08.0860 15632 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\windows\system32\drivers\1394ohci.sys
18:43:09.0016 15632 1394ohci - ok
18:43:09.0125 15632 ACPI (cea80c80bed809aa0da6febc04733349) C:\windows\system32\drivers\ACPI.sys
18:43:09.0156 15632 ACPI - ok
18:43:09.0219 15632 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\windows\system32\drivers\acpipmi.sys
18:43:09.0297 15632 AcpiPmi - ok
18:43:09.0406 15632 AdfuUd (9ed5d777a31ee654b0899cd1d2e778ba) C:\windows\system32\Drivers\AdfuUd.sys
18:43:09.0468 15632 AdfuUd - ok
18:43:09.0546 15632 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\windows\system32\DRIVERS\adp94xx.sys
18:43:09.0562 15632 adp94xx - ok
18:43:09.0609 15632 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\windows\system32\DRIVERS\adpahci.sys
18:43:09.0624 15632 adpahci - ok
18:43:09.0640 15632 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\windows\system32\DRIVERS\adpu320.sys
18:43:09.0655 15632 adpu320 - ok
18:43:09.0796 15632 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\windows\system32\drivers\afd.sys
18:43:09.0874 15632 AFD - ok
18:43:10.0014 15632 AgereSoftModem (07758c2196a62f207f77556311e7459a) C:\windows\system32\DRIVERS\AGRSM.sys
18:43:10.0092 15632 AgereSoftModem - ok
18:43:10.0186 15632 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\windows\system32\drivers\agp440.sys
18:43:10.0201 15632 agp440 - ok
18:43:10.0264 15632 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\windows\system32\DRIVERS\djsvs.sys
18:43:10.0279 15632 aic78xx - ok
18:43:10.0404 15632 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\windows\system32\drivers\aliide.sys
18:43:10.0420 15632 aliide - ok
18:43:10.0498 15632 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\windows\system32\drivers\amdagp.sys
18:43:10.0513 15632 amdagp - ok
18:43:10.0591 15632 amdide (cd5914170297126b6266860198d1d4f0) C:\windows\system32\drivers\amdide.sys
18:43:10.0607 15632 amdide - ok
18:43:10.0701 15632 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\windows\system32\DRIVERS\amdk8.sys
18:43:10.0747 15632 AmdK8 - ok
18:43:10.0857 15632 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\windows\system32\DRIVERS\amdppm.sys
18:43:10.0888 15632 AmdPPM - ok
18:43:10.0997 15632 amdsata (d320bf87125326f996d4904fe24300fc) C:\windows\system32\drivers\amdsata.sys
18:43:11.0013 15632 amdsata - ok
18:43:11.0059 15632 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\windows\system32\DRIVERS\amdsbs.sys
18:43:11.0075 15632 amdsbs - ok
18:43:11.0122 15632 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\windows\system32\drivers\amdxata.sys
18:43:11.0137 15632 amdxata - ok
18:43:11.0247 15632 AppID (aea177f783e20150ace5383ee368da19) C:\windows\system32\drivers\appid.sys
18:43:11.0356 15632 AppID - ok
18:43:11.0481 15632 arc (2932004f49677bd84dbc72edb754ffb3) C:\windows\system32\DRIVERS\arc.sys
18:43:11.0496 15632 arc - ok
18:43:11.0543 15632 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\windows\system32\DRIVERS\arcsas.sys
18:43:11.0559 15632 arcsas - ok
18:43:11.0605 15632 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\windows\system32\DRIVERS\asyncmac.sys
18:43:11.0715 15632 AsyncMac - ok
18:43:11.0793 15632 atapi (338c86357871c167a96ab976519bf59e) C:\windows\system32\drivers\atapi.sys
18:43:11.0808 15632 atapi - ok
18:43:11.0902 15632 athr (7d0a662d7b116169854b4ec941a7822d) C:\windows\system32\DRIVERS\athr.sys
18:43:11.0949 15632 athr - ok
18:43:12.0167 15632 atikmdag (745c79700646c3f285cd09775618a04b) C:\windows\system32\DRIVERS\atikmdag.sys
18:43:12.0276 15632 atikmdag - ok
18:43:12.0417 15632 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\windows\system32\DRIVERS\bxvbdx.sys
18:43:12.0463 15632 b06bdrv - ok
18:43:12.0541 15632 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\windows\system32\DRIVERS\b57nd60x.sys
18:43:12.0557 15632 b57nd60x - ok
18:43:12.0635 15632 Beep (505506526a9d467307b3c393dedaf858) C:\windows\system32\drivers\Beep.sys
18:43:12.0682 15632 Beep - ok
18:43:12.0775 15632 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\windows\system32\DRIVERS\blbdrive.sys
18:43:12.0822 15632 blbdrive - ok
18:43:12.0963 15632 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\windows\system32\DRIVERS\bowser.sys
18:43:13.0056 15632 bowser - ok
18:43:13.0087 15632 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\windows\system32\DRIVERS\BrFiltLo.sys
18:43:13.0134 15632 BrFiltLo - ok
18:43:13.0212 15632 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\windows\system32\DRIVERS\BrFiltUp.sys
18:43:13.0259 15632 BrFiltUp - ok
18:43:13.0415 15632 Brserid (845b8ce732e67f3b4133164868c666ea) C:\windows\System32\Drivers\Brserid.sys
18:43:13.0462 15632 Brserid - ok
18:43:13.0524 15632 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\windows\System32\Drivers\BrSerWdm.sys
18:43:13.0555 15632 BrSerWdm - ok
18:43:13.0587 15632 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\windows\System32\Drivers\BrUsbMdm.sys
18:43:13.0618 15632 BrUsbMdm - ok
18:43:13.0633 15632 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\windows\System32\Drivers\BrUsbSer.sys
18:43:13.0680 15632 BrUsbSer - ok
18:43:13.0789 15632 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\windows\system32\drivers\BthEnum.sys
18:43:13.0836 15632 BthEnum - ok
18:43:13.0867 15632 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\windows\system32\DRIVERS\bthmodem.sys
18:43:13.0899 15632 BTHMODEM - ok
18:43:13.0992 15632 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\windows\system32\DRIVERS\bthpan.sys
18:43:14.0008 15632 BthPan - ok
18:43:14.0086 15632 BTHPORT (c2fbf6d271d9a94d839c416bf186ead9) C:\windows\System32\Drivers\BTHport.sys
18:43:14.0133 15632 BTHPORT - ok
18:43:14.0195 15632 BTHUSB (c81e9413a25a439f436b1d4b6a0cf9e9) C:\windows\System32\Drivers\BTHUSB.sys
18:43:14.0226 15632 BTHUSB - ok
18:43:14.0289 15632 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\windows\system32\DRIVERS\cdfs.sys
18:43:14.0335 15632 cdfs - ok
18:43:14.0460 15632 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\windows\system32\drivers\cdrom.sys
18:43:14.0491 15632 cdrom - ok
18:43:14.0538 15632 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\windows\system32\DRIVERS\circlass.sys
18:43:14.0585 15632 circlass - ok
18:43:14.0632 15632 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\windows\system32\CLFS.sys
18:43:14.0663 15632 CLFS - ok
18:43:14.0772 15632 CmBatt (dea805815e587dad1dd2c502220b5616) C:\windows\system32\DRIVERS\CmBatt.sys
18:43:14.0803 15632 CmBatt - ok
18:43:14.0850 15632 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\windows\system32\drivers\cmdide.sys
18:43:14.0866 15632 cmdide - ok
18:43:14.0928 15632 CNG (1b675691ed940766149c93e8f4488d68) C:\windows\system32\Drivers\cng.sys
18:43:14.0959 15632 CNG - ok
18:43:15.0006 15632 Compbatt (a6023d3823c37043986713f118a89bee) C:\windows\system32\DRIVERS\compbatt.sys
18:43:15.0037 15632 Compbatt - ok
18:43:15.0100 15632 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\windows\system32\drivers\CompositeBus.sys
18:43:15.0147 15632 CompositeBus - ok
18:43:15.0225 15632 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\windows\system32\DRIVERS\crcdisk.sys
18:43:15.0240 15632 crcdisk - ok
18:43:15.0318 15632 DfsC (f024449c97ec1e464aaffda18593db88) C:\windows\system32\Drivers\dfsc.sys
18:43:15.0365 15632 DfsC - ok
18:43:15.0459 15632 discache (1a050b0274bfb3890703d490f330c0da) C:\windows\system32\drivers\discache.sys
18:43:15.0505 15632 discache - ok
18:43:15.0630 15632 Disk (565003f326f99802e68ca78f2a68e9ff) C:\windows\system32\DRIVERS\disk.sys
18:43:15.0646 15632 Disk - ok
18:43:15.0693 15632 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\windows\system32\drivers\drmkaud.sys
18:43:15.0739 15632 drmkaud - ok
18:43:15.0786 15632 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\windows\System32\drivers\dxgkrnl.sys
18:43:15.0833 15632 DXGKrnl - ok
18:43:15.0880 15632 eamon (af82dc664e3d8e2cba3b95e68f6448a7) C:\windows\system32\DRIVERS\eamon.sys
18:43:15.0927 15632 eamon - ok
18:43:16.0036 15632 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\windows\system32\DRIVERS\evbdx.sys
18:43:16.0114 15632 ebdrv - ok
18:43:16.0207 15632 ehdrv (686a799c1bf1b18941994daf9f45db06) C:\windows\system32\DRIVERS\ehdrv.sys
18:43:16.0254 15632 ehdrv - ok
18:43:16.0363 15632 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\windows\system32\DRIVERS\elxstor.sys
18:43:16.0395 15632 elxstor - ok
18:43:16.0426 15632 epfw (39f48a0784be8465cd1ac80b36d61613) C:\windows\system32\DRIVERS\epfw.sys
18:43:16.0457 15632 epfw - ok
18:43:16.0519 15632 Epfwndis (3b47010b2425b69826004767e59045ba) C:\windows\system32\DRIVERS\Epfwndis.sys
18:43:16.0566 15632 Epfwndis - ok
18:43:16.0660 15632 epfwwfp (702a4695ca4ebdefa30235dda300c9d0) C:\windows\system32\DRIVERS\epfwwfp.sys
18:43:16.0691 15632 epfwwfp - ok
18:43:16.0753 15632 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\windows\system32\drivers\errdev.sys
18:43:16.0785 15632 ErrDev - ok
18:43:16.0878 15632 exfat (2dc9108d74081149cc8b651d3a26207f) C:\windows\system32\drivers\exfat.sys
18:43:16.0909 15632 exfat - ok
18:43:16.0941 15632 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\windows\system32\drivers\fastfat.sys
18:43:16.0972 15632 fastfat - ok
18:43:17.0065 15632 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\windows\system32\DRIVERS\fdc.sys
18:43:17.0097 15632 fdc - ok
18:43:17.0128 15632 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\windows\system32\drivers\fileinfo.sys
18:43:17.0128 15632 FileInfo - ok
18:43:17.0159 15632 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\windows\system32\drivers\filetrace.sys
18:43:17.0190 15632 Filetrace - ok
18:43:17.0221 15632 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\windows\system32\DRIVERS\flpydisk.sys
18:43:17.0237 15632 flpydisk - ok
18:43:17.0331 15632 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\windows\system32\drivers\fltmgr.sys
18:43:17.0346 15632 FltMgr - ok
18:43:17.0377 15632 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\windows\system32\drivers\FsDepends.sys
18:43:17.0377 15632 FsDepends - ok
18:43:17.0440 15632 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\windows\system32\DRIVERS\fssfltr.sys
18:43:17.0455 15632 fssfltr - ok
18:43:17.0502 15632 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\windows\system32\drivers\Fs_Rec.sys
18:43:17.0518 15632 Fs_Rec - ok
18:43:17.0627 15632 fvevol (8a73e79089b282100b9393b644cb853b) C:\windows\system32\DRIVERS\fvevol.sys
18:43:17.0643 15632 fvevol - ok
18:43:17.0689 15632 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\windows\system32\DRIVERS\gagp30kx.sys
18:43:17.0705 15632 gagp30kx - ok
18:43:17.0814 15632 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
18:43:17.0814 15632 GEARAspiWDM - ok
18:43:17.0923 15632 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\windows\system32\drivers\hcw85cir.sys
18:43:17.0970 15632 hcw85cir - ok
18:43:18.0064 15632 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\windows\system32\drivers\HdAudio.sys
18:43:18.0095 15632 HdAudAddService - ok
18:43:18.0204 15632 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\windows\system32\drivers\HDAudBus.sys
18:43:18.0235 15632 HDAudBus - ok
18:43:18.0267 15632 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\windows\system32\DRIVERS\HidBatt.sys
18:43:18.0298 15632 HidBatt - ok
18:43:18.0376 15632 HidBth (89448f40e6df260c206a193a4683ba78) C:\windows\system32\DRIVERS\hidbth.sys
18:43:18.0423 15632 HidBth - ok
18:43:18.0485 15632 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\windows\system32\DRIVERS\hidir.sys
18:43:18.0563 15632 HidIr - ok
18:43:18.0641 15632 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\windows\system32\DRIVERS\hidusb.sys
18:43:18.0688 15632 HidUsb - ok
18:43:18.0813 15632 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\windows\system32\drivers\HpSAMD.sys
18:43:18.0875 15632 HpSAMD - ok
18:43:18.0937 15632 HTTP (871917b07a141bff43d76d8844d48106) C:\windows\system32\drivers\HTTP.sys
18:43:18.0984 15632 HTTP - ok
18:43:19.0078 15632 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\windows\system32\drivers\hwpolicy.sys
18:43:19.0093 15632 hwpolicy - ok
18:43:19.0156 15632 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\windows\system32\drivers\i8042prt.sys
18:43:19.0218 15632 i8042prt - ok
18:43:19.0296 15632 iaStor (d483687eace0c065ee772481a96e05f5) C:\windows\system32\DRIVERS\iaStor.sys
18:43:19.0343 15632 iaStor - ok
18:43:19.0405 15632 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\windows\system32\drivers\iaStorV.sys
18:43:19.0452 15632 iaStorV - ok
18:43:19.0655 15632 igfx (ad626f6964f4d364d226c39e06872dd3) C:\windows\system32\DRIVERS\igdkmd32.sys
18:43:19.0827 15632 igfx - ok
18:43:19.0920 15632 iirsp (4173ff5708f3236cf25195fecd742915) C:\windows\system32\DRIVERS\iirsp.sys
18:43:19.0967 15632 iirsp - ok
18:43:20.0107 15632 IntcAzAudAddService (db96b8bd676bb24bd4f1dc53ca1f182c) C:\windows\system32\drivers\RTKVHDA.sys
18:43:20.0263 15632 IntcAzAudAddService - ok
18:43:20.0373 15632 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\windows\system32\drivers\intelide.sys
18:43:20.0419 15632 intelide - ok
18:43:20.0451 15632 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\windows\system32\DRIVERS\intelppm.sys
18:43:20.0466 15632 intelppm - ok
18:43:20.0513 15632 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\windows\system32\DRIVERS\ipfltdrv.sys
18:43:20.0575 15632 IpFilterDriver - ok
18:43:20.0700 15632 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\windows\system32\drivers\IPMIDrv.sys
18:43:20.0763 15632 IPMIDRV - ok
18:43:20.0794 15632 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\windows\system32\drivers\ipnat.sys
18:43:20.0856 15632 IPNAT - ok
18:43:20.0965 15632 IRENUM (42996cff20a3084a56017b7902307e9f) C:\windows\system32\drivers\irenum.sys
18:43:21.0059 15632 IRENUM - ok
18:43:21.0106 15632 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\windows\system32\drivers\isapnp.sys
18:43:21.0168 15632 isapnp - ok
18:43:21.0199 15632 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\windows\system32\drivers\msiscsi.sys
18:43:21.0215 15632 iScsiPrt - ok
18:43:21.0246 15632 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\windows\system32\drivers\kbdclass.sys
18:43:21.0277 15632 kbdclass - ok
18:43:21.0309 15632 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\windows\system32\drivers\kbdhid.sys
18:43:21.0355 15632 kbdhid - ok
18:43:21.0402 15632 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\windows\system32\Drivers\ksecdd.sys
18:43:21.0418 15632 KSecDD - ok
18:43:21.0480 15632 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\windows\system32\Drivers\ksecpkg.sys
18:43:21.0527 15632 KSecPkg - ok
18:43:21.0574 15632 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\windows\system32\DRIVERS\lltdio.sys
18:43:21.0636 15632 lltdio - ok
18:43:21.0699 15632 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\windows\system32\DRIVERS\lsi_fc.sys
18:43:21.0714 15632 LSI_FC - ok
18:43:21.0745 15632 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\windows\system32\DRIVERS\lsi_sas.sys
18:43:21.0777 15632 LSI_SAS - ok
18:43:21.0808 15632 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\windows\system32\DRIVERS\lsi_sas2.sys
18:43:21.0839 15632 LSI_SAS2 - ok
18:43:21.0870 15632 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\windows\system32\DRIVERS\lsi_scsi.sys
18:43:21.0901 15632 LSI_SCSI - ok
18:43:21.0933 15632 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\windows\system32\drivers\luafv.sys
18:43:21.0979 15632 luafv - ok
18:43:22.0104 15632 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\windows\system32\drivers\mbam.sys
18:43:22.0151 15632 MBAMProtector - ok
18:43:22.0307 15632 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\windows\system32\DRIVERS\megasas.sys
18:43:22.0323 15632 megasas - ok
18:43:22.0369 15632 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\windows\system32\DRIVERS\MegaSR.sys
18:43:22.0416 15632 MegaSR - ok
18:43:22.0463 15632 Modem (f001861e5700ee84e2d4e52c712f4964) C:\windows\system32\drivers\modem.sys
18:43:22.0525 15632 Modem - ok
18:43:22.0603 15632 monitor (79d10964de86b292320e9dfe02282a23) C:\windows\system32\DRIVERS\monitor.sys
18:43:22.0650 15632 monitor - ok
18:43:22.0697 15632 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\windows\system32\DRIVERS\mouclass.sys
18:43:22.0759 15632 mouclass - ok
18:43:22.0822 15632 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\windows\system32\DRIVERS\mouhid.sys
18:43:22.0900 15632 mouhid - ok
18:43:22.0993 15632 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\windows\system32\drivers\mountmgr.sys
18:43:22.0993 15632 mountmgr - ok
18:43:23.0071 15632 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\windows\system32\drivers\mpio.sys
18:43:23.0149 15632 mpio - ok
18:43:23.0181 15632 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\windows\system32\drivers\mpsdrv.sys
18:43:23.0259 15632 mpsdrv - ok
18:43:23.0305 15632 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\windows\system32\drivers\mrxdav.sys
18:43:23.0383 15632 MRxDAV - ok
18:43:23.0493 15632 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\windows\system32\DRIVERS\mrxsmb.sys
18:43:23.0586 15632 mrxsmb - ok
18:43:23.0680 15632 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\windows\system32\DRIVERS\mrxsmb10.sys
18:43:23.0711 15632 mrxsmb10 - ok
18:43:23.0774 15632 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\windows\system32\DRIVERS\mrxsmb20.sys
18:43:23.0789 15632 mrxsmb20 - ok
18:43:23.0883 15632 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\windows\system32\drivers\msahci.sys
18:43:23.0898 15632 msahci - ok
18:43:23.0914 15632 msdsm (55055f8ad8be27a64c831322a780a228) C:\windows\system32\drivers\msdsm.sys
18:43:23.0945 15632 msdsm - ok
18:43:23.0992 15632 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\windows\system32\drivers\Msfs.sys
18:43:24.0054 15632 Msfs - ok
18:43:24.0117 15632 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\windows\System32\drivers\mshidkmdf.sys
18:43:24.0179 15632 mshidkmdf - ok
18:43:24.0226 15632 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\windows\system32\drivers\msisadrv.sys
18:43:24.0288 15632 msisadrv - ok
18:43:24.0366 15632 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\windows\system32\drivers\MSKSSRV.sys
18:43:24.0413 15632 MSKSSRV - ok
18:43:24.0444 15632 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\windows\system32\drivers\MSPCLOCK.sys
18:43:24.0491 15632 MSPCLOCK - ok
18:43:24.0569 15632 MSPQM (f456e973590d663b1073e9c463b40932) C:\windows\system32\drivers\MSPQM.sys
18:43:24.0616 15632 MSPQM - ok
18:43:24.0632 15632 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\windows\system32\drivers\MsRPC.sys
18:43:24.0647 15632 MsRPC - ok
18:43:24.0694 15632 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\windows\system32\drivers\mssmbios.sys
18:43:24.0710 15632 mssmbios - ok
18:43:24.0756 15632 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\windows\system32\drivers\MSTEE.sys
18:43:24.0819 15632 MSTEE - ok
18:43:24.0850 15632 MTConfig (33599130f44e1f34631cea241de8ac84) C:\windows\system32\DRIVERS\MTConfig.sys
18:43:24.0881 15632 MTConfig - ok
18:43:24.0912 15632 Mup (159fad02f64e6381758c990f753bcc80) C:\windows\system32\Drivers\mup.sys
18:43:24.0928 15632 Mup - ok
18:43:25.0037 15632 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\windows\system32\DRIVERS\nwifi.sys
18:43:25.0100 15632 NativeWifiP - ok
18:43:25.0224 15632 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\windows\system32\drivers\ndis.sys
18:43:25.0271 15632 NDIS - ok
18:43:25.0318 15632 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\windows\system32\DRIVERS\ndiscap.sys
18:43:25.0396 15632 NdisCap - ok
18:43:25.0458 15632 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\windows\system32\DRIVERS\ndistapi.sys
18:43:25.0521 15632 NdisTapi - ok
18:43:25.0646 15632 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\windows\system32\DRIVERS\ndisuio.sys
18:43:25.0708 15632 Ndisuio - ok
18:43:25.0755 15632 NdisWan (38fbe267e7e6983311179230facb1017) C:\windows\system32\DRIVERS\ndiswan.sys
18:43:25.0817 15632 NdisWan - ok
18:43:25.0911 15632 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\windows\system32\drivers\NDProxy.sys
18:43:25.0989 15632 NDProxy - ok
18:43:26.0051 15632 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\windows\system32\DRIVERS\netbios.sys
18:43:26.0145 15632 NetBIOS - ok
18:43:26.0192 15632 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\windows\system32\DRIVERS\netbt.sys
18:43:26.0238 15632 NetBT - ok
18:43:26.0348 15632 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\windows\system32\DRIVERS\nfrd960.sys
18:43:26.0394 15632 nfrd960 - ok
18:43:26.0426 15632 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\windows\system32\drivers\Npfs.sys
18:43:26.0488 15632 Npfs - ok
18:43:26.0504 15632 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\windows\system32\drivers\nsiproxy.sys
18:43:26.0566 15632 nsiproxy - ok
18:43:26.0691 15632 Ntfs (81189c3d7763838e55c397759d49007a) C:\windows\system32\drivers\Ntfs.sys
18:43:26.0769 15632 Ntfs - ok
18:43:26.0831 15632 Null (f9756a98d69098dca8945d62858a812c) C:\windows\system32\drivers\Null.sys
18:43:26.0894 15632 Null - ok
18:43:26.0956 15632 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\windows\system32\drivers\nvraid.sys
18:43:26.0987 15632 nvraid - ok
18:43:27.0050 15632 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\windows\system32\drivers\nvstor.sys
18:43:27.0112 15632 nvstor - ok
18:43:27.0159 15632 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\windows\system32\drivers\nv_agp.sys
18:43:27.0190 15632 nv_agp - ok
18:43:27.0237 15632 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\windows\system32\drivers\ohci1394.sys
18:43:27.0268 15632 ohci1394 - ok
18:43:27.0362 15632 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\windows\system32\DRIVERS\parport.sys
18:43:27.0408 15632 Parport - ok
18:43:27.0455 15632 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\windows\system32\drivers\partmgr.sys
18:43:27.0518 15632 partmgr - ok
18:43:27.0549 15632 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\windows\system32\DRIVERS\parvdm.sys
18:43:27.0596 15632 Parvdm - ok
18:43:27.0642 15632 pci (673e55c3498eb970088e812ea820aa8f) C:\windows\system32\drivers\pci.sys
18:43:27.0689 15632 pci - ok
18:43:27.0736 15632 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\windows\system32\drivers\pciide.sys
18:43:27.0767 15632 pciide - ok
18:43:27.0798 15632 pcmcia (f396431b31693e71e8a80687ef523506) C:\windows\system32\DRIVERS\pcmcia.sys
18:43:27.0830 15632 pcmcia - ok
18:43:27.0861 15632 pcw (250f6b43d2b613172035c6747aeeb19f) C:\windows\system32\drivers\pcw.sys
18:43:27.0892 15632 pcw - ok
18:43:27.0923 15632 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\windows\system32\drivers\peauth.sys
18:43:27.0970 15632 PEAUTH - ok
18:43:28.0095 15632 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\windows\system32\DRIVERS\raspptp.sys
18:43:28.0157 15632 PptpMiniport - ok
18:43:28.0173 15632 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\windows\system32\DRIVERS\processr.sys
18:43:28.0204 15632 Processor - ok
18:43:28.0266 15632 Psched (6270ccae2a86de6d146529fe55b3246a) C:\windows\system32\DRIVERS\pacer.sys
18:43:28.0329 15632 Psched - ok
18:43:28.0391 15632 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\windows\system32\DRIVERS\ql2300.sys
18:43:28.0469 15632 ql2300 - ok
18:43:28.0485 15632 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\windows\system32\DRIVERS\ql40xx.sys
18:43:28.0516 15632 ql40xx - ok
18:43:28.0532 15632 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\windows\system32\drivers\qwavedrv.sys
18:43:28.0563 15632 QWAVEdrv - ok
18:43:28.0610 15632 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\windows\system32\DRIVERS\rasacd.sys
18:43:28.0656 15632 RasAcd - ok
18:43:28.0703 15632 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\windows\system32\DRIVERS\AgileVpn.sys
18:43:28.0797 15632 RasAgileVpn - ok
18:43:28.0828 15632 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\windows\system32\DRIVERS\rasl2tp.sys
18:43:28.0906 15632 Rasl2tp - ok
18:43:29.0000 15632 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\windows\system32\DRIVERS\raspppoe.sys
18:43:29.0078 15632 RasPppoe - ok
18:43:29.0078 15632 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\windows\system32\DRIVERS\rassstp.sys
18:43:29.0124 15632 RasSstp - ok
18:43:29.0249 15632 rdbss (d528bc58a489409ba40334ebf96a311b) C:\windows\system32\DRIVERS\rdbss.sys
18:43:29.0296 15632 rdbss - ok
18:43:29.0312 15632 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\windows\system32\DRIVERS\rdpbus.sys
18:43:29.0358 15632 rdpbus - ok
18:43:29.0405 15632 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\windows\system32\DRIVERS\RDPCDD.sys
18:43:29.0468 15632 RDPCDD - ok
18:43:29.0561 15632 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\windows\system32\drivers\rdpencdd.sys
18:43:29.0608 15632 RDPENCDD - ok
18:43:29.0624 15632 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\windows\system32\drivers\rdprefmp.sys
18:43:29.0686 15632 RDPREFMP - ok
18:43:29.0748 15632 RDPWD (288b06960d78428ff89e811632684e20) C:\windows\system32\drivers\RDPWD.sys
18:43:29.0795 15632 RDPWD - ok
18:43:29.0904 15632 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\windows\system32\drivers\rdyboost.sys
18:43:29.0951 15632 rdyboost - ok
18:43:30.0045 15632 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\windows\system32\DRIVERS\rfcomm.sys
18:43:30.0092 15632 RFCOMM - ok
18:43:30.0154 15632 rspndr (032b0d36ad92b582d869879f5af5b928) C:\windows\system32\DRIVERS\rspndr.sys
18:43:30.0232 15632 rspndr - ok
18:43:30.0263 15632 RTL8167 (7dfd48e24479b68b258d8770121155a0) C:\windows\system32\DRIVERS\Rt86win7.sys
18:43:30.0294 15632 RTL8167 - ok
18:43:30.0357 15632 SABI (6e5fbb7cbaec47038b945d5e9b144a64) C:\windows\system32\Drivers\SABI.sys
18:43:30.0419 15632 SABI - ok
18:43:30.0544 15632 sbp2port (05d860da1040f111503ac416ccef2bca) C:\windows\system32\drivers\sbp2port.sys
18:43:30.0591 15632 sbp2port - ok
18:43:30.0653 15632 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\windows\system32\DRIVERS\scfilter.sys
18:43:30.0684 15632 scfilter - ok
18:43:30.0840 15632 SDHookDriver (47dd7bb6b72a5f49e01f53597bcaeac7) C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
18:43:30.0903 15632 SDHookDriver - ok
18:43:30.0996 15632 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\windows\system32\drivers\secdrv.sys
18:43:31.0059 15632 secdrv - ok
18:43:31.0184 15632 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\windows\system32\DRIVERS\serenum.sys
18:43:31.0246 15632 Serenum - ok
18:43:31.0277 15632 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\windows\system32\DRIVERS\serial.sys
18:43:31.0293 15632 Serial - ok
18:43:31.0355 15632 sermouse (79bffb520327ff916a582dfea17aa813) C:\windows\system32\DRIVERS\sermouse.sys
18:43:31.0402 15632 sermouse - ok
18:43:31.0480 15632 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\windows\system32\drivers\sffdisk.sys
18:43:31.0511 15632 sffdisk - ok
18:43:31.0589 15632 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\windows\system32\drivers\sffp_mmc.sys
18:43:31.0652 15632 sffp_mmc - ok
18:43:31.0714 15632 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\windows\system32\drivers\sffp_sd.sys
18:43:31.0776 15632 sffp_sd - ok
18:43:31.0808 15632 sfloppy (db96666cc8312ebc45032f30b007a547) C:\windows\system32\DRIVERS\sfloppy.sys
18:43:31.0839 15632 sfloppy - ok
18:43:31.0886 15632 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\windows\system32\drivers\sisagp.sys
18:43:31.0917 15632 sisagp - ok
18:43:31.0948 15632 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\windows\system32\DRIVERS\SiSRaid2.sys
18:43:32.0026 15632 SiSRaid2 - ok
18:43:32.0042 15632 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\windows\system32\DRIVERS\sisraid4.sys
18:43:32.0088 15632 SiSRaid4 - ok
18:43:32.0120 15632 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\windows\system32\DRIVERS\smb.sys
18:43:32.0166 15632 Smb - ok
18:43:32.0213 15632 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\windows\system32\drivers\spldr.sys
18:43:32.0229 15632 spldr - ok
18:43:32.0307 15632 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\windows\system32\DRIVERS\srv.sys
18:43:32.0385 15632 srv - ok
18:43:32.0478 15632 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\windows\system32\DRIVERS\srv2.sys
18:43:32.0556 15632 srv2 - ok
18:43:32.0572 15632 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\windows\system32\DRIVERS\srvnet.sys
18:43:32.0634 15632 srvnet - ok
18:43:32.0728 15632 stexstor (db32d325c192b801df274bfd12a7e72b) C:\windows\system32\DRIVERS\stexstor.sys
18:43:32.0775 15632 stexstor - ok
18:43:32.0806 15632 swenum (e58c78a848add9610a4db6d214af5224) C:\windows\system32\drivers\swenum.sys
18:43:32.0822 15632 swenum - ok
18:43:32.0900 15632 SynTP (069e5728e565bd401347cb94732c4733) C:\windows\system32\DRIVERS\SynTP.sys
18:43:32.0978 15632 SynTP - ok
18:43:33.0134 15632 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\windows\system32\drivers\tcpip.sys
18:43:33.0258 15632 Tcpip - ok
18:43:33.0399 15632 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\windows\system32\DRIVERS\tcpip.sys
18:43:33.0430 15632 TCPIP6 - ok
18:43:33.0492 15632 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\windows\system32\drivers\tcpipreg.sys
18:43:33.0586 15632 tcpipreg - ok
18:43:33.0648 15632 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\windows\system32\drivers\tdpipe.sys
18:43:33.0711 15632 TDPIPE - ok
18:43:33.0758 15632 TDTCP (2c10395baa4847f83042813c515cc289) C:\windows\system32\drivers\tdtcp.sys
18:43:33.0804 15632 TDTCP - ok
18:43:33.0851 15632 tdx (b459575348c20e8121d6039da063c704) C:\windows\system32\DRIVERS\tdx.sys
18:43:33.0929 15632 tdx - ok
18:43:33.0976 15632 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\windows\system32\drivers\termdd.sys
18:43:34.0023 15632 TermDD - ok
18:43:34.0179 15632 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\windows\system32\DRIVERS\tssecsrv.sys
18:43:34.0272 15632 tssecsrv - ok
18:43:34.0366 15632 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\windows\system32\drivers\tsusbflt.sys
18:43:34.0413 15632 TsUsbFlt - ok
18:43:34.0538 15632 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\windows\system32\DRIVERS\tunnel.sys
18:43:34.0600 15632 tunnel - ok
18:43:34.0647 15632 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
18:43:34.0678 15632 uagp35 - ok
18:43:34.0725 15632 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\windows\system32\DRIVERS\udfs.sys
18:43:34.0818 15632 udfs - ok
18:43:34.0928 15632 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\drivers\uliagpkx.sys
18:43:34.0974 15632 uliagpkx - ok
18:43:35.0006 15632 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\windows\system32\drivers\umbus.sys
18:43:35.0052 15632 umbus - ok
18:43:35.0130 15632 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
18:43:35.0177 15632 UmPass - ok
18:43:35.0255 15632 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\windows\system32\Drivers\usbaapl.sys
18:43:35.0318 15632 USBAAPL - ok
18:43:35.0411 15632 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\windows\system32\DRIVERS\usbccgp.sys
18:43:35.0474 15632 usbccgp - ok
18:43:35.0583 15632 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\drivers\usbcir.sys
18:43:35.0630 15632 usbcir - ok
18:43:35.0708 15632 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\windows\system32\DRIVERS\usbehci.sys
18:43:35.0754 15632 usbehci - ok
18:43:35.0848 15632 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\windows\system32\DRIVERS\usbhub.sys
18:43:35.0942 15632 usbhub - ok
18:43:35.0973 15632 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\windows\system32\DRIVERS\usbohci.sys
18:43:36.0004 15632 usbohci - ok
18:43:36.0082 15632 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
18:43:36.0144 15632 usbprint - ok
18:43:36.0222 15632 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\windows\system32\DRIVERS\usbscan.sys
18:43:36.0269 15632 usbscan - ok
18:43:36.0378 15632 USBSTOR (f991ab9cc6b908db552166768176896a) C:\windows\system32\DRIVERS\USBSTOR.SYS
18:43:36.0425 15632 USBSTOR - ok
18:43:36.0519 15632 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\windows\system32\DRIVERS\usbuhci.sys
18:43:36.0581 15632 usbuhci - ok
18:43:36.0659 15632 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\windows\System32\Drivers\usbvideo.sys
18:43:36.0706 15632 usbvideo - ok
18:43:36.0846 15632 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\drivers\vdrvroot.sys
18:43:36.0893 15632 vdrvroot - ok
18:43:36.0940 15632 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
18:43:36.0971 15632 vga - ok
18:43:36.0987 15632 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
18:43:37.0065 15632 VgaSave - ok
18:43:37.0127 15632 vhdmp (5461686cca2fda57b024547733ab42e3) C:\windows\system32\drivers\vhdmp.sys
18:43:37.0158 15632 vhdmp - ok
18:43:37.0221 15632 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\drivers\viaagp.sys
18:43:37.0268 15632 viaagp - ok
18:43:37.0299 15632 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
18:43:37.0346 15632 ViaC7 - ok
18:43:37.0392 15632 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\drivers\viaide.sys
18:43:37.0439 15632 viaide - ok
18:43:37.0455 15632 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\windows\system32\drivers\volmgr.sys
18:43:37.0533 15632 volmgr - ok
18:43:37.0595 15632 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
18:43:37.0642 15632 volmgrx - ok
18:43:37.0736 15632 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\windows\system32\drivers\volsnap.sys
18:43:37.0751 15632 volsnap - ok
18:43:37.0814 15632 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
18:43:37.0876 15632 vsmraid - ok
18:43:37.0892 15632 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\system32\DRIVERS\vwifibus.sys
18:43:37.0938 15632 vwifibus - ok
18:43:38.0016 15632 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
18:43:38.0110 15632 vwififlt - ok
18:43:38.0188 15632 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
18:43:38.0250 15632 WacomPen - ok
18:43:38.0313 15632 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\windows\system32\DRIVERS\wanarp.sys
18:43:38.0360 15632 WANARP - ok
18:43:38.0360 15632 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\windows\system32\DRIVERS\wanarp.sys
18:43:38.0375 15632 Wanarpv6 - ok
18:43:38.0453 15632 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
18:43:38.0484 15632 Wd - ok
18:43:38.0516 15632 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
18:43:38.0578 15632 Wdf01000 - ok
18:43:38.0625 15632 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
18:43:38.0672 15632 WfpLwf - ok
18:43:38.0687 15632 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
18:43:38.0718 15632 WIMMount - ok
18:43:38.0828 15632 WINUSB (a67e5f9a400f3bd1be3d80613b45f708) C:\windows\system32\drivers\WinUSB.SYS
18:43:38.0859 15632 WINUSB - ok
18:43:38.0906 15632 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\drivers\wmiacpi.sys
18:43:38.0968 15632 WmiAcpi - ok
18:43:39.0046 15632 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
18:43:39.0108 15632 ws2ifsl - ok
18:43:39.0171 15632 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\windows\system32\drivers\WudfPf.sys
18:43:39.0233 15632 WudfPf - ok
18:43:39.0342 15632 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\windows\system32\DRIVERS\WUDFRd.sys
18:43:39.0405 15632 WUDFRd - ok
18:43:39.0514 15632 yukonw7 (30b73eb97218a16cbc6de535782a1b35) C:\windows\system32\DRIVERS\yk62x86.sys
18:43:39.0592 15632 yukonw7 - ok
18:43:39.0639 15632 MBR (0x1B8) (2e5debb2116b3417023e0d6562d7ed07) \Device\Harddisk0\DR0
18:43:40.0013 15632 \Device\Harddisk0\DR0 - ok
18:43:40.0029 15632 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR1
18:43:40.0216 15632 \Device\Harddisk1\DR1 - ok
18:43:40.0216 15632 Boot (0x1200) (35ad429c41eabd3cb5aa0c137174f74e) \Device\Harddisk0\DR0\Partition0
18:43:40.0216 15632 \Device\Harddisk0\DR0\Partition0 - ok
18:43:40.0232 15632 Boot (0x1200) (8ef57f636c3472629962a8279554bffc) \Device\Harddisk0\DR0\Partition1
18:43:40.0232 15632 \Device\Harddisk0\DR0\Partition1 - ok
18:43:40.0263 15632 Boot (0x1200) (18763aeac0ee39fec1defec9b7171ab2) \Device\Harddisk0\DR0\Partition2
18:43:40.0278 15632 \Device\Harddisk0\DR0\Partition2 - ok
18:43:40.0278 15632 Boot (0x1200) (c17c16547be32acadda8a1f42eeb1198) \Device\Harddisk1\DR1\Partition0
18:43:40.0278 15632 \Device\Harddisk1\DR1\Partition0 - ok
18:43:40.0278 15632 ============================================================
18:43:40.0278 15632 Scan finished
18:43:40.0278 15632 ============================================================
18:43:40.0294 15624 Detected object count: 0
18:43:40.0294 15624 Actual detected object count: 0

do you know if there is a log, or a way to see the traffic that was blocked by MalwareByte ?

bye
philippe

hi shelf life,


I have installed wiresharck and as soon as I started monitoring the network card

I have seen a lot of UDP packets:

192.168.0.10 Source port: 50808 226.178.217.5 Destination port: 21328

with this text as data:

Someone else out there?computer=ADMIN-PC

did a ip lookup and there is nothing for 226.178.217.5


IP: 226.178.217.5
Decimal: 3803371781
Hostname: 226.178.217.5
ISP:
Organization:
Services: None detected
Type:


no info listed, looks very suspicious as well.


bye
philippe

hi shelf life,

I found an interesting TCP stream on the W7 box:

and a quick internet search on counter.yadro.ru lead me to
http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TROJ_SIREFEF.DD

that suggest that there is indeed something on the W7 box as well...
and as it's not detected by Nod32 and Malwarebyte this suggest that there may be some rootkit hiding it...

do you agree on this deduction ?

I will try to download the trend micro trial and scan to see if it founds anything !



bye
philippe


GET /hit;icq-com?r;s1600*900*24;uhttp%3A//start.icq.com/;0.5152606634050969 HTTP/1.1

Host: counter.yadro.ru

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Connection: keep-alive

Referer: http://start.icq.com/

Cookie: VID=0sbHfc3KyH0x



HTTP/1.1 200 OK

Date: Sat, 10 Dec 2011 14:28:29 GMT

Server: 0W/0.8c

Connection: Close

Content-Type: image/gif

Content-Length: 43

Expires: Thu, 09 Dec 2010 20:00:00 GMT

Pragma: no-cache

Cache-control: no-cache



GIF89a.............!.......,...........D..;

In fact there was some TCP anomalies that catch my attention in TCP stream:


5207 1543.318621 88.212.196.77 192.168.0.10 HTTP 317 [TCP Out-Of-Order] HTTP/1.1 200 OK (GIF89a)

5205 1543.318424 88.212.196.77 192.168.0.10 TCP 64 [TCP Previous segment lost] http > 51109 [FIN, ACK] Seq=264 Ack=449 Win=8752 Len=0

5206 1543.318499 192.168.0.10 88.212.196.77 TCP 54 [TCP Dup ACK 5203#1] 51109 > http [ACK] Seq=449 Ack=1 Win=17520 Len=0

Also In Nod32 firewall logs I did notice this:

it's quite old but may have some meaning...


25/10/2011 20:54:02 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:52835 UDP
25/10/2011 20:50:05 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:59120 UDP
25/10/2011 20:48:30 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:52685 UDP
25/10/2011 20:47:00 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:53862 UDP
25/10/2011 20:46:02 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:62918 UDP
25/10/2011 20:45:43 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:55808 UDP
25/10/2011 20:43:56 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:62066 UDP
25/10/2011 20:41:57 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:51008 UDP
25/10/2011 20:39:49 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:55556 UDP
25/10/2011 20:38:24 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:55628 UDP
25/10/2011 20:38:13 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:62134 UDP
25/10/2011 20:37:16 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:54830 UDP
25/10/2011 20:36:45 Attaque par empoisonnement de cache DNS détectée 80.10.246.129:53 192.168.10.78:56861 UDP
25/10/2011 20:35:38 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:65005 UDP
25/10/2011 20:35:30 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:54643 UDP
25/10/2011 20:34:25 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:59671 UDP
25/10/2011 20:32:05 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:58150 UDP
25/10/2011 20:08:20 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:49450 UDP
25/10/2011 20:07:48 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:63506 UDP
25/10/2011 20:02:20 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:52915 UDP
25/10/2011 20:02:16 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:50123 UDP
25/10/2011 20:02:16 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:59800 UDP
25/10/2011 19:59:04 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:58612 UDP
25/10/2011 19:59:04 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:63256 UDP
25/10/2011 19:59:01 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:61158 UDP
25/10/2011 19:53:25 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:65446 UDP
25/10/2011 19:52:21 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:54771 UDP
25/10/2011 19:50:03 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:55904 UDP
25/10/2011 19:49:33 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:53274 UDP
25/10/2011 19:49:26 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:51497 UDP
25/10/2011 19:47:20 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:58861 UDP
25/10/2011 19:47:20 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:63831 UDP
25/10/2011 19:47:13 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:59952 UDP
25/10/2011 19:47:10 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:54198 UDP
25/10/2011 19:46:31 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:62620 UDP
25/10/2011 19:46:29 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:52315 UDP
25/10/2011 19:45:56 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:55329 UDP
25/10/2011 19:45:52 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:59383 UDP
25/10/2011 19:45:49 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:65071 UDP
25/10/2011 19:45:30 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:60465 UDP
25/10/2011 19:45:13 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:63475 UDP
25/10/2011 19:45:09 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:51953 UDP
25/10/2011 19:45:08 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:61423 UDP
25/10/2011 19:45:07 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:55122 UDP
25/10/2011 19:45:02 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:52435 UDP
25/10/2011 19:44:58 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:60826 UDP
25/10/2011 19:44:41 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:60840 UDP
25/10/2011 19:44:37 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:52350 UDP
25/10/2011 19:44:30 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:61943 UDP
25/10/2011 19:42:44 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:63464 UDP
25/10/2011 19:42:38 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:55821 UDP
25/10/2011 19:41:44 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:60017 UDP
25/10/2011 19:41:37 Attaque par empoisonnement de cache DNS détectée 80.10.246.2:53 192.168.10.78:56390 UDP

hi,

Sorry for the delay. this is starting to get confusing jumping from XP to W7. Lets stay with one machine at a time. As far as I know MBAM blocks ranges of ip's based on a list.
Unless you really are familiar with wireshark (https://www.wireshark.org/docs/wsug_html/#ChIntroNoFeatures) then I wouldn't depend on it to determine the presence of malware on your machine. In fact netstat could be just as useful and quicker.
Did you run combofix on the W7 box?

hi,

sorry for that, let's do the W7 one.

I have not run combofix on it yet, maybe I should.

bye
philippe

here is the combofix log for the W7 box:

ComboFix 11-12-10.01 - admin 11/12/2011 17:42:21.1.2 - x86
Microsoft Windows*7 Édition Familiale Premium 6.1.7601.1.1252.33.1036.18.3037.1876 [GMT 1:00]
Lancé depuis: c:\users\admin\Desktop\ComboFix.exe
AV: ESET Smart Security 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Spybot - Search & Destroy *Disabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-11-11 au 2011-12-11 ))))))))))))))))))))))))))))))))))))
.
.
2011-12-11 15:35 . 2011-12-11 15:35 -------- d-----w- c:\program files\ESET
2011-12-11 15:28 . 2011-12-11 15:28 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5BF76D04-EEED-4CAA-A11E-563C432BDC39}\offreg.dll
2011-12-11 15:17 . 2011-12-10 23:09 319456 ----a-w- c:\windows\DIFxAPI.dll
2011-12-11 15:17 . 2011-12-10 23:09 203600 ----a-w- c:\windows\TmNSCIns.dll
2011-12-10 23:42 . 2011-12-10 23:42 -------- d-----w- C:\temp
2011-12-10 23:21 . 2011-12-11 15:14 -------- d-----w- c:\programdata\Trend Micro
2011-12-10 11:20 . 2011-12-10 11:20 -------- d-----w- c:\users\admin\AppData\Roaming\Wireshark
2011-12-10 08:40 . 2011-12-10 08:40 -------- d-----w- c:\program files\WinPcap
2011-12-10 08:38 . 2011-12-10 08:40 -------- d-----w- c:\program files\Wireshark
2011-12-09 19:19 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5BF76D04-EEED-4CAA-A11E-563C432BDC39}\mpengine.dll
2011-11-26 16:55 . 2011-12-11 15:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-26 16:55 . 2009-01-25 12:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-11-26 16:55 . 2011-11-26 20:13 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-11-26 16:51 . 2011-11-26 16:51 -------- d-----w- c:\program files\Common Files\Java
2011-11-26 16:51 . 2011-10-03 04:06 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-11-25 21:14 . 2011-11-25 21:14 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2011-11-25 21:14 . 2011-11-25 21:14 -------- d-----w- c:\programdata\Malwarebytes
2011-11-25 20:12 . 2011-11-25 20:12 -------- d-----w- c:\program files\ERUNT
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-03 15:01 . 2011-05-22 06:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 04:06 . 2010-05-11 21:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-29 16:03 . 2011-11-09 20:04 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-29 03:37 . 2011-11-09 20:04 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 20:43 . 2011-05-07 05:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-04-02 18:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-07 39408]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"ICQ"="c:\program files\ICQ7.0\ICQ.exe" [2011-01-05 133432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-01 98304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-29 7744032]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-26 1713448]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Nexus Radio"="c:\program files\Nexus Radio\Nexus Radio.exe" [2009-11-18 4745216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-10-05 3578272]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2011-10-05 892336]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2011-10-05 955816]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2011-10-05 169624]
R3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-08 1343400]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2011-08-04 50624]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-04 118104]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2011-08-04 33656]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [2011-10-05 38504]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-09-02 172032]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 163424]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2011-09-22 974944]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-13 44312]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [2011-10-05 130976]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
--- Autres Services/Pilotes en mémoire ---
.
*NewlyCreated* - EAMONM
*NewlyCreated* - EPFWLWF
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contenu du dossier 'Tâches planifiées'
.
2011-12-11 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2011-11-26 14:46]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 14:43]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 14:43]
.
2011-12-01 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2011-11-26 14:46]
.
2011-12-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2011-11-26 14:46]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://start.icq.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\08dxgdyg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.1.2&q=
.
- - - - ORPHELINS SUPPRIMES - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Heure de fin: 2011-12-11 17:54:19
ComboFix-quarantined-files.txt 2011-12-11 16:54
.
Avant-CF: 204*131*610*624 octets libres
Après-CF: 206*505*635*840 octets libres
.
- - End Of File - - 51FA2F51D2B79B559F9CDEB185132E04

hi,

thanks for the info. Log looks ok. I think you already ran aswmbr, tdsskiller and MBRcheck on the W7 machine? If not, run them now and paste the log in.

hi shelf life

I did all this scans, but I can re-scan tonight.

also do you know a web tutorial that explains how to track malware using netsat or wiresharck ?

also still looking with wiresharck I found this TCP stream that suggest that I am visiting some Host: ad.mail.ru

my box has a lot of contact with russia this days, when I am not doing any surfing....

GET /adj/189?a=0&g=1&di=30009&lsp=0&rnd=249930086 HTTP/1.1

Accept: */*

Accept-Language: fr-FR

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)

Host: ad.mail.ru

Connection: Keep-Alive

Cookie: p=iBwZADTP+AAA; b=rTsCAABjigIAAQBKgMYA



HTTP/1.1 200 OK

Server: nginx/1.1.7

Date: Mon, 12 Dec 2011 06:38:28 GMT

Content-Type: application/x-javascript; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Cache-Control: private, no-cache, no-store

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"



aca

document.write("\r\n<div id=\"rb_flash_div_500346\" class=\"rb_div\"></div>\n<script type=\"text/javascript\">\n(function() {\n var rb_link1 = \"http://r.mail.ru/n74195990?sz=1\";\n\n var rb_swf = \"http://rs.mail.ru/b14070641.swf\";\n var rb_fver = \"8\";\n var rb_width = \"234\";\n var rb_height = \"60\";\n var rb_allowscriptaccess = 0;\n var rb_wmode = \"window\";\n var rb_flash = 0;\n\n var rb_innerhtml = (typeof(window[\'rb_innerhtml\']) != \'undefined\' \&\& window[\'rb_innerhtml\']);\n if (navigator.mimeTypes \&\& navigator.mimeTypes[\"application/x-shockwave-flash\"] ) {\n var plugin = navigator.mimeTypes[\"application/x-shockwave-flash\"].enabledPlugin;\n if (plugin \&\& parseInt(plugin.description.match(/\\d+/)[0]) >= rb_fver)\n rb_flash = 1;\n } else if (typeof window.ActiveXObject != \"undefined\") {\n try {\n var object = new ActiveXObject(\"ShockwaveFlash.ShockwaveFlash\");\n if (object \&\& object.GetVariable(\"$version\") \&\& parseInt(object.GetVariable(\"$version\").match(/\\d+/)[0]) >= rb_fver)\n rb_flash = 1;\n } catch (e) {}\n }\n if (rb_flash) {\n var rb_rnd = Math.round(Math.random() * 1000000000);\n var rb_vars_arr = Array();\n rb_vars_arr.push(\'link1=\'+escape(rb_link1).replace(/\\+/g,\'%2B\'));\n var rb_vars = rb_vars_arr.join(\'\&\');\n var rb_html = \'<div class=\"rb_banner\"><object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" codebase=\"http://active.macromedia.com/flash2/cabs/swflash.cab#version=\'+rb_fver+\',0,0,0\" id=\"getmov\'+rb_rnd+\'\" width=\"\'+rb_width+\'\" height=\"\'+rb_height+\'\">\'+(rb_allowscriptaccess?\'<param name=\"allowscriptaccess\" value=\"always\" />\':\'\')+\'<param name=\"movie\" value=\"\'+rb_swf+\'\" /><param name=\"quality\" value=\"high\" /><param name=\"wmode\" value=\"\'+rb_wmode+\'\" /><param name=\"FlashVars\" value=\"\'+rb_vars+\'\" /><embed name=\"embed_getmov\'+rb_rnd+\'\" flashvars=\"\'+rb_vars+\'\" \'+(rb_allowscriptaccess?\'allowscriptaccess=\"always\" \':\'\')+\'src=\"\'+rb_swf+\'\" quality=\"high\" wmode=\"\'+rb_wmode+\'\" width=\"\'+rb_width+\'\" height=\"\'+rb_height+\'\" type=\"application/x-shockwave-flash\" pluginspage=\"http://www.macromedia.com/shockwave/download/index.cgiP1_Prod_Version=ShockwaveFlash\" /></object></div>\';\n if (rb_innerhtml) {\n var rb_flash_div = document.getElementById(\"rb_flash_div_500346\");\n rb_flash_div.innerHTML = rb_html;\n }\n else document.write(rb_html);\n }\n else {\n var rb_img_html = \'\';\n if (rb_innerhtml) {\n var rb_flash_div = document.getElementById(\"rb_flash_div_500346\");\n rb_flash_div.innerHTML = rb_img_html;\n }\n else document.write(rb_img_html);\n };\n})();\n</script>\n\n

3

");

0

here are the latest run for the W7 box:

17:58:18.0942 27412 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
17:58:19.0085 27412 ============================================================
17:58:19.0085 27412 Current date / time: 2011/12/12 17:58:19.0085
17:58:19.0085 27412 SystemInfo:
17:58:19.0085 27412
17:58:19.0085 27412 OS Version: 6.1.7601 ServicePack: 1.0
17:58:19.0085 27412 Product type: Workstation
17:58:19.0085 27412 ComputerName: ADMIN-PC
17:58:19.0086 27412 UserName: admin
17:58:19.0086 27412 Windows directory: C:\windows
17:58:19.0086 27412 System windows directory: C:\windows
17:58:19.0086 27412 Processor architecture: Intel x86
17:58:19.0086 27412 Number of processors: 2
17:58:19.0086 27412 Page size: 0x1000
17:58:19.0086 27412 Boot type: Normal boot
17:58:19.0086 27412 ============================================================
17:58:19.0868 27412 Initialize success
17:58:21.0177 27680 ============================================================
17:58:21.0177 27680 Scan started
17:58:21.0177 27680 Mode: Manual;
17:58:21.0177 27680 ============================================================
17:58:22.0897 27680 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\windows\system32\drivers\1394ohci.sys
17:58:22.0902 27680 1394ohci - ok
17:58:22.0978 27680 ACPI (cea80c80bed809aa0da6febc04733349) C:\windows\system32\drivers\ACPI.sys
17:58:22.0983 27680 ACPI - ok
17:58:23.0121 27680 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\windows\system32\drivers\acpipmi.sys
17:58:23.0123 27680 AcpiPmi - ok
17:58:23.0187 27680 AdfuUd (9ed5d777a31ee654b0899cd1d2e778ba) C:\windows\system32\Drivers\AdfuUd.sys
17:58:23.0188 27680 AdfuUd - ok
17:58:23.0352 27680 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\windows\system32\DRIVERS\adp94xx.sys
17:58:23.0361 27680 adp94xx - ok
17:58:23.0510 27680 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\windows\system32\DRIVERS\adpahci.sys
17:58:23.0517 27680 adpahci - ok
17:58:23.0632 27680 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\windows\system32\DRIVERS\adpu320.sys
17:58:23.0636 27680 adpu320 - ok
17:58:23.0748 27680 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\windows\system32\drivers\afd.sys
17:58:23.0760 27680 AFD - ok
17:58:23.0922 27680 AgereSoftModem (07758c2196a62f207f77556311e7459a) C:\windows\system32\DRIVERS\AGRSM.sys
17:58:23.0957 27680 AgereSoftModem - ok
17:58:24.0012 27680 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\windows\system32\drivers\agp440.sys
17:58:24.0015 27680 agp440 - ok
17:58:24.0065 27680 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\windows\system32\DRIVERS\djsvs.sys
17:58:24.0067 27680 aic78xx - ok
17:58:24.0243 27680 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\windows\system32\drivers\aliide.sys
17:58:24.0247 27680 aliide - ok
17:58:24.0319 27680 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\windows\system32\drivers\amdagp.sys
17:58:24.0324 27680 amdagp - ok
17:58:24.0497 27680 amdide (cd5914170297126b6266860198d1d4f0) C:\windows\system32\drivers\amdide.sys
17:58:24.0498 27680 amdide - ok
17:58:24.0543 27680 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\windows\system32\DRIVERS\amdk8.sys
17:58:24.0547 27680 AmdK8 - ok
17:58:24.0565 27680 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\windows\system32\DRIVERS\amdppm.sys
17:58:24.0568 27680 AmdPPM - ok
17:58:24.0624 27680 amdsata (d320bf87125326f996d4904fe24300fc) C:\windows\system32\drivers\amdsata.sys
17:58:24.0627 27680 amdsata - ok
17:58:24.0655 27680 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\windows\system32\DRIVERS\amdsbs.sys
17:58:24.0660 27680 amdsbs - ok
17:58:24.0708 27680 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\windows\system32\drivers\amdxata.sys
17:58:24.0709 27680 amdxata - ok
17:58:24.0770 27680 AppID (aea177f783e20150ace5383ee368da19) C:\windows\system32\drivers\appid.sys
17:58:24.0773 27680 AppID - ok
17:58:24.0953 27680 arc (2932004f49677bd84dbc72edb754ffb3) C:\windows\system32\DRIVERS\arc.sys
17:58:24.0957 27680 arc - ok
17:58:24.0974 27680 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\windows\system32\DRIVERS\arcsas.sys
17:58:24.0978 27680 arcsas - ok
17:58:25.0017 27680 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\windows\system32\DRIVERS\asyncmac.sys
17:58:25.0019 27680 AsyncMac - ok
17:58:25.0137 27680 atapi (338c86357871c167a96ab976519bf59e) C:\windows\system32\drivers\atapi.sys
17:58:25.0138 27680 atapi - ok
17:58:25.0225 27680 athr (7d0a662d7b116169854b4ec941a7822d) C:\windows\system32\DRIVERS\athr.sys
17:58:25.0260 27680 athr - ok
17:58:25.0544 27680 atikmdag (745c79700646c3f285cd09775618a04b) C:\windows\system32\DRIVERS\atikmdag.sys
17:58:25.0658 27680 atikmdag - ok
17:58:25.0823 27680 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\windows\system32\DRIVERS\bxvbdx.sys
17:58:25.0831 27680 b06bdrv - ok
17:58:25.0868 27680 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\windows\system32\DRIVERS\b57nd60x.sys
17:58:25.0874 27680 b57nd60x - ok
17:58:26.0004 27680 Beep (505506526a9d467307b3c393dedaf858) C:\windows\system32\drivers\Beep.sys
17:58:26.0007 27680 Beep - ok
17:58:26.0045 27680 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\windows\system32\DRIVERS\blbdrive.sys
17:58:26.0047 27680 blbdrive - ok
17:58:26.0117 27680 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\windows\system32\DRIVERS\bowser.sys
17:58:26.0118 27680 bowser - ok
17:58:26.0173 27680 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\windows\system32\DRIVERS\BrFiltLo.sys
17:58:26.0175 27680 BrFiltLo - ok
17:58:26.0192 27680 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\windows\system32\DRIVERS\BrFiltUp.sys
17:58:26.0195 27680 BrFiltUp - ok
17:58:26.0222 27680 Brserid (845b8ce732e67f3b4133164868c666ea) C:\windows\System32\Drivers\Brserid.sys
17:58:26.0228 27680 Brserid - ok
17:58:26.0248 27680 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\windows\System32\Drivers\BrSerWdm.sys
17:58:26.0251 27680 BrSerWdm - ok
17:58:26.0271 27680 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\windows\System32\Drivers\BrUsbMdm.sys
17:58:26.0274 27680 BrUsbMdm - ok
17:58:26.0289 27680 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\windows\System32\Drivers\BrUsbSer.sys
17:58:26.0292 27680 BrUsbSer - ok
17:58:26.0377 27680 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\windows\system32\drivers\BthEnum.sys
17:58:26.0379 27680 BthEnum - ok
17:58:26.0444 27680 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\windows\system32\DRIVERS\bthmodem.sys
17:58:26.0446 27680 BTHMODEM - ok
17:58:26.0525 27680 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\windows\system32\DRIVERS\bthpan.sys
17:58:26.0529 27680 BthPan - ok
17:58:26.0621 27680 BTHPORT (c2fbf6d271d9a94d839c416bf186ead9) C:\windows\System32\Drivers\BTHport.sys
17:58:26.0630 27680 BTHPORT - ok
17:58:26.0747 27680 BTHUSB (c81e9413a25a439f436b1d4b6a0cf9e9) C:\windows\System32\Drivers\BTHUSB.sys
17:58:26.0751 27680 BTHUSB - ok
17:58:26.0848 27680 catchme - ok
17:58:26.0963 27680 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\windows\system32\DRIVERS\cdfs.sys
17:58:26.0964 27680 cdfs - ok
17:58:27.0121 27680 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\windows\system32\drivers\cdrom.sys
17:58:27.0124 27680 cdrom - ok
17:58:27.0270 27680 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\windows\system32\DRIVERS\circlass.sys
17:58:27.0272 27680 circlass - ok
17:58:27.0303 27680 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\windows\system32\CLFS.sys
17:58:27.0308 27680 CLFS - ok
17:58:27.0383 27680 CmBatt (dea805815e587dad1dd2c502220b5616) C:\windows\system32\DRIVERS\CmBatt.sys
17:58:27.0386 27680 CmBatt - ok
17:58:27.0449 27680 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\windows\system32\drivers\cmdide.sys
17:58:27.0451 27680 cmdide - ok
17:58:27.0478 27680 CNG (1b675691ed940766149c93e8f4488d68) C:\windows\system32\Drivers\cng.sys
17:58:27.0484 27680 CNG - ok
17:58:27.0503 27680 Compbatt (a6023d3823c37043986713f118a89bee) C:\windows\system32\DRIVERS\compbatt.sys
17:58:27.0504 27680 Compbatt - ok
17:58:27.0773 27680 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\windows\system32\drivers\CompositeBus.sys
17:58:27.0778 27680 CompositeBus - ok
17:58:27.0908 27680 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\windows\system32\DRIVERS\crcdisk.sys
17:58:27.0910 27680 crcdisk - ok
17:58:27.0986 27680 DfsC (f024449c97ec1e464aaffda18593db88) C:\windows\system32\Drivers\dfsc.sys
17:58:27.0988 27680 DfsC - ok
17:58:28.0148 27680 discache (1a050b0274bfb3890703d490f330c0da) C:\windows\system32\drivers\discache.sys
17:58:28.0150 27680 discache - ok
17:58:28.0209 27680 Disk (565003f326f99802e68ca78f2a68e9ff) C:\windows\system32\DRIVERS\disk.sys
17:58:28.0212 27680 Disk - ok
17:58:28.0252 27680 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\windows\system32\drivers\drmkaud.sys
17:58:28.0254 27680 drmkaud - ok
17:58:28.0330 27680 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\windows\System32\drivers\dxgkrnl.sys
17:58:28.0353 27680 DXGKrnl - ok
17:58:28.0501 27680 eamonm (04238864710460c5682e260207d06192) C:\windows\system32\DRIVERS\eamonm.sys
17:58:28.0506 27680 eamonm - ok
17:58:28.0718 27680 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\windows\system32\DRIVERS\evbdx.sys
17:58:28.0821 27680 ebdrv - ok
17:58:29.0060 27680 ehdrv (deff87f04ab5f6dd5edf2b80853bbe10) C:\windows\system32\DRIVERS\ehdrv.sys
17:58:29.0067 27680 ehdrv - ok
17:58:29.0275 27680 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\windows\system32\DRIVERS\elxstor.sys
17:58:29.0285 27680 elxstor - ok
17:58:29.0436 27680 epfw (5ba193ca0ae31209aaa39939ce6736b2) C:\windows\system32\DRIVERS\epfw.sys
17:58:29.0440 27680 epfw - ok
17:58:29.0626 27680 EpfwLWF (9cefd59c8e5ebfb48165aef54617f539) C:\windows\system32\DRIVERS\EpfwLWF.sys
17:58:29.0629 27680 EpfwLWF - ok
17:58:29.0791 27680 epfwwfp (7144a06ac105a2a7302944602e415ec1) C:\windows\system32\DRIVERS\epfwwfp.sys
17:58:29.0792 27680 epfwwfp - ok
17:58:29.0834 27680 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\windows\system32\drivers\errdev.sys
17:58:29.0836 27680 ErrDev - ok
17:58:29.0972 27680 exfat (2dc9108d74081149cc8b651d3a26207f) C:\windows\system32\drivers\exfat.sys
17:58:29.0976 27680 exfat - ok
17:58:30.0002 27680 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\windows\system32\drivers\fastfat.sys
17:58:30.0007 27680 fastfat - ok
17:58:30.0126 27680 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\windows\system32\DRIVERS\fdc.sys
17:58:30.0129 27680 fdc - ok
17:58:30.0176 27680 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\windows\system32\drivers\fileinfo.sys
17:58:30.0178 27680 FileInfo - ok
17:58:30.0195 27680 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\windows\system32\drivers\filetrace.sys
17:58:30.0198 27680 Filetrace - ok
17:58:30.0216 27680 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\windows\system32\DRIVERS\flpydisk.sys
17:58:30.0219 27680 flpydisk - ok
17:58:30.0249 27680 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\windows\system32\drivers\fltmgr.sys
17:58:30.0253 27680 FltMgr - ok
17:58:30.0295 27680 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\windows\system32\drivers\FsDepends.sys
17:58:30.0298 27680 FsDepends - ok
17:58:30.0362 27680 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\windows\system32\DRIVERS\fssfltr.sys
17:58:30.0365 27680 fssfltr - ok
17:58:30.0469 27680 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\windows\system32\drivers\Fs_Rec.sys
17:58:30.0472 27680 Fs_Rec - ok
17:58:30.0546 27680 fvevol (8a73e79089b282100b9393b644cb853b) C:\windows\system32\DRIVERS\fvevol.sys
17:58:30.0551 27680 fvevol - ok
17:58:30.0690 27680 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\windows\system32\DRIVERS\gagp30kx.sys
17:58:30.0693 27680 gagp30kx - ok
17:58:30.0754 27680 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
17:58:30.0756 27680 GEARAspiWDM - ok
17:58:30.0925 27680 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\windows\system32\drivers\hcw85cir.sys
17:58:30.0928 27680 hcw85cir - ok
17:58:30.0987 27680 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\windows\system32\drivers\HdAudio.sys
17:58:30.0993 27680 HdAudAddService - ok
17:58:31.0062 27680 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\windows\system32\drivers\HDAudBus.sys
17:58:31.0066 27680 HDAudBus - ok
17:58:31.0106 27680 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\windows\system32\DRIVERS\HidBatt.sys
17:58:31.0108 27680 HidBatt - ok
17:58:31.0137 27680 HidBth (89448f40e6df260c206a193a4683ba78) C:\windows\system32\DRIVERS\hidbth.sys
17:58:31.0139 27680 HidBth - ok
17:58:31.0164 27680 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\windows\system32\DRIVERS\hidir.sys
17:58:31.0167 27680 HidIr - ok
17:58:31.0239 27680 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\windows\system32\DRIVERS\hidusb.sys
17:58:31.0241 27680 HidUsb - ok
17:58:31.0350 27680 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\windows\system32\drivers\HpSAMD.sys
17:58:31.0355 27680 HpSAMD - ok
17:58:31.0429 27680 HTTP (871917b07a141bff43d76d8844d48106) C:\windows\system32\drivers\HTTP.sys
17:58:31.0438 27680 HTTP - ok
17:58:31.0483 27680 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\windows\system32\drivers\hwpolicy.sys
17:58:31.0484 27680 hwpolicy - ok
17:58:31.0564 27680 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\windows\system32\drivers\i8042prt.sys
17:58:31.0567 27680 i8042prt - ok
17:58:31.0614 27680 iaStor (d483687eace0c065ee772481a96e05f5) C:\windows\system32\DRIVERS\iaStor.sys
17:58:31.0616 27680 iaStor - ok
17:58:31.0709 27680 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\windows\system32\drivers\iaStorV.sys
17:58:31.0715 27680 iaStorV - ok
17:58:31.0959 27680 igfx (ad626f6964f4d364d226c39e06872dd3) C:\windows\system32\DRIVERS\igdkmd32.sys
17:58:32.0082 27680 igfx - ok
17:58:32.0221 27680 iirsp (4173ff5708f3236cf25195fecd742915) C:\windows\system32\DRIVERS\iirsp.sys
17:58:32.0224 27680 iirsp - ok
17:58:32.0368 27680 IntcAzAudAddService (db96b8bd676bb24bd4f1dc53ca1f182c) C:\windows\system32\drivers\RTKVHDA.sys
17:58:32.0465 27680 IntcAzAudAddService - ok
17:58:32.0616 27680 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\windows\system32\drivers\intelide.sys
17:58:32.0617 27680 intelide - ok
17:58:32.0657 27680 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\windows\system32\DRIVERS\intelppm.sys
17:58:32.0658 27680 intelppm - ok
17:58:32.0769 27680 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\windows\system32\DRIVERS\ipfltdrv.sys
17:58:32.0772 27680 IpFilterDriver - ok
17:58:32.0837 27680 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\windows\system32\drivers\IPMIDrv.sys
17:58:32.0841 27680 IPMIDRV - ok
17:58:32.0894 27680 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\windows\system32\drivers\ipnat.sys
17:58:32.0897 27680 IPNAT - ok
17:58:33.0052 27680 IRENUM (42996cff20a3084a56017b7902307e9f) C:\windows\system32\drivers\irenum.sys
17:58:33.0054 27680 IRENUM - ok
17:58:33.0103 27680 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\windows\system32\drivers\isapnp.sys
17:58:33.0106 27680 isapnp - ok
17:58:33.0131 27680 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\windows\system32\drivers\msiscsi.sys
17:58:33.0137 27680 iScsiPrt - ok
17:58:33.0299 27680 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\windows\system32\drivers\kbdclass.sys
17:58:33.0304 27680 kbdclass - ok
17:58:33.0363 27680 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\windows\system32\drivers\kbdhid.sys
17:58:33.0368 27680 kbdhid - ok
17:58:33.0439 27680 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\windows\system32\Drivers\ksecdd.sys
17:58:33.0442 27680 KSecDD - ok
17:58:33.0477 27680 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\windows\system32\Drivers\ksecpkg.sys
17:58:33.0481 27680 KSecPkg - ok
17:58:33.0550 27680 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\windows\system32\DRIVERS\lltdio.sys
17:58:33.0552 27680 lltdio - ok
17:58:33.0622 27680 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\windows\system32\DRIVERS\lsi_fc.sys
17:58:33.0625 27680 LSI_FC - ok
17:58:33.0681 27680 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\windows\system32\DRIVERS\lsi_sas.sys
17:58:33.0683 27680 LSI_SAS - ok
17:58:33.0701 27680 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\windows\system32\DRIVERS\lsi_sas2.sys
17:58:33.0703 27680 LSI_SAS2 - ok
17:58:33.0733 27680 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\windows\system32\DRIVERS\lsi_scsi.sys
17:58:33.0736 27680 LSI_SCSI - ok
17:58:33.0769 27680 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\windows\system32\drivers\luafv.sys
17:58:33.0773 27680 luafv - ok
17:58:33.0931 27680 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\windows\system32\DRIVERS\megasas.sys
17:58:33.0934 27680 megasas - ok
17:58:33.0966 27680 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\windows\system32\DRIVERS\MegaSR.sys
17:58:33.0971 27680 MegaSR - ok
17:58:33.0992 27680 Modem (f001861e5700ee84e2d4e52c712f4964) C:\windows\system32\drivers\modem.sys
17:58:33.0993 27680 Modem - ok
17:58:34.0031 27680 monitor (79d10964de86b292320e9dfe02282a23) C:\windows\system32\DRIVERS\monitor.sys
17:58:34.0032 27680 monitor - ok
17:58:34.0172 27680 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\windows\system32\DRIVERS\mouclass.sys
17:58:34.0175 27680 mouclass - ok
17:58:34.0224 27680 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\windows\system32\DRIVERS\mouhid.sys
17:58:34.0226 27680 mouhid - ok
17:58:34.0359 27680 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\windows\system32\drivers\mountmgr.sys
17:58:34.0364 27680 mountmgr - ok
17:58:34.0425 27680 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\windows\system32\drivers\mpio.sys
17:58:34.0429 27680 mpio - ok
17:58:34.0458 27680 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\windows\system32\drivers\mpsdrv.sys
17:58:34.0461 27680 mpsdrv - ok
17:58:34.0514 27680 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\windows\system32\drivers\mrxdav.sys
17:58:34.0518 27680 MRxDAV - ok
17:58:34.0570 27680 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\windows\system32\DRIVERS\mrxsmb.sys
17:58:34.0575 27680 mrxsmb - ok
17:58:34.0634 27680 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\windows\system32\DRIVERS\mrxsmb10.sys
17:58:34.0638 27680 mrxsmb10 - ok
17:58:34.0686 27680 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\windows\system32\DRIVERS\mrxsmb20.sys
17:58:34.0689 27680 mrxsmb20 - ok
17:58:34.0732 27680 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\windows\system32\drivers\msahci.sys
17:58:34.0734 27680 msahci - ok
17:58:34.0757 27680 msdsm (55055f8ad8be27a64c831322a780a228) C:\windows\system32\drivers\msdsm.sys
17:58:34.0761 27680 msdsm - ok
17:58:34.0888 27680 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\windows\system32\drivers\Msfs.sys
17:58:34.0889 27680 Msfs - ok
17:58:34.0908 27680 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\windows\System32\drivers\mshidkmdf.sys
17:58:34.0911 27680 mshidkmdf - ok
17:58:34.0964 27680 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\windows\system32\drivers\msisadrv.sys
17:58:34.0965 27680 msisadrv - ok
17:58:35.0084 27680 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\windows\system32\drivers\MSKSSRV.sys
17:58:35.0087 27680 MSKSSRV - ok
17:58:35.0103 27680 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\windows\system32\drivers\MSPCLOCK.sys
17:58:35.0105 27680 MSPCLOCK - ok
17:58:35.0128 27680 MSPQM (f456e973590d663b1073e9c463b40932) C:\windows\system32\drivers\MSPQM.sys
17:58:35.0129 27680 MSPQM - ok
17:58:35.0153 27680 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\windows\system32\drivers\MsRPC.sys
17:58:35.0157 27680 MsRPC - ok
17:58:35.0286 27680 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\windows\system32\drivers\mssmbios.sys
17:58:35.0287 27680 mssmbios - ok
17:58:35.0343 27680 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\windows\system32\drivers\MSTEE.sys
17:58:35.0346 27680 MSTEE - ok
17:58:35.0386 27680 MTConfig (33599130f44e1f34631cea241de8ac84) C:\windows\system32\DRIVERS\MTConfig.sys
17:58:35.0389 27680 MTConfig - ok
17:58:35.0424 27680 Mup (159fad02f64e6381758c990f753bcc80) C:\windows\system32\Drivers\mup.sys
17:58:35.0426 27680 Mup - ok
17:58:35.0554 27680 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\windows\system32\DRIVERS\nwifi.sys
17:58:35.0560 27680 NativeWifiP - ok
17:58:35.0634 27680 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\windows\system32\drivers\ndis.sys
17:58:35.0659 27680 NDIS - ok
17:58:35.0775 27680 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\windows\system32\DRIVERS\ndiscap.sys
17:58:35.0778 27680 NdisCap - ok
17:58:35.0803 27680 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\windows\system32\DRIVERS\ndistapi.sys
17:58:35.0806 27680 NdisTapi - ok
17:58:35.0952 27680 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\windows\system32\DRIVERS\ndisuio.sys
17:58:35.0962 27680 Ndisuio - ok
17:58:36.0015 27680 NdisWan (38fbe267e7e6983311179230facb1017) C:\windows\system32\DRIVERS\ndiswan.sys
17:58:36.0018 27680 NdisWan - ok
17:58:36.0065 27680 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\windows\system32\drivers\NDProxy.sys
17:58:36.0069 27680 NDProxy - ok
17:58:36.0111 27680 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\windows\system32\DRIVERS\netbios.sys
17:58:36.0113 27680 NetBIOS - ok
17:58:36.0260 27680 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\windows\system32\DRIVERS\netbt.sys
17:58:36.0264 27680 NetBT - ok
17:58:36.0395 27680 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\windows\system32\DRIVERS\nfrd960.sys
17:58:36.0398 27680 nfrd960 - ok
17:58:36.0575 27680 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\windows\system32\drivers\npf.sys
17:58:36.0578 27680 NPF - ok
17:58:36.0622 27680 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\windows\system32\drivers\Npfs.sys
17:58:36.0624 27680 Npfs - ok
17:58:36.0646 27680 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\windows\system32\drivers\nsiproxy.sys
17:58:36.0648 27680 nsiproxy - ok
17:58:36.0755 27680 Ntfs (81189c3d7763838e55c397759d49007a) C:\windows\system32\drivers\Ntfs.sys
17:58:36.0789 27680 Ntfs - ok
17:58:37.0020 27680 Null (f9756a98d69098dca8945d62858a812c) C:\windows\system32\drivers\Null.sys
17:58:37.0021 27680 Null - ok
17:58:37.0210 27680 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\windows\system32\drivers\nvraid.sys
17:58:37.0216 27680 nvraid - ok
17:58:37.0357 27680 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\windows\system32\drivers\nvstor.sys
17:58:37.0362 27680 nvstor - ok
17:58:37.0418 27680 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\windows\system32\drivers\nv_agp.sys
17:58:37.0421 27680 nv_agp - ok
17:58:37.0579 27680 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\windows\system32\drivers\ohci1394.sys
17:58:37.0584 27680 ohci1394 - ok
17:58:37.0630 27680 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\windows\system32\DRIVERS\parport.sys
17:58:37.0632 27680 Parport - ok
17:58:37.0676 27680 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\windows\system32\drivers\partmgr.sys
17:58:37.0678 27680 partmgr - ok
17:58:37.0694 27680 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\windows\system32\DRIVERS\parvdm.sys
17:58:37.0696 27680 Parvdm - ok
17:58:37.0757 27680 pci (673e55c3498eb970088e812ea820aa8f) C:\windows\system32\drivers\pci.sys
17:58:37.0760 27680 pci - ok
17:58:37.0804 27680 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\windows\system32\drivers\pciide.sys
17:58:37.0806 27680 pciide - ok
17:58:37.0838 27680 pcmcia (f396431b31693e71e8a80687ef523506) C:\windows\system32\DRIVERS\pcmcia.sys
17:58:37.0843 27680 pcmcia - ok
17:58:37.0864 27680 pcw (250f6b43d2b613172035c6747aeeb19f) C:\windows\system32\drivers\pcw.sys
17:58:37.0866 27680 pcw - ok
17:58:37.0900 27680 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\windows\system32\drivers\peauth.sys
17:58:37.0909 27680 PEAUTH - ok
17:58:38.0065 27680 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\windows\system32\DRIVERS\raspptp.sys
17:58:38.0069 27680 PptpMiniport - ok
17:58:38.0094 27680 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\windows\system32\DRIVERS\processr.sys
17:58:38.0097 27680 Processor - ok
17:58:38.0165 27680 Psched (6270ccae2a86de6d146529fe55b3246a) C:\windows\system32\DRIVERS\pacer.sys
17:58:38.0168 27680 Psched - ok
17:58:38.0206 27680 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\windows\system32\DRIVERS\ql2300.sys
17:58:38.0240 27680 ql2300 - ok
17:58:38.0265 27680 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\windows\system32\DRIVERS\ql40xx.sys
17:58:38.0269 27680 ql40xx - ok
17:58:38.0295 27680 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\windows\system32\drivers\qwavedrv.sys
17:58:38.0297 27680 QWAVEdrv - ok
17:58:38.0332 27680 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\windows\system32\DRIVERS\rasacd.sys
17:58:38.0334 27680 RasAcd - ok
17:58:38.0468 27680 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\windows\system32\DRIVERS\AgileVpn.sys
17:58:38.0471 27680 RasAgileVpn - ok
17:58:38.0619 27680 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\windows\system32\DRIVERS\rasl2tp.sys
17:58:38.0622 27680 Rasl2tp - ok
17:58:38.0750 27680 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\windows\system32\DRIVERS\raspppoe.sys
17:58:38.0753 27680 RasPppoe - ok
17:58:38.0778 27680 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\windows\system32\DRIVERS\rassstp.sys
17:58:38.0781 27680 RasSstp - ok
17:58:38.0842 27680 rdbss (d528bc58a489409ba40334ebf96a311b) C:\windows\system32\DRIVERS\rdbss.sys
17:58:38.0847 27680 rdbss - ok
17:58:38.0883 27680 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\windows\system32\DRIVERS\rdpbus.sys
17:58:38.0886 27680 rdpbus - ok
17:58:38.0938 27680 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\windows\system32\DRIVERS\RDPCDD.sys
17:58:38.0939 27680 RDPCDD - ok
17:58:38.0998 27680 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\windows\system32\drivers\rdpencdd.sys
17:58:39.0000 27680 RDPENCDD - ok
17:58:39.0019 27680 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\windows\system32\drivers\rdprefmp.sys
17:58:39.0021 27680 RDPREFMP - ok
17:58:39.0105 27680 RDPWD (288b06960d78428ff89e811632684e20) C:\windows\system32\drivers\RDPWD.sys
17:58:39.0110 27680 RDPWD - ok
17:58:39.0256 27680 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\windows\system32\drivers\rdyboost.sys
17:58:39.0261 27680 rdyboost - ok
17:58:39.0400 27680 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\windows\system32\DRIVERS\rfcomm.sys
17:58:39.0403 27680 RFCOMM - ok
17:58:39.0573 27680 rspndr (032b0d36ad92b582d869879f5af5b928) C:\windows\system32\DRIVERS\rspndr.sys
17:58:39.0574 27680 rspndr - ok
17:58:39.0601 27680 RTL8167 (7dfd48e24479b68b258d8770121155a0) C:\windows\system32\DRIVERS\Rt86win7.sys
17:58:39.0606 27680 RTL8167 - ok
17:58:39.0733 27680 SABI (6e5fbb7cbaec47038b945d5e9b144a64) C:\windows\system32\Drivers\SABI.sys
17:58:39.0736 27680 SABI - ok
17:58:39.0793 27680 sbp2port (05d860da1040f111503ac416ccef2bca) C:\windows\system32\drivers\sbp2port.sys
17:58:39.0797 27680 sbp2port - ok
17:58:39.0847 27680 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\windows\system32\DRIVERS\scfilter.sys
17:58:39.0849 27680 scfilter - ok
17:58:40.0000 27680 SDHookDriver (47dd7bb6b72a5f49e01f53597bcaeac7) C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
17:58:40.0003 27680 SDHookDriver - ok
17:58:40.0140 27680 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\windows\system32\drivers\secdrv.sys
17:58:40.0141 27680 secdrv - ok
17:58:40.0290 27680 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\windows\system32\DRIVERS\serenum.sys
17:58:40.0619 27680 Serenum - ok
17:58:40.0859 27680 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\windows\system32\DRIVERS\serial.sys
17:58:40.0863 27680 Serial - ok
17:58:40.0915 27680 sermouse (79bffb520327ff916a582dfea17aa813) C:\windows\system32\DRIVERS\sermouse.sys
17:58:40.0923 27680 sermouse - ok
17:58:41.0007 27680 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\windows\system32\drivers\sffdisk.sys
17:58:41.0010 27680 sffdisk - ok
17:58:41.0034 27680 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\windows\system32\drivers\sffp_mmc.sys
17:58:41.0037 27680 sffp_mmc - ok
17:58:41.0055 27680 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\windows\system32\drivers\sffp_sd.sys
17:58:41.0058 27680 sffp_sd - ok
17:58:41.0086 27680 sfloppy (db96666cc8312ebc45032f30b007a547) C:\windows\system32\DRIVERS\sfloppy.sys
17:58:41.0089 27680 sfloppy - ok
17:58:41.0149 27680 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\windows\system32\drivers\sisagp.sys
17:58:41.0151 27680 sisagp - ok
17:58:41.0289 27680 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\windows\system32\DRIVERS\SiSRaid2.sys
17:58:41.0293 27680 SiSRaid2 - ok
17:58:41.0313 27680 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\windows\system32\DRIVERS\sisraid4.sys
17:58:41.0316 27680 SiSRaid4 - ok
17:58:41.0351 27680 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\windows\system32\DRIVERS\smb.sys
17:58:41.0353 27680 Smb - ok
17:58:41.0394 27680 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\windows\system32\drivers\spldr.sys
17:58:41.0395 27680 spldr - ok
17:58:41.0460 27680 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\windows\system32\DRIVERS\srv.sys
17:58:41.0464 27680 srv - ok
17:58:41.0500 27680 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\windows\system32\DRIVERS\srv2.sys
17:58:41.0506 27680 srv2 - ok
17:58:41.0535 27680 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\windows\system32\DRIVERS\srvnet.sys
17:58:41.0538 27680 srvnet - ok
17:58:41.0580 27680 stexstor (db32d325c192b801df274bfd12a7e72b) C:\windows\system32\DRIVERS\stexstor.sys
17:58:41.0582 27680 stexstor - ok
17:58:41.0629 27680 swenum (e58c78a848add9610a4db6d214af5224) C:\windows\system32\drivers\swenum.sys
17:58:41.0631 27680 swenum - ok
17:58:41.0775 27680 SynTP (069e5728e565bd401347cb94732c4733) C:\windows\system32\DRIVERS\SynTP.sys
17:58:41.0780 27680 SynTP - ok
17:58:41.0892 27680 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\windows\system32\drivers\tcpip.sys
17:58:41.0927 27680 Tcpip - ok
17:58:42.0101 27680 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\windows\system32\DRIVERS\tcpip.sys
17:58:42.0114 27680 TCPIP6 - ok
17:58:42.0263 27680 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\windows\system32\drivers\tcpipreg.sys
17:58:42.0266 27680 tcpipreg - ok
17:58:42.0326 27680 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\windows\system32\drivers\tdpipe.sys
17:58:42.0329 27680 TDPIPE - ok
17:58:42.0378 27680 TDTCP (2c10395baa4847f83042813c515cc289) C:\windows\system32\drivers\tdtcp.sys
17:58:42.0379 27680 TDTCP - ok
17:58:42.0432 27680 tdx (b459575348c20e8121d6039da063c704) C:\windows\system32\DRIVERS\tdx.sys
17:58:42.0437 27680 tdx - ok
17:58:42.0497 27680 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\windows\system32\drivers\termdd.sys
17:58:42.0499 27680 TermDD - ok
17:58:42.0696 27680 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\windows\system32\DRIVERS\tssecsrv.sys
17:58:42.0701 27680 tssecsrv - ok
17:58:42.0768 27680 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\windows\system32\drivers\tsusbflt.sys
17:58:42.0772 27680 TsUsbFlt - ok
17:58:42.0843 27680 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\windows\system32\DRIVERS\tunnel.sys
17:58:42.0847 27680 tunnel - ok
17:58:42.0874 27680 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
17:58:42.0877 27680 uagp35 - ok
17:58:42.0930 27680 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\windows\system32\DRIVERS\udfs.sys
17:58:42.0935 27680 udfs - ok
17:58:42.0987 27680 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\drivers\uliagpkx.sys
17:58:42.0991 27680 uliagpkx - ok
17:58:43.0061 27680 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\windows\system32\drivers\umbus.sys
17:58:43.0066 27680 umbus - ok
17:58:43.0194 27680 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
17:58:43.0197 27680 UmPass - ok
17:58:43.0264 27680 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\windows\system32\Drivers\usbaapl.sys
17:58:43.0267 27680 USBAAPL - ok
17:58:43.0336 27680 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\windows\system32\DRIVERS\usbccgp.sys
17:58:43.0341 27680 usbccgp - ok
17:58:43.0447 27680 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\drivers\usbcir.sys
17:58:43.0450 27680 usbcir - ok
17:58:43.0589 27680 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\windows\system32\DRIVERS\usbehci.sys
17:58:43.0592 27680 usbehci - ok
17:58:43.0660 27680 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\windows\system32\DRIVERS\usbhub.sys
17:58:43.0665 27680 usbhub - ok
17:58:43.0777 27680 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\windows\system32\DRIVERS\usbohci.sys
17:58:43.0779 27680 usbohci - ok
17:58:43.0808 27680 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
17:58:43.0811 27680 usbprint - ok
17:58:43.0895 27680 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\windows\system32\DRIVERS\usbscan.sys
17:58:43.0898 27680 usbscan - ok
17:58:43.0962 27680 USBSTOR (f991ab9cc6b908db552166768176896a) C:\windows\system32\DRIVERS\USBSTOR.SYS
17:58:43.0968 27680 USBSTOR - ok
17:58:44.0031 27680 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\windows\system32\DRIVERS\usbuhci.sys
17:58:44.0033 27680 usbuhci - ok
17:58:44.0183 27680 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\windows\System32\Drivers\usbvideo.sys
17:58:44.0188 27680 usbvideo - ok
17:58:44.0253 27680 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\drivers\vdrvroot.sys
17:58:44.0256 27680 vdrvroot - ok
17:58:44.0300 27680 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
17:58:44.0303 27680 vga - ok
17:58:44.0321 27680 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
17:58:44.0324 27680 VgaSave - ok
17:58:44.0383 27680 vhdmp (5461686cca2fda57b024547733ab42e3) C:\windows\system32\drivers\vhdmp.sys
17:58:44.0389 27680 vhdmp - ok
17:58:44.0532 27680 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\drivers\viaagp.sys
17:58:44.0536 27680 viaagp - ok
17:58:44.0571 27680 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
17:58:44.0575 27680 ViaC7 - ok
17:58:44.0643 27680 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\drivers\viaide.sys
17:58:44.0646 27680 viaide - ok
17:58:44.0672 27680 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\windows\system32\drivers\volmgr.sys
17:58:44.0674 27680 volmgr - ok
17:58:44.0697 27680 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
17:58:44.0703 27680 volmgrx - ok
17:58:44.0754 27680 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\windows\system32\drivers\volsnap.sys
17:58:44.0760 27680 volsnap - ok
17:58:44.0806 27680 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
17:58:44.0811 27680 vsmraid - ok
17:58:44.0917 27680 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\system32\DRIVERS\vwifibus.sys
17:58:44.0918 27680 vwifibus - ok
17:58:44.0942 27680 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
17:58:44.0945 27680 vwififlt - ok
17:58:44.0985 27680 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
17:58:44.0988 27680 WacomPen - ok
17:58:45.0056 27680 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\windows\system32\DRIVERS\wanarp.sys
17:58:45.0060 27680 WANARP - ok
17:58:45.0065 27680 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\windows\system32\DRIVERS\wanarp.sys
17:58:45.0067 27680 Wanarpv6 - ok
17:58:45.0155 27680 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
17:58:45.0156 27680 Wd - ok
17:58:45.0190 27680 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
17:58:45.0197 27680 Wdf01000 - ok
17:58:45.0354 27680 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
17:58:45.0356 27680 WfpLwf - ok
17:58:45.0372 27680 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
17:58:45.0375 27680 WIMMount - ok
17:58:45.0570 27680 WINUSB (a67e5f9a400f3bd1be3d80613b45f708) C:\windows\system32\drivers\WinUSB.SYS
17:58:45.0576 27680 WINUSB - ok
17:58:45.0647 27680 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\drivers\wmiacpi.sys
17:58:45.0650 27680 WmiAcpi - ok
17:58:45.0812 27680 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
17:58:45.0815 27680 ws2ifsl - ok
17:58:45.0912 27680 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\windows\system32\drivers\WudfPf.sys
17:58:45.0915 27680 WudfPf - ok
17:58:45.0978 27680 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\windows\system32\DRIVERS\WUDFRd.sys
17:58:45.0982 27680 WUDFRd - ok
17:58:46.0128 27680 yukonw7 (30b73eb97218a16cbc6de535782a1b35) C:\windows\system32\DRIVERS\yk62x86.sys
17:58:46.0135 27680 yukonw7 - ok
17:58:46.0180 27680 MBR (0x1B8) (2e5debb2116b3417023e0d6562d7ed07) \Device\Harddisk0\DR0
17:58:46.0420 27680 \Device\Harddisk0\DR0 - ok
17:58:46.0426 27680 Boot (0x1200) (35ad429c41eabd3cb5aa0c137174f74e) \Device\Harddisk0\DR0\Partition0
17:58:46.0428 27680 \Device\Harddisk0\DR0\Partition0 - ok
17:58:46.0478 27680 Boot (0x1200) (8ef57f636c3472629962a8279554bffc) \Device\Harddisk0\DR0\Partition1
17:58:46.0480 27680 \Device\Harddisk0\DR0\Partition1 - ok
17:58:46.0511 27680 Boot (0x1200) (18763aeac0ee39fec1defec9b7171ab2) \Device\Harddisk0\DR0\Partition2
17:58:46.0515 27680 \Device\Harddisk0\DR0\Partition2 - ok
17:58:46.0515 27680 ============================================================
17:58:46.0515 27680 Scan finished
17:58:46.0515 27680 ============================================================
17:58:46.0531 27692 Detected object count: 0
17:58:46.0531 27692 Actual detected object count: 0
17:59:27.0807 27284 Deinitialize success

here are the latest run for the W7 box:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
BIOS Manufacturer: Phoenix Technologies Ltd.
System Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
System Product Name: R720
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 156):
0x8301B000 \SystemRoot\system32\ntoskrnl.exe
0x8341E000 \SystemRoot\system32\halmacpi.dll
0x80BD2000 \SystemRoot\system32\kdcom.dll
0x8B824000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8B8A9000 \SystemRoot\system32\PSHED.dll
0x8B8BA000 \SystemRoot\system32\BOOTVID.dll
0x8B8C2000 \SystemRoot\system32\CLFS.SYS
0x8B904000 \SystemRoot\system32\CI.dll
0x8B9AF000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8BA20000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8BA2E000 \SystemRoot\system32\drivers\ACPI.sys
0x8BA76000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8BA7F000 \SystemRoot\system32\drivers\msisadrv.sys
0x8BA87000 \SystemRoot\system32\drivers\pci.sys
0x8BAB1000 \SystemRoot\system32\drivers\vdrvroot.sys
0x8BABC000 \SystemRoot\System32\drivers\partmgr.sys
0x8BACD000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8BAD5000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8BAE0000 \SystemRoot\system32\drivers\volmgr.sys
0x8BAF0000 \SystemRoot\System32\drivers\volmgrx.sys
0x8BB3B000 \SystemRoot\System32\drivers\mountmgr.sys
0x8BC14000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x8BCEE000 \SystemRoot\system32\drivers\atapi.sys
0x8BCF7000 \SystemRoot\system32\drivers\ataport.SYS
0x8BD1A000 \SystemRoot\system32\drivers\msahci.sys
0x8BD24000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8BD32000 \SystemRoot\system32\drivers\amdxata.sys
0x8BD3B000 \SystemRoot\system32\drivers\fltmgr.sys
0x8BD6F000 \SystemRoot\system32\drivers\fileinfo.sys
0x8BD80000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BEAF000 \SystemRoot\System32\Drivers\msrpc.sys
0x8BEDA000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8BEED000 \SystemRoot\System32\Drivers\cng.sys
0x8BF4A000 \SystemRoot\System32\drivers\pcw.sys
0x8BF58000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8C039000 \SystemRoot\system32\drivers\ndis.sys
0x8C0F0000 \SystemRoot\system32\drivers\NETIO.SYS
0x8C12E000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8C153000 \SystemRoot\System32\drivers\tcpip.sys
0x8C29D000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8C2CE000 \SystemRoot\system32\DRIVERS\epfwwfp.sys
0x8C2DF000 \SystemRoot\system32\drivers\volsnap.sys
0x8C31E000 \SystemRoot\System32\Drivers\spldr.sys
0x8C326000 \SystemRoot\System32\drivers\rdyboost.sys
0x8C353000 \SystemRoot\System32\Drivers\mup.sys
0x8C363000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8C36B000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8C39D000 \SystemRoot\system32\DRIVERS\disk.sys
0x8C3AE000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x920F9000 \SystemRoot\system32\drivers\cdrom.sys
0x92118000 \SystemRoot\System32\Drivers\Null.SYS
0x9211F000 \SystemRoot\System32\Drivers\Beep.SYS
0x92126000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0x92146000 \SystemRoot\System32\drivers\vga.sys
0x92152000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x92173000 \SystemRoot\System32\drivers\watchdog.sys
0x92180000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x92188000 \SystemRoot\system32\drivers\rdpencdd.sys
0x92190000 \SystemRoot\system32\drivers\rdprefmp.sys
0x92198000 \SystemRoot\System32\Drivers\Msfs.SYS
0x921A3000 \SystemRoot\System32\Drivers\Npfs.SYS
0x921B1000 \SystemRoot\system32\DRIVERS\tdx.sys
0x921C8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x921D4000 \SystemRoot\system32\drivers\afd.sys
0x9222E000 \SystemRoot\System32\DRIVERS\netbt.sys
0x92260000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x92267000 \SystemRoot\system32\DRIVERS\pacer.sys
0x92286000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x92297000 \SystemRoot\system32\DRIVERS\EpfwLWF.sys
0x922A3000 \SystemRoot\system32\DRIVERS\netbios.sys
0x922B1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x922C4000 \SystemRoot\system32\drivers\termdd.sys
0x922D5000 \??\C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
0x922DD000 \??\C:\windows\system32\Drivers\SABI.sys
0x922E5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x92326000 \SystemRoot\system32\drivers\nsiproxy.sys
0x92330000 \SystemRoot\system32\drivers\mssmbios.sys
0x9233A000 \SystemRoot\System32\drivers\discache.sys
0x92346000 \SystemRoot\System32\Drivers\dfsc.sys
0x9235E000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x9236C000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x9380E000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x93D4E000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x93E05000 \SystemRoot\System32\drivers\dxgmms1.sys
0x93E3E000 \SystemRoot\system32\drivers\HDAudBus.sys
0x93E5D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x93E68000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x93EB3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x93EC2000 \SystemRoot\system32\DRIVERS\athr.sys
0x93FF6000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x9238D000 \SystemRoot\system32\DRIVERS\yk62x86.sys
0x93800000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x923DE000 \SystemRoot\system32\drivers\i8042prt.sys
0x92000000 \SystemRoot\system32\drivers\kbdclass.sys
0x8BF61000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x93804000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8C3E0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x93806000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8C3ED000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8C000000 \SystemRoot\system32\drivers\CompositeBus.sys
0x8C00D000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8C01F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8BF9B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8BFA6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8BFC8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8BFE0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8BB51000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x9380C000 \SystemRoot\system32\drivers\swenum.sys
0x8BB68000 \SystemRoot\system32\drivers\ks.sys
0x8BC00000 \SystemRoot\system32\drivers\umbus.sys
0x8BB9C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8BBE0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9401C000 \SystemRoot\system32\drivers\HdAudio.sys
0x9406C000 \SystemRoot\system32\drivers\portcls.sys
0x9409B000 \SystemRoot\system32\drivers\drmk.sys
0x940B4000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x94359000 \SystemRoot\system32\DRIVERS\udfs.sys
0x94399000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x943A4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x943B7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x943BE000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x943C9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x9200D000 \SystemRoot\System32\Drivers\usbvideo.sys
0x943E0000 \SystemRoot\System32\Drivers\crashdmp.sys
0x9740B000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x974E5000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x97870000 \SystemRoot\System32\win32k.sys
0x974F6000 \SystemRoot\System32\drivers\Dxapi.sys
0x97500000 \SystemRoot\system32\DRIVERS\monitor.sys
0x97AD0000 \SystemRoot\System32\TSDDD.dll
0x97B00000 \SystemRoot\System32\cdd.dll
0x9750B000 \SystemRoot\system32\drivers\luafv.sys
0x97526000 \SystemRoot\system32\DRIVERS\eamonm.sys
0x975F4000 \SystemRoot\system32\drivers\WudfPf.sys
0x9760E000 \SystemRoot\system32\DRIVERS\epfw.sys
0x97636000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x97646000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9768C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9769C000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x976AF000 \SystemRoot\system32\drivers\HTTP.sys
0x97734000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9774D000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9775F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x97782000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x977BD000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x977F0000 \SystemRoot\system32\drivers\npf.sys
0x92031000 \SystemRoot\system32\drivers\peauth.sys
0x97400000 \SystemRoot\System32\Drivers\secdrv.SYS
0x920C8000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x977D8000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA1C23000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA1C73000 \SystemRoot\System32\DRIVERS\srv.sys
0xA1D2F000 \??\C:\Users\admin\AppData\Local\Temp\aswMBR.sys
0x77BA0000 \Windows\System32\ntdll.dll
0x483A0000 \Windows\System32\smss.exe
0x77DE0000 \Windows\System32\apisetschema.dll

Processes (total 74):
0 System Idle Process
4 System
312 C:\Windows\System32\smss.exe
476 csrss.exe
548 C:\Windows\System32\wininit.exe
556 csrss.exe
604 C:\Windows\System32\services.exe
620 C:\Windows\System32\lsass.exe
628 C:\Windows\System32\lsm.exe
736 C:\Windows\System32\svchost.exe
800 C:\Windows\System32\svchost.exe
852 C:\Windows\System32\atiesrxx.exe
904 C:\Windows\System32\winlogon.exe
952 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\svchost.exe
1044 C:\Windows\System32\svchost.exe
1192 C:\Windows\System32\svchost.exe
1288 C:\Windows\System32\atieclxx.exe
1312 C:\Windows\System32\svchost.exe
1628 C:\Windows\System32\spoolsv.exe
1672 C:\Windows\System32\svchost.exe
1760 C:\Program Files\LSI SoftModem\agrsmsvc.exe
1796 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1852 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
1900 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
1920 C:\Program Files\ICQ6Toolbar\ICQ Service.exe
2008 C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
424 C:\Windows\System32\Rezip.exe
492 C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe
428 C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
1936 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
468 C:\Windows\System32\svchost.exe
1564 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
1328 C:\Windows\System32\svchost.exe
2112 C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
2656 C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
2828 C:\Windows\System32\svchost.exe
3608 C:\Windows\System32\taskhost.exe
3644 C:\Windows\System32\taskeng.exe
3684 C:\Windows\System32\dwm.exe
3964 C:\Windows\explorer.exe
3136 C:\Windows\System32\svchost.exe
3400 C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
3412 C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
1860 C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
1988 C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
2564 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
1688 C:\Windows\System32\SearchIndexer.exe
2024 C:\Program Files\Windows Media Player\wmpnetwk.exe
2688 C:\Windows\System32\svchost.exe
3712 C:\Windows\System32\svchost.exe
2464 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
3524 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4696 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
5300 C:\Windows\WindowsMobile\wmdc.exe
2644 C:\Program Files\iTunes\iTunesHelper.exe
4308 C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
4576 C:\Program Files\ESET\ESET Smart Security\egui.exe
4480 C:\Program Files\iPod\bin\iPodService.exe
6560 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
7996 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
9152 C:\Program Files\ICQ7.0\ICQ.exe
11168 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
16316 C:\Program Files\OpenOffice.org 3\program\soffice.exe
18656 C:\Program Files\OpenOffice.org 3\program\soffice.bin
19324 C:\Windows\System32\audiodg.exe
10008 C:\Program Files\Mozilla Firefox\firefox.exe
20692 C:\Program Files\Mozilla Firefox\plugin-container.exe
24084 C:\Windows\explorer.exe
28628 C:\Windows\System32\notepad.exe
28584 dllhost.exe
24528 dllhost.exe
26384 C:\Users\admin\Desktop\MBRCheck.exe
26828 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`c6500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000068`0bf00000 (NTFS)

PhysicalDrive0 Model Number: ST9500325AS, Rev: 0001SDM1

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F5C09ACABD4A5370BDD907E8EDFE0C1DA0F9D3F5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

here is the aswMBR log I did 4 days ago, (took me a day to scan,) I can re-do it if you whant.

bye
philippe

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-08 21:23:06
-----------------------------
21:23:06.569 OS Version: Windows 6.1.7601 Service Pack 1
21:23:06.569 Number of processors: 2 586 0x170A
21:23:06.569 ComputerName: ADMIN-PC UserName: admin
21:23:28.690 Initialize success
21:23:34.540 AVAST engine defs: 11120701
21:27:17.873 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:27:17.873 Disk 0 Vendor: ST950032 0001 Size: 476940MB BusType: 3
21:27:17.904 Disk 0 MBR read successfully
21:27:17.904 Disk 0 MBR scan
21:27:17.904 Disk 0 unknown MBR code
21:27:17.904 Disk 0 scanning sectors +976771072
21:27:18.013 Disk 0 scanning C:\windows\system32\drivers
21:27:41.007 Service scanning
21:27:42.552 Modules scanning
21:27:52.505 Disk 0 trace - called modules:
21:27:52.520 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
21:27:52.520 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86dac030]
21:27:52.536 3 CLASSPNP.SYS[8c38759e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85f5e028]
21:27:54.127 AVAST engine scan C:\
15:42:06.632 Scan finished successfully
18:41:46.532 Disk 0 MBR has been saved successfully to "C:\Users\admin\Desktop\MBR.dat"
18:41:46.532 The log file has been saved successfully to "C:\Users\admin\Desktop\aswMBR-log-9-12-2012.txt"

hi,

Are you getting re-directs when you are browsing the internet? Do you have W7 install DVD? Prior to writing a new mbr, I would pull off anything you dont want to lose. Not that it will wipe your drive but because something could go wrong leaving a non-bootable machine.

Hi shelf life,

>Are you getting re-directs when you are browsing the internet?
Not really, but in fact I am not really using my W7 box anymore, just to do security scans...

>Do you have W7 install DVD?

I do not have any install DVD, the W7 have been shipped with the OS pre-installed… and when I phone up Samsung, the answer is No we do not ship W7 install CDs… and on MSFT site it’s not possible to download it. All I have Is the rescue/re-install CD I bruned a couple of days ago and I believe the malware have been back up with it.

So I plan to download an ISO image of the official install from digitalrivercontent.net I have seen a couple of links on the web to this site and use my OEM licence to activate it.

I did not believe how ridiculous this situation can be…. !!!!

>Prior to writing a new mbr, I would pull off anything you dont want to lose. >Not that it will wipe your drive but because something could go wrong >leaving a non-bootable machine.

I will move all my content to a NAS (I will try to do it only with FTP if
possible) the NAS is running a Linux OS.
I have ordered the NAS this Week end I am waiting for it.


bye
philippe

hi,

I guess the good news is that I dont recognize any malware in any of the logs, they all look ok and the three tools you ran are the best tools for removing current rootkits. Based on the logs and the fact you are not getting re-directed I would say you are malware free.
The only thing Iam going on is the unknown MBR code, which doesn't mean malware is present. It could be Samsung custom MBR code.

hi shelf life


>I guess the good news is that I dont recognize any malware in any of the >logs, they all look ok and the three tools you ran are the best tools for >removing current rootkits. Based on the logs and the fact you are not >getting re-directed I would say you are malware free.

I see your point, but how do you explain that there is something on the box, that connects to

Host: rs.mail.ru

and this thing downloads flash files ??? this still looks extremely suspicious to me...


I did a search on the IP that my box is connecting to and it's a mail server in Russia:

General IP Information
IP: 94.100.187.197
Decimal: 1583659973
Hostname: rf7-reklama.mail.ru
ISP: Limited liability company Mail.Ru
Organization: Mail.Ru
Services: None detected
Type:
Assignment: Static IP
Blacklist:
Geolocation Information
Country: Russian Federation ru flag



here is the TCP stream I captured using wiresharck:




GET /b14070641.swf HTTP/1.1

Accept: */*

Accept-Language: fr-FR

x-flash-version: 11,1,102,55

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)

Host: rs.mail.ru

Connection: Keep-Alive

Cookie: p=iBwZADTP+AAA; b=rTsCAABjigIAAQBKgMYA



HTTP/1.1 200 OK

Server: nginx/1.1.7

Date: Mon, 12 Dec 2011 06:38:28 GMT

Content-Type: application/x-shockwave-flash

Content-Length: 28828

Connection: keep-alive

Expires: Mon, 19 Dec 2011 06:38:28 GMT

Cache-Control: max-age=604800

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"



CWS.....x...u\U..7:...%....4(..iD.....Y.
J*.(%
....()...t..Z.N<{.s........s..s....c>....c........
hG...)..A..
.....u-9..?.gW....M6{oo.......|.B|n.v...........y!
^/.Wo.?^W.KlR,.8..xYy:.{;....?[X..x.dc......_l]..,..,m...\..,................v..qss..9.bQp...g..t......[8.......w.....A...5..^.k...t....._....&x.........P5.o.k.o....
\.....
._h...Y;.......,.........._.t..t..F.V.6.6.6..^.K.~...................9C~?^/{7+'_.{6.......'..]. ....."....I...ec....t..m..l..|<.l .K.........=.k.O7._..[xz....d..pN.K.u.W/o.W+.e9)....`}]APTTTPA^XNAV.Z-.k........."2.B.B.
.'7k7+.s'...................'77O.;.(....U@\\NANT....p.....%'$ /. $,($.'.....W...~.....JXD.........d....rS..s.....:..S..O..?...!..G..b..0.h4.S.*.....0.ts..Vn>.. ......B.....\..LB..;W@...&a......{..H..GI...cC.VVV .h@JU\_..#.O.....c.....U...F....?@.z.;.c..x..."..w.....`..<s.o.....N........a......1...DTob...\.~rO..xV.{..p.p.(...{.!.'....
...l..z.N...X......].;.f[...WK..{.&]2A'...e6..r....+..w/.d=...5-@J.iX....u...*..A.X.p
. O{.....$K.7.s,.$
L.T.{o).?..A....U....7.....2.X...v.OU...S..jUgL.+^..R.SL.. ....5".....fA
...|./......j.'.{..r.....|.s......[........
...'1....P....'...(...*..<.{v...i.A..!.a+..2#........P.....t...bQ.....}|)Vz.j"/.$!...$5{M...Q....}#..}U...c..(..{On..D.n...M<...$..Ey..Km$...9.....fD.yp.:.t..4#.^a.W...B.~.-.s..$...b..M[...P..S.......C%..U...+Y+.....|....q..G/.....F.....
..q...8!...b........CoZ.(./i)]...g......&yw..
n..6..k.B.....E./..t.O..
O..+......
.z..)....f8.:;.:..;)x.......H..#.x!lO..?.N.R..\,.d.....G~.W..Xe......?..kK...K..%h........q....W...W..........zF.....<.. ....$.]..
..*....=..Jm.
zN
A.......6....i..W.O...a..../.L..Q.M.V..q'..]..*.......m....7..|.=..6......-.....W......6LC..*.../T..T.m9o./...o$...H.I...O$i(.&..[...+O(z.....U.*..b=Xi.;.6.....-=iIC*.t..d
9~sMz:...;.....r..d.`....M....l.....r...f.f....>In....N.....9.E....(8*w.......Eg.}.;.}..Q......F...C.G.....`$...Y7gk^-7..W@...(T..`....T....X4.X8.p,p..\.............V^. .#r ."!.z.Z@(.d..
....4...ok-o.16.d..6k..)..X..`\gQH....m...n.v\....u..%|w..@.0..#..,..Q.(.m....U6....I*P.{.........x@.b/}..I....v/4.....r..l..,C/|k..0O..".
....&@....
.....W..I.E.(L.0|...3!.BQT....%jz...N.....S.UP}c.....^..r.g..RI......e...5U.....y.~8.Pc..ZR.g.Y.F>..|..|.b...S..c).........}"e.k.0..P.S..!O]$...~...g.....
./}...cQ...~...v.........EKZ.|..f$..~.B.!&... ...75.Lvv.....>i...u,[..4...92...[8>....g.^CF,.Y.|u.Z..LR.i...h...a}j...i
hY.)7.m.....%...n(..}.i.+tK...*I...@'1.<R.....za..m;VL..}..Q(...E..?LU:D.,...x...z...0.....J.B.P...#..2..\..........LI7..R6..b.........n.}<.{..z... .....z...O.e........J{.......m..(].5.;...D.eH.....~.`....1Q_.;oqw.....-.oHk..(....I.l..3....F...E.P...w\E4...u}/.$3.z......4 H.....EJqc.....G_.L=C.o.7r.........5........8.....#.wr........[.9.E....+..%.......>.......[...T....Z%...)..eB.....%.x@Pd/]]!.Px*2X..}..........!<..!...H..........f8...m...f.e"..y ^...H%..A_`..l.............yO........b#............0..X...;.av...M.*]eRz1u(.c......._+..Ee..1...)IU.......2..@n.<......Ju.55...Y.<b.R...};4..N.0._..'....V..Y.!......J*.u..<tM..p;.
.U.C>.!K.^.h.u.f..`..2Ge^.Q.n
..=.< .o..=ZO.u....S.......ZM......./..`$....q.Qq.#....6..6.....a..jBI.Ht...V.5e....0/<}|gI_T.`ae... pc........;#...Y..]".5..<..$El.......|o..w.\M........=..Ez...p.F..A].F.<&.f.C...!........|.B...D.Q^*....$...>,0
.e..Fy..0.#RB........Ook{.GY............Q..^.\..0
on.HqY....a..j...a..~M.xY.|,.7y......l..
...Pl1{...,o.j.I,6W.ub......,9..n..Q.W....nJg.cD..hT.......j...t.......5O)@`/
z....
.....j5..Z...(..V........Sl?..r.EcaR....4...G..=..j......].z.m.....F....~..pg.3i.yO.`>..........o...6O=.p.Pq^{.e....}8......k<H.a&...........{4+.......J......n.....{.N.P.7......../.........y...g...__O..:.........@!....p...He.E..i3.k...@...H..9I....CA.....O......L.. .(g.a9M...:.ttvK.W.D.......P2......#>.S......j.}v&.vL.Rzt...x......t..q..;D.o..|...A....-..x.+..5/......\...:..%O.Ge..........k...].v.^.9`.....b_.&........n".........0...1.gL.....&Y...W.g...J
p..4..e.[...CaW...,z.0...2m....
........w.-...uX!.....C...%[..../...)..EDW.3..62i...+..].o|.s....Mq....~..~?..n..._.>..3.3e.vT...&...C...4../.0.=...G...2I....h...A......q6b.......C9.D.`=...<6.!......l..../..N.Ca?...-.r
..........0E.........y.m.P..Y@...z,...h...*Zd..2t?.A.8..-.@.#u.3U..Pe..j.=.C..A 2.0h.....bS>.....
...._...)]6;G..8...H@M..t..lz..`...z..}J.v....K..ts..\+..H......Rr.y......(.]!.5HK"{...7..Q;.n!.i..u..O.......P..)Hc$=..4.....\/....)=..|I..j......1i..-..P68..1....^..AD.^H...k..C..C./.i.P.n.h...Q+..L..T......K..(.P.K\&.v{.P\{.-.o.%C...p.h..J....;Jc..P]...n^....P..%...J..Y..p........Q..|g...X'...y.@"J.R{...^..q.k/B..:`.z[;t2.@...].....`..[.....,...;.nB.2-@..vS'#g........Wy...../....q...w!+e3{.%..lk..h1.f1.R.}..T.E....,.1.`.!.e.v.)..*..[..]ct..g@.Q..M! ,....m..w0^..|...8...&N.a7.!-s.y(...P.,.X.8....<.Um.y...a..
t0{.....A
T...o..
.}c.+........Z..ZI..
o]...y...l.y1....F..F6)./.=..$].....;...@.
..........."..:..;..K.....}...........M.l....'].I<.......u.. H.........,...C.7...ps#(.[q...3q../...+.A{..D..a.".....{e%p.h..
.z.q....N.._.........5. H...F3
m..r.q...\.0.-.
@q.).x...4.....r..S.Pl.k0q..;.W.r...(.rZ%..F..EV:.28FIZy...e4..SA...
.K0{...{.............A_...
.il...`..Z...........a...R..u.\ .r...d..'nP=].....$.
.%...*...U...P.o...{.. .'.eC
k............4......a.|...../..T...G.Z).9.B&w...^.U*9.T..,..\...1I.....>..o..dC...qha^4@ee!.>.H...* .w......kwW.Il. v.....4.`..s'.`.:.b.e.H=u.....5..G....R
.i.....\P.........^^.[w..B.g.yz.*...B...Y.B........m:..d...............j..x
..3...y.-.....7 ..8..3....(."....2...*.........]y..Io.X.@.>.I.l.0U...lY...k~Y..<.X...a.2Y........5Y'
...eeDS.|..>"R.?../...5m...I.............9.*.8.2%B..,.k..?W..........;..!Y.[...<.
...s. ...Oj........2I...+|..<........n.....v....f..._.M ......]..(9.-..Ea.......Y...i.1R.;S._...f....T...}f.@.!...,..f@.....G.q....+@...
@.(.M`.,....6....{....3p.n..x.o....g..,.....0.D.......Q...#.......T........#o..9"h$.............5w./....nBszR.#...r.5R..W..~..B.._....N..sp.._...."$Y.\m..m.\..o>k..).[n....v..,...N,...6N6....U......,.B.-....c...eoc.b....1..wsgQv...t..[..3...'..w.7.......
. ..\.../...oO.k...O'.7[..m._...Wk.m7[o_.O..E.K%>....._+..qZ.A.O.~...6..\.z..F(...[......U.......;y..Yx...:)Ec}.R1.........e.x|.{.....H}.8.......J.J.......I.`.mdW.....F......o....c._....^.= .o.9_...o.y;....7.".....D)...b.M...9..o.......9...1...
.....U..SG.W.h....?..)C...3P-.8.`.....L.,L...............' ".'.@..GHBx................3.a`.Baa........_.n...~..u.Y)!.X.8.....A
)..abb`aB.aAo........U@..B.....R0.i6.%...*..;.B......4.i.._...........~KN^AQIYE[GWO...............=_?.....FD>z.........y.........E.U.5.u.
..].=.}o......OL~..^X\..my..............s.`......."........=....{N@...*.C...k.A.&..G).4...........G.jv..............e._....)(z........O....../..v@.....0al....I...C..c!6
.`....$.p.B.o.A.\E..)...b.&..."L
6.u...}..sLRu.3*..`.......t..f.Q.{*.........H.W.. ..\..d..k.$.L.j.......D...r..[...%..en..=.tAw...$.~.........'..,..v..........HLPfa<.
;!..$.s......9R.t.=..M._$....a.z~1^[W2.S"..b7..J..<-,O.RX.f.;b..8#....H.M............B]....-./n7..'...e...<..:[..[..F... ..kHw......,.T..75&.
e4..YD....Q:..g......p+"E......sT.?..G.....
...6..t.h.*..X.Q.G!kSSEK.q.-.....%....n]
..."..=Ko...R@.
.M..b<)6..7..4..@.......nA.~.f...v..d(L?.E..e%I.l.5........24..&..... X.wQ..........E.
._ (..\...n.T.lv..*Z.j..F....\.5....J..4(.....g>..'+.........P8[[M.1..p...A(.b..a.j..yW?T......$..7.4u..-..e.).!R.%................./.`..s. n.............g}h.U.s....5...6.{.|...GJ.vUkm...C...Qsb\.W..c............0F<.$....[g.?..^.....V.f.2;.$rM.l......s@?.U.
...)W<j...bMv....i..........;..l.x....(.*..V....#J......z8..k...:.@... .....i.Nf.)r.J8................bz..:..-.p.....X...........N....(.}.9......6...<S.=xN...,`r..)..z8b~n.z...b..Yw7..I.....P4..._.........G8.W...*..w......Rx.$........E.&.......l_O..7...s......?.X.........H...SV....9.]...|F...<Oh........W\. .&"Zy..V...{PPW.......|..".z...ve.Mw>....D4...1.....7...9$..)......Efb..u*T....N....?y.&...;.^..~y..u.8..!`.I.d..|.H.Pe.....e....>...S'.3....h.E.....-A.....fSIy..U....+....*....l.Di..Y.&...W...8m/._.0..lR...?.O(Ns.......S..+|.....F.`...Z.d..S2..T..........a..$..*.P)....F....p.s.Yi.8............<h0.8..^....
pvP..".}..lm3.....y:m.x-........y.....P~_@>.[.q`y.?.*^.1..<d..$....f.U"..]...(`.&....."6...o.s...,.4...>c...+7DT..r.7..v...m...K..m.Sn.._c3C..../. ...........j.A..B......S....L........~........A.~...IM8.<Qoav..E..i._.."5..8...3.. g..a....af.X..8...8..V.m.>.W.?4;5@.|.3...Y...{..E....n~.W.o...id.$..}.... ?..b.A....).|.M.<.i>.F{.c..]Tyw......$....&V..+!..L3......;.(<.y.aRu..R..h.E.+7.
.y....i.>....aO`.+,B..'...`...Hk...4...$b....S........g...b.7.Y.YN%.....c..&.a(...`)..E..d>p..D.v.6....5S....2... ...7.{....w2f...........9..&...j.........<n........=.W........._......e.
.....8L..{...Ms..kk+U~N..z...o......d.g..kTS...........c17Z.<...g<.rnz..;..@....C...p*\0q.=.2G.../4....."d.)..Okgs......P5..0xH\7.2.d=>..PJ.f.wC,a5...-Nik.A..'S.M..XV"..u........9.......$.?Yi=t0.F...X......A..n&
....q.....55....;...-g.iL.?...s..A............D.X V...@...=>]@..w?....&..
.K...P...o)..?.au...B..)C...n+&.hg..\...X1H...{5......!......L.w....ShTwmi]....
...]O..q).#....6....7o.{A.C.=0H..4~.m0....~.~.|........AX.<.3....:1.!...t.R'..d.T.9....!=Hs!d#.k.aO.ol..a...q[.M.~........m
M."'.|}sz. .......f..f.K#!.f_N.>.Y.r!..K*. u"[.r..u.V0.....{...V......n.h...d...Dl..*........!...6.G..y@._..@B..?..V/.8&.8..[P<.#bF.C%2...}.4;B.....*..`.}...*d.e>........J16...(u....m......2L..!.kW...al
..[t.`e..&5.....3A
.....W7m;.K....X.txj.3dr).<!q{.)..-]\......3.
.\....%I..hM)..
..].
_..f...5.....v......d.....<.......>4.....7.9.....k6Yhq.......n..w.g.a.s.U...7.).2..<.....EV..r\=.4..i.....[(........e.[....G....N.......Z.)b.O.:p?......Cja=h..<m.1.hnr...T.w.............._cB|.<NT..P...h`3......B._..W..b]..q.4T".N..v..g..T.F..-...D.j....r.Z.s.->E...y4.<.:..#......8.;..].j.......T^}.....|.nA9.w.c......cy."...h.[.J...b....w..i.i...J...O..eqL...^......%.3<y..b..S..6.=}.m..........p?....U7.i..c+..^..>9.Wz<.%X.....%.~......A.u.~5...
Se..s...._-..IZ........{.{.L.s.5......VjtJ.z[.E.O-eyk........h....^..h..a.#.{....e..JO......N!7....R...q.'..XW....K..3.//|M...`...6..K.T..u.U}..&l>YC.X_.......;.......\l......{(..0.........$.u..}n.oY.qUY.....p.W_..r.[B..e.......u.-.p.UJ.y......]ezVy/C.^.).m..}........t...^.p...yx....&...9.....u..O.....m.r.v..;....l...5...zq./..+..
8<u.K.....z)..P....o..................4k..?....!....f.....u..k...7.c|E+T.|.)...h..5..
..!Kk..i...>V..T..};.....~B"....s..Q.3z......Vj.5.5u5_j<k'F&[.'>..D:....|t9.A+..oim9_6v..F.......7b..(+.J...r.(3@.L.
..7..>.v.qb..............WM%(9%n..:.5[...nn.p...]S-.0..`.....\....AH..t.O"m.I1..>2.d....w.-.......3.X..X.....~.^......*.....?1....8../E.....W..|...1m..._..u?A(.....c.{......26....p..9#E.U.."..........7..-.K....u.Y...9.|.v..aa.h.p;.U..{....Q.....x.S..T..?F8gn....L<.=....E.......|.\....Jq...I3.S>5+H4.l.....r..}W.Yu.v'.&0..ua.Sm.,..z]*.vPe?.._...<.xj.i4..R...........1Rc.K..k.......]^.x.IxW.[5../n.F........L(/.Z...t...8m.........._...~...|...6!......Z"..n...0r...t2.X..{.v#O...a.e..d.l.4r..9T!..WPN|.......4.y.;.o.....|...Fa.D.A..HxUK.C...^....n.......Uo.../.;-..l..<.h`.+vg.>_.|....Z.x.Q,..p....|.&=B7.....e*3i...&
.t.H..^.~'3i...........a.....h.../1........g.Rk...]..Q.Q[..y..{[.....e...'.R.A....v..f[..V]..J...<...i.x7|...:5.!}.....iC^.....K.w..)t.z5..W..7.>e..F.....~..@..v....F......v...lv....*OH*...e...I)C.x..u...#.;..h@.x...iv.~
......Q.?QT..m+..(.6..i.B&..5.~=.P...(..v.U=.'.....` .r.x..=)..c..w.i.g.p.
..d........W...`..T.........ia...
.
.|
..-..;G..=...........S.9".0}.)!b7._.|...|....7GBT.]...(F4...|*..uR..]f..+h.1wj....P~....an(.`c~...f;.......m..9.,r..d3Sh.Zv&Ow...f.....L.N(....PU.e.'.....w........+...)y..t.O........+b..
z.H...
.D$..A..........t3c#..O.;.r..-..{..s...2...".........\...-.?.....n...X"}.&....R.#...g....uM||...eh.d.l..<VX...;;..5.8.z#|8..M:..M.....].H....U.J..V....7..L...3..4.
.......>...w..t%{^....C...L`z|/.....S.].....N.%....f.....t..0'8.[2..;%..@.q....].u3. .....jd..>.=.....*.a.. ...|...t-.E.L.E.eIq.T..C..z_..#.E....bv&...:ncMC;.. .tS_.J++~'I
.X...!.4Y....*.6...2.s<.>s........5.ff...Y.z.|>..l..!....$~.j..Co....;.....*8m.n.'n....l....^4.j...v.....qs+o....`.H\.....cj.y.x.......G].#_..
..N...+..b..................t..yB
.5m.....;+.bQ.....}.....zj...vj...y....@5.p.s.o.f.f..~.............<........
.y.7.....K..n......r...K...c.!5_[.....7./U@...gf......]............FOA.{..Og.\..^.k..t.bH.'K}/..SsKl...E{k..QV.\.....zq(.5.n^....I.&.P.....^ .X..... Y.DlC....H".(f.9.W.../.>g....Q.0.....my.....Cc6..:./ISs.g.V..W.|.;'.......#.....gbwj.....v..._.9.j.)8...J.b.rT.S....ql1....i7..B..Z...V.(.O_.2+3.......sP.r}pe.....g...y.&b.G.....[.B.q<..|. .....02w.`4\.]H.#.I.!eTb)b.?X....^f....;..vi...H...w1Fn.m.5.....9..&........z..<.../...."
Og.=.U.1Z...B..0..]....nC.-...-8..T.1....EO....]..O.3|#....Z.s.z...h
...Z.....O.....
AI%<aVw.7....U...... .k...[<h...h>. s7{.a.
D.IN.^..":...M......../....d..t....|1..&............m..N9.).......o\{*..B......RB.f9...L.....U...Q..^4.\-v....L....&.Gwc|*!.S...e...G...J...7.....c..6SsU....nuA].T.r.S.T.+e.[.:.....Z...9...h....X.N..(...]0...y:c&.....k...N..i...$........}T..JfX[us........L.:...u.......{.]..O.....*S...........
......-Y..;..G.7.=..T%l>.....#X.......o.Z..z...Y...f,..]..nNT..+f.%..(..*....|.Jv.q....i.j"tZT....z...\L..'....5..>(.......$&M=.<.7....&..?O..........N.........pg.Y'.L.,.../z.6~.u1........H..NE5.j=.....c.8D_...............,..A+.[....(i...N.. ...B..?...p....+.SK....?.L.. .IH.N.N..t.R..r[...4.HA T%...3.....-^..M.e.......:_Ad\s......'.b`oL.#..h.V.b..%F.(>./.....v.......p.2.qC$h.....&v.
...qz}....lE.....O?/.k.......8....^.*aq.{.%...4.*.%..R...T{....>.....Kiv.-n.gf^..........:,W.kV.)...gO.Ap.......{...i.7......Gk\$.8_......l..s...nUa........ ..}.`y..'Q.47..ru....tr.1......+.R;5...>..L.f......vUq.O....w.....wNw.o=.q*.K...g.Z.#....3.c.)...?..l#.........}..9......#.....XZ/..t...kuT{'.Od.......'
....a....9|8....d&........'f.J...T../oJ...8...@[..d...n..h.q;...r..$.@.vWBM......-..+.Z~v..)....."S.u..A..r.....)s...*..K...%."l..`t8....v.#.!..)..#..S.e;..bH...q.Y.....&(
.....z.D.....(..ghs.&..;3P{.0IC...m.~..-...m......l....wa.p.v..Pl.O..a...fb.]*......&.~l..~......_..E..._C.5}...%.;.Td.......Y...;.+..|..$.b...O.(..]...N...../'.....]@..l..V
...../.NO.....n[.q+M..........XluG..h!...7-.O.|.&!5Z.3.~.b.6..P..g9...R.....",*yx..
.j......dB....S.....Nz.
xW.....By".pbL.b..S.........&.7.U(.>t8.........8..1......#v..C..<iJ4..a..;...-e...?.k......x\.........&.-
........;....E1I.*.....F]......<...lT...c.aY.
.....Z I..k.|...
&.]O..j......[...............V.....K??...xS.B2n...N.M..9|..3..!....B....}Qd..........wW2.%../R$._...&...M6.).-a\...} _|.u>...d......F<.3......KNAv..A5.R..m.s..hP...?R.o*v.<.{J.tx.)..g..?.%.......+D..8...........+..Y...c.......hP.6;...s/.&T.._.-7c(...Q..
.......R....v.Q.s...Y$klh.P...EB.X.TTl1#].m,......Li..*c.H.
. ......0N.?..2|<.........6}<}qWo....b.d...!4..3.....;..H.....q,....g.....c....:....E...68.8.T.....0.98zh...V}cu1......RS.z...U. ..>....I.J.:.Yg.I^j....E.., .u.N...C).GS.....j.=b..N>.w.J.v.c....&G...,(.W,.>..C......8.m...oPC....~.t.......(.,....R..u....dY.........oh{.P4g......cn.....S.5.....c85...........N$U}..x....T|W...;..A.....b....t.\Dud'...5...6Q....3]i.*.....Q...n`r)..~$x...-m........N.l.[.._L_.| vkb.....J.............:..........#g...@..F[..,.=L...4,...r....C..(..GO...2Qv.TT..#y[...]..>.O..'.lBea.
q=#
..s......$,..#E......e..[..Rk....b..|+...I..G2n...Nd."Gd3......7?.|N=;..F..%..(fG.........^....N......6'W3.@.Qof".^....../..Y.[./.d!....9......o..Ia".w...=^...u9X.v....|....kw1..F..;.iW/z1....M.....7.&.....*..*.D.9E.'.)_noX.%`......X].. y.>~..[GZ.b..........Kf..,!.......t......z.......P.`..e.I......A.Q.L.6.p.h;K..mvc.7..&A..8...C.._.^...+7.<...z~..)..=.y.m..............X8..j.,F..^k...........1.....C.N...F.....%...W.B.9...w...v..M....I..w.5'.7M..{W...EB..]N.4.|.-v.).;..m.!.Cm............b.-%../....ny.......?...X{.6
.^.L....d..._0Y..me.sYn.=x^C..T..}9.3..Gm.!..iR.mife.w4....7T...~....n...m.n.f"..PCx-...s..K...p..... ...I..D.>Q:.Q...5y...1.e.T_dt .|.....?}.../u...1
.K_.u.S..0h.}./....;].*........a.e........C.T..j..?...fbH.r.2...$...f.zoNn...5d.3....B.0.G2W.w....;..;L..iM..Lj....2....m........8.h.....,..'.sK.r.....i..+.S..O...].Q....K...%
t.......>....?....I?.::P..e.........Se...o.I.5'..m#?.m/!b...uy.C.`z.J..........Djj.4...K.....t ........T.G[K..p.....z.IZ..... .z.
.._.o.........'....u..T.....u..GNiw..I....U..>..$.Xu...0/.X;...Y....S..!..)..~~2....._..-.rMgO
Q}.....V,m).....yt....*f..m.q......Ys....$.....\t.Z....EY.y......
...w(...._%'.....s..\:.>..........`Hu.~..x.F..
:Z....s.~l?Z..p..A.H...^.<6.gF^Kk..V.D.U.i.>m;o...2....H3.C.gv.h[6../D.........Q.c...n..<.f......t..t.....rJ~......g...Uh......j%!R.3$w.#.....kv.......F..qJ.Re.>f,...=...V5.j..K.9W...N..g.bA>.X.~a.+..
.........q4.N..'~,,fh.H..O...=e.....X..E.L.pl.k^[.....R..|..x
..v.i..[.....g,...W....
..2.w*.B.r. q........}..JT.....&3..".<....m.@.....Kw...KJR..X...*.%oS~MH.qj5....R....?.?.hs..G.#.O.w...gYwP....oj....f...M......}W...9..~...e...:.J..0.q.....W.SB.....
.c..t+......wn...\...I.G.W.y....Eq..4F..z............k<.....
.....+Wi....._....s.z.T.;K...$y...x...........y.O...V.R...s..pb....y.\z?WSQ.,.%2.d.f.wL..j.......'.w..../...q.T>..%..^{...,..CJ..Y..=.X9H.J...RD..I]......
...'.U..........'G....z.D.b.c.5{..?.IH.J.Q_..m6.R.L.Yu.._..J..o~....2..;..&%....C...bj.#.a.4....!MN4.g......0UZk.....n.~HN..S.M..............
...)..@O.q.4...3.EJl..C.......Ww......=$.......$A@..Y...T.,.H^X..A2...3(9.%..3J.9,y.e..D..9.^....|..>..........w...&.<...c9.....R...y........Q.%.
d2.....n......5.....z..~.
np..^ET..6...j....)>......`.R~.|*G.a........_.V.........3.%..v.n(.Wf..':{...U.y.R.zoQ.iN.C.X..PZ.:|..l!.|..pU.Z._HS>.....b,r..........f.*.B.U.V?.s...jU.s+}....kG......\_Fs.7..Ag.".3S=.v]G...}8h..... K.pt...
p/..t.[%..7E.0@...e..5..
.hN.....L...we2}...R.E_.......-...1U._..!..UQ..Yv.+rE.[.h....GZo..M..F(*e..;B~1...{.O.............|.......(.5....s-0..Ik....g.(
....v.@..
.....;,ma.4.6g_+f ...b....g.O..[..$u.q.G.+.....?I
....%C......g.?Hk:..?.8oCfQ.....!O....w..^i...{].KI."...E...:.....l..]h.*b.l..2FCE.....93.....W9%..4u..p@.7.".,....H.g!Z$_.9..X
...j..o.d>..).#......S.CtMC>.u.. .\D..UD..3..gY.).v.]...#zV[..[O........d.....E......,..%.>=L'..IE...i.A...z.P.....MY.QC.>m......|UW............(3.Hqs..5l.1.f...P..6...V.'...i...,..1..#..#ZI.-q:a....a.R.S.i..%n>.CV....%../.....h.G<z........\..I.<..$.|..Ah|..=..e{.3W4.j.D..rY>.>.ok.PWk^..DI........yZA*&v|M..gE[.G.......E..@s.ZQ.s.....l..W9P-k..Pk..(..~./.[.+....}aC...'&0.....i.Y.G...;...d.G...........E.n.I.K.....L.v.....bD..V..tf..c.l.I....2..i...8\..>.UL......BKc.s..D2...?\.}.\...Fn.....Y...x....|.......j..D.J.%..iL..>|...2....9..u.A.w..d...k.mY%.....].%.....O./(.......3.S.....ienwXv.R.o.j..r.XPI..p..R...HP.e-(...Wp....#.+.8.*It{.... ...$@c1."D..u.vwa.j..c.......=#D...H..#i....cT..3i*...d.5*.].OH....1.....i_'..4..du`..F(
{q...$G..,.Q....,A4.8y...@...@,x.~......!...Z..#:.@...Pt..M[e.
Dc..A...w...........i.$.....8..n..=X=....v+...zMeT.....7d...........2...AgA.p.@{.`...82KP..*.B{...z...Xi.Q..f..o,..k3.,
..k.z.V.'v.T.......49f.)...Z.........f...$g..eP.......'.a.j.<-7].............U..+.Y..a=j.8...$.x..t97w....w..F}....
....*.Sw.NgX..L...Mx..[..1.P.|f.s...{..9k.C?.j.T>c"k..w.....i..(..;.......oZ..66u..&...!....9(..@&b.t.O.#..u.....~~Ez.......Q...=9.N
3\..........,..X$.....W[..?..F..a`Gb.*@.w.......:......VUG.....5.t.y......z...y.......1i.].s2-.+....F..h"^.p..b.7......[2a......-...(...?.*.......*.........8j.'!.
.[.:.o..^4......`k3.R}..
..e.F.&>'.q*.....&"D.6..P...r"b..a..=.U.gcy....$...LM..CRO......%..).Ef.v.T.m.M+.4...G.. c.u.
..t..R..i..4....
..a.E..
U]Da.U....$..>..F.5..M...R.g....
t^k......"e..=WeY.=|.m...........;.E.r."......o&D.....X.Je..F.'Tl.R}..Z7y.f...L>y...@s...sT.O...R$..[...S.../r>......
...+.....Y
...$...i.{....X.*..Xsk..>.Y. ....../......I.....)H}.J.e.N..q,w...W.eV..E......j..=_.OZ$cA..xp"......&u...l........F..`e.9.4...Uv.d.~./.BO.........v..?j...).D..q!..H.p..
....K<>.;.5..M.}g....Q....M...I...I:.@...4<!]qvS.}...v...;t...&a...w.'H.....da.{..oF..#5..6..P.F^.mm...u....9w..)..y.....2...S...........G.l/(_$_V.oG.nD..@hOk3.l%.M.[.r....>....,..V..<K.a.>
2~.......H.<...!5IV..:..?.O.(....?i..*......\F.p.M[3''.=8..h..:l....p....1....Q....T...,.t..|.!9xPi.fL3.-.;'..e..................B........_X..3.W.+!*..Rf...`.kp..1<....o.,...}UQ.nA.|Qn}.....%...._I....'...%,)...M~.....+.$.....n.5L.....g.w.HD.2..W..r.....7...4...
:.8.
....vYX............ .g.ml.p.A....6...6...}.%...g..0..p.i>/........p <xm.z...Q~O..(...1..s..at.>jQ...j.;...i.,I....z...S..b...u.^6.../.......f.....d..Z.`?.w....).7.B(..Xw2D0.W...../..........z...Msi...d6u.B...M.......Q....f/_f..V......hZ...X....x.>2.....i.UUz...s.)}.:.Y#..
..I.J~.1..P#....~......F..0...|.@.^.(QFd.5.../x..^^.<....[4f.4.h.\`.......:..A.i.#.a...!..l.....)VV.N0..{..7...Y..\rw.."...C.............V...G=d.-.C...E.\....?..x}..............FG.,..o...2.DL.*}..H.?.|....Cj.....r..(V.3..4.=.........U.....).......6.Oa.$.L.m
...30@..|...b<.Jc..`.:.r]...2.....y_./8l......s...l.....R*F..1..1J.KZ=..z.^k-/
>...h...\R..8+..CS.x....z.b.0..&X.F.......l.s...m.-. .=..[...bb?.....t{.@....zD.... :.e.m.g`...Y.(.....R.ViJ%i..~O..,p......).5&:....I.....%q.+.lE.......>@..3..F....Sn.......pN..q.$;_....<.L3........k0.>......5o.i.X..!_5....f.[....*+...C.0Lwa!..2.A..H_7NY.[...nM9.3@Rt.kF5.%EV.u.o../..=h..._.-.........f.]."..^..x...59.]D.....!.R.L..B].....N..d...g'...9.1...b.
.R.%.9y9.%q......+..q...E.`.B|..kH.... {Qd..eV.d.j.|...........U.6.p...Y..n...o...a;..~S...|.^..Q(.pT'.xt......./U6_....@..........r.p=o]...pLBH.x.<....5e)V>U....;.h.w.+..B...=.....CnG#.{.....J...n.....$...&..3..%m..}g&.-...N}.i.*..Um@..\.Kk.QT....Y{#.s....S...V.....]rx.d.J.0..Y......'..G%e.,B..!........I.b....J..z:.:.E....P 1]~..[.f!.*l^.....NOY+.3a.j..\7...........n.A+.yc%..x.k....p..^F...=?.*..OA5.0...?.[.Gw...W..,..5.@..iPj...?.... ....(LC&.....`H.~0...H..u.4JO:.=...^.T..,.W\.e4$.. ._y..k.....l..y...
....*....6FS....P.ye5wDf.......w1.
.
~...K...??.;...B...eRC.t.j7.F[9=\Q]....g.RE8.l..m.c....i..d..Q...w.....a..6...s..7h.....]y.....u...N..fN.....=.....u...0.]"N....m..!d`..3.i...v.v..{*.....J}.$m..u=[...........C....;..,..T?X:>..k......w)J..P=.}..
....NMG<....~\....B..x......}...c.B3.<...C1m2T...'m>.....s.;|z!...".i..j3.. kz./.......G.....vR.F.)...2wb..%..Y/.J.u.j.<..gAw7..s.}.......,.4.7.)...ao.....`.2.]?Jl*..a...3.B.U.^G.G......R...V...z.|3.......Q.........e.AC......FgFkb..Mp.v=
R..?.&.'..W..de..{.(7iTuP.Bv(..6.D'siC.g}6Pl.-..%..g.$.bg]YHU.G>dr..`......L....p..O....t"..W.C.yj.1@.3....H7...1..V..y....,EF.Fx.D......n.
U4.*.jB.N!+...._....
.<.3.O..||+}=....~...P..}...F......o....l^..\h.
.......
.8..obn.E......2p....,.n>.'X.......7..X.!.......OnP..T.5.V]..+9!...IW......7...T,........X<..(.*.($+"...gpiT.3...UP...MB...W...QA
/R..N.%CDL^J..F.L..<..Q.
;*v.dp`V.V85.
.ZwOs....=`....=......e.A.P...SK.x.2.,.-....."..j........ B}I ........;Jx..A....S.o.}..........iX^..c.....)v.?.........jhz...u..qK...a.......Wd.A...:,H_F.4..
..0?.4...j.:x.....|........."W*....8..:...=E-OC...!.."X.3[t.N.Y!dR...)j....1N..?z.......T......,.....2_.,...A.....?y.X.?.9....Z..<e.d$X......#o......r}..U.h.g.._..l*.].....I'... .Y`..sLd.Z.l..No)....13.>......].......x....et?.....P........#.@......}.......:|I...O
`......^...6b~...D....'..}...D.2y.2..;....B...#>.O.)t.._...p......^<c....L..K.J~u.~.n....!..q..."]ZC..x....x..j.M....Xq.R....F/7....\...1K#j(V....=.[[.&K.-.O;......Q..L.8.(..v..U.....AS.u.t.T.]....h$..^/j?..=..'B{p..:..\......>T...uO.Y../...#.5.....[..s0....cT|.'....)8}....h.r.X~..}... ..Y]....P..Q..e1.k...:..(.2.p..J~...... ..n.:.7+..T.U\..WE`..W
...".m.r..t9...7.[.O...}<:...
..K.
?.]..`.....v...T..X.A....UP..`w.l.}{0 .P.0.......[.c....f.n..p.f......H..|s.Z.....24..U.6.%a..ji.fEW...{..u..Y)......n..(..~j.[.B14A./..Di<x.?.{Q......%x8......U..c..|....AM.V..K.d..J.....y..-.x.g...j........r.d......P]....o............1.mCS....9q.qz8.H{H.._UP...B{k...~......h..-Sw....1#n.d.wQ.....I}...L......;2...0N{H..}.*-S....].....S.3R9...E....s.......n9..{...."...m..-{...zG..Pb.pA./.5.F0yD.$......9 .Q:d[.4.......DE.B.}.z....n.....d.<.xD....mM..0tl....M.......a.@S..x.A'.:.N....s......'E...`5.scF^d.um.A8...}...x...].....'..2.#....0.).!.!zQt|....7E<_.5......N..W.......l[.!...s....e.../..........a.0*...Z...l.N..5../.Ms6c.....F.?
G.....v...N.P.9}.U#/:~........y.......w....g......J~...s.......b.=..[Ku.C.....W=g.k^PUV?...]..6.T[7P^..4*w...ku=..P.A...1..\z..e}...........>jd.......8o..P{.{......-&G%U........;:........yt..6.#...v"........L...+...P.xd..;..P#5.. ..TB.....\.......6.C.j?S$....z.Jx.c..}+E......cc........D.:./....4Bm..T..mRQQ].U.y..m..t-..r.}...j...&^..k'V...W.F..qa.]{e....7.o...b..|.=..^......M-..i'....}AU......m..]~|......&..,$.WP=.....n.....)......9.....1Wv....N.n.3.....2Hv|.....,N.....................p.a..LT.3_g.fD^..e.o....F...2o...A.e7.E.;..{..5..my...........<r..?..XRn.=b...H......<..%XC..<......L..|.>..........
.m~.........nDc.z.M....a.71.
.26..;|]..Ju.v..%.V?..U.d..e.s..w.jJ9.....5......>...,....%_...T8.(Vh.dUj..m.=.q......KT..L.u.u.....Zu...u..02.I2|..aS....X.....el^....1....[...kdxn!Lk++...)..../..6S5...^.k..5.)....LWwf.T...&.d..x..........G.%.3..E....D.......8...:.0......*.n..L<..... .q.....).Lx..P..w{Yr...R..."......~f..W".....ln......:..v.E........|R........!./..3J.....r.f..h...x.U...........+i....m\.:.m....).......C...[.4....5.w>I..Xd...[.1....,Nk9.....Kr.%x..9.k..d..,E}.%.A?qL]...........w.8pV...'..{Z....b.=_....so...V.x.....h........X......!s.,r....7...=
...5. q...../t.....l{n*=)t.y.P'..x4Q..'<......z...7q.....l..*.g&=...m..ES,.=?...+N.a..&..RkPu..........K..z...........T8xyx.j...~.#e..I.U.e..y..s.....yv....x..Sj...c"..kv..n...[....._6.W7.x...U#.jJ.#....I...'.Y..1.......p...e...".;.M...<.=..#...X\.xCi..Zk.+..2........L-w^6..e..}...../.....E..|1!
...)b..2..4tZ*.B..m....:.+3.....fW.g|..].."A.
/.E.M..._....W.@WH.L....D...;[..|y.C.{4....*......aYs}......J.X?%y.(..`_.`...x...D......j.`.I.5{.M...U..k..g.:.....O.y...e.o....P....q...(..{.g.)<...I_.I[..SG...'.'m.o.....].?i...)....r?}..|
..].._....IL..c....$...c.....K.9q..?...\....$......g.d....lk..i...a
...I.......+.u...Z.edN..]..>..[,..2:.gn.n.....j.).\.I...w...MC\.[_.Q........,.yj....op?.]r|...%G.. .....?..=
0.0"..H...x..&;D...\...C}............O.....kv2`.>./.))...."..`..0.[..AZJ.......b....OG..2....x....oN.>.|X......../ ..I......
}.w -.?.............HS....e..^L.T#M.;.z./ ..e...I.>
z......O....w.6X.D..x..1...<.'..0....JK....R..i........*....._..l...../.WK..@.....J..
..C.q...f?.*..X..xz.`....C}...~.ql...S....BO....J........d.....EW..}.....d.../..S......9l.m.6t.na-vk..D...U9..h.G...._..\..Y........9....F-...15.x.e.D.....@.....{..p{F.!.`...S.U.......S?.._....7@....M.q......\...W......\.gNG..:P.....
0bg.,W....C..98<..y..u.
...C.."..6.g...T....m..X...&@Jm....?yS..>.K._..'l......Z,5..N.....4-.%...A7...S. =}j....E..V.)KG...O5NL.Z..L...w.w3...Sy..
t9...l=.B.O\....Z.D._...Y/v........x.....p......Y."Od.<.F8...|....t7..._..P...SAS....E......lO.ER.s.........:%?.W...
.(..f..U.7>.18tQ};.7.....RG9.~!%..^SU.^.+..*..
..L.VT...;.C...."..9........"..;.....K...
...`.=..r...i2.@...c..H...W
......v.G.r.j.A&.J.
/D|..a!...q..)f.....<c....f......=...C#.Z2r.........:.c)~...7..$...3.Db..IG$p...F......p.q......~....,<w...Ij.y.J.....=.X.....^ ..Ua_"..0......`{|L.KRo..)Ht..Psb....Z.`....7..4.`...PPV,.....>o..S......aLC."8...#.i.H...3.#...'.....~.j....tN..W.K...3..o%..-...-......_....yZ3.....s....w.>(~...6.:ml^.T{....~gH.,.F,.V.....<..3..i.........i...4$.?.....qA...-.".y...l....t.$.S9......$.....)..;I2H.ErL.3.~LE........m.=.
=>Q..{......%...c?..H....8....2.x.......*]......'%">P....ox.1T...o..wW.}..?q.1T.!.o...="tg..~..<.ap..?.xP.@...Z.+..p......KD.._.o..f.g....y.....F......j....z....q....V..p..R.m......Uc......>........n....3W.?....@...U...U._:...........:......h....../..h.|`..%..n..............Jn...N\..l.x.!.G.J...(p..Z
.$K..K.r\YFeV.q...(.;....:[
q...].w}.8.A<.....R ...\....D[f..k@%. !.*6;..H.7.d.......P<.8vPa._...Q}e.._>].}.'Q..|...bc..c.@J.....fS
M&..xW.
.BES ...O<..1.N...d..D_.
.hV0.d....Et.o.:.f.....@.g.wA.d..%Q.L.9.'.V...Z..$c.{wg.'I.......g......aZ.u+.t..k2FX..R.......y...6.G3........V.$*n...iV(E..J....g[.=...8.K
}v.O...^..5.x....".g.......T....sss...h.8.1..F....5...w.\.o..X.w.:L
.xU....?.<.".....7.2kawe'.=...\G..1..|.l<q&6.......0D}...Gw........q.....j..BuO..C.!=Q..>Z........^6~.:...z..@..a..D yZ..,u.)p.M......IY%C...I.9..m..`.p...K~.c.6P"..w.fe..........Jz..........K....
.}...t.1..:...j#..K.|o7
.#.'ID8.....8.a...H...wj..#C_..xt...i.........T..0.l.R...
...Z.{....F[t.>...u........Q.............XYl.........8."..kd2.).A.e._.7r....*..$[%,..X"...iJ.....)....":.s&.......^R..G..q..I......8&.=.1.-A.3......O...=..................!...X.0...J.S......q......g..c8.....~....W...........g............?;._..n...q.......('....wo..s3.....!~9........:..`.....]....t...l..~..;..~.DS....c...yq...{..G...2.s_8..z~+=.O..%*o=.2........7...I..`5.....5....j.7..,.j}.L..{..+].i...>J.....F.......M.....q...(g...'I.@...:....).VA.c.ov........D....e..".j..:......j........i.h......25....v.Y>..2Wd.....,...,....e..~....OW......k.d...cZq.......o:_.-[$.......t..![..;../.Ap..BF.......3.........p;
..?...H..
.....N...C{S...[16/...xe...P.'o.n.Zy.k...
....{.V..Z......k....._+._*8..V...T....T.%.8E'........0.yfs.........3..@.6@........(..
.g...........Q$'....B...6.]....-.E...~....{..8e./.{....,8`...>XH.....06.........N0..?6..j

Then we will assume the unknown mbr code is not from Samsung and or you still have other malware present and proceed with writing a new mbr to disk.

Let me see if I can find a source for a W7 RE iso image. You can download it, burn to CD and boot off of it and have it to keep.

go to start/search and type in diskmgmt.msc The disk managment windows will open up. Maximize the window and take a screenshot of it and post the screenshot.

hi shelf life

here is the screen cap:

bye
philippe

there is a 100 Mb partition that is not attached to any disk, I check the security settings for it and it says:

\\?\Volume{1057A64E-B3AC-11DE-B77D-806E6F6E6963}\

looks strange ?

bye
philippe

I did my homework and this 100m partition is a standard part of W7

bye
philippe

today I booted up the XP box, and farly quicly after the boot my Modem firewall reported this :

TCP- or UDP-based Port Scan 4 Jeudi 15 Décembre 2011 22:53:01 public myIP:50373 source: 89.2.0.1:53

I will PM you a link to a W7 recovery/repair iso image. Burn it to cd and boot from it to enter the W7 RE. Its from there we will write a new mbr. This will take care of the problem assuming its a mbr rootkit. Also pull off any files you dont want to lose as a precaution and i will find a good set of instructions to follow.
Did you get this:
ISO image of the official install from digitalrivercontent.net

hi shelf life,

thanks for the link and all your help here.

In fact given all the problems I did get, what I plan is migrate to Linux for both W7 and XP box.

I will install a CentOS 5 distribution (that I know already a bit), and use a vitrual environement like Xen or VM virtual Box to install windows if I need it.

Once my data are backed-up on the NAS I will do a low level format of the disks I dont' trust, and install from there uising Ext3 file system.

Do you have any recomendations ?

>Did you get this:
>ISO image of the official install from digitalrivercontent.net
Not yet. do you have anything to say about this ?


bellow is a link to a very interesting tool to do in-depth live memory analysis
http://www.mandiant.com/products/free_software/redline/
I did an analysis with it on my W7 box, but I am not experienced enought to really analyse the results.

If you are interested I can send you a download link to get the result of the run it's a 100Mb zip.

bye
philippe

Your Welcome. Not familiar with CentOS. I am somewhat of a distro hopper and I am using Fedora right now.
Sounds like a good plan. Malware is going deeper and deeper in to the OS and becoming increasingly difficult to detect and remove. Seeing more and more rootkits now also.

HD vendors make tools you can download and use for diagnostics and to do a low level reformat. (http://www.ariolic.com/activesmart/low-level-format.html)
I've used Western Digitals utilities to wipe a drive. G-parted will also wipe a drive but I dont think its a 'low level'.

I asked about the official iso image because I didnt want you to do anything until you had that. Just in case the fixmbr failed then you at least would have a reinstall disk to use.

Sure send the link to your results, I would like to see them.

hi shelf life,

>Your Welcome. Not familiar with CentOS.
CentOS is used by some hosting providers and I use it in a server context.

>Sure send the link to your results, I would like to see them.

hi here is the link to the result:
http://oron.com/vcsgs4tmyuqo

>HD vendors make tools you can download and use for diagnostics and to do a >low level reformat.
Ok, I got it. will this process erase the MBR or do I need to erase it manually ?

>I asked about the official iso image because I didnt want you to do anything >until you had that. Just in case the fixmbr failed then you at least would have >a reinstall disk to use.

So I can safely dowload it to use it for the VM.

bye
philippe

hi,

A low level format or writing zeros to a drive will wipe out the MBR.
I saw your results, didn't sift through all of it, but didn't see anything conclusive. Had to install .NET framework to use it. Good Luck