
redirect virus and malware please help me!!!



mrclark
2012-04-20, 02:22
Hi, I have a nasty one on my pc. It started about 2 weeks ago and I believe I got it from an email via a family member. On top of redirecting me and giving me constant Internet Explorer crashes, believe it or not, I am hearing what appears to be music and advertisements playing in the background sometimes?

I produced a log via one of the downloads provided if that is ok.

I could really use some help here before I give up and reinstall.

Thank you.

18:44:02.0046 8452 TDSS rootkit removing tool 2.7.29.0 Apr 18 2012 16:44:20
18:44:03.0062 8452 ============================================================
18:44:03.0062 8452 Current date / time: 2012/04/19 18:44:03.0062
18:44:03.0062 8452 SystemInfo:
18:44:03.0062 8452
18:44:03.0062 8452 OS Version: 5.1.2600 ServicePack: 3.0
18:44:03.0062 8452 Product type: Workstation
18:44:03.0062 8452 ComputerName: ADMIN-FDC77CCCA
18:44:03.0062 8452 UserName: Administrator
18:44:03.0062 8452 Windows directory: C:\WINDOWS
18:44:03.0062 8452 System windows directory: C:\WINDOWS
18:44:03.0062 8452 Processor architecture: Intel x86
18:44:03.0062 8452 Number of processors: 2
18:44:03.0062 8452 Page size: 0x1000
18:44:03.0062 8452 Boot type: Normal boot
18:44:03.0062 8452 ============================================================
18:44:14.0453 8452 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:44:14.0468 8452 \Device\Harddisk0\DR0:
18:44:14.0468 8452 MBR partitions:
18:44:14.0468 8452 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74701AC1
18:44:14.0515 8452 C: <-> \Device\Harddisk0\DR0\Partition0
18:44:14.0515 8452 Initialize success
18:44:14.0515 8452 ============================================================
18:44:51.0609 9752 ============================================================
18:44:51.0609 9752 Scan started
18:44:51.0609 9752 Mode: Manual; TDLFS;
18:44:51.0609 9752 ============================================================
18:45:23.0437 9752 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:45:23.0437 9752 TrkWks - ok
18:45:23.0484 9752 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:45:23.0500 9752 Udfs - ok
18:45:23.0531 9752 ultra - ok
18:45:23.0640 9752 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:45:23.0656 9752 Update - ok
18:45:23.0703 9752 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:45:23.0718 9752 upnphost - ok
18:45:23.0750 9752 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:45:23.0750 9752 UPS - ok
18:45:23.0796 9752 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
18:45:23.0812 9752 USBAAPL - ok
18:45:23.0890 9752 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
18:45:23.0890 9752 usbaudio - ok
18:45:23.0937 9752 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:45:23.0937 9752 usbccgp - ok
18:45:23.0968 9752 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:45:23.0968 9752 usbehci - ok
18:45:24.0000 9752 usbfilter (e5b14557793164db879ee56f5b59c3e2) C:\WINDOWS\system32\DRIVERS\usbfilter.sys
18:45:24.0015 9752 usbfilter - ok
18:45:24.0046 9752 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:45:24.0046 9752 usbhub - ok
18:45:24.0078 9752 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
18:45:24.0078 9752 usbohci - ok
18:45:24.0156 9752 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:45:24.0156 9752 usbscan - ok
18:45:24.0203 9752 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:45:24.0203 9752 USBSTOR - ok
18:45:24.0250 9752 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:45:24.0250 9752 VgaSave - ok
18:45:24.0265 9752 ViaIde - ok
18:45:24.0312 9752 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:45:24.0328 9752 VolSnap - ok
18:45:24.0343 9752 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:45:24.0343 9752 VSS - ok
18:45:24.0406 9752 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:45:24.0421 9752 W32Time - ok
18:45:24.0453 9752 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:45:24.0453 9752 Wanarp - ok
18:45:24.0468 9752 WDICA - ok
18:45:24.0484 9752 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:45:24.0484 9752 wdmaud - ok
18:45:24.0515 9752 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:45:24.0531 9752 WebClient - ok
18:45:24.0578 9752 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:45:24.0578 9752 winmgmt - ok
18:45:24.0718 9752 WinRing0_1_2_0 - ok
18:45:24.0890 9752 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
18:45:24.0937 9752 wlidsvc - ok
18:45:25.0031 9752 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
18:45:25.0031 9752 WmdmPmSN - ok
18:45:25.0140 9752 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
18:45:25.0156 9752 Wmi - ok
18:45:25.0171 9752 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
18:45:25.0187 9752 WmiAcpi - ok
18:45:25.0218 9752 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:45:25.0218 9752 WmiApSrv - ok
18:45:25.0375 9752 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
18:45:25.0390 9752 WMPNetworkSvc - ok
18:45:25.0578 9752 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
18:45:25.0625 9752 WPFFontCache_v0400 - ok
18:45:25.0718 9752 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
18:45:25.0734 9752 wscsvc - ok
18:45:25.0812 9752 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:45:25.0828 9752 wuauserv - ok
18:45:25.0921 9752 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:45:25.0921 9752 WudfPf - ok
18:45:25.0984 9752 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:45:25.0984 9752 WudfRd - ok
18:45:26.0046 9752 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
18:45:26.0046 9752 WudfSvc - ok
18:45:26.0093 9752 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:45:26.0109 9752 WZCSVC - ok
18:45:26.0171 9752 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:45:26.0250 9752 xmlprov - ok
18:45:26.0281 9752 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:45:26.0593 9752 \Device\Harddisk0\DR0 - ok
18:45:26.0609 9752 Boot (0x1200) (ac10c40af69a59902fe4b1a111b104f1) \Device\Harddisk0\DR0\Partition0
18:45:26.0609 9752 \Device\Harddisk0\DR0\Partition0 - ok
18:45:26.0609 9752 ============================================================
18:45:26.0609 9752 Scan finished
18:45:26.0609 9752 ============================================================
18:45:26.0625 6648 Detected object count: 0
18:45:26.0625 6648 Actual detected object count: 0

oldman960
2012-04-20, 03:14
Hi mrclark, welcome to the forum.

To make cleaning this machine easier:
Please do not uninstall/install any programs unless asked to.
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested.
Please follow all instructions in the order posted.
All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
Do not attach any logs/reports, etc. unless specifically requested to do so.
If you have problems with or do not understand the instructions, please ask before continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

Double click on OTL.exe to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
In the window under Custom Scans/Fixes copy and paste the following:

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s >
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop


Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.


Next

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Double click the aswMBR.exe to run it. If asked to download Avast's database please do so.

Click the "Scan" button to start the scan.
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click Save log, save it to your desktop and post it in your next reply.
http://public.avast.com/~gmerek/aswMBR2.png

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Please post back with
both OTL logs
aswMBR log

mrclark
2012-04-22, 02:41
Hi, here's the first part of the OTL log; it's been difficult posting it due to its size.



OTL logfile created on: 4/19/2012 8:34:35 PM - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 66.08% Memory free
5.09 Gb Paging File | 4.16 Gb Available in Paging File | 81.84% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 379.37 Gb Free Space | 40.73% Space Free | Partition Type: NTFS

Computer Name: ADMIN-FDC77CCCA | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\HitmanPro\hmpsched.exe (SurfRight B.V.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Steam\Steam.exe (Valve Corporation)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Documents and Settings\Administrator\Desktop\CPU Thermometer\CPUThermometer.exe ()
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe (DeviceVM, Inc.)
PRC - C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe (DeviceVM, Inc.)
PRC - C:\Program Files\Gigabyte\EasySaver\essvr.exe ()
PRC - C:\Program Files\EVGA Precision\EVGAPrecision.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe (Adobe Systems Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Documents and Settings\Administrator\Local Settings\Temp\~10.tmp ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\67b05b57919dfc3a1521f33198495f5b\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\9ac7922025e72297069a82a403cb59fa\System.Drawing.ni.dll ()
MOD - C:\Program Files\Steam\bin\libcef.dll ()
MOD - C:\Program Files\Steam\bin\chromehtml.dll ()
MOD - C:\Program Files\Steam\bin\avcodec-53.dll ()
MOD - C:\Program Files\Steam\bin\avformat-53.dll ()
MOD - C:\Program Files\Steam\bin\avutil-51.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Management\b1b57351a88c0c9c46bd9424347336ea\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuratio#\8e28c1bf907bc67c6685db26050c19bd\System.Configuration.Install.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\21071fcc838660d96f10920c4c3cd206\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\3ff4657a86a0e14b4be577969e0ec762\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\52f4f785f7cf45a64606a8e13c8cf04c\mscorlib.ni.dll ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\JSDialogPack150.bpl ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll ()
MOD - C:\Documents and Settings\Administrator\Desktop\CPU Thermometer\CPUThermometer.exe ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()
MOD - C:\Program Files\Gigabyte\EasySaver\essvr.exe ()
MOD - C:\Program Files\DeviceVM\Browser Configuration Utility\sqlite3.dll ()
MOD - C:\Program Files\Gigabyte\EasySaver\ycc.dll ()
MOD - C:\Program Files\EVGA Precision\EVGAPrecision.exe ()
MOD - C:\Program Files\EVGA Precision\RTCore.dll ()
MOD - C:\Program Files\EVGA Precision\RTUI.dll ()
MOD - C:\Program Files\EVGA Precision\RTFC.dll ()


========== Win32 Services (SafeList) ==========

SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (HitmanProScheduler) -- C:\Program Files\HitmanPro\hmpsched.exe (SurfRight B.V.)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (AppleChargerSrv) -- C:\WINDOWS\system32\AppleChargerSrv.exe ()
SRV - (BCUService) -- C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe (DeviceVM, Inc.)
SRV - (ES lite Service) -- C:\Program Files\Gigabyte\EasySaver\essvr.exe ()
SRV - (Adobe Version Cue CS3) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (Adobe Systems Incorporated)


========== Driver Services (SafeList) ==========

DRV - (WinRing0_1_2_0) -- C:\Documents and Settings\Administrator\Local Settings\Temp\tmp9.tmp File not found
DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows (R) 2000 DDK provider)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (GVTDrv) -- C:\WINDOWS\system32\drivers\GVTDrv.sys ()
DRV - (etdrv) -- C:\WINDOWS\etdrv.sys (Windows (R) 2000 DDK provider)
DRV - (AppleCharger) -- C:\WINDOWS\system32\drivers\AppleCharger.sys ()
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (usbfilter) -- C:\WINDOWS\system32\drivers\usbfilter.sys (Advanced Micro Devices)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (AmdLLD) -- C:\WINDOWS\system32\drivers\AmdLLD.sys (AMD, Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (RTCore32) -- C:\Program Files\EVGA Precision\RTCore32.sys ()
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\system32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfsync02) StarForce Protection Synchronization Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfhlp02.sys (Protection Technology)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {67B304DA-6278-40b3-B8E8-D46F814D6BFB}
IE - HKCU\..\SearchScopes\{0A4D1FD6-14A6-42b7-B9E4-A9A86BA9C833}: "URL" = http://www.google.com/cse?cx=partner-pub-3794288947762788%3A2938615334&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A2938615334&q={searchTerms}
IE - HKCU\..\SearchScopes\{0C0AD665-632E-4818-A02A-A810DEFFC693}: "URL" = http://search.avg.com/route/?d=$instd$&v=$ver$&i=$dchid$&tp=chrome&q={searchTerms}&lng={moz:locale}&iy=&ychte=ca
IE - HKCU\..\SearchScopes\{67B304DA-6278-40b3-B8E8-D46F814D6BFB}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBD
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.0: C:\Program Files\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=0.80.0: C:\Program Files\Battlelog Web Plugins\0.80.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@fileplanet.com/fpdlm: C:\Program Files\Download Manager\npfpdlm.dll (IGN Entertainment)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2012/04/18 18:26:19 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/01/31 21:04:43 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/04/15 22:29:42 | 000,000,019 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCU] C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe (DeviceVM, Inc.)
O4 - HKLM..\Run: [EVGAPrecision] C:\Program Files\EVGA Precision\EVGAPrecision.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [Spybot-S&D Cleaning] C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKCU..\Run: [CPUThermometer] C:\Documents and Settings\Administrator\Desktop\CPU Thermometer\CPUThermometer.exe ()
O4 - HKCU..\Run: [dabebdbdaafdct] C:\Documents and Settings\All Users\Application Data\dabebdbdaafdct.exe ()
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe (IGN Entertainment)
O4 - HKCU..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent File not found
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab (CDownloadCtrl Object)
O16 - DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} http://www.gunbroker.com/WebResource.axd?d=Qydpf0KIwF1Fr6RRPI2vp09Qx7960W1PefrwdgTL1YWRWyUo6in6PN6VS7m59gst6zjhnPK4xtevtkkiPAeNbVdLz1lm1BKvO-eVx_B2d1Lb7EFrywmMr-EfCQUqniwFPL_qr5-6LT50B9lSJqZDgme2Vksu6ajL4Qvm6a-2VX8ROm8K0&t=634230999680000000 (Image Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} https://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.66.2.cab (Battlefield Play4Free Updater)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AB79E8E6-3A4E-4955-9F00-0C1D77D8038C}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/09/06 02:55:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/04/19 20:31:31 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/04/17 17:54:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Download Manager
[2012/04/17 17:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Download Manager
[2012/04/16 19:26:48 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2012/04/16 19:21:34 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/04/16 19:21:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2012/04/16 19:20:17 | 000,000,000 | ---D | C] -- C:\Program Files\New Folder
[2012/04/15 21:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/04/15 21:48:21 | 007,245,976 | ---- | C] (SurfRight B.V.) -- C:\Program Files\HitmanPro36.exe
[2012/04/15 21:46:24 | 008,250,768 | ---- | C] (SurfRight B.V.) -- C:\Program Files\HitmanPro36_x64.exe
[2012/04/15 18:36:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012/04/15 15:19:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/04/15 15:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
[2012/04/15 15:19:47 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2012/04/15 15:19:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2012/04/15 15:17:03 | 000,325,200 | ---- | C] (OpenInstall ) -- C:\Program Files\spybotsd-2.exe
[2012/04/08 21:27:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/04/08 21:25:52 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/04/07 22:10:02 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/03/21 21:17:42 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/01/19 22:00:20 | 003,147,344 | ---- | C] (Macroplant, LLC ) -- C:\Program Files\iExplorer_Setup.exe
[2011/12/22 18:43:38 | 039,401,336 | ---- | C] (Apple Inc.) -- C:\Program Files\QuickTimeInstaller.exe
[2011/11/01 18:16:13 | 063,084,671 | ---- | C] (NovaLogic ) -- C:\Program Files\c4demo.exe
[2011/10/25 18:07:45 | 089,643,496 | ---- | C] (NVIDIA Corporation) -- C:\Program Files\285.58-desktop-winxp-32bit-english-whql.exe
[2011/09/21 17:23:35 | 047,963,312 | ---- | C] (Electronic Arts, Inc.) -- C:\Program Files\OriginSetup.exe
[2011/04/23 13:22:32 | 088,715,952 | ---- | C] (NVIDIA Corporation) -- C:\Program Files\270.61-desktop-winxp-32bit-english-whql.exe
[2011/03/21 17:36:17 | 038,191,344 | ---- | C] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSAudioEditor.exe
[2011/03/21 17:36:16 | 150,895,952 | ---- | C] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSVideoEditor.exe
[2010/11/06 12:47:43 | 034,226,736 | ---- | C] (Cisco Systems, Inc.) -- C:\Program Files\nmsetup.exe
[2010/10/19 11:41:31 | 004,290,744 | ---- | C] (AVG Technologies) -- C:\Program Files\avg_free_stb_all_2011_1136_upgrade.exe
[2010/10/16 16:10:34 | 002,129,648 | ---- | C] (Beepa Pty Ltd) -- C:\Program Files\fraps.exe
[2010/10/10 22:55:19 | 000,874,272 | ---- | C] (Sun Microsystems, Inc.) -- C:\Program Files\JavaSetup6u21.exe
[2010/10/07 20:09:26 | 000,589,640 | ---- | C] (Google Inc.) -- C:\Program Files\GoogleEarthSetup.exe
[2010/09/13 12:54:17 | 069,316,464 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe
[2010/09/06 18:52:56 | 002,133,536 | ---- | C] (AVG Technologies) -- C:\Program Files\avg_free_stb_all_9_115_cnet.exe
[2010/09/06 01:30:18 | 016,883,056 | ---- | C] (Microsoft Corporation) -- C:\Program Files\IE8-WindowsXP-x86-ENU.exe
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/19 20:32:37 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/04/19 20:29:37 | 000,000,267 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Malware redirects Google Search Results - Safer-Networking Forums.url
[2012/04/19 19:56:02 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/19 19:56:02 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/19 19:56:01 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/19 19:29:25 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\play in right rear wheel of 08 ren x, is it bearings - can-am ATV Forums - can-amtalk.com.url
[2012/04/19 18:48:13 | 095,645,533 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/04/19 18:47:14 | 000,225,792 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/04/19 18:00:00 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\PC Unleashed Registration3.job
[2012/04/19 06:17:33 | 000,000,598 | ---- | M] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2012/04/19 06:17:19 | 000,001,048 | -H-- | M] () -- C:\Documents and Settings\Administrator\Desktop\magicJack.lnk
[2012/04/19 06:17:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/19 06:16:29 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2012/04/19 06:16:16 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2012/04/19 06:16:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/18 22:02:24 | 000,000,578 | ---- | M] () -- C:\WINDOWS\M3JPEG.INI
[2012/04/18 21:38:32 | 000,202,752 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/18 21:08:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/04/18 19:18:28 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/18 18:53:09 | 000,138,520 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2012/04/18 18:50:41 | 000,234,536 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2012/04/18 18:44:09 | 000,002,353 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Download Manager.lnk
[2012/04/17 19:30:40 | 000,054,405 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\11881200.m792003.jpg
[2012/04/17 17:52:26 | 000,000,172 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012/04/17 17:41:59 | 000,000,257 | RHS- | M] () -- C:\boot.ini
[2012/04/16 19:26:48 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2012/04/16 19:21:35 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2012/04/15 22:29:42 | 000,000,019 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/04/15 21:48:31 | 007,245,976 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro36.exe
[2012/04/15 21:46:37 | 008,250,768 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro36_x64.exe
[2012/04/15 20:34:58 | 000,003,204 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\What is this Russian Weapon Military.com.url
[2012/04/15 20:34:26 | 000,070,302 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\pix594976204.jpg
[2012/04/15 18:03:19 | 000,000,656 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Recommended Upgrades for 08 Renegade 800X - can-am ATV Forums - can-amtalk.com.url
[2012/04/15 15:19:59 | 000,000,594 | ---- | M] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2012/04/15 15:19:59 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2012/04/15 15:19:52 | 000,001,836 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2012/04/15 15:17:08 | 000,325,200 | ---- | M] (OpenInstall ) -- C:\Program Files\spybotsd-2.exe
[2012/04/15 14:51:22 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dabebdbdaafdct.exe
[2012/04/15 13:15:25 | 000,000,683 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Another Renegade SUBSEA snorkel kit is created! - can-am ATV Forums - can-amtalk.com - Page 2.url
[2012/04/15 13:14:57 | 000,000,318 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\4 x Cases (Military Boxes) for .22.url
[2012/04/15 12:04:44 | 000,000,882 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.hitmanpro
[2012/04/15 12:04:44 | 000,000,882 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120415-183150.backup
[2012/04/13 20:56:05 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/13 20:56:04 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/04/11 19:17:09 | 000,234,536 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.ex0
[2012/04/11 06:55:30 | 000,573,400 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/11 06:55:30 | 000,108,130 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/11 06:45:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/04/10 18:10:12 | 000,000,428 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Trance on guitar - YouTube.url
[2012/04/08 21:27:47 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/04/08 15:20:06 | 000,000,182 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\EHS Racing Contact Information.url
[2012/04/04 19:16:57 | 000,000,404 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Extreme Idiots Compilation 2 - YouTube.url
[2012/04/04 17:51:43 | 000,000,398 | ---- | M] () -- C:\WINDOWS\tasks\PC Unleashed.job
[2012/04/03 21:12:24 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Flight.url
[2012/03/26 19:02:46 | 001,563,640 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/24 17:55:49 | 008,892,928 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2012/03/24 17:54:33 | 034,226,736 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\nmsetup.exe
[2012/03/24 17:17:42 | 000,033,745 | ---- | M] () -- C:\WINDOWSHvc_____.pfb
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/17 19:39:18 | 000,065,625 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\r152055_543356.jpg
[2012/04/17 19:37:01 | 000,222,682 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\goodhousekeepingqe0.jpg
[2012/04/17 18:58:10 | 000,000,267 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Malware redirects Google Search Results - Safer-Networking Forums.url
[2012/04/17 17:54:55 | 000,002,353 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Download Manager.lnk
[2012/04/16 19:21:35 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2012/04/15 18:26:43 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\play in right rear wheel of 08 ren x, is it bearings - can-am ATV Forums - can-amtalk.com.url
[2012/04/15 18:03:19 | 000,000,656 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Recommended Upgrades for 08 Renegade 800X - can-am ATV Forums - can-amtalk.com.url
[2012/04/15 17:42:23 | 000,000,172 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012/04/15 15:19:58 | 000,000,594 | ---- | C] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2012/04/15 15:19:58 | 000,000,462 | ---- | C] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2012/04/15 15:19:57 | 000,000,598 | ---- | C] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2012/04/15 15:19:52 | 000,001,842 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2012/04/15 15:19:52 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2012/04/15 13:31:34 | 000,070,302 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\pix594976204.jpg
[2012/04/15 13:04:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dabebdbdaafdct.exe
[2012/04/08 21:27:47 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/04/08 15:20:05 | 000,000,182 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\EHS Racing Contact Information.url
[2012/04/07 23:14:26 | 000,000,428 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Trance on guitar - YouTube.url
[2012/04/07 22:10:03 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/04 21:28:35 | 000,409,738 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-682003330-308236825-725345543-500-0.dat
[2012/04/03 21:12:23 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Flight.url
[2012/03/24 17:17:42 | 000,033,745 | ---- | C] () -- C:\WINDOWSHvc_____.pfb
[2012/02/14 18:50:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/30 23:47:35 | 000,345,706 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/10/11 22:05:39 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/09/28 18:44:14 | 000,179,271 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2011/09/28 18:35:17 | 003,815,360 | ---- | C] () -- C:\Program Files\battlelog-web-plugins-0.80.0-retail-ob.exe
[2011/06/13 15:16:33 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/06/04 20:48:52 | 000,291,539 | ---- | C] () -- C:\Program Files\cputhermometer_setup.exe
[2011/04/23 13:14:57 | 000,203,792 | ---- | C] () -- C:\Program Files\EVGAPrecision.exe
[2011/04/23 13:14:57 | 000,044,048 | ---- | C] () -- C:\Program Files\EVGAPrecisionWrapper.exe
[2010/12/04 01:27:07 | 000,003,217 | ---- | C] () -- C:\WINDOWS\pi2000.ini
[2010/12/04 01:27:06 | 000,000,021 | ---- | C] () -- C:\WINDOWS\arcsuite.ini
[2010/11/29 02:16:18 | 000,056,844 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/11/28 18:37:42 | 002,250,024 | ---- | C] () -- C:\WINDOWS\System32\pbsvc.exe
[2010/11/06 12:50:38 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/10/16 18:18:57 | 000,000,578 | ---- | C] () -- C:\WINDOWS\M3JPEG.INI
[2010/10/12 15:18:39 | 002,601,752 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_moh.exe
[2010/09/13 13:13:32 | 000,000,026 | ---- | C] () -- C:\WINDOWS\GeoLan.ini
[2010/09/13 13:11:28 | 000,229,376 | R--- | C] () -- C:\WINDOWS\System32\GXGM20.dll
[2010/09/13 13:11:25 | 000,745,984 | R--- | C] () -- C:\WINDOWS\ir50_32.dll
[2010/09/13 13:11:19 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\GODDNIF.ini
[2010/09/06 20:32:02 | 000,202,752 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/06 16:53:10 | 000,138,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2010/09/06 16:53:10 | 000,022,328 | -H-- | C] () -- C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
[2010/09/06 16:52:28 | 000,234,536 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2010/09/06 16:52:27 | 002,434,856 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_bc2.exe
[2010/09/06 16:52:27 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2010/09/06 16:06:01 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2010/09/06 15:38:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/09/06 14:52:38 | 001,364,522 | ---- | C] () -- C:\Program Files\winrar-x64-393.exe
[2010/09/06 03:39:30 | 000,080,416 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2010/09/06 03:33:41 | 000,207,400 | R--- | C] () -- C:\WINDOWS\GSetup.exe
[2010/09/06 03:33:41 | 000,000,010 | ---- | C] () -- C:\WINDOWS\GSetup.ini
[2010/09/06 03:18:17 | 001,588,224 | ---- | C] () -- C:\Program Files\SteamInstall.msi
[2010/09/06 02:56:39 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/09/06 02:52:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/09/06 02:42:09 | 000,194,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/06 00:55:07 | 000,286,760 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2010/09/06 00:55:06 | 000,286,760 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2010/09/06 00:55:06 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2010/09/06 00:47:59 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/06 00:47:58 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/09/06 00:47:03 | 000,024,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\GVTDrv.sys
[2010/09/06 00:39:52 | 000,031,272 | ---- | C] () -- C:\WINDOWS\System32\AppleChargerSrv.exe
[2010/09/06 00:39:52 | 000,019,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\AppleCharger.sys
[2010/09/05 19:41:11 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/09/05 19:40:07 | 001,563,640 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2011/01/01 22:10:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ACD Systems
[2011/10/13 19:13:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AVG2012
[2012/03/11 20:17:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DarknessIIDemo
[2011/09/14 22:06:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DriverCure
[2011/01/02 22:04:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Helios
[2012/04/19 06:17:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Application Data\mjusbsp
[2011/03/25 23:05:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
[2011/10/23 13:37:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Origin
[2011/09/14 22:06:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC Unleashed Online
[2011/01/01 20:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ACD Systems
[2011/10/13 19:22:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2010/10/19 11:48:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/10/19 11:53:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/10/12 15:29:00 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\DSS
[2011/09/21 17:24:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2012/04/16 19:26:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2010/09/07 20:46:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\magicJack
[2012/04/19 18:48:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/09/21 17:28:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Origin
[2011/09/14 22:06:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Unleashed Online
[2011/03/26 13:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Solidshield
[2010/09/13 12:58:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/04/19 06:17:33 | 000,000,598 | ---- | M] () -- C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
[2012/03/09 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\PC Unleashed Defrag.job
[2012/04/19 18:00:00 | 000,000,492 | ---- | M] () -- C:\WINDOWS\Tasks\PC Unleashed Registration3.job
[2012/03/09 01:50:02 | 000,000,454 | ---- | M] () -- C:\WINDOWS\Tasks\PC Unleashed Update Version3.job
[2012/04/04 17:51:43 | 000,000,398 | ---- | M] () -- C:\WINDOWS\Tasks\PC Unleashed.job
[2012/04/15 15:19:59 | 000,000,594 | ---- | M] () -- C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
[2012/04/15 15:19:59 | 000,000,462 | ---- | M] () -- C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2010/12/13 18:26:55 | 000,499,843 | ---- | M] () -- C:\AnalysisLog.sr0
[2010/09/06 02:55:01 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/04/17 17:41:59 | 000,000,257 | RHS- | M] () -- C:\boot.ini
[2010/09/06 02:55:01 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/09/06 00:43:06 | 000,000,156 | ---- | M] () -- C:\csb.log
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2007/11/07 09:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2007/11/07 09:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe
[2007/11/07 09:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2010/09/06 03:39:35 | 000,000,197 | ---- | M] () -- C:\Install.log
[2007/11/07 09:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 09:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 09:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 09:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 09:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 09:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 09:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2010/09/06 02:55:01 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/09/06 02:55:01 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/13 22:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 00:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/04/19 06:16:02 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/09/06 03:37:52 | 000,002,944 | ---- | M] () -- C:\RHDSetup.log
[2012/04/19 06:17:16 | 000,000,144 | ---- | M] () -- C:\service.log
[2012/04/19 19:00:17 | 000,083,120 | ---- | M] () -- C:\TDSSKiller.2.7.29.0_19.04.2012_18.44.02_log.txt
[2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/11/07 09:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI
[2012/03/24 17:17:42 | 000,033,745 | ---- | M] () -- C:\WINDOWSHvc_____.pfb

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2010/09/06 02:54:44 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2011/04/23 13:22:43 | 088,715,952 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\270.61-desktop-winxp-32bit-english-whql.exe
[2011/10/25 18:32:25 | 089,643,496 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\285.58-desktop-winxp-32bit-english-whql.exe
[2010/10/19 11:41:53 | 004,290,744 | ---- | M] (AVG Technologies) -- C:\Program Files\avg_free_stb_all_2011_1136_upgrade.exe
[2010/09/06 18:53:03 | 002,133,536 | ---- | M] (AVG Technologies) -- C:\Program Files\avg_free_stb_all_9_115_cnet.exe
[2011/03/21 17:57:25 | 038,191,344 | ---- | M] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSAudioEditor.exe
[2011/03/21 17:41:09 | 150,895,952 | ---- | M] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSVideoEditor.exe
[2011/09/28 18:35:30 | 003,815,360 | ---- | M] () -- C:\Program Files\battlelog-web-plugins-0.80.0-retail-ob.exe
[2011/11/01 18:16:20 | 063,084,671 | ---- | M] (NovaLogic ) -- C:\Program Files\c4demo.exe
[2011/06/04 20:48:56 | 000,291,539 | ---- | M] () -- C:\Program Files\cputhermometer_setup.exe
[2008/06/04 12:27:16 | 000,203,792 | ---- | M] () -- C:\Program Files\EVGAPrecision.exe
[2008/06/04 12:27:16 | 000,044,048 | ---- | M] () -- C:\Program Files\EVGAPrecisionWrapper.exe
[2010/10/16 16:10:39 | 002,129,648 | ---- | M] (Beepa Pty Ltd) -- C:\Program Files\fraps.exe
[2011/06/12 16:48:37 | 000,589,640 | ---- | M] (Google Inc.) -- C:\Program Files\GoogleEarthSetup.exe
[2012/04/15 21:48:31 | 007,245,976 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro36.exe
[2012/04/15 21:46:37 | 008,250,768 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro36_x64.exe
[2010/09/06 01:30:36 | 016,883,056 | ---- | M] (Microsoft Corporation) -- C:\Program Files\IE8-WindowsXP-x86-ENU.exe
[2012/01/19 22:00:26 | 003,147,344 | ---- | M] (Macroplant, LLC ) -- C:\Program Files\iExplorer_Setup.exe
[2012/02/25 19:41:02 | 069,316,464 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe
[2010/10/10 22:55:28 | 000,874,272 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\JavaSetup6u21.exe
[2012/03/24 17:54:33 | 034,226,736 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\nmsetup.exe
[2011/09/21 17:23:44 | 047,963,312 | ---- | M] (Electronic Arts, Inc.) -- C:\Program Files\OriginSetup.exe
[2012/01/07 20:26:28 | 039,401,336 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTimeInstaller.exe
[2012/04/15 15:17:08 | 000,325,200 | ---- | M] (OpenInstall ) -- C:\Program Files\spybotsd-2.exe
[2010/09/06 03:18:21 | 001,588,224 | ---- | M] () -- C:\Program Files\SteamInstall.msi
[2010/09/06 14:53:40 | 001,364,522 | ---- | M] () -- C:\Program Files\winrar-x64-393.exe

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2010/09/05 19:39:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2010/09/05 19:39:24 | 001,089,536 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2010/09/05 19:39:23 | 000,925,696 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2010/09/06 02:55:06 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini
[2010/09/06 15:38:12 | 000,001,992 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\New Office Document.lnk
[2010/09/06 15:38:12 | 000,002,002 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Open Office Document.lnk
[2010/09/06 00:39:52 | 000,001,717 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Program Updates.lnk
[2011/09/14 22:09:32 | 000,001,607 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
[2010/09/06 02:55:06 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Catalog.lnk
[2011/09/14 22:09:32 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Desktop\*.exe >
[2012/04/19 20:32:37 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-04-11 10:57:16

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %temp%\smtmp\*.* /s > >

< MD5 for: EXPLORER.EXE >
[2012/02/07 17:19:30 | 003,149,736 | ---- | M] (Safer-Networking Ltd.) MD5=511D1BEF41D4A018501139F409DE5ED6 -- C:\Program Files\Spybot - Search & Destroy 2\explorer.exe
[2008/04/14 05:42:10 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=86B13BD2DAC4D331B0B6406E632AB086 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:10 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=86B13BD2DAC4D331B0B6406E632AB086 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2012/04/19 20:43:49 | 000,062,734 | ---- | M] () MD5=56B6034DAF18ADD6340EC2A13E62339C -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.SCF >
[2004/08/04 08:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: EXPLORER.ZIP >
[2006/03/06 22:48:08 | 000,020,394 | ---- | M] () MD5=B469409C2B2A33C542190B720E11BD79 -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip

< MD5 for: IEXPLORE.CHM >
[2009/02/21 01:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\Help\iexplore.chm
[2009/02/21 01:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\ie8\iexplore.chm

< MD5 for: IEXPLORE.EXE >
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\WINDOWS\ie8\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\WINDOWS\system32\dllcache\iexplore.exe

< MD5 for: IEXPLORE.EXE.20120415-005624-00.HDMP >
[2012/04/14 20:56:25 | 005,151,992 | ---- | M] () MD5=7E2233C5A4124E0F11C2DCD7831A140A -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120415-005624-00.hdmp

< MD5 for: IEXPLORE.EXE.20120415-170611-00.HDMP >
[2012/04/15 13:06:14 | 005,760,621 | ---- | M] () MD5=47D27958EC065B4E406D327897FB527F -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120415-170611-00.hdmp

< MD5 for: IEXPLORE.EXE.20120415-190207-00.HDMP >
[2012/04/15 15:02:08 | 004,895,483 | ---- | M] () MD5=31455F4E281B23FBC24F334BCB786868 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120415-190207-00.hdmp

< MD5 for: IEXPLORE.EXE.20120416-221911-00.HDMP >
[2012/04/16 18:19:14 | 066,354,636 | ---- | M] () MD5=A49FEC903CA66EF601AF94C993CD6A25 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120416-221911-00.hdmp

< MD5 for: IEXPLORE.EXE.20120417-195735-00.HDMP >
[2012/04/17 15:57:36 | 003,755,088 | ---- | M] () MD5=D4C47D86116513F01E0DE0F130287FA0 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120417-195735-00.hdmp

< MD5 for: IEXPLORE.EXE.20120417-205807-00.HDMP >
[2012/04/17 16:58:09 | 004,768,148 | ---- | M] () MD5=31BD9C09AB41B641F5E93490622CBD37 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120417-205807-00.hdmp

< MD5 for: IEXPLORE.EXE.20120418-231829-00.HDMP >
[2012/04/18 19:18:31 | 005,158,988 | ---- | M] () MD5=EB1A7F9BB3429B120C52655574F6FC63 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120418-231829-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003217-00.HDMP >
[2012/04/18 20:32:20 | 028,412,148 | ---- | M] () MD5=ABCFC04C679AE52F2C2F883B8ACA2FD4 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003217-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003220-00.HDMP >
[2012/04/18 20:32:22 | 023,110,752 | ---- | M] () MD5=EBF771652E7238F89F980F27A45C4674 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003220-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003222-00.HDMP >
[2012/04/18 20:32:24 | 023,114,748 | ---- | M] () MD5=BFAE73FC417420C71B1215FEB1BBD82D -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003222-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003224-00.HDMP >
[2012/04/18 20:32:26 | 023,118,744 | ---- | M] () MD5=8FB475EB75DFD19025D4F08B780F8163 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003224-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003226-00.HDMP >
[2012/04/18 20:32:27 | 023,122,740 | ---- | M] () MD5=676627949D33DA56784F63DC1C98C4E0 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003226-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003227-00.HDMP >
[2012/04/18 20:32:29 | 023,126,736 | ---- | M] () MD5=4237D2E8314F45E87B5EA49BF88B5780 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003227-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003229-00.HDMP >
[2012/04/18 20:32:32 | 023,130,732 | ---- | M] () MD5=247F37F045B1BCBCA91E5FAA63BFD75F -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003229-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003232-00.HDMP >
[2012/04/18 20:32:36 | 023,134,728 | ---- | M] () MD5=1C3C1C0AC6620410AF27704620474B16 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003232-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003236-00.HDMP >
[2012/04/18 20:32:40 | 023,155,092 | ---- | M] () MD5=8CC9A5D662F7565A6C1D4566B31A889A -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003236-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003240-00.HDMP >
[2012/04/18 20:32:42 | 023,157,796 | ---- | M] () MD5=0C2FAF782D29B6259F224B71039457E2 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003240-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003242-00.HDMP >
[2012/04/18 20:32:44 | 023,161,792 | ---- | M] () MD5=00A73DA855B2129AFFEC49503ED7F2B0 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003242-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003244-00.HDMP >
[2012/04/18 20:32:45 | 023,165,788 | ---- | M] () MD5=F54DA30F7794DD55013820CB335FD2FE -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003244-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003245-00.HDMP >
[2012/04/18 20:32:47 | 023,169,784 | ---- | M] () MD5=D211A582A7100C1F63DED176BF646385 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003245-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003247-00.HDMP >
[2012/04/18 20:32:49 | 023,177,876 | ---- | M] () MD5=68CAF2BE38824D41D1DCCA75FA22542E -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003247-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003249-00.HDMP >
[2012/04/18 20:32:50 | 023,185,968 | ---- | M] () MD5=0344D7AFA41A59C06A7E40DBFBA0BF90 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003249-00.hdmp

< MD5 for: IEXPLORE.EXE.20120419-003250-00.HDMP >
[2012/04/18 20:32:52 | 023,194,060 | ---- | M] () MD5=94AF3D010602231D3A96AE0530FCDB29 -- C:\WINDOWS\pchealth\ERRORREP\UserDumps\iexplore.exe.20120419-003250-00.hdmp

mrclark
2012-04-22, 02:53
This doesn't seem to be working; the OTL text file is too big. Let's see if I can post it as an attachment?

mrclark
2012-04-22, 02:56
Here's the other; let me know if posting these this way is OK.

mrclark
2012-04-22, 04:32
Sorry, and you stated you needed this as well, I believe.

oldman960
2012-04-22, 10:07
Hi mrclark,

Please read through these instructions to familiarize yourself with what to expect when this tool runs.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

mrclark
2012-04-22, 21:56
here it is, thanks

ComboFix 12-04-22.01 - Administrator 04/22/2012 14:38:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2579 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Recent\Thumbs.db
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\dabebdbdaafdct.exe
c:\documents and settings\All Users\Application Data\iiaraaa.tmp
C:\install.exe
c:\program files\270.61-desktop-winxp-32bit-english-whql.exe
c:\program files\285.58-desktop-winxp-32bit-english-whql.exe
c:\program files\avg_free_stb_all_2011_1136_upgrade.exe
c:\program files\iexplorer
c:\program files\iexplorer\AxInterop.QTOControlLib.dll
c:\program files\iexplorer\ICSharpCode.SharpZipLib.dll
c:\program files\iexplorer\iExplorer.exe
c:\program files\iexplorer\Interop.QTOControlLib.dll
c:\program files\iexplorer\Interop.QTOLibrary.dll
c:\program files\iexplorer\isxdl.dll
c:\program files\iexplorer\MPCrashReporter.dll
c:\program files\iexplorer\MPUpdater.dll
c:\program files\iexplorer\msvcr71.dll
c:\program files\iexplorer\PodPhone2.dll
c:\program files\iexplorer\unins000.dat
c:\program files\iexplorer\unins000.exe
c:\program files\iexplorer\unins000.msg
c:\windows\expl.dat
c:\windows\system32\dllc.dat
c:\windows\system32\SET5C.tmp
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-22 to 2012-04-22 )))))))))))))))))))))))))))))))
.
.
2012-04-18 22:46 . 2012-04-18 22:47 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2012-04-17 21:54 . 2012-04-17 21:54 -------- d-----w- c:\program files\Microsoft Download Manager
2012-04-16 23:26 . 2012-04-16 23:26 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-04-16 23:21 . 2012-04-16 23:21 -------- d-----w- c:\program files\HitmanPro
2012-04-16 23:20 . 2012-04-16 23:20 -------- d-----w- c:\program files\New Folder
2012-04-16 01:48 . 2012-04-16 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-04-15 19:19 . 2012-04-15 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-04-15 19:19 . 2009-01-25 16:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-04-15 19:19 . 2012-04-15 19:20 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-04-15 19:17 . 2012-04-15 19:17 325200 ----a-w- c:\program files\spybotsd-2.exe
2012-04-15 00:32 . 2012-04-15 00:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-04-15 00:31 . 2012-04-15 00:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-04-09 01:25 . 2012-04-09 01:25 -------- d-----w- c:\program files\iPod
2012-04-08 02:10 . 2012-04-14 00:56 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-24 22:15 . 2012-03-24 22:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-22 17:26 . 2010-09-06 04:46 17488 ----a-w- c:\windows\gdrv.sys
2012-04-22 00:11 . 2010-09-06 20:53 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-04-22 00:10 . 2010-09-06 20:53 234536 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-04-22 00:10 . 2010-09-06 20:52 234536 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-04-18 22:50 . 2010-09-06 20:52 234536 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-04-14 00:56 . 2011-05-14 23:20 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-24 21:55 . 2010-11-06 16:50 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2012-03-24 21:54 . 2010-11-06 16:47 34226736 ----a-w- c:\program files\nmsetup.exe
2012-03-01 11:01 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2008-04-14 09:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 09:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-29 14:10 . 2008-04-14 09:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 09:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 04:07 385024 ----a-w- c:\windows\system32\html.iec
2012-02-25 23:41 . 2010-09-13 16:54 69316464 ----a-w- c:\program files\iTunesSetup.exe
2012-02-15 15:01 . 2010-09-13 16:56 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 15:01 . 2010-09-13 16:56 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2008-04-14 05:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-20 02:00 . 2012-01-20 02:00 3147344 ----a-w- c:\program files\iExplorer_Setup.exe
2012-01-08 00:26 . 2011-12-22 22:43 39401336 ----a-w- c:\program files\QuickTimeInstaller.exe
2011-11-01 22:16 . 2011-11-01 22:16 63084671 ----a-w- c:\program files\c4demo.exe
2011-09-28 22:35 . 2011-09-28 22:35 3815360 ----a-w- c:\program files\battlelog-web-plugins-0.80.0-retail-ob.exe
2011-09-21 21:23 . 2011-09-21 21:23 47963312 ----a-w- c:\program files\OriginSetup.exe
2011-06-12 20:48 . 2010-10-08 00:09 589640 ----a-w- c:\program files\GoogleEarthSetup.exe
2011-06-05 00:48 . 2011-06-05 00:48 291539 ----a-w- c:\program files\cputhermometer_setup.exe
2011-03-21 21:57 . 2011-03-21 21:36 38191344 ----a-w- c:\program files\AVSAudioEditor.exe
2011-03-21 21:41 . 2011-03-21 21:36 150895952 ----a-w- c:\program files\AVSVideoEditor.exe
2010-10-16 20:10 . 2010-10-16 20:10 2129648 ----a-w- c:\program files\fraps.exe
2010-10-11 02:55 . 2010-10-11 02:55 874272 ----a-w- c:\program files\JavaSetup6u21.exe
2010-09-06 22:53 . 2010-09-06 22:52 2133536 ----a-w- c:\program files\avg_free_stb_all_9_115_cnet.exe
2010-09-06 18:53 . 2010-09-06 18:52 1364522 ----a-w- c:\program files\winrar-x64-393.exe
2010-09-06 07:18 . 2010-09-06 07:18 1588224 ----a-w- c:\program files\SteamInstall.msi
2010-09-06 05:30 . 2010-09-06 05:30 16883056 ----a-w- c:\program files\IE8-WindowsXP-x86-ENU.exe
2008-06-04 16:27 . 2011-04-23 17:14 44048 ----a-w- c:\program files\EVGAPrecisionWrapper.exe
2008-06-04 16:27 . 2011-04-23 17:14 203792 ----a-w- c:\program files\EVGAPrecision.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . E12A7DF6EFB606316DBC801C473F1FE7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-14 . E5900F36F2BD2335433334B56ECA9FDD . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2008-04-14 . 86B13BD2DAC4D331B0B6406E632AB086 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-02 1242448]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2011-08-23 50592]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"CPUThermometer"="c:\documents and settings\Administrator\Desktop\CPU Thermometer\CPUThermometer.exe" [2011-01-14 127488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-15 375000]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecision.exe" [2008-06-04 203792]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-02-07 3865504]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-02-07 2972056]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2010-9-6 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv episodes from liberty city\\EFLC\\EFLC.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJackLoader.exe"=
"c:\\Program Files\\Steam\\steamapps\\hicks439\\half-life 2 lostcoast\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\forgottenhope2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\far cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2BenchmarkTool.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2ServerLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_DX11.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv episodes from liberty city\\EFLC\\LaunchEFLC.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\medal of honor\\Binaries\\moh.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\medal of honor\\MP\\mohmpgame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\medal of honor\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\battle los angeles\\bin\\BattleLA.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\hydrophobia\\HydroPC.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crysis 2\\bin32\\Crysis2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crysis 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Battlelog Web Plugins\\Sonar\\0.70.0\\SonarHost.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOps.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOpsMP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dcs a10c warthog trailer\\smp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\driver san francisco\\Driver.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\batman2\\Binaries\\Win32\\BatmanAC.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\batman2\\RunLauncher.bat"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sniper ghost warrior\\Sniper_x86.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\microsoft flight\\Flight.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 3\\iw5sp.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 3\\iw5mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [9/6/2010 12:39 AM 19496]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/15/2009 5:06 PM 223464]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [9/6/2010 3:34 AM 68136]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [4/23/2011 1:24 PM 2253120]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [4/15/2012 3:19 PM 1181104]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [4/15/2012 3:19 PM 1185704]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 16720]
R3 RTCore32;RTCore32;c:\program files\EVGA Precision\RTCore32.sys [5/25/2005 2:39 PM 4608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [9/6/2010 3:39 AM 30392]
R3 WinRing0_1_2_0;WinRing0_1_2_0;\??\c:\documents and settings\Administrator\Local Settings\Temp\tmp4.tmp --> c:\documents and settings\Administrator\Local Settings\Temp\tmp4.tmp [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2010 8:09 PM 136176]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [4/16/2012 7:21 PM 105288]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/7/2012 10:10 PM 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/6/2010 3:37 AM 1691480]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 etdrv;etdrv;c:\windows\etdrv.sys [9/6/2010 1:06 AM 17488]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2010 8:09 PM 136176]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [9/6/2010 12:47 AM 24944]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO35
*NewlyCreated* - WINRING0_1_2_0
*Deregistered* - hitmanpro35
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 00:56]
.
2012-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-04-22 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-04-15 21:19]
.
2012-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 00:09]
.
2012-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 00:09]
.
2012-03-09 c:\windows\Tasks\PC Unleashed Defrag.job
- c:\program files\PC Unleashed Online\Suite\pcu.exe [2011-09-06 18:27]
.
2012-04-21 c:\windows\Tasks\PC Unleashed Registration3.job
- c:\program files\Common Files\PC Unleashed Online\UUS3\UUS3.dll [2011-09-06 18:27]
.
2012-03-09 c:\windows\Tasks\PC Unleashed Update Version3.job
- c:\program files\Common Files\PC Unleashed Online\UUS3\Update3.exe [2011-09-06 18:27]
.
2012-04-04 c:\windows\Tasks\PC Unleashed.job
- c:\program files\PC Unleashed Online\Suite\pcu.exe [2011-09-06 18:27]
.
2012-04-15 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-04-15 21:19]
.
2012-04-15 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-04-15 21:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.gunbroker.com/WebResource.axd?d=Qydpf0KIwF1Fr6RRPI2vp09Qx7960W1PefrwdgTL1YWRWyUo6in6PN6VS7m59gst6zjhnPK4xtevtkkiPAeNbVdLz1lm1BKvO-eVx_B2d1Lb7EFrywmMr-EfCQUqniwFPL_qr5-6LT50B9lSJqZDgme2Vksu6ajL4Qvm6a-2VX8ROm8K0&t=634230999680000000
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-RGSC - c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe
HKCU-Run-dabebdbdaafdct - c:\documents and settings\All Users\Application Data\dabebdbdaafdct.exe
HKU-Default-Run-dabebdbdaafdct - c:\documents and settings\All Users\Application Data\dabebdbdaafdct.exe
Notify-SDWinLogon - SDWinLogon.dll
AddRemove-BattlEye - c:\program files\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe
AddRemove-N.A.W 6..0 MAP Pack 16.0 - c:\program files\EA GAMES\Battlefield 2\mods\naw\Uninstall\MP1\N.A.W
AddRemove-N.A.W 6..0 MAP Pack 26.0 - c:\program files\EA GAMES\Battlefield 2\mods\naw\Uninstall\MP1\N.A.W
AddRemove-N.A.W 6..0 MAP Pack 36.0 - c:\program files\EA GAMES\Battlefield 2\mods\naw\Uninstall\MP1\N.A.W
AddRemove-N.A.W 6..0 MAP Pack 46.0 - c:\program files\EA GAMES\Battlefield 2\mods\naw\Uninstall\MP1\N.A.W
AddRemove-Nations at War6.0 - c:\program files\EA GAMES\Battlefield 2\mods\\naw\\Uninstall\MOD\N.A.W
AddRemove-Precision - c:\program files\EVGA Precision\uninstall.exe
AddRemove-{7FD8B0C1-CDDA-4B4D-A577-B2E3570EA3A3}_is1 - c:\program files\iExplorer\unins000.exe
AddRemove-XWW2_BF2_1.0 - 0:\program files\EA GAMES\Battlefield 2\Uninstal.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-22 14:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinRing0_1_2_0]
"ImagePath"="\??\c:\documents and settings\Administrator\Local Settings\Temp\tmp4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,6f,f1,63,32,e5,bc,45,89,bf,b0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,6f,f1,63,32,e5,bc,45,89,bf,b0,\
.
[HKEY_USERS\S-1-5-21-682003330-308236825-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,66,85,47,9d,ef,52,ba,43,a7,e7,2e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,45,f0,cc,f9,29,c5,4d,9e,6c,27,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,45,f0,cc,f9,29,c5,4d,9e,6c,27,\
.
[HKEY_USERS\S-1-5-21-682003330-308236825-725345543-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:b0,92,5d,7f,74,6f,64,2e,f2,07,94,8b,39,bb,2f,90,78,3b,d3,9a,b3,5d,1c,
d7,63,8c,72,e2,a3,26,59,a8,a9,72,5e,5c,4e,6e,f4,6b,47,95,f8,a3,84,f4,45,d6,\
"??"=hex:c4,eb,46,72,21,b0,9f,a8,fb,ea,d5,9e,97,df,e4,ec
.
[HKEY_USERS\S-1-5-21-682003330-308236825-725345543-500\Software\SecuROM\License information*]
"datasecu"=hex:4f,7b,fd,ac,4f,c5,c9,f4,5d,c1,a0,60,c9,eb,52,4d,56,24,fb,5a,d1,
17,90,ad,ab,dc,f9,37,74,6f,14,fa,8c,a3,79,44,ab,2c,97,e2,17,7f,81,1f,c8,91,\
"rkeysecu"=hex:4b,4a,a7,ae,b5,00,e9,fc,cc,f3,a7,43,b2,51,a3,50
.
Completion time: 2012-04-22 14:52:06
ComboFix-quarantined-files.txt 2012-04-22 18:51
.
Pre-Run: 365,579,255,808 bytes free
Post-Run: 366,892,163,072 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
[spybotsd]
timeout.old=30
.
- - End Of File - - 42D9BD6962B227C84464713D20E4B8C1

oldman960
2012-04-23, 00:50
Hi mrclark,


Please go to VirusTotal (www.virustotal.com) and submit these files for analysis.

Copy and paste the following into the "Choose file" box (or use the "Choose file" button to browse to the files), one at a time if more than one file is listed:

c:\windows\system32\winlogon.exe
c:\windows\system32\svchost.exe
c:\windows\explorer.exe

Click the "Scan it" button. Wait for the results and post them in your next reply.

If it says the file has already been analysed, click Reanalyse.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample it belongs to.
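
A local version of the same triage, added here as an example and not part of the thread or of any tool it mentions. In the "Additional information" block of a VirusTotal report the per-section entropy is the number that gives a Bamital-style patched system file away (TrendMicro's PE_BAMITAL.SME in the reports below): an initialized-data section reading 7.83 bits per byte, as the uploaded svchost.exe's .data does, is what compressed or encrypted bytes look like, not what a normal build's .data looks like. The script below walks the PE section table of a file, hashes it the way VirusTotal does (MD5, SHA-1, SHA-256) and flags sections at or above an entropy threshold, so the check can be run without uploading anything. The 7.5 threshold and the sample image it runs on when given no arguments (a minimal PE32 built in memory, not a real Windows binary) are assumptions of this example; pass real paths on the command line to inspect actual files.

```python
"""Offline PE triage: file hashes plus per-section Shannon entropy.

Example code added to this thread. The sample image built below is constructed
in memory and is not a real Windows binary. Usage: python pe_triage.py FILE...
"""
import hashlib
import math
import random
import struct
import sys

# Assumed threshold for this example: sections at or above this many bits per
# byte are treated as compressed/encrypted and flagged for a closer look.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """The three digests VirusTotal prints at the top of a report."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_sections(data: bytes) -> list:
    """Walk the section table of a PE image and describe each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        # IMAGE_SECTION_HEADER after the 8-byte name: VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        raw = data[raw_ptr: raw_ptr + raw_size]
        sections.append({"name": name, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return sections


def triage(data: bytes) -> dict:
    """Hashes, per-section stats and the names of sections above HIGH_ENTROPY."""
    sections = pe_sections(data)
    return {"hashes": file_hashes(data), "sections": sections,
            "suspicious": [s["name"] for s in sections if s["entropy"] >= HIGH_ENTROPY]}


def build_sample_pe(bodies) -> bytes:
    """Constructed test image: a minimal, non-runnable PE32 whose only purpose is
    to give the parser a valid section table. bodies is a list of (name, bytes)."""
    e_lfanew, opt_size, align = 0x80, 224, 0x200
    first_raw = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(bodies)) // align) * align
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, opt_size, 0x102)
    img += struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    raw_ptr, va, payload = first_raw, 0x1000, b""
    for name, body in bodies:
        raw_size = -(-len(body) // align) * align
        img += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), va, raw_size,
                                                  raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-len(body) // 0x1000) * 0x1000
    return bytes(img.ljust(first_raw, b"\0") + payload)


# Constructed sections: a .text of 64 distinct byte values repeated (entropy exactly
# 6.0) and a .data of seeded pseudo-random bytes standing in for an encrypted payload.
_rng = random.Random(2012)
SAMPLE_PE = build_sample_pe([
    (b".text", bytes(range(64)) * 32),
    (b".data", bytes(_rng.getrandbits(8) for _ in range(4096))),
])


def read_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    targets = [(p, read_file(p)) for p in sys.argv[1:]] or [("<constructed sample>", SAMPLE_PE)]
    for path, blob in targets:
        report = triage(blob)
        print(path, report["hashes"]["sha256"])
        for s in report["sections"]:
            flag = "  <-- at or above %.1f" % HIGH_ENTROPY if s["name"] in report["suspicious"] else ""
            print("  %-8s raw@0x%06x size %6d entropy %.2f md5 %s%s" % (
                s["name"], s["raw_ptr"], s["raw_size"], s["entropy"], s["md5"], flag))
```

High entropy alone is not proof of infection (legitimately packed software looks the same), so treat the flag as a reason to compare the file's hash against a known-good copy of the same build or to verify its Authenticode signature, not as a verdict on its own.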

mrclark
2012-04-23, 04:01
Hi, here's the first one from the list, winlogon.exe:

SHA256: 24d7e2103df54af70e8a65dced36a4d67e2fa0354a58e1aeda09aa340074c058
SHA1: 640e1a59d0b9688acc52e376a7c441260b1b08c6
MD5: e12a7df6efb606316dbc801c473f1fe7
File size: 532.5 KB ( 545280 bytes )
File name: C:\WINDOWS\system32\winlogon.exe
File type: Win32 EXE
Detection ratio: 9 / 42
Analysis date: 2012-04-23 00:46:27 UTC ( 0 minutes ago )

Antivirus Result Update
AhnLab-V3 - 20120422
AntiVir - 20120422
Antiy-AVL Trojan/Win32.Patched.gen 20120422
Avast - 20120422
AVG - 20120422
BitDefender - 20120423
ByteHero - 20120417
CAT-QuickHeal - 20120420
ClamAV Trojan.Agent-278170 20120422
Commtouch - 20120422
Comodo - 20120422
DrWeb - 20120423
Emsisoft Trojan.Patched!IK 20120423
eSafe - 20120419
eTrust-Vet - 20120421
F-Prot - 20120422
F-Secure - 20120422
Fortinet - 20120422
GData - 20120423
Ikarus Trojan.Patched 20120423
Jiangmin - 20120422
K7AntiVirus - 20120420
Kaspersky - 20120423
McAfee Artemis!E12A7DF6EFB6 20120423
McAfee-GW-Edition Artemis!E12A7DF6EFB6 20120422
Microsoft - 20120422
NOD32 - 20120423
Norman - 20120422
nProtect - 20120422
Panda - 20120422
PCTools - 20120423
Rising Trojan.Win32.Generic.12ADFFB3 20120420
Sophos - 20120422
SUPERAntiSpyware - 20120402
Symantec - 20120423
TheHacker - 20120422
TrendMicro PE_BAMITAL.SME 20120422
TrendMicro-HouseCall PE_BAMITAL.SME 20120423
VBA32 - 20120422
VIPRE - 20120422
ViRobot - 20120422
VirusBuster - 20120422

Additional information
ssdeep
6144:ENZlxEdL5RvGlcHF37newMLao6nfnKHOD13XRnCfOVSePfLtisgZYls83Dm:Ddz+lcDKao6nfKHsRqOMgxZgWD
TrID
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)

ExifTool
UninitializedDataSize....: 0
InitializedDataSize......: 57856
ImageVersion.............: 21315.20512
ProductName..............: Microsoft Windows Operating System
FileVersionNumber........: 5.1.2600.5512
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows NT Logon Application
CharacterSet.............: Unicode
LinkerVersion............: 7.1
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.1.2600.5512 (xpsp.080413-2113)
TimeStamp................: 2008:04:13 14:43:44+02:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: winlogon
ProductVersion...........: 5.1.2600.5512
SubsystemVersion.........: 4.0
OSVersion................: 5.1
OriginalFilename.........: WINLOGON.EXE
LegalCopyright...........: Microsoft Corporation. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 461312
FileSubtype..............: 0
ProductVersionNumber.....: 5.1.2600.5512
EntryPoint...............: 0x3e5e1
ObjectFileType...........: Executable application

Sigcheck
publisher................: Microsoft Corporation
product..................: Microsoft_ Windows_ Operating System
internal name............: winlogon
copyright................: (c) Microsoft Corporation. All rights reserved.
original name............: WINLOGON.EXE
file version.............: 5.1.2600.5512 (xpsp.080413-2113)
description..............: Windows NT Logon Application

Portable Executable structural information
Compilation timedatestamp.....: 2008-04-13 12:43:44
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x0003E5E1

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 461201 461312 6.82 41b65e581e86359983610db8fa403c24
.data 466944 45168 45568 6.25 80d12c8cf6321f352d6fae58fd012c01
.rsrc 516096 36896 37376 3.62 2125d2aebebda4c2fcf377ebf03d5275

PE Imports....................:

NDdeApi.dll
-, -, -, -

AUTHZ.dll
AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle

PROFMAP.dll
InitializeProfileMappingApi, RemapAndMoveUserW

VERSION.dll
GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

WINTRUST.dll
CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext

WINSTA.dll
WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon

CRYPT32.dll
CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx

KERNEL32.dll
WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, 
InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree

msvcrt.dll
wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp

Secur32.dll
LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess

GDI32.dll
RemoveFontResourceW, AddFontResourceW

REGAPI.dll
RegDefaultUserConfigQueryW, RegUserConfigQuery

ntdll.dll
RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject

ADVAPI32.dll
ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA

RPCRT4.dll
RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate

PSAPI.DLL
EnumProcesses, EnumProcessModules, GetModuleBaseNameW

SETUPAPI.dll
SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW

WS2_32.dll
-, -, getaddrinfo

USER32.dll
SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW

USERENV.dll
-, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW

Symantec Reputation: Suspicious.Insight
F-Secure Deepguard: Suspicious:W32/Malware!Gemini
First seen by VirusTotal: 2012-04-21 23:02:00 UTC ( 1 day, 1 hour ago )
Last seen by VirusTotal: 2012-04-23 00:46:27 UTC ( 10 minutes ago )
File names (max. 25)
1.C:\WINDOWS\system32\winlogon.exe
2.winlogon.exe

mrclark
2012-04-23, 04:11
Then the svchost.exe:

SHA256: 698d0d08a9a2b2a817820da920eabdb84c85d18e4d1ca12c2f2f318137ff6c38
SHA1: cd12207c5fdc8aea0fe9273992501e9f94d57955
MD5: e5900f36f2bd2335433334b56eca9fdd
File size: 39.0 KB ( 39936 bytes )
File name: C:\WINDOWS\system32\svchost.exe
File type: Win32 EXE
Detection ratio: 5 / 42
Analysis date: 2012-04-23 01:04:16 UTC ( 0 minutes ago )

Antivirus Result Update
AhnLab-V3 - 20120422
AntiVir TR/Crypt.XPACK.Gen 20120422
Antiy-AVL - 20120422
Avast - 20120423
AVG - 20120422
BitDefender - 20120423
ByteHero - 20120417
CAT-QuickHeal - 20120420
ClamAV - 20120422
Commtouch - 20120422
Comodo - 20120422
DrWeb - 20120423
Emsisoft Trojan.Patched!IK 20120423
eSafe - 20120419
eTrust-Vet - 20120421
F-Prot - 20120422
F-Secure - 20120422
Fortinet - 20120422
GData - 20120423
Ikarus Trojan.Patched 20120423
Jiangmin - 20120422
K7AntiVirus - 20120420
Kaspersky - 20120423
McAfee - 20120423
McAfee-GW-Edition - 20120422
Microsoft - 20120422
NOD32 - 20120423
Norman - 20120422
nProtect - 20120422
Panda - 20120422
PCTools - 20120423
Rising - 20120420
Sophos - 20120422
SUPERAntiSpyware - 20120402
Symantec - 20120423
TheHacker - 20120422
TrendMicro PE_BAMITAL.SME 20120422
TrendMicro-HouseCall PE_BAMITAL.SME 20120423
VBA32 - 20120422
VIPRE - 20120422
ViRobot - 20120422
VirusBuster - 20120422

Additional information
ssdeep
768:vNcG6xlCRaJvGOA7SoUWKCPIcv1EcLWiaQm+NFqNeXZUCa16lqsqoBJ:VcG6y+zKSPYAs3Dm+N6eXZe6lWoBJ
TrID
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ExifTool
UninitializedDataSize....: 0
InitializedDataSize......: 2560
ImageVersion.............: 5.1
ProductName..............: Microsoft Windows Operating System
FileVersionNumber........: 5.1.2600.5512
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Generic Host Process for Win32 Services
CharacterSet.............: Unicode
LinkerVersion............: 7.1
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.1.2600.5512 (xpsp.080413-2111)
TimeStamp................: 2008:04:13 14:43:44+02:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: svchost.exe
ProductVersion...........: 5.1.2600.5512
SubsystemVersion.........: 4.0
OSVersion................: 5.1
OriginalFilename.........: svchost.exe
LegalCopyright...........: Microsoft Corporation. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 11264
FileSubtype..............: 0
ProductVersionNumber.....: 5.1.2600.5512
EntryPoint...............: 0x2509
ObjectFileType...........: Executable application

Sigcheck
publisher................: Microsoft Corporation
product..................: Microsoft_ Windows_ Operating System
internal name............: svchost.exe
copyright................: (c) Microsoft Corporation. All rights reserved.
original name............: svchost.exe
file version.............: 5.1.2600.5512 (xpsp.080413-2111)
description..............: Generic Host Process for Win32 Services

Portable Executable structural information
Compilation timedatestamp.....: 2008-04-13 12:43:44
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00002509

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 11264 11264 6.29 f634bdf114ad9a7ea08d94ae43ccbe3c
.data 16384 25616 26112 7.83 c2d36bf458fb470feadb0a2f4d73fb1b
.rsrc 45056 1032 1536 2.51 0ce411030b6d3ec8e6dd25d861233cc9

PE Imports....................:

ADVAPI32.dll
RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW

ntdll.dll
NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid

KERNEL32.dll
HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook

RPCRT4.dll
RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

Symantec Reputation: Suspicious.Insight
First seen by VirusTotal: 2012-04-21 22:54:06 UTC ( 1 day, 2 hours ago )
Last seen by VirusTotal: 2012-04-23 01:04:16 UTC ( 5 minutes ago )
File names (max. 25)
1.C:\WINDOWS\system32\svchost.exe
2.svchost.exe

mrclark
2012-04-23, 04:17
Then the last one, explorer.exe:

SHA256: 8980a1865acb1dcdc73498674e9cd690a87f43396ef68bd19e481005b1afeaeb
SHA1: fa11ed8508e72405fe37256f09e30f56b003be8d
MD5: 86b13bd2dac4d331b0b6406e632ab086
File size: 1.0 MB ( 1058816 bytes )
File name: C:\WINDOWS\explorer.exe
File type: Win32 EXE
Detection ratio: 5 / 42
Analysis date: 2012-04-23 01:13:23 UTC ( 0 minutes ago )

Antivirus Result Update
AhnLab-V3 - 20120422
AntiVir TR/Crypt.XPACK.Gen 20120422
Antiy-AVL - 20120422
Avast - 20120423
AVG - 20120422
BitDefender - 20120423
ByteHero - 20120417
CAT-QuickHeal - 20120420
ClamAV - 20120422
Commtouch - 20120422
Comodo - 20120422
DrWeb - 20120423
Emsisoft - 20120423
eSafe Win32.TRCrypt.XPACK 20120419
eTrust-Vet - 20120421
F-Prot - 20120422
F-Secure - 20120422
Fortinet - 20120422
GData - 20120423
Ikarus - 20120423
Jiangmin - 20120422
K7AntiVirus - 20120420
Kaspersky - 20120423
McAfee - 20120423
McAfee-GW-Edition - 20120422
Microsoft - 20120422
NOD32 - 20120423
Norman - 20120422
nProtect - 20120422
Panda - 20120422
PCTools - 20120423
Rising Trojan.Win32.Generic.12ADF86E 20120420
Sophos - 20120422
SUPERAntiSpyware - 20120402
Symantec - 20120423
TheHacker - 20120422
TrendMicro PE_BAMITAL.SME 20120422
TrendMicro-HouseCall PE_BAMITAL.SME 20120423
VBA32 - 20120422
VIPRE - 20120422
ViRobot - 20120423
VirusBuster - 20120422

Additional information
ssdeep
24576:2mftyEwAvN7lrvbkf8w0VnH1/g/J/kD2:2micN7Bbkf8THH2
TrID
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ExifTool
UninitializedDataSize....: 0
InitializedDataSize......: 752128
ImageVersion.............: 5.1
ProductName..............: Microsoft Windows Operating System
FileVersionNumber........: 6.0.2900.5512
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows Explorer
CharacterSet.............: Unicode
LinkerVersion............: 7.1
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 6.00.2900.5512 (xpsp.080413-2105)
TimeStamp................: 2008:04:13 14:43:44+02:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: explorer
ProductVersion...........: 6.00.2900.5512
SubsystemVersion.........: 4.1
OSVersion................: 5.1
OriginalFilename.........: EXPLORER.EXE
LegalCopyright...........: Microsoft Corporation. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 282112
FileSubtype..............: 0
ProductVersionNumber.....: 6.0.2900.5512
EntryPoint...............: 0x1a55f
ObjectFileType...........: Executable application

Sigcheck
publisher................: Microsoft Corporation
product..................: Microsoft_ Windows_ Operating System
internal name............: explorer
copyright................: (c) Microsoft Corporation. All rights reserved.
original name............: EXPLORER.EXE
file version.............: 6.00.2900.5512 (xpsp.080413-2105)
description..............: Windows Explorer

Portable Executable structural information
Compilation timedatestamp.....: 2008-04-13 12:43:44
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x0001A55F

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 281609 282112 6.38 f26eeac76bcf10cad2a0cd98fe3c0cbc
.data 286720 7604 6144 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 294912 754792 755200 6.70 57f6ae51d22a70d52e8a52de88acea30
.reloc 1052672 14156 14336 6.78 8ab3b57351c95c8d78540008b9a707bc

PE Imports....................:

msvcrt.dll
_itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf

SHDOCVW.dll
-, -, -

GDI32.dll
GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode

ADVAPI32.dll
RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW

KERNEL32.dll
Symantec Reputation
Suspicious.Insight
F-Secure Deepguard
Suspicious:W32/Malware!Gemini
First seen by VirusTotal
2012-04-12 09:13:50 UTC ( 1 week, 3 days ago )
Last seen by VirusTotal
2012-04-23 01:13:23 UTC ( 3 minutes ago )
File names (max. 25)
1. C:\WINDOWS\explorer.exe
2. explorer.exe

oldman960
2012-04-23, 12:25
Hi mrclark,

We have some files we need to find a replacement for. Do you have your XP disk?

mrclark
2012-04-23, 12:51
I certainly do :)

oldman960
2012-04-23, 15:11
Hi mrclark,

Please confirm it is a retail copy of XP. What drive letter does the computer see the CD-ROM as?

Are any of the original symptoms still present?

Let's see if combofix can find us a copy of the files.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

SRPEEK::
c:\windows\system32\winlogon.exe
c:\windows\system32\svchost.exe
c:\windows\explorer.exe

In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post the combofix log.
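
An added example (not part of this thread and not ComboFix's own code) that triages the SR_Search/Sigcheck output an SRPEEK:: run produces: it joins the Sigcheck lines with the "is infected!!" lines and compares each MD5 against reference hashes the analyst computes from clean copies (for example from the XP CD). The `[-]` flag is assumed to mean the signature check did not pass, and both the sample excerpt and the reference table are constructed placeholders.

```python
"""Triage helper for the SR_Search / Sigcheck section of a ComboFix log.

Added example for this thread; it is not part of the thread and not
ComboFix's own code. It parses the "[flag] date . MD5 . size . . [version]
. . path" lines that an SRPEEK:: script produces, joins them with the
"... is infected!!" lines, and compares each MD5 against reference hashes
the analyst computed from clean copies (for example from the XP CD).

Assumption (labelled): the "[-]" marker is read as "signature check did not
pass", following ComboFix's own note that unsigned files are not
necessarily malware. The sample log below is a constructed excerpt.
"""
import re
from dataclasses import dataclass

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
INFECTED_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\s+\.\s+\.\s+is infected!!\s*$")


@dataclass
class SigcheckEntry:
    path: str
    flag: str
    date: str
    md5: str
    size: int
    version: str
    infected: bool = False

    @property
    def filename(self) -> str:
        # Windows paths in the log use backslashes; do not rely on os.path here.
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_combofix(text: str) -> dict:
    """Return {lowercased path: SigcheckEntry} with the infected flags joined in."""
    entries = {}
    infected = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = SIGCHECK_RE.match(line)
        if m:
            e = SigcheckEntry(
                path=m["path"], flag=m["flag"], date=m["date"],
                md5=m["md5"].upper(), size=int(m["size"]), version=m["version"],
            )
            entries[e.path.lower()] = e
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected.add(m["path"].lower())
    for key, e in entries.items():
        e.infected = key in infected
    return entries


def verdict(e: SigcheckEntry, known_good: dict) -> str:
    """Decide what to do with one file, given reference MD5s keyed by filename."""
    ref = known_good.get(e.filename)
    matches = ref is not None and ref.upper() == e.md5
    if e.infected and matches:
        return "CONFLICT: ComboFix says infected but MD5 matches reference; re-check reference"
    if e.infected:
        return "REPLACE: ComboFix reports the file as infected"
    if ref is None:
        return "REVIEW: no reference hash; unsigned is not proof of infection"
    return "OK: MD5 matches reference" if matches else "REPLACE: MD5 differs from reference"


def triage(text: str, known_good: dict) -> dict:
    """Map each Sigcheck path in the log to its verdict."""
    return {e.path: verdict(e, known_good) for e in parse_combofix(text).values()}


# Constructed excerpt in the ComboFix format (values as posted in this thread).
SAMPLE_LOG = r"""
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . E12A7DF6EFB606316DBC801C473F1FE7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-14 . E5900F36F2BD2335433334B56ECA9FDD . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2008-04-14 . 86B13BD2DAC4D331B0B6406E632AB086 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
"""

# Placeholder reference table: replace the values with MD5s you computed
# from the clean copies on the XP CD (these are not real hashes).
KNOWN_GOOD_PLACEHOLDER = {"explorer.exe": "0" * 32}

if __name__ == "__main__":
    for path, v in triage(SAMPLE_LOG, KNOWN_GOOD_PLACEHOLDER).items():
        print(f"{path}\n    {v}")
```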

mrclark
2012-04-26, 04:05
Hi, I am noticing a definite difference; the redirect is gone, so we're on the right track, that's for sure, so thank you very very much.

Here's the log file

ComboFix 12-04-22.01 - Administrator 04/25/2012 18:20:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2347 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-25 to 2012-04-25 )))))))))))))))))))))))))))))))
.
.
2012-04-18 22:46 . 2012-04-18 22:47 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2012-04-17 21:54 . 2012-04-17 21:54 -------- d-----w- c:\program files\Microsoft Download Manager
2012-04-16 23:26 . 2012-04-16 23:26 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-04-16 23:21 . 2012-04-16 23:21 -------- d-----w- c:\program files\HitmanPro
2012-04-16 23:20 . 2012-04-16 23:20 -------- d-----w- c:\program files\New Folder
2012-04-16 01:48 . 2012-04-16 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-04-15 19:19 . 2012-04-15 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-04-15 19:19 . 2009-01-25 16:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-04-15 19:19 . 2012-04-15 19:20 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-04-15 19:17 . 2012-04-15 19:17 325200 ----a-w- c:\program files\spybotsd-2.exe
2012-04-15 00:32 . 2012-04-15 00:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-04-15 00:31 . 2012-04-15 00:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-04-09 01:25 . 2012-04-09 01:25 -------- d-----w- c:\program files\iPod
2012-04-08 02:10 . 2012-04-14 00:56 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-25 11:42 . 2010-09-06 04:46 17488 ----a-w- c:\windows\gdrv.sys
2012-04-25 00:13 . 2010-09-06 20:53 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-04-25 00:11 . 2010-09-06 20:53 234536 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-04-25 00:11 . 2010-09-06 20:52 234536 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-04-24 00:46 . 2010-09-06 20:52 234536 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-04-14 00:56 . 2011-05-14 23:20 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-24 21:55 . 2010-11-06 16:50 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2012-03-24 21:54 . 2010-11-06 16:47 34226736 ----a-w- c:\program files\nmsetup.exe
2012-03-01 11:01 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2008-04-14 09:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 09:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-29 14:10 . 2008-04-14 09:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 09:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 04:07 385024 ----a-w- c:\windows\system32\html.iec
2012-02-25 23:41 . 2010-09-13 16:54 69316464 ----a-w- c:\program files\iTunesSetup.exe
2012-02-15 15:01 . 2010-09-13 16:56 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 15:01 . 2010-09-13 16:56 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2008-04-14 05:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-20 02:00 . 2012-01-20 02:00 3147344 ----a-w- c:\program files\iExplorer_Setup.exe
2012-01-08 00:26 . 2011-12-22 22:43 39401336 ----a-w- c:\program files\QuickTimeInstaller.exe
2011-11-01 22:16 . 2011-11-01 22:16 63084671 ----a-w- c:\program files\c4demo.exe
2011-09-28 22:35 . 2011-09-28 22:35 3815360 ----a-w- c:\program files\battlelog-web-plugins-0.80.0-retail-ob.exe
2011-09-21 21:23 . 2011-09-21 21:23 47963312 ----a-w- c:\program files\OriginSetup.exe
2011-06-12 20:48 . 2010-10-08 00:09 589640 ----a-w- c:\program files\GoogleEarthSetup.exe
2011-06-05 00:48 . 2011-06-05 00:48 291539 ----a-w- c:\program files\cputhermometer_setup.exe
2011-03-21 21:57 . 2011-03-21 21:36 38191344 ----a-w- c:\program files\AVSAudioEditor.exe
2011-03-21 21:41 . 2011-03-21 21:36 150895952 ----a-w- c:\program files\AVSVideoEditor.exe
2010-10-16 20:10 . 2010-10-16 20:10 2129648 ----a-w- c:\program files\fraps.exe
2010-10-11 02:55 . 2010-10-11 02:55 874272 ----a-w- c:\program files\JavaSetup6u21.exe
2010-09-06 22:53 . 2010-09-06 22:52 2133536 ----a-w- c:\program files\avg_free_stb_all_9_115_cnet.exe
2010-09-06 18:53 . 2010-09-06 18:52 1364522 ----a-w- c:\program files\winrar-x64-393.exe
2010-09-06 07:18 . 2010-09-06 07:18 1588224 ----a-w- c:\program files\SteamInstall.msi
2010-09-06 05:30 . 2010-09-06 05:30 16883056 ----a-w- c:\program files\IE8-WindowsXP-x86-ENU.exe
2008-06-04 16:27 . 2011-04-23 17:14 44048 ----a-w- c:\program files\EVGAPrecisionWrapper.exe
2008-06-04 16:27 . 2011-04-23 17:14 203792 ----a-w- c:\program files\EVGAPrecision.exe
.
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . E12A7DF6EFB606316DBC801C473F1FE7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-14 . E5900F36F2BD2335433334B56ECA9FDD . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2008-04-14 . 86B13BD2DAC4D331B0B6406E632AB086 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-04-22_18.48.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-22 19:33 . 2012-04-22 19:33 9216 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{12024413-8CB2-11E1-91E9-1C6F652BCBB1}.dat
+ 2012-04-22 20:45 . 2012-04-22 20:45 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{075D5D0D-8CBC-11E1-91E9-1C6F652BCBB1}.dat
+ 2012-04-25 10:43 . 2012-04-25 22:18 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012042520120426\index.dat
+ 2012-04-24 18:56 . 2012-04-25 01:25 114688 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012042420120425\index.dat
+ 2012-04-23 20:45 . 2012-04-24 01:29 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012042320120424\index.dat
+ 2012-04-23 20:45 . 2012-04-23 20:45 327680 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012041620120423\index.dat
+ 2012-04-22 20:21 . 2012-04-22 20:28 163840 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C0F36BFD-8CB8-11E1-91E9-1C6F652BCBB1}.dat
+ 2012-04-22 18:54 . 2012-04-22 18:56 208896 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8D97CD2D-8CAC-11E1-91E8-1C6F652BCBB1}.dat
+ 2012-04-24 00:00 . 2012-04-24 00:06 303104 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{84E7863D-8DA0-11E1-91EA-1C6F652BCBB1}.dat
+ 2012-04-23 21:58 . 2012-04-23 22:05 580096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7CF2194F-8D8F-11E1-91EA-1C6F652BCBB1}.dat
+ 2012-04-23 21:22 . 2012-04-23 21:29 175616 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7B50C163-8D8A-11E1-91EA-1C6F652BCBB1}.dat
+ 2012-04-22 19:29 . 2012-04-22 19:35 143360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{686CA07D-8CB1-11E1-91E9-1C6F652BCBB1}.dat
+ 2012-04-22 18:52 . 2012-04-25 22:18 131072 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-04-15 00:32 . 2012-04-25 22:04 1474560 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2012-04-15 00:31 . 2012-04-25 22:18 1327104 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [BU]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-02 1242448]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2011-08-23 50592]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"CPUThermometer"="c:\documents and settings\Administrator\Desktop\CPU Thermometer\CPUThermometer.exe" [2011-01-14 127488]
"dabebdbdaafdct"="c:\documents and settings\All Users\Application Data\dabebdbdaafdct.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-15 375000]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecision.exe" [2008-06-04 203792]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-02-07 3865504]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-02-07 2972056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dabebdbdaafdct"="c:\documents and settings\All Users\Application Data\dabebdbdaafdct.exe" [BU]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2010-9-6 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDWinLogon]
SDWinLogon.dll [BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv episodes from liberty city\\EFLC\\EFLC.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJackLoader.exe"=
"c:\\Program Files\\Steam\\steamapps\\hicks439\\half-life 2 lostcoast\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\forgottenhope2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\far cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2BenchmarkTool.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\far cry 2\\bin\\FC2ServerLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_DX11.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv episodes from liberty city\\EFLC\\LaunchEFLC.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\medal of honor\\Binaries\\moh.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\medal of honor\\MP\\mohmpgame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\medal of honor\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\battle los angeles\\bin\\BattleLA.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\hydrophobia\\HydroPC.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crysis 2\\bin32\\Crysis2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crysis 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Battlelog Web Plugins\\Sonar\\0.70.0\\SonarHost.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOps.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOpsMP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dcs a10c warthog trailer\\smp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\driver san francisco\\Driver.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\batman2\\Binaries\\Win32\\BatmanAC.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\batman2\\RunLauncher.bat"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sniper ghost warrior\\Sniper_x86.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\microsoft flight\\Flight.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 3\\iw5sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 3\\iw5mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [9/6/2010 12:39 AM 19496]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 295248]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/15/2009 5:06 PM 223464]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [9/6/2010 3:34 AM 68136]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [4/23/2011 1:24 PM 2253120]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [4/15/2012 3:19 PM 1181104]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 16720]
R3 RTCore32;RTCore32;c:\program files\EVGA Precision\RTCore32.sys [5/25/2005 2:39 PM 4608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [9/6/2010 3:39 AM 30392]
R4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
R4 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2010 8:09 PM 136176]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [4/16/2012 7:21 PM 105288]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [4/15/2012 3:19 PM 1185704]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/7/2012 10:10 PM 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/6/2010 3:37 AM 1691480]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 etdrv;etdrv;c:\windows\etdrv.sys [9/6/2010 1:06 AM 17488]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2010 8:09 PM 136176]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [9/6/2010 12:47 AM 24944]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 00:56]
.
2012-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-04-25 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-04-15 21:19]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 00:09]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 00:09]
.
2012-03-09 c:\windows\Tasks\PC Unleashed Defrag.job
- c:\program files\PC Unleashed Online\Suite\pcu.exe [2011-09-06 18:27]
.
2012-04-25 c:\windows\Tasks\PC Unleashed Registration3.job
- c:\program files\Common Files\PC Unleashed Online\UUS3\UUS3.dll [2011-09-06 18:27]
.
2012-03-09 c:\windows\Tasks\PC Unleashed Update Version3.job
- c:\program files\Common Files\PC Unleashed Online\UUS3\Update3.exe [2011-09-06 18:27]
.
2012-04-04 c:\windows\Tasks\PC Unleashed.job
- c:\program files\PC Unleashed Online\Suite\pcu.exe [2011-09-06 18:27]
.
2012-04-15 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-04-15 21:19]
.
2012-04-15 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-04-15 21:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.gunbroker.com/WebResource.axd?d=Qydpf0KIwF1Fr6RRPI2vp09Qx7960W1PefrwdgTL1YWRWyUo6in6PN6VS7m59gst6zjhnPK4xtevtkkiPAeNbVdLz1lm1BKvO-eVx_B2d1Lb7EFrywmMr-EfCQUqniwFPL_qr5-6LT50B9lSJqZDgme2Vksu6ajL4Qvm6a-2VX8ROm8K0&t=634230999680000000
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-25 18:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,6f,f1,63,32,e5,bc,45,89,bf,b0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,6f,f1,63,32,e5,bc,45,89,bf,b0,\
.
[HKEY_USERS\S-1-5-21-682003330-308236825-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,66,85,47,9d,ef,52,ba,43,a7,e7,2e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,45,f0,cc,f9,29,c5,4d,9e,6c,27,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,45,f0,cc,f9,29,c5,4d,9e,6c,27,\
.
[HKEY_USERS\S-1-5-21-682003330-308236825-725345543-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:b0,92,5d,7f,74,6f,64,2e,f2,07,94,8b,39,bb,2f,90,78,3b,d3,9a,b3,5d,1c,
d7,63,8c,72,e2,a3,26,59,a8,a9,72,5e,5c,4e,6e,f4,6b,47,95,f8,a3,84,f4,45,d6,\
"??"=hex:c4,eb,46,72,21,b0,9f,a8,fb,ea,d5,9e,97,df,e4,ec
.
[HKEY_USERS\S-1-5-21-682003330-308236825-725345543-500\Software\SecuROM\License information*]
"datasecu"=hex:4f,7b,fd,ac,4f,c5,c9,f4,5d,c1,a0,60,c9,eb,52,4d,56,24,fb,5a,d1,
17,90,ad,ab,dc,f9,37,74,6f,14,fa,8c,a3,79,44,ab,2c,97,e2,17,7f,81,1f,c8,91,\
"rkeysecu"=hex:4b,4a,a7,ae,b5,00,e9,fc,cc,f3,a7,43,b2,51,a3,50
.
Completion time: 2012-04-25 18:33:47
ComboFix-quarantined-files.txt 2012-04-25 22:33
ComboFix2.txt 2012-04-22 18:52
.
Pre-Run: 366,377,033,728 bytes free
Post-Run: 366,673,752,064 bytes free
.
- - End Of File - - A67EB80948E5CEE5FCF3FB22BCAB1DCA

oldman960
2012-04-26, 05:13
Hi mrclark,

No good copies to be found on the computer. Let's see if we can get a good copy from the CD.

Insert your XP cd, make sure it doesn't run, we just want to copy some files.

In the following commands please replace the letter X with the correct drive letter for your CD drive.

Click start > run. In the run box type cmd

Copy and paste the following commands one at a time into the command window and hit enter after each one.

expand x:\i386\explorer.ex_ c:\explorer.exe
expand x:\i386\winlogon.ex_ c:\winlogon.exe
expand x:\i386\svchost.ex_ c:\svchost.exe

You should get a message "1 file expanded" or similar. Let me know how you make out.

mrclark
2012-04-27, 02:09
Hi, no message popped up. Here's a screenshot of the process.

oldman960
2012-04-27, 02:52
Hi mrclark,

That worked. Let's see if we can replace them.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE



FCopy::
c:\explorer.exe | c:\windows\explorer.exe
c:\winlogon.exe | c:\windows\system32\winlogon.exe
c:\svchost.exe | c:\windows\system32\svchost.exe
c:\explorer.exe | c:\windows\dllcache\explorer.exe
c:\winlogon.exe | c:\windows\system32\dllcache\winlogon.exe
c:\svchost.exe | c:\windows\system32\dllcache\svchost.exe
SkipFix::



In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post the combofix log.

How's the computer?

mrclark
2012-04-28, 02:21
Hi, well Houston, we have a problem. The PC won't boot up into Windows properly anymore. It just keeps cycling before XP starts up. So I set it from the prompt screen to the last known running configuration and it boots up, but Windows Explorer crashes. I am looking at just my desktop image and nothing more.

Any thoughts?

mrclark
2012-04-28, 02:39
Oh, by the way, I can access my files through Task Manager; everything seems intact.

oldman960
2012-04-28, 03:38
Hi mrclark,

Open Task Manager
click File > New Task (Run)
type explorer and click OK
Is your desktop back?

mrclark
2012-04-28, 03:42
An error warning comes up stating "Windows Explorer has encountered a problem and needs to be closed".

I'm using my phone by the way to respond.

oldman960
2012-04-28, 04:04
Hi mrclark,

Go back into Task Manager. This time type iexplore

Internet Explorer should open. Access this forum and attach C:\combofix.txt to your next reply.

mrclark
2012-04-28, 05:48
Hi, unfortunately there is no C:\combofix.txt in that folder; actually, I don't think there were any text files there.

oldman960
2012-04-28, 06:22
Hi mrclark,

Sorry, I may have confused you. After you type iexplore, Internet Explorer should open and you should be able to go online. Do you get that far?

mrclark
2012-04-28, 06:48
Oh ya, no problem, I can get online and get anywhere on my PC really through task m

oldman960
2012-04-28, 08:51
Hi mrclark,

Let's try this. In Task Manager, check on the Processes tab for explorer.exe. If it's there, end the process and try to start it again.

In File > New Task, use the Browse button to locate Desktop. Click on OTL.exe and click OK. When OTL opens, click the Run Scan button and post the log that is produced.

mrclark
2012-04-28, 23:34
Hi, I couldn't get to Control Panel from Task Manager to turn off AVG and Spybot; the Windows Explorer warning would pop up again and crash.

But I managed to get a log run.

OTL logfile created on: 4/28/2012 2:37:48 PM - Run 2
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Administrator\Desktop\New Folder
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.78 Gb Available Physical Memory | 85.48% Memory free
5.09 Gb Paging File | 4.60 Gb Available in Paging File | 90.40% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 341.39 Gb Free Space | 36.65% Space Free | Partition Type: NTFS
Drive D: | 642.92 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: ADMIN-FDC77CCCA | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\HitmanPro\hmpsched.exe (SurfRight B.V.)
PRC - C:\Documents and Settings\Administrator\Desktop\New Folder\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\AVG\AVG2012\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe (DeviceVM, Inc.)
PRC - C:\Program Files\Gigabyte\EasySaver\essvr.exe ()


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Gigabyte\EasySaver\essvr.exe ()
MOD - C:\Program Files\Gigabyte\EasySaver\ycc.dll ()


========== Win32 Services (SafeList) ==========

SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (HitmanProScheduler) -- C:\Program Files\HitmanPro\hmpsched.exe (SurfRight B.V.)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (AppleChargerSrv) -- C:\WINDOWS\system32\AppleChargerSrv.exe ()
SRV - (BCUService) -- C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe (DeviceVM, Inc.)
SRV - (ES lite Service) -- C:\Program Files\Gigabyte\EasySaver\essvr.exe ()
SRV - (Adobe Version Cue CS3) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (Adobe Systems Incorporated)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows (R) 2000 DDK provider)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (GVTDrv) -- C:\WINDOWS\system32\drivers\GVTDrv.sys ()
DRV - (etdrv) -- C:\WINDOWS\etdrv.sys (Windows (R) 2000 DDK provider)
DRV - (AppleCharger) -- C:\WINDOWS\system32\drivers\AppleCharger.sys ()
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (usbfilter) -- C:\WINDOWS\system32\drivers\usbfilter.sys (Advanced Micro Devices)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (AmdLLD) -- C:\WINDOWS\system32\drivers\AmdLLD.sys (AMD, Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (RTCore32) -- C:\Program Files\EVGA Precision\RTCore32.sys ()
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\system32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfsync02) StarForce Protection Synchronization Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfhlp02.sys (Protection Technology)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {67B304DA-6278-40b3-B8E8-D46F814D6BFB}
IE - HKCU\..\SearchScopes\{0A4D1FD6-14A6-42b7-B9E4-A9A86BA9C833}: "URL" = http://www.google.com/cse?cx=partner-pub-3794288947762788%3A2938615334&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A2938615334&q={searchTerms}
IE - HKCU\..\SearchScopes\{0C0AD665-632E-4818-A02A-A810DEFFC693}: "URL" = http://search.avg.com/route/?d=$instd$&v=$ver$&i=$dchid$&tp=chrome&q={searchTerms}&lng={moz:locale}&iy=&ychte=ca
IE - HKCU\..\SearchScopes\{67B304DA-6278-40b3-B8E8-D46F814D6BFB}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBD
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.0: C:\Program Files\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=0.80.0: C:\Program Files\Battlelog Web Plugins\0.80.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@fileplanet.com/fpdlm: C:\Program Files\Download Manager\npfpdlm.dll (IGN Entertainment)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2012/04/27 18:43:27 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/01/31 21:04:43 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/04/26 21:14:51 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCU] C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe (DeviceVM, Inc.)
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF19386.3XE (Microsoft Corporation)
O4 - HKLM..\Run: [EVGAPrecision] C:\Program Files\EVGA Precision\EVGAPrecision.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [Spybot-S&D Cleaning] C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [CPUThermometer] C:\Documents and Settings\Administrator\Desktop\CPU Thermometer\CPUThermometer.exe ()
O4 - HKCU..\Run: [dabebdbdaafdct] "C:\Documents and Settings\All Users\Application Data\dabebdbdaafdct.exe" File not found
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe (IGN Entertainment)
O4 - HKCU..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent File not found
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF19386.3XE (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab (CDownloadCtrl Object)
O16 - DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} http://www.gunbroker.com/WebResource.axd?d=Qydpf0KIwF1Fr6RRPI2vp09Qx7960W1PefrwdgTL1YWRWyUo6in6PN6VS7m59gst6zjhnPK4xtevtkkiPAeNbVdLz1lm1BKvO-eVx_B2d1Lb7EFrywmMr-EfCQUqniwFPL_qr5-6LT50B9lSJqZDgme2Vksu6ajL4Qvm6a-2VX8ROm8K0&t=634230999680000000 (Image Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} https://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.66.2.cab (Battlefield Play4Free Updater)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AB79E8E6-3A4E-4955-9F00-0C1D77D8038C}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/09/06 02:55:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/04 08:00:00 | 000,000,110 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/26 21:11:44 | 001,058,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2012/04/26 21:11:38 | 000,545,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winlogon.exe
[2012/04/26 21:11:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\dllcache
[2012/04/26 21:10:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/04/26 21:10:38 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/04/22 13:55:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/04/22 13:53:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/04/22 13:53:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/04/22 13:53:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/04/22 13:53:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/04/22 13:53:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/04/22 13:52:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/04/22 13:41:12 | 004,470,812 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2012/04/21 18:41:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\New Folder
[2012/04/17 17:54:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Download Manager
[2012/04/17 17:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Download Manager
[2012/04/16 19:26:48 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2012/04/16 19:21:34 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/04/16 19:21:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2012/04/16 19:20:17 | 000,000,000 | ---D | C] -- C:\Program Files\New Folder
[2012/04/15 21:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/04/15 21:48:21 | 007,245,976 | ---- | C] (SurfRight B.V.) -- C:\Program Files\HitmanPro36.exe
[2012/04/15 21:46:24 | 008,250,768 | ---- | C] (SurfRight B.V.) -- C:\Program Files\HitmanPro36_x64.exe
[2012/04/15 18:36:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012/04/15 15:19:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/04/15 15:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
[2012/04/15 15:19:47 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2012/04/15 15:19:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2012/04/15 15:17:03 | 000,325,200 | ---- | C] (OpenInstall ) -- C:\Program Files\spybotsd-2.exe
[2012/04/08 21:27:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/04/08 21:25:52 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/04/07 22:10:02 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/01/19 22:00:20 | 003,147,344 | ---- | C] (Macroplant, LLC ) -- C:\Program Files\iExplorer_Setup.exe
[2011/12/22 18:43:38 | 039,401,336 | ---- | C] (Apple Inc.) -- C:\Program Files\QuickTimeInstaller.exe
[2011/11/01 18:16:13 | 063,084,671 | ---- | C] (NovaLogic ) -- C:\Program Files\c4demo.exe
[2011/09/21 17:23:35 | 047,963,312 | ---- | C] (Electronic Arts, Inc.) -- C:\Program Files\OriginSetup.exe
[2011/03/21 17:36:17 | 038,191,344 | ---- | C] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSAudioEditor.exe
[2011/03/21 17:36:16 | 150,895,952 | ---- | C] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSVideoEditor.exe
[2010/11/06 12:47:43 | 034,226,736 | ---- | C] (Cisco Systems, Inc.) -- C:\Program Files\nmsetup.exe
[2010/10/16 16:10:34 | 002,129,648 | ---- | C] (Beepa Pty Ltd) -- C:\Program Files\fraps.exe
[2010/10/10 22:55:19 | 000,874,272 | ---- | C] (Sun Microsystems, Inc.) -- C:\Program Files\JavaSetup6u21.exe
[2010/10/07 20:09:26 | 000,589,640 | ---- | C] (Google Inc.) -- C:\Program Files\GoogleEarthSetup.exe
[2010/09/13 12:54:17 | 069,316,464 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe
[2010/09/06 18:52:56 | 002,133,536 | ---- | C] (AVG Technologies) -- C:\Program Files\avg_free_stb_all_9_115_cnet.exe
[2010/09/06 01:30:18 | 016,883,056 | ---- | C] (Microsoft Corporation) -- C:\Program Files\IE8-WindowsXP-x86-ENU.exe
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/28 14:09:17 | 096,476,685 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/04/28 14:03:54 | 000,000,598 | ---- | M] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2012/04/28 14:03:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/28 14:03:28 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2012/04/28 14:03:18 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/28 14:03:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/27 22:56:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/27 22:56:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/27 21:25:55 | 000,138,520 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2012/04/27 21:24:09 | 000,234,536 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2012/04/27 21:24:09 | 000,234,536 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.ex0
[2012/04/27 21:02:25 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/26 21:14:51 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/04/26 21:04:40 | 000,000,267 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\redirect virus and malware please help me!!! - Safer-Networking Forums.url
[2012/04/26 19:09:15 | 000,063,406 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CMD.JPG
[2012/04/26 19:04:56 | 001,367,030 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\untitled.bmp
[2012/04/26 19:04:45 | 001,367,030 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CMD.bmp
[2012/04/26 18:00:00 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\PC Unleashed Registration3.job
[2012/04/26 17:56:54 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2012/04/25 21:08:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/04/25 18:02:50 | 000,228,055 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/04/25 07:43:12 | 000,001,048 | -H-- | M] () -- C:\Documents and Settings\Administrator\Desktop\magicJack.lnk
[2012/04/22 13:56:03 | 000,000,367 | RHS- | M] () -- C:\boot.ini
[2012/04/22 13:41:18 | 004,470,812 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2012/04/21 18:43:25 | 000,205,312 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/19 19:29:25 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\play in right rear wheel of 08 ren x, is it bearings - can-am ATV Forums - can-amtalk.com.url
[2012/04/18 22:02:24 | 000,000,578 | ---- | M] () -- C:\WINDOWS\M3JPEG.INI
[2012/04/18 18:44:09 | 000,002,353 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Download Manager.lnk
[2012/04/17 17:52:26 | 000,000,172 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012/04/17 17:41:59 | 000,000,257 | ---- | M] () -- C:\Boot.bak
[2012/04/16 19:26:48 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2012/04/15 21:48:31 | 007,245,976 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro36.exe
[2012/04/15 21:46:37 | 008,250,768 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro36_x64.exe
[2012/04/15 15:19:59 | 000,000,594 | ---- | M] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2012/04/15 15:19:59 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2012/04/15 15:19:52 | 000,001,836 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2012/04/15 15:17:08 | 000,325,200 | ---- | M] (OpenInstall ) -- C:\Program Files\spybotsd-2.exe
[2012/04/15 13:15:25 | 000,000,683 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Another Renegade SUBSEA snorkel kit is created! - can-am ATV Forums - can-amtalk.com - Page 2.url
[2012/04/15 13:14:57 | 000,000,318 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\4 x Cases (Military Boxes) for .22.url
[2012/04/15 12:04:44 | 000,000,882 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.hitmanpro
[2012/04/15 12:04:44 | 000,000,882 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120415-183150.backup
[2012/04/13 20:56:05 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/13 20:56:04 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/04/11 06:55:30 | 000,573,400 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/11 06:55:30 | 000,108,130 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/11 06:45:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/04/08 21:27:47 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/04/04 17:51:43 | 000,000,398 | ---- | M] () -- C:\WINDOWS\tasks\PC Unleashed.job
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/26 19:09:14 | 000,063,406 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CMD.JPG
[2012/04/26 19:04:44 | 001,367,030 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CMD.bmp
[2012/04/26 19:03:20 | 001,367,030 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\untitled.bmp
[2012/04/22 13:56:03 | 000,000,257 | ---- | C] () -- C:\Boot.bak
[2012/04/22 13:55:57 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/04/22 13:53:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/04/22 13:53:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/04/22 13:53:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/04/22 13:53:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/04/22 13:53:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/04/19 21:12:01 | 000,000,267 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\redirect virus and malware please help me!!! - Safer-Networking Forums.url
[2012/04/17 17:54:55 | 000,002,353 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Download Manager.lnk
[2012/04/15 18:26:43 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\play in right rear wheel of 08 ren x, is it bearings - can-am ATV Forums - can-amtalk.com.url
[2012/04/15 17:42:23 | 000,000,172 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012/04/15 15:19:58 | 000,000,594 | ---- | C] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2012/04/15 15:19:58 | 000,000,462 | ---- | C] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2012/04/15 15:19:57 | 000,000,598 | ---- | C] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2012/04/15 15:19:52 | 000,001,842 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2012/04/15 15:19:52 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2012/04/08 21:27:47 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/04/07 22:10:03 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/04 21:28:35 | 000,409,738 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-682003330-308236825-725345543-500-0.dat
[2012/02/14 18:50:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/30 23:47:35 | 000,345,706 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/10/11 22:05:39 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/09/28 18:44:14 | 000,179,271 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2011/09/28 18:35:17 | 003,815,360 | ---- | C] () -- C:\Program Files\battlelog-web-plugins-0.80.0-retail-ob.exe
[2011/06/13 15:16:33 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/06/04 20:48:52 | 000,291,539 | ---- | C] () -- C:\Program Files\cputhermometer_setup.exe
[2011/04/23 13:14:57 | 000,203,792 | ---- | C] () -- C:\Program Files\EVGAPrecision.exe
[2011/04/23 13:14:57 | 000,044,048 | ---- | C] () -- C:\Program Files\EVGAPrecisionWrapper.exe
[2010/12/04 01:27:07 | 000,003,217 | ---- | C] () -- C:\WINDOWS\pi2000.ini
[2010/12/04 01:27:06 | 000,000,021 | ---- | C] () -- C:\WINDOWS\arcsuite.ini
[2010/11/29 02:16:18 | 000,056,844 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/11/28 18:37:42 | 002,250,024 | ---- | C] () -- C:\WINDOWS\System32\pbsvc.exe
[2010/11/06 12:50:38 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/10/16 18:18:57 | 000,000,578 | ---- | C] () -- C:\WINDOWS\M3JPEG.INI
[2010/10/12 15:18:39 | 002,601,752 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_moh.exe
[2010/09/13 13:13:32 | 000,000,026 | ---- | C] () -- C:\WINDOWS\GeoLan.ini
[2010/09/13 13:11:28 | 000,229,376 | R--- | C] () -- C:\WINDOWS\System32\GXGM20.dll
[2010/09/13 13:11:19 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\GODDNIF.ini
[2010/09/06 20:32:02 | 000,205,312 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/06 16:53:10 | 000,138,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2010/09/06 16:53:10 | 000,022,328 | -H-- | C] () -- C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
[2010/09/06 16:52:28 | 000,234,536 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2010/09/06 16:52:27 | 002,434,856 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_bc2.exe
[2010/09/06 16:52:27 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2010/09/06 16:06:01 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2010/09/06 15:38:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/09/06 14:52:38 | 001,364,522 | ---- | C] () -- C:\Program Files\winrar-x64-393.exe
[2010/09/06 03:39:30 | 000,080,416 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2010/09/06 03:33:41 | 000,207,400 | R--- | C] () -- C:\WINDOWS\GSetup.exe
[2010/09/06 03:33:41 | 000,000,010 | ---- | C] () -- C:\WINDOWS\GSetup.ini
[2010/09/06 03:18:17 | 001,588,224 | ---- | C] () -- C:\Program Files\SteamInstall.msi
[2010/09/06 02:56:39 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/09/06 02:52:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/09/06 02:42:09 | 000,194,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/06 00:55:07 | 000,286,760 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2010/09/06 00:55:06 | 000,286,760 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2010/09/06 00:55:06 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2010/09/06 00:47:59 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/06 00:47:58 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/09/06 00:47:03 | 000,024,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\GVTDrv.sys
[2010/09/06 00:39:52 | 000,031,272 | ---- | C] () -- C:\WINDOWS\System32\AppleChargerSrv.exe
[2010/09/06 00:39:52 | 000,019,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\AppleCharger.sys
[2010/09/05 19:41:11 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/09/05 19:40:07 | 001,563,640 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Files - Unicode (All) ==========
[2012/02/10 22:23:46 | 000,000,317 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Cat Massage?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Cat Massage‬‏ - YouTube.url
[2011/11/26 23:16:32 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\YouTube - ?Husky Dog Talking - I love you ??.url) -- C:\Documents and Settings\Administrator\My Documents\YouTube - ‪Husky Dog Talking - I love you ‬‏.url
[2011/09/11 11:38:13 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Can-Am Commander Side-By-Side?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Can-Am Commander Side-By-Side‬‏ - YouTube.url
[2011/09/10 11:15:26 | 000,000,836 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Can-Am Commander Side-By-Side?? - YouTube (2).url) -- C:\Documents and Settings\Administrator\My Documents\‪Can-Am Commander Side-By-Side‬‏ - YouTube (2).url
[2011/09/07 23:07:40 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Commander 1000 XT BRP Can Am?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Commander 1000 XT BRP Can Am‬‏ - YouTube.url
[2011/08/12 00:59:28 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?GoRidingTV tests the 2011 CAN-AM Commander?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪GoRidingTV tests the 2011 CAN-AM Commander‬‏ - YouTube.url
[2011/08/06 17:03:37 | 000,000,836 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Can-Am Commander Side-By-Side?? - YouTube (2).url) -- C:\Documents and Settings\Administrator\My Documents\‪Can-Am Commander Side-By-Side‬‏ - YouTube (2).url
[2011/08/06 17:03:05 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Commander 1000 XT BRP Can Am?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Commander 1000 XT BRP Can Am‬‏ - YouTube.url
[2011/08/06 15:58:47 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Can-Am Commander Side-By-Side?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Can-Am Commander Side-By-Side‬‏ - YouTube.url
[2011/08/06 15:58:23 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?GoRidingTV tests the 2011 CAN-AM Commander?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪GoRidingTV tests the 2011 CAN-AM Commander‬‏ - YouTube.url
[2011/07/30 17:25:16 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Amy winehouse - Teach me tonight?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Amy winehouse - Teach me tonight‬‏ - YouTube.url
[2011/07/23 20:44:10 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Amy winehouse - Teach me tonight?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Amy winehouse - Teach me tonight‬‏ - YouTube.url
[2011/07/22 00:26:55 | 000,000,317 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Cat Massage?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Cat Massage‬‏ - YouTube.url
[2011/06/30 13:33:23 | 000,000,267 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\YouTube - ?gardea23's Channel??#p-u-2-gRw-lfXy_tQ.url) -- C:\Documents and Settings\Administrator\My Documents\YouTube - ‪gardea23's Channel‬‏#p-u-2-gRw-lfXy_tQ.url
[2011/06/30 13:33:23 | 000,000,267 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\YouTube - ?gardea23's Channel??#p-u-2-gRw-lfXy_tQ.url) -- C:\Documents and Settings\Administrator\My Documents\YouTube - ‪gardea23's Channel‬‏#p-u-2-gRw-lfXy_tQ.url
[2011/06/30 13:30:02 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\YouTube - ?Husky Dog Talking - I love you ??.url) -- C:\Documents and Settings\Administrator\My Documents\YouTube - ‪Husky Dog Talking - I love you ‬‏.url

< End of report >

oldman960
2012-04-29, 08:32
Hi mrclark,

I see only parts of the last fix we ran in the log. Have a look in C:\Qoobox for a file named ComboFix-quarantined-files.txt

Next, please open OTL.

When the window appears, click the None button near the top (it may look greyed out).

In the window under Custom Scans/Fixes copy and paste the following



/md5start
svchost.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
/md5stop



Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Please post back with
ComboFix-quarantined-files.txt
OTL.txt

mrclark
2012-05-01, 03:14
hi

OTL logfile created on: 4/30/2012 7:42:42 PM - Run 3
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Administrator\Desktop\New Folder
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.73 Gb Available Physical Memory | 84.15% Memory free
5.09 Gb Paging File | 4.54 Gb Available in Paging File | 89.26% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 341.27 Gb Free Space | 36.64% Space Free | Partition Type: NTFS

Computer Name: ADMIN-FDC77CCCA | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\dllcache\explorer.exe
[2012/02/07 17:19:30 | 003,149,736 | ---- | M] (Safer-Networking Ltd.) MD5=511D1BEF41D4A018501139F409DE5ED6 -- C:\Program Files\Spybot - Search & Destroy 2\explorer.exe
[2008/04/14 05:42:10 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=6771E48723C7ECFA3395CCBC666CE0E9 -- C:\WINDOWS\explorer.exe

< MD5 for: EXPLORER.EXE.VIR >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\Qoobox\Quarantine\C\explorer.exe.vir
[2008/04/14 05:42:10 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=86B13BD2DAC4D331B0B6406E632AB086 -- C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2012/04/30 15:45:27 | 000,020,936 | ---- | M] () MD5=33A5DE2DEE0DAD8D005147CF1E438BBE -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.SCF >
[2004/08/04 08:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: EXPLORER.ZIP >
[2006/03/06 22:48:08 | 000,020,394 | ---- | M] () MD5=B469409C2B2A33C542190B720E11BD79 -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip

< MD5 for: SVCHOST.DAT >
[2000/08/30 20:00:00 | 000,000,555 | ---- | M] () MD5=75FCC9D372E19562BA0F254042739920 -- C:\ComboFix\svchost.dat

< MD5 for: SVCHOST.EXE >
[2012/04/26 21:11:42 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=E5900F36F2BD2335433334B56ECA9FDD -- C:\WINDOWS\system32\svchost.exe

< MD5 for: SVCHOST.EXE.ND_ >
[2012/04/26 21:13:40 | 000,000,014 | ---- | M] () MD5=45FCF799EB0FBE276985D816B9AE8E91 -- C:\ComboFix\svchost.exe.ND_

< MD5 for: SVCHOST.EXE.VIR >
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\Qoobox\Quarantine\C\svchost.exe.vir
[2008/04/14 05:42:10 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=E5900F36F2BD2335433334B56ECA9FDD -- C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir

< MD5 for: SVCHOST.EXE-3530F672.PF >
[2012/04/25 07:42:36 | 000,049,264 | ---- | M] () MD5=D8614F3D9ED6DC6FF778B0A9B45F80E6 -- C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

< MD5 for: SVCHOST.VISTA.X64.DAT >
[2010/11/27 01:12:00 | 000,000,749 | ---- | M] () MD5=14CAA9E2E82256EC016BE799DE6498DB -- C:\ComboFix\svchost.vista.x64.dat

< MD5 for: WINLOGON.EXE >
[2008/04/14 05:42:10 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=CEB69A8FC53AAF8BCB361A875A44B4CB -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2012/04/26 21:11:42 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=E12A7DF6EFB606316DBC801C473F1FE7 -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WINLOGON.EXE.VIR >
[2008/04/14 05:42:10 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=E12A7DF6EFB606316DBC801C473F1FE7 -- C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\Qoobox\Quarantine\C\winlogon.exe.vir

< >

< End of report >
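
An added Python example, not part of this thread or of OTL itself, that parses the "< MD5 for: ... >" section of an OTL report like the one above and flags a live system file whose MD5 and size match no dllcache copy of the same name, which is the comparison the helper is doing by eye here. The report embedded in it is a constructed sample with placeholder hashes, and the classification rules (dllcache = reference, Qoobox or .vir = quarantine) are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format OTL writes for a /md5start ... /md5stop scan;
# hashes and timestamps are made-up placeholders, not values from a real machine.
SAMPLE_LOG = r"""========== Custom Scans ==========

< MD5 for: SVCHOST.EXE >
[2008/04/14 05:42:10 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\WINDOWS\system32\dllcache\svchost.exe
[2012/04/26 21:11:42 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=CAFEBABECAFEBABECAFEBABECAFEBABE -- C:\WINDOWS\system32\svchost.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 05:42:10 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=FEEDFACEFEEDFACEFEEDFACEFEEDFACE -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 05:42:10 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=FEEDFACEFEEDFACEFEEDFACEFEEDFACE -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:10 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=BAADF00DBAADF00DBAADF00DBAADF00D -- C:\WINDOWS\explorer.exe

< End of report >
"""

# One OTL hash line: [stamp | size | attrs | M or C] (Company) MD5=hash -- path
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| [^|]* \| [MC]\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

def parse_md5_report(text):
    """Return one dict per '[...] (Company) MD5=... -- path' line in an OTL report."""
    entries = []
    for raw in text.splitlines():
        if m := ENTRY_RE.match(raw.strip()):
            entries.append({"path": m.group("path"), "company": m.group("company"),
                            "size": int(m.group("size").replace(",", "")),
                            "md5": m.group("md5").upper()})
    return entries

def classify(path):
    """Separate the live file from its dllcache reference and quarantined (.vir) copies."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low or low.endswith(".vir"):
        return "quarantine"
    return "reference" if "\\dllcache\\" in low else "live"

def find_mismatches(entries):
    """Flag live files whose (MD5, size) matches no dllcache copy of the same name.

    Names with no dllcache reference come back separately as 'unverified', so a
    missing reference is never mistaken for a clean result.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    mismatches, unverified = [], []
    for group in by_name.values():
        refs = {(e["md5"], e["size"]) for e in group if classify(e["path"]) == "reference"}
        for e in (x for x in group if classify(x["path"]) == "live"):
            if not refs:
                unverified.append(e["path"])
            elif (e["md5"], e["size"]) not in refs:
                mismatches.append({"path": e["path"], "md5": e["md5"],
                                   "reference_md5s": sorted(r[0] for r in refs)})
    return mismatches, unverified
```

Keep in mind that dllcache can be tampered with as well, which is why the helper in this thread also compares against the quarantined copies before trusting either.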

mrclark
2012-05-01, 03:16
2012-04-25 22:20:18 . 2012-04-25 22:20:18 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2012-04-22 18:49:24 . 2012-04-22 18:49:24 474 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-XWW2_BF2_1.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,918 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7FD8B0C1-CDDA-4B4D-A577-B2E3570EA3A3}_is1.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 478 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Precision.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,544 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Nations at War6.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-N.A.W 6..0 MAP Pack 46.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,666 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-N.A.W 6..0 MAP Pack 36.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-N.A.W 6..0 MAP Pack 26.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,666 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-N.A.W 6..0 MAP Pack 16.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 520 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-BattlEye.reg.dat
2012-04-22 18:49:02 . 2012-04-22 18:49:02 618 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-SDWinLogon.reg.dat
2012-04-22 18:48:58 . 2012-04-22 18:48:58 181 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-dabebdbdaafdct.reg.dat
2012-04-22 18:48:56 . 2012-04-22 18:48:56 179 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-dabebdbdaafdct.reg.dat
2012-04-22 18:48:55 . 2012-04-22 18:48:56 177 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-RGSC.reg.dat
2012-04-22 18:48:55 . 2012-04-25 22:32:38 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2012-04-22 18:48:55 . 2012-04-25 22:32:37 213 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2012-04-22 18:48:55 . 2012-04-25 22:32:37 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2012-04-22 18:41:46 . 2012-04-25 22:27:42 5,845 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-04-22 17:53:02 . 2012-04-25 22:19:18 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-04-21 03:38:11 . 2012-04-21 03:38:11 571 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\iiaraaa.tmp.vir
2012-04-15 17:04:28 . 2012-04-15 18:51:22 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\dabebdbdaafdct.exe.vir
2012-01-20 02:07:59 . 2012-01-20 02:07:59 10,498 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\unins000.msg.vir
2012-01-20 02:07:59 . 2011-11-07 15:16:46 192,512 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\ICSharpCode.SharpZipLib.dll.vir
2012-01-20 02:07:59 . 2011-11-30 21:05:46 27,648 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\MPUpdater.dll.vir
2012-01-20 02:07:59 . 2011-10-20 13:15:46 28,672 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\AxInterop.QTOControlLib.dll.vir
2012-01-20 02:07:59 . 2011-10-20 13:15:42 32,768 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\Interop.QTOControlLib.dll.vir
2012-01-20 02:07:59 . 2011-10-20 13:15:42 94,208 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\Interop.QTOLibrary.dll.vir
2012-01-20 02:07:59 . 2011-12-06 21:35:32 30,720 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\MPCrashReporter.dll.vir
2012-01-20 02:07:59 . 2011-12-06 21:35:32 41,984 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\PodPhone2.dll.vir
2012-01-20 02:07:58 . 2011-12-06 21:35:34 2,689,024 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\iExplorer.exe.vir
2012-01-20 02:07:58 . 2011-10-20 13:15:46 348,160 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\msvcr71.dll.vir
2012-01-20 02:07:58 . 2011-10-20 13:15:46 49,664 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\isxdl.dll.vir
2012-01-20 02:07:58 . 2012-01-20 02:07:59 22,221 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\unins000.dat.vir
2012-01-20 02:07:58 . 2012-01-20 02:00:30 770,624 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\unins000.exe.vir
2011-10-25 22:07:45 . 2011-10-25 22:32:25 89,643,496 ----a-w- C:\Qoobox\Quarantine\C\Program Files\285.58-desktop-winxp-32bit-english-whql.exe.vir
2011-07-25 04:31:27 . 2012-04-21 22:44:41 292,864 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Recent\Thumbs.db.vir
2011-04-23 17:22:32 . 2011-04-23 17:22:43 88,715,952 ----a-w- C:\Qoobox\Quarantine\C\Program Files\270.61-desktop-winxp-32bit-english-whql.exe.vir
2010-10-19 15:41:31 . 2010-10-19 15:41:53 4,290,744 ----a-w- C:\Qoobox\Quarantine\C\Program Files\avg_free_stb_all_2011_1136_upgrade.exe.vir
2008-04-14 09:42:10 . 2008-04-14 09:42:10 1,033,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\expl.dat.vir
2008-04-14 09:42:10 . 2008-04-14 09:42:10 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllc.dat.vir
2008-04-14 09:42:10 . 2008-04-14 09:42:10 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\svch.dat.vir
2008-04-14 09:42:10 . 2008-04-14 09:42:10 507,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winl.dat.vir
2007-11-07 13:03:18 . 2007-11-07 13:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\install.exe.vir
2006-10-19 01:47:20 . 2006-10-19 01:47:20 99,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET5C.tmp.vir

oldman960
2012-05-01, 15:32
Hi mrclark,

We'll do this over 2 posts. In this one we'll move some files around. In the next one we'll put them where they belong.


Next, Double click on OTL.exe
Under the Custom Scans/Fixes box at the bottom, paste in the following
Do Not copy the word CODE
please note the fix starts with the :


:Services

:Files
ren "C:\WINDOWS\system32\dllcache\winlogon.exe" winlogon.xxe /c
copy "C:\Qoobox\Quarantine\C\winlogon.exe.vir" "C:\WINDOWS\system32\dllcache\winlogon.exe" /c
copy "C:\Qoobox\Quarantine\C\svchost.exe.vir" "C:\WINDOWS\system32\dllcache\svchost.exe" /c



Then click the Run Fix button at the top
Let the program run unhindered
Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.

mrclark
2012-05-01, 19:23
The file seems a little short, is this it?

========== SERVICES/DRIVERS ==========
========== FILES ==========
< ren "C:\WINDOWS\system32\dllcache\winlogon.exe" winlogon.xxe /c >
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\winlogon.exe.vir" "C:\WINDOWS\system32\dllcache\winlogon.exe" /c >
1 file(s) copied.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\svchost.exe.vir" "C:\WINDOWS\system32\dllcache\svchost.exe" /c >
1 file(s) copied.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.40.0 log created on 05012012_122058

oldman960
2012-05-02, 19:35
Hi mrclark,

Yes that was all that should have been in the OTL log

Read through these instructions so you are familiar with what you will be doing. You may want to print them out. If you are unsure of anything please ask.

Next, create this batch file.

Open a new Notepad session (type notepad into task manager)
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad.
Do Not copy the word CODE


ren explorer.exe explorer.xxe
copy C:\WINDOWS\dllcache\explorer.exe
cd system32
ren winlogon.exe winlogon.xxe
ren svchost.exe svchost.xxe
copy C:\WINDOWS\system32\dllcache\winlogon.exe
copy C:\WINDOWS\system32\dllcache\svchost.exe
copy C:\WINDOWS\dllcache\explorer.exe C:\WINDOWS\system32\dllcache\explorer.exe
exit

In the notepad
Click File, Save as..., and set the Save in to C:\
In the filename box, type (including quotation marks) as the filename: "fix.bat"
Click save


Restart your computer. You should be presented with a screen asking you which operating system you wish to start. Use the arrow keys to select Microsoft Windows Recovery Console

1. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
2. You should now see a list of installations and the prompt "Which Windows Installation would you like to log on to?"
3. Select the appropriate number for the Windows installation that you want to repair. If you only have one, press 1.
4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

You should now have a C:\windows> prompt

type the following line and hit enter

batch C:\fix.bat

Note there is a space after batch. It needs to be there.

When the prompt reappears type exit and hit enter. Your computer should boot to windows.

After the computer has restarted:

Please open OTL.


When the window appears, click the None button near the top (it may look greyed out)

In the window under Custom Scans/Fixes copy and paste the following



/md5start
svchost.exe
explorer.exe
winlogon.exe
/md5stop



Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

mrclark
2012-05-04, 02:39
Hi, unfortunately it gets to the Windows XP screen with the animated progress bar underneath and crashes. It just keeps cycling and restarts, going through the process over and over again.

oldman960
2012-05-04, 17:21
Hi mrclark,

We can undo the changes we made. You will need to do a bit of typing though.

Boot to the recovery console as you did before. From the C:\windows> prompt type the following and hit enter after each line.

ren explorer.exe explorer.old
ren explorer.xxe explorer.exe
cd system32
ren winlogon.exe winlogon.old
ren winlogon.xxe winlogon.exe
ren svchost.exe svchost.old
ren svchost.xxe svchost.exe
exit

Note in the 1st,4th & 6th lines there is a space after ren and .exe

In the 2nd, 5th & 7th line there is a space after ren and .xxe

In the 3rd line there is a space after cd

Let me know if you can boot to Windows now. Let me know if you receive any error messages.

mrclark
2012-05-06, 05:24
Sorry for the late reply I'll give it a shot

mrclark
2012-05-08, 02:20
Hi, no difference, it still will not boot up even when I go to "start at the last known good configuration" or whatever.

oldman960
2012-05-08, 11:12
Hi mrclark,

Ok we'll need to build a disk.


Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a working computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
Double-Click on the PE Builder that you just downloaded to your desktop.
Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
Double-Click on PE Builder.exe located on your desktop.
Click NO to Search for Windows Installation Files
Make the following selections from the Main Screen that pops up:
Builder
Source:(path to Windows installation files)
Enter the path to the drive where your XP CD is located.
You can click on the "..." button on the right to navigate to the path as well.

Custom: (include files and folders from this directory)
No information is necessary, leave blank.

Output:
Keep the default



Media output
Choose Create ISO image

Do not choose Burn to CD/DVD
Download the RunScanner plugin and save it to your desktop

http://www.paraglidernc.com/Files/RunScanner10025.cab

Please note: You will be prompted for the folder it shall be saved to. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!


Press the Plugin button on the PE Builder interface
Press the Add button and navigate to the location of the RunScanner plugin to install
Please note: If you are using a Windows XP disc with SP2 then highlight RpcSS needs to launch DComLaunch and then press Enable

When you're done press Close and the PE Builder interface will re-appear

3. Click on the "Build" button
You will see the Windows EULA message. Click on I Agree
You will now see the Build Screen. Let it run its course
When the Build is finished you can click close, then exit
4. Burn your ISO file to CD
Please see http://www.petri.co.il/how_to_write_iso_files_to_cd.htm on how to burn an ISO to CD.


==========

Next........

On your working computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
Insert the CD in to one of your CD/DVD drives.
Restart your computer.
The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.

Once the desktop appears, you will receive a message asking: Do you want to start Network support?
Click on No

After it loads press the Go button in the lower left and do this....
Go
System
Display
Screen Resolution
1024x768
Next choose....
Go
Programs
A43 File Management Utility


==========

In A43 File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.

When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
OTLPE should now start



Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!

Copy and Paste the following code from your flash drive into the Custom Scans/Fixes textbox. Do not include the word "Code"



/md5start
winlogon.*
svchost.*
explorer.*
/md5stop

Push the Run Scan button
A report will open named "OTL.txt". Save it to your flash drive. Copy and Paste it in your next reply.

=========

With your next post please provide:

* OTLPE.txt

oldman960
2012-05-23, 04:56
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.