Malware Problems


zigackly

Thread Starter
Joined
Apr 6, 2010
Messages
34
Hi. I seem to have been infected with some malware and have been trying, unsuccessfully, to remove it with commercial software.

There may be more than one problem. I have seen pop-up ads, anti-virus software and Windows Defender being attacked, browser redirection when searching for malware help, and a number of crashes or slowdowns. I'm not sure how this got on here; I suspect through exploiting browser security, because I don't think I have installed anything recently.

My operating system is Windows Vista. I include a HijackThis log below. Any help much appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:37, on 06/04/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\BR040286.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Users\dj\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Apoint2K\Apoint.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\STOPzilla!\SZOptions.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BisonInst0402] C:\Windows\BR040286.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\dj\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'Default user')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://ukgateway.logica.com/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9716 bytes
 

zigackly
Update: decided to try Malwarebytes Anti-Malware after reading some threads on here, and it found the following. Not sure if the problem has been completely fixed so I will wait to see if I get more symptoms and update here shortly.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3958
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904
06/04/2010 17:40:03
mbam-log-2010-04-06 (17-40-03).txt
Scan type: Full scan (C:\|)
Objects scanned: 229264
Time elapsed: 1 hour(s), 44 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\dj\downloads\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
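The two O4 entries in the HijackThis log above that point at C:\Windows\TEMP\fbpt.tmp\svchost.exe, and the explorer.exe that Malwarebytes just quarantined in the Downloads folder, are the same pattern: a file named after a core Windows binary that does not live where that binary belongs. The Python script below is an added example written for this page, not code from the thread, from HijackThis or from Malwarebytes. It parses O4 lines copied verbatim from the log above and flags the ones that trip two heuristics (core-binary name outside its expected directory, or a launch path under a Temp directory). The expected-directory table, the temp-path rule and the assumption of a default C: system drive are the editor's own, not anything HijackThis does.

```python
"""Triage HijackThis O4 (autorun) entries for binaries that masquerade as
core Windows executables or that start from temporary directories.

Added example for this page; not code from the thread, HijackThis or
Malwarebytes. The heuristics and the expected-directory table are the
editor's own and assume a default C:\\Windows installation.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "O4 - <hive>\..\<Run key>: [<name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First executable-looking token of the command line, quoted or not.
EXE_RE = re.compile(
    r'^"?(?P<path>.*?\.(?:exe|dll|com|bat|scr|pif))"?(?=\s|$)', re.IGNORECASE
)
USER_RE = re.compile(r"\(User '(?P<user>[^']*)'\)\s*$")

# Core Windows binaries and the only directory each should start from
# (lower-case). Assumption: the system drive is C:.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BisonInst0402] C:\Windows\BR040286.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\dj\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'Default user')
"""


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    path: str
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)


def reasons_for_path(path: str) -> List[str]:
    """Return the reasons a launch path looks suspicious (empty if none)."""
    lowered = path.lower()
    directory, _, basename = lowered.rpartition("\\")
    reasons = []
    expected = EXPECTED_DIR.get(basename)
    # Bare names (no directory) are not judged here: they resolve via the search path.
    if expected and directory and directory != expected:
        reasons.append(f"{basename} launched from {directory}, expected {expected}")
    if any(marker in lowered for marker in TEMP_MARKERS):
        reasons.append("launched from a temporary directory")
    return reasons


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one 'O4 - ...' line into an Autorun record, or None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    exe = EXE_RE.match(cmd)
    path = exe.group("path") if exe else cmd
    user = USER_RE.search(cmd)
    entry = Autorun(m.group("hive"), m.group("key"), m.group("name"), path,
                    user.group("user") if user else None)
    entry.reasons = reasons_for_path(entry.path)
    return entry


def triage(log_text: str) -> List[Autorun]:
    """Return only the autorun entries that tripped at least one heuristic."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in entries if e and e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.name}] {e.path}" + (f" (user {e.user})" if e.user else ""))
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the sample, only the two cbssreg entries are reported, each for both reasons; C:\Users\dj\downloads\explorer.exe passed to reasons_for_path is flagged for the directory mismatch alone. Bare names such as RtHDVCpl.exe carry no directory and are deliberately left alone; on a live machine they would have to be resolved against the search path first and then checked the same way.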
 

zigackly
Still getting the odd popup but the browser hijacking appears to be better.
 
Joined
Sep 29, 2008
Messages
513
Hello and welcome to TSG Forums

My handle is shinybeast and I will be assisting you in the removal of malware your computer may have.


Please follow these guidelines as we work to clean your computer.

  • Read through the instructions before you perform them and if you have questions please ask before you perform them. Please do not guess. I will be happy to clarify or explain.
  • Perform all instructions in the order given.
  • Stick with the process until I give you an "all clean." If the symptoms are gone, it does not necessarily mean your computer is safe and secure.
  • Do not run any other tools to remove malware while we are working.
  • If your security software throws up warnings about some of these tools, please allow these tools to run.
  • Any instructions given are for your computer only and should NOT be used on any other computer.


Be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before we start.


Scan with OTL

Click here to download OTL by OldTimer and save it to your Desktop

  • Close all other open windows, then double-click OTL to start the tool.
  • Under Output, ensure that Minimal Output is selected
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes box (under the cyan line at the bottom of the window)
    Code:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT
  • Click Run Scan in upper left of window.
  • When the scan is finished, two logs will open:
    OTL.Txt <-- Will be opened
    Extras.Txt <-- Will be minimized
  • Please post the contents of the two logs in your next reply.
 

zigackly
Hi shinybeast, thanks for the help.

My PC won't allow me to post when I paste the two files you requested into the message box!

I am going to try attaching them to this post.
 


shinybeast
Hello zigackly,


P2P Warning


I notice you have been using Peer to Peer (P2P) software. Most malware is distributed by P2P and the "gains" are not worth the risk. Scanning files before using them is no guarantee of avoiding infection.

P2P file sharing is dangerous, no matter how it is done. I strongly suggest that you not use P2P file sharing.

Here is a good summation of the risks: http://www.us-cert.gov/cas/tips/ST05-007.html


Uninstall Programs

Please uninstall STOPzilla. It is not a recommended program and may interfere with the tools we use. You may re-install it after we are finished, but I recommend you do not.

Click Start button
Type appwiz.cpl and press Enter to open Programs and Features
For each of the programs listed below, right-click them in the list and click Uninstall

STOPzilla

Once finished, close Programs and Features window


TFC (Temp File Cleaner)


  • Click here to download TFC by OldTimer and save it to your desktop.
    NOTE: Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC to run the program.
  • Click Start to clean out temp files.
  • When prompted, click Yes to reboot.



Defogger

The virtual CD drivers you have installed will interfere with some of the tools we use.
Disable them by doing the following:

Click Here to download Defogger by jpshortstuff and save it to your desktop.

  • Right-click Defogger.exe and click Run as Administrator in the context menu.
  • In the window that opens click Disable
  • Read the warning and click Yes
  • When the Finished! message appears, click OK.
  • If Defogger asks to reboot the machine, click OK to allow it.


IMPORTANT! If you receive an error message while running DeFogger, please post the contents of defogger_disable.log which will appear on your desktop.

Do NOT re-enable these drivers until otherwise instructed.


Scan with GMER

Click here to download GMER Rootkit Scanner and save it to your desktop.


  • Disconnect your computer from the internet and disable all security software before starting the scan.
    NOTE: To disable McAfee SecurityCenter
    • Locate the McAfee icon in the system tray and double-click it to open McAfee SecurityCenter
    • Click Advanced Menu or Basic Menu in the lower left of the window.
    • Click Computer & Files, then click the button in the right pane.
    • Under Virus Protection is enabled, select (tick) Off
    • In the popup window, select Never in the drop-down menu, then click OK
    • Select (tick) Off for all other modules installed (Spyware, SystemGuard, etc.)
    • Click Advanced Menu or Basic Menu in the lower left of the window.
    • Click Internet & Network, then click the button in the right pane.
    • Under Firewall Protection is enabled, select (tick) Off
    • In the popup window, select Never in the drop-down menu, then click OK
    • Close McAfee SecurityCenter
  • Double click the randomly named GMER file. If asked to allow gmer to run, please allow it.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following boxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All
  • Then click the Scan button and wait for it to finish
  • Once done click on the Save.. button at lower right, and in the File name area, type in "ark.txt" (include the quotes or it will save as a .log file)
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.


IMPORTANT: After tools have run and any necessary reboots have occurred, open McAfee SecurityCenter and click the button in the upper right of the window to enable protection.


Please reply with the GMER log.
 

zigackly
I am experiencing insurmountable problems bringing you the output from GMER.

The scan runs to completion, but the following actions all result in a blue screen of death:
1. Using the "save" button as you describe.
2. Copying the output into notepad and clicking "save".
3. Attempting to reconnect the internet to paste the output here.
4. Repeating (1) in safe mode.
5. Repeating (2) in safe mode.

I can copy and paste other text, save text files and connect to the internet without having run the scan with no difficulties.

It's only after running the scan that I am having problems.

I've run the scan about ten times now and experience these problems consistently. Is there anything else you can suggest?
 
shinybeast
Hi zigackly,

RE: the screenshots. One was for Stopzilla which McAfee does not like either. You uninstalled it, correct?
The other was something that was in your initial HijackThis log but not in subsequent OTL log, so it appears McAfee took care of it.

RE: GMER. It is not too uncommon to run into difficulties with GMER. However, the difficulty you described is new to me and is suspicious.

Let's try a different rootkit scan.


Download and Run RootRepeal

Please download RootRepeal.zip from one of the following links and save it to your desktop.
Link 1 | Link 2 | Link 3

  • Extract RootRepeal.zip to your desktop
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, firewall and any anti-malware real-time protection before performing the scan.
  • NOTE: To disable McAfee SecurityCenter

  • Locate the McAfee icon in the system tray and double-click it to open McAfee SecurityCenter
  • Click Advanced Menu or Basic Menu in the lower left of the window.
  • Click Computer & Files, then click the button in the right pane.
  • Under Virus Protection is enabled, select (tick) Off
  • In the popup window, select Never in the drop-down menu, then click OK
  • Select (tick) Off for all other modules installed (Spyware, SystemGuard, etc.)
  • Click Advanced Menu or Basic Menu in the lower left of the window.
  • Click Internet & Network, then click the button in the right pane.
  • Under Firewall Protection is enabled, select (tick) Off
  • In the popup window, select Never in the drop-down menu, then click OK
  • Close McAfee SecurityCenter
  • Double-click on RootRepeal.exe to launch RootRepeal
  • After the program opens, click the Report tab at the bottom of the window, then click the Scan button.
  • A dialog box will open and ask "What do you want to include in the scan?"
  • Check all of the boxes, then click OK
  • Another dialog box will open and read "Please select drives to scan:"
  • Place a check next to the main system drive (usually C: ), then click OK
  • The scan will start. Please be patient as it may take quite a while if you have a lot of data on your drive.
  • Do not run any other programs while Rootrepeal is running


Once it is finished a log will open. Please copy and paste the contents of that log in your next reply.
NOTE: The log can also be found at the root of the system drive (usually C: ) and named "RootRepeal report date (time).txt"


IMPORTANT: After tools have run and any necessary reboots have occurred, open McAfee SecurityCenter and click the button in the upper right of the window to enable protection.

Also, please update me on the behavior of the computer. What symptoms are you still experiencing?
 

zigackly
The "New Malware.j" message started occurring frequently within the last hour, but I had not seen it before. I just got another one whilst typing this.

Yes, I have uninstalled StopZilla.

Trying your new instructions now :)
 

zigackly
I've twice tried RootRepeal now with the same result. I've attached a jpg of the error message, which consists of a frame with a transparent background, and also the crash log generated at the time. I'm going to try it in safe mode shortly.
 


shinybeast
OK, something appears to be bringing the bad svchost file back. And so far no rootkit scans have worked. This makes me think something is going on under the surface.

Let's try one more scan and give me a new OTL log.


Scan with SysProt

Download SysProt AntiRootkit by swatkat from one of the links below and save SysProt.zip to your desktop.
Link 1 | Link 2 | Link 3

  • Disconnect from the internet and disable all of your security software to avoid conflicts. Click here for instructions.
  • Extract SysProt.zip to desktop
  • Locate and double-click SysProt.exe to start the tool
    NOTE: Vista users must right-click Sysprot.exe and click Run as administrator.
  • In the SysProt window, click the Log tab
  • In Write to log box, check all items.
  • Check Hidden objects only at the bottom of the window
  • Click Create Log button near bottom right of window and wait for initial scan
  • A new window will open; select (tick) Scan root drive only then click Start
  • When the scan is completed, a window will pop up saying ...\SysProtLog.txt - created successfully; click OK and close SysProt.
  • Locate SysProtLog.txt in same folder where SysProt.exe resides.
  • Copy and paste the contents of the log in your next reply.



Scan with OTL


  • Close all other open windows, then double-click OTL to start the tool.
  • Under Output, ensure that Minimal Output is selected
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes box (under the cyan line at the bottom of the window)
    Code:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Click Run Scan in upper left of window.
  • When the scan is finished, a log will open.
  • Please post the contents of the log (OTL.txt) in your next reply.
 

zigackly
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 8D80B000
Module End: 8D8D2000
Hidden: Yes
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateUserProcess
At Address: 81FFBDD5
Jump To: 90E23766
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwYieldExecution
At Address: 81E5A1C0
Jump To: 90E237CC
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwUnmapViewOfSection
At Address: 82057DA5
Jump To: 90E237F6
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwTerminateProcess
At Address: 82015F8A
Jump To: 90E2380F
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwSetInformationProcess
At Address: 82067674
Jump To: 90E2377A
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwSetContextThread
At Address: 820C7CB7
Jump To: 90E2378E
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwRestoreKey
At Address: 82088452
Jump To: 90E23837
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwReplaceKey
At Address: 8208949E
Jump To: 90E2384B
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwProtectVirtualMemory
At Address: 820698CE
Jump To: 90E237B6
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenThread
At Address: 820351D8
Jump To: 90E23728
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenProcess
At Address: 82044B14
Jump To: 90E23714
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwNotifyChangeKey
At Address: 81FF417C
Jump To: 90E23823
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwMapViewOfSection
At Address: 8205774E
Jump To: 90E237E0
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateProcessEx
At Address: 820C71FA
Jump To: 90E23750
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateProcess
At Address: 820C71AF
Jump To: 90E2373C
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateFile
At Address: 82059FB6
Jump To: 90E237A2
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: PsSetContextThread
At Address: 820C7CB7
Jump To: 90E2378E
Module Name: C:\Windows\system32\drivers\mfehidk.sys
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: DJ-COMP:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING
Local Address: DJ-COMP:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING
Local Address: DJ-COMP:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: DJ-COMP:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: DJ-COMP:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING
Local Address: DJ-COMP:6646
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: LISTENING
Local Address: DJ-COMP:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: DJ-COMP:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: DJ-COMP:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: 192.168.0.101:6646
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: NA
Local Address: DJ-COMP:58546
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: DJ-COMP:53338
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: DJ-COMP:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: DJ-COMP:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: DJ-COMP:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: DJ-COMP:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\75594753a69894797e5d18edc4852cdb.szcpf
Status: Access denied
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\SPP
Status: Access denied
Object: C:\System Volume Information\SystemRestore
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
Object: C:\System Volume Information\{d112f07f-3ec3-11df-b7c2-001b38df8b9c}{3808876b-c176-4e48-b7ae-04046e6cc752}.szfi
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\09a574aad6e10a7c9dd6b254a42a0001.szcpf
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\28cd7ebdbacb140d505d175588a2ded6.szcpf
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\3bd839637859086e89b4e7e6d3349762.szcpf
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\723a12f59f2a886ebd5ca000601d4f84.szcpf
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTumstartup.etl
Status: Access denied
 

zigackly

Thread Starter
OTL logfile created on: 08/04/2010 00:17:11 - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\dj\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 58.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.72 Gb Total Space | 54.56 Gb Free Space | 49.28% Space Free | Partition Type: NTFS
Drive D: | 110.46 Gb Total Space | 13.58 Gb Free Space | 12.30% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 7.64 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DJ-COMP
Current User Name: dj
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\dj\AppData\Local\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
PRC - C:\Users\dj\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSK\msksrver.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
PRC - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
PRC - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
PRC - C:\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
PRC - C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe (CyberLink Corp.)
PRC - C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
PRC - C:\Acer\Empowering Technology\eNet\eNet Service.exe (Acer Inc.)
PRC - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
PRC - C:\Acer\Mobility Center\MobilityService.exe ()
PRC - C:\Acer\Empowering Technology\eAudio\eAudio.exe (CyberLink)
PRC - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (Acer Inc.)
PRC - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (acer)
PRC - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
PRC - C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Windows\BR040286.exe (Bison Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\dj\Desktop\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (MSK80Service) -- C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
SRV - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
SRV - (eDataSecurity Service) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (eNet Service) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe (Acer Inc.)
SRV - (eSettingsService) -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
SRV - (MobilityService) -- C:\Acer\Mobility Center\MobilityService.exe ()
SRV - (eLockService) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (Acer Inc.)
SRV - (WMIService) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (acer)
SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\Windows\System32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\Windows\System32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\Windows\System32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (NETw5v32) Intel(R) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (NTIDrvr) -- C:\Windows\System32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (HSFHWAZL) -- C:\Windows\System32\drivers\VSTAZL3.SYS (Conexant Systems, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796}) -- C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl (Cyberlink Corp.)
DRV - (psdvdisk) -- C:\Windows\System32\drivers\PSDVdisk.sys (Egis Incorporated)
DRV - (PSDFilter) -- C:\Windows\system32\DRIVERS\psdfilter.sys (Egis Incorporated)
DRV - (PSDNServ) -- C:\Windows\System32\drivers\PSDNServ.sys (Egis Incorporated)
DRV - (NETw4x32) Intel(R) -- C:\Windows\System32\drivers\NETw4x32.sys (Intel Corporation)
DRV - (NETw4v32) Intel(R) -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (Cam5607) -- C:\Windows\System32\drivers\BisonC07.sys (Bison Electronics. Inc. )
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys (Acer, Inc.)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (enecir) -- C:\Windows\System32\drivers\enecir.sys (ENE TECHNOLOGY INC.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (DKbFltr) -- C:\Windows\System32\drivers\DKbFltr.sys (Dritek System Inc.)
DRV - (DritekPortIO) -- C:\Program Files\Launch Manager\DPortIO.sys (Dritek System Inc.)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/22 23:34:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 12:34:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 12:34:10 | 000,000,000 | ---D | M]

[2009/05/02 09:12:14 | 000,000,000 | ---D | M] -- C:\Users\dj\AppData\Roaming\Mozilla\Extensions
[2010/04/07 14:13:11 | 000,000,000 | ---D | M] -- C:\Users\dj\AppData\Roaming\Mozilla\Firefox\Profiles\umz0wdot.default\extensions
[2009/06/24 18:53:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\dj\AppData\Roaming\Mozilla\Firefox\Profiles\umz0wdot.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/03 20:00:11 | 000,000,000 | ---D | M] -- C:\Users\dj\AppData\Roaming\Mozilla\Firefox\Profiles\umz0wdot.default\extensions\[email protected]
[2010/04/03 20:00:12 | 000,000,000 | ---D | M] -- C:\Users\dj\AppData\Roaming\Mozilla\Firefox\Profiles\umz0wdot.default\extensions\[email protected]
[2009/07/28 19:14:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/16 19:27:25 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/03/16 19:27:25 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/03/16 19:27:25 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/03/16 19:27:25 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BisonInst0402] C:\Windows\BR040286.exe (Bison Inc.)
O4 - HKLM..\Run: [eAudio] C:\Acer\Empowering Technology\eAudio\eAudio.exe (CyberLink)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [PlayMovie] C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe (Acer Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} http://driveragent.com/files/driveragent.cab (Driver Agent ActiveX Control)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ukgateway.logica.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\dj\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\dj\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2004/03/12 21:29:51 | 000,000,031 | R--- | M] () - F:\AUTORUN.INF -- [ UDF ]
O33 - MountPoints2\{1cb068f1-36ab-11de-bddd-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{1cb068f1-36ab-11de-bddd-806e6f6e6963}\Shell\AutoRun\command - "" = F:\dvd-rom.exe -- [2004/03/12 21:29:51 | 000,738,930 | R--- | M] (Macromedia, Inc.)
O33 - MountPoints2\{31856c6a-f6e0-11de-8fbc-88f82a0eb375}\Shell - "" = AutoRun
O33 - MountPoints2\{31856c6a-f6e0-11de-8fbc-88f82a0eb375}\Shell\AutoRun\command - "" = E:\autorun.exe -- File not found
O33 - MountPoints2\{7d674829-a457-11de-a9f6-99b3b243a049}\Shell - "" = Autorun
O33 - MountPoints2\{7d674829-a457-11de-a9f6-99b3b243a049}\Shell\open\command - "" = F:\unlock.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\dvd-rom.exe -- [2004/03/12 21:29:51 | 000,738,930 | R--- | M] (Macromedia, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/21 03:34:27 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/08 00:05:28 | 000,000,000 | ---D | C] -- C:\Users\dj\Desktop\SysProt
[2010/04/07 16:40:54 | 000,472,064 | ---- | C] ( ) -- C:\Users\dj\Desktop\RootRepeal.exe
[2010/04/07 08:20:11 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\dj\Desktop\TFC.exe
[2010/04/06 22:50:29 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\dj\Desktop\OTL.exe
[2010/04/06 22:46:25 | 000,000,000 | -H-D | C] -- C:\Users\dj\AppData\Local\acer eNM
[2010/04/06 22:34:54 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/04/06 12:14:52 | 365,230,920 | ---- | C] (Microsoft Corporation) -- C:\Users\dj\Desktop\Windows6.0-KB948465-X86.exe
[2010/04/06 11:27:14 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/06 10:14:55 | 000,000,000 | ---D | C] -- C:\Users\dj\AppData\Roaming\Malwarebytes
[2010/04/06 10:14:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/06 10:14:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/06 10:14:31 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/06 10:14:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/06 10:04:07 | 000,000,000 | ---D | C] -- C:\Users\dj\Documents\Downloads
[2010/04/06 09:59:57 | 000,000,000 | ---D | C] -- C:\Users\dj\AppData\Local\Google
[2010/04/06 09:28:03 | 000,000,000 | ---D | C] -- C:\ProgramData\SITEguard
[2010/04/06 09:27:14 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
[2010/04/06 09:27:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/04/06 09:15:36 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/04/04 14:29:19 | 000,000,000 | ---D | C] -- C:\Users\dj\AppData\Roaming\TVU Networks
[2010/04/04 02:24:18 | 000,000,000 | ---D | C] -- C:\Users\dj\AppData\Roaming\dvdcss
[2010/04/02 12:20:46 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
[2010/03/31 07:40:23 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/03/31 07:40:23 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/03/31 07:40:23 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/03/31 07:40:22 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/03/31 07:40:22 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/03/31 07:40:22 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/03/31 07:40:22 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/03/31 07:40:22 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/03/31 07:40:22 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/03/31 07:40:22 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/03/31 07:40:22 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/03/31 07:40:22 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/03/31 07:40:22 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/03/31 07:40:22 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/03/31 07:40:22 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/03/12 23:41:02 | 000,000,000 | ---D | C] -- C:\Program Files\Firaxis Games
[2010/03/10 12:21:13 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/03/10 12:21:11 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll

========== Files - Modified Within 30 Days ==========

[2010/04/08 00:17:25 | 001,572,864 | -HS- | M] () -- C:\Users\dj\NTUSER.DAT
[2010/04/08 00:16:03 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/08 00:16:03 | 000,600,378 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/08 00:16:03 | 000,105,852 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/08 00:14:42 | 000,010,101 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/04/08 00:05:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2530070054-2038504099-4068766465-1000UA.job
[2010/04/08 00:04:03 | 000,354,396 | ---- | M] () -- C:\Users\dj\Desktop\SysProt.zip
[2010/04/07 23:09:06 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 23:09:06 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 22:29:39 | 000,090,066 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/07 22:29:39 | 000,090,066 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/07 22:29:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/07 21:09:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/07 21:08:54 | 3219,111,936 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/07 21:04:12 | 000,524,288 | -HS- | M] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2010/04/07 21:04:12 | 000,065,536 | -HS- | M] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TM.blf
[2010/04/07 21:03:19 | 000,069,622 | ---- | M] () -- C:\Users\dj\Desktop\rootrepealerrorsafemode.jpg
[2010/04/07 19:36:07 | 000,464,595 | ---- | M] () -- C:\Users\dj\Desktop\RootRepeal.zip
[2010/04/07 19:29:27 | 000,114,961 | ---- | M] () -- C:\Users\dj\Desktop\rootrepealerror.jpg
[2010/04/07 19:26:01 | 000,000,000 | ---- | M] () -- C:\Users\dj\Desktop\RootRepeal.dmp
[2010/04/07 16:43:11 | 000,000,000 | ---- | M] () -- C:\Users\dj\Desktop\settings.dat
[2010/04/07 16:24:28 | 000,066,464 | ---- | M] () -- C:\Users\dj\Desktop\artemis.jpg
[2010/04/07 16:22:53 | 000,069,320 | ---- | M] () -- C:\Users\dj\Desktop\newmalwarej.jpg
[2010/04/07 13:55:02 | 402,664,288 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/04/07 10:16:31 | 000,420,338 | ---- | M] () -- C:\Users\dj\Desktop\Malware Problems - Tech Support Guy Forums.mht
[2010/04/07 10:05:00 | 000,000,842 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2530070054-2038504099-4068766465-1000Core.job
[2010/04/07 08:29:59 | 000,293,376 | ---- | M] () -- C:\Users\dj\Desktop\zpunlmnd.exe
[2010/04/07 08:26:14 | 000,000,020 | ---- | M] () -- C:\Users\dj\defogger_reenable
[2010/04/07 08:25:22 | 000,050,477 | ---- | M] () -- C:\Users\dj\Desktop\Defogger.exe
[2010/04/07 08:20:31 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\dj\Desktop\TFC.exe
[2010/04/07 08:14:21 | 000,000,520 | ---- | M] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2010/04/06 22:50:49 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\dj\Desktop\OTL.exe
[2010/04/06 22:45:42 | 000,000,953 | ---- | M] () -- C:\Users\dj\Desktop\Internet Explorer.lnk
[2010/04/06 22:35:28 | 000,001,356 | ---- | M] () -- C:\Users\dj\AppData\Local\d3d9caps.dat
[2010/04/06 12:16:47 | 365,230,920 | ---- | M] (Microsoft Corporation) -- C:\Users\dj\Desktop\Windows6.0-KB948465-X86.exe
[2010/04/06 11:27:14 | 000,001,878 | ---- | M] () -- C:\Users\dj\Desktop\HijackThis.lnk
[2010/04/05 09:28:58 | 000,073,216 | ---- | M] () -- C:\Users\dj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 19:01:22 | 000,001,290 | ---- | M] () -- C:\Users\dj\Desktop\CIV III.lnk
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/15 02:00:00 | 000,000,356 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2010/03/14 00:58:38 | 000,102,424 | ---- | M] () -- C:\Users\dj\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/13 18:56:12 | 000,379,896 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2010/04/08 00:04:01 | 000,354,396 | ---- | C] () -- C:\Users\dj\Desktop\SysProt.zip
[2010/04/07 21:08:54 | 3219,111,936 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/07 21:03:18 | 000,069,622 | ---- | C] () -- C:\Users\dj\Desktop\rootrepealerrorsafemode.jpg
[2010/04/07 19:29:27 | 000,114,961 | ---- | C] () -- C:\Users\dj\Desktop\rootrepealerror.jpg
[2010/04/07 19:26:01 | 000,000,000 | ---- | C] () -- C:\Users\dj\Desktop\RootRepeal.dmp
[2010/04/07 16:43:11 | 000,000,000 | ---- | C] () -- C:\Users\dj\Desktop\settings.dat
[2010/04/07 16:40:31 | 000,464,595 | ---- | C] () -- C:\Users\dj\Desktop\RootRepeal.zip
[2010/04/07 16:24:28 | 000,066,464 | ---- | C] () -- C:\Users\dj\Desktop\artemis.jpg
[2010/04/07 16:22:53 | 000,069,320 | ---- | C] () -- C:\Users\dj\Desktop\newmalwarej.jpg
[2010/04/07 10:16:27 | 000,420,338 | ---- | C] () -- C:\Users\dj\Desktop\Malware Problems - Tech Support Guy Forums.mht
[2010/04/07 09:30:37 | 402,664,288 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/04/07 08:29:53 | 000,293,376 | ---- | C] () -- C:\Users\dj\Desktop\zpunlmnd.exe
[2010/04/07 08:25:54 | 000,000,020 | ---- | C] () -- C:\Users\dj\defogger_reenable
[2010/04/07 08:25:22 | 000,050,477 | ---- | C] () -- C:\Users\dj\Desktop\Defogger.exe
[2010/04/07 08:13:21 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2010/04/06 22:45:42 | 000,000,953 | ---- | C] () -- C:\Users\dj\Desktop\Internet Explorer.lnk
[2010/04/06 11:27:14 | 000,001,878 | ---- | C] () -- C:\Users\dj\Desktop\HijackThis.lnk
[2010/04/06 10:00:20 | 000,000,894 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2530070054-2038504099-4068766465-1000UA.job
[2010/04/06 10:00:19 | 000,000,842 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2530070054-2038504099-4068766465-1000Core.job
[2010/04/02 19:01:22 | 000,001,290 | ---- | C] () -- C:\Users\dj\Desktop\CIV III.lnk
[2010/02/18 07:21:57 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
[2010/02/18 07:21:56 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2010/02/18 07:21:56 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TM.blf
[2009/12/08 22:04:16 | 000,001,473 | ---- | C] () -- C:\Users\dj\.recently-used.xbel
[2009/10/23 07:08:04 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4f1b205e-bf9a-11de-b53b-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
[2009/10/23 07:08:04 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4f1b205e-bf9a-11de-b53b-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2009/10/23 07:08:04 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4f1b205e-bf9a-11de-b53b-001f3c2ab3c7}.TM.blf
[2009/09/25 03:41:10 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{c26e49de-a97c-11de-8575-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
[2009/09/25 03:41:10 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{c26e49de-a97c-11de-8575-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2009/09/25 03:41:10 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{c26e49de-a97c-11de-8575-001f3c2ab3c7}.TM.blf
[2009/09/11 07:07:40 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4d3ae68b-9e99-11de-a700-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
[2009/09/11 07:07:40 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4d3ae68b-9e99-11de-a700-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2009/09/11 07:07:40 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4d3ae68b-9e99-11de-a700-001f3c2ab3c7}.TM.blf
[2009/06/24 18:51:39 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{90ced7ff-60e7-11de-a0e4-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
[2009/06/24 18:51:39 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{90ced7ff-60e7-11de-a0e4-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2009/06/24 18:51:39 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{90ced7ff-60e7-11de-a0e4-001f3c2ab3c7}.TM.blf
[2009/06/13 06:22:35 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{1261dd7d-57da-11de-8145-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
[2009/06/13 06:22:34 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{1261dd7d-57da-11de-8145-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2009/06/13 06:22:33 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{1261dd7d-57da-11de-8145-001f3c2ab3c7}.TM.blf
[2009/06/08 07:49:40 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{6f39b0dc-53f8-11de-b002-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
[2009/06/08 07:49:40 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{6f39b0dc-53f8-11de-b002-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2009/06/08 07:49:40 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{6f39b0dc-53f8-11de-b002-001f3c2ab3c7}.TM.blf
[2009/05/10 09:16:05 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{aef81204-3d3a-11de-8071-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
[2009/05/10 09:16:05 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{aef81204-3d3a-11de-8071-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
[2009/05/10 09:16:05 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{aef81204-3d3a-11de-8071-001f3c2ab3c7}.TM.blf
[2009/05/09 05:02:07 | 000,001,356 | ---- | C] () -- C:\Users\dj\AppData\Local\d3d9caps.dat
[2009/05/02 09:49:47 | 000,073,216 | ---- | C] () -- C:\Users\dj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/02 09:19:41 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/05/01 17:08:42 | 000,090,066 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/05/01 17:06:41 | 000,090,066 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/05/01 17:06:37 | 000,000,020 | -HS- | C] () -- C:\Users\dj\ntuser.ini
[2009/05/01 17:06:36 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
[2009/05/01 17:06:36 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2009/05/01 17:06:35 | 001,572,864 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT
[2009/05/01 17:06:35 | 001,310,720 | -HS- | C] () -- C:\Users\dj\ntuser.dat_previous
[2009/05/01 17:06:35 | 000,262,144 | -H-- | C] () -- C:\Users\dj\ntuser.dat.LOG1
[2009/05/01 17:06:35 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/05/01 17:06:35 | 000,000,000 | -H-- | C] () -- C:\Users\dj\ntuser.dat.LOG2
[2009/02/09 19:03:12 | 000,000,030 | ---- | C] () -- C:\Windows\SETPANEL.INI
[2009/02/09 19:03:07 | 000,000,092 | ---- | C] () -- C:\Windows\CLEANUP.INI
[2008/03/18 15:50:41 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008/03/17 19:42:34 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2008/03/17 19:36:06 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2008/03/17 19:13:52 | 000,000,775 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2008/03/17 18:46:21 | 000,000,122 | ---- | C] () -- C:\Windows\Alaunch.ini
[2008/03/17 18:44:49 | 000,015,190 | ---- | C] () -- C:\Windows\M3000Twn.ini
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/12/27 00:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 07:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/31 00:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 06:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/08/16 08:49:12 | 000,040,960 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\junction.exe


< MD5 for: AGP440.SYS >
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 10:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 10:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTOR.SYS >
[2007/07/13 00:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/07/13 00:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\drivers\iaStor.sys
[2007/07/13 00:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_cfa1dde4\iaStor.sys
[2007/07/13 00:35:44 | 000,381,976 | ---- | M] (Intel Corporation) MD5=CEB53BB804B41C52AB0782505C8E2994 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 10:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 07:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/21 03:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/21 03:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 10:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/21 03:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/21 03:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 07:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/21 03:24:42 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/21 03:24:38 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/01/21 04:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/21 04:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/21 04:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV
< End of report >
 