
Malware Problems

Discussion in 'Virus & Other Malware Removal' started by zigackly, Apr 6, 2010.

Thread Status:
Not open for further replies.
  1. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    Hi. I seem to have been infected with some malware, trying unsuccessfully to remove it with commercial software but having no luck.

    There may be more than one problem. I have seen popup ads, anti-virus software and windows defender attacked, browser redirection when searching for malware help and a number of crashes or slowdowns. Not sure how this got on here, I suspect through exploiting browser security because I don't think I have installed anything recently.

    My operating system is Windows Vista. I include a HijackThis log below. Any help much appreciated!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:28:37, on 06/04/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Windows\BR040286.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Acer\Empowering Technology\eAudio\eAudio.exe
    C:\Users\dj\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
    C:\Program Files\Apoint2K\Apoint.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
    C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\Program Files\STOPzilla!\SZOptions.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\PROGRA~1\mcafee\msc\mcshell.exe
    C:\Windows\system32\taskeng.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [BisonInst0402] C:\Windows\BR040286.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [Google Update] "C:\Users\dj\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'Default user')
    O4 - Global Startup: Empowering Technology Launcher.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://ukgateway.logica.com/dana-cached/sc/JuniperSetupClient.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    --
    End of file - 9716 bytes
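The entries worth a second look in the log above are the two `cbssreg` autoruns (one in the SYSTEM hive, one in .DEFAULT) that launch a file called svchost.exe out of `C:\Windows\TEMP\fbpt.tmp\`. The script below is an added example, not part of this thread or of HijackThis itself: it parses O4 lines and flags exactly those two traits, a binary started from a temp directory and a binary that borrows a core Windows executable's name while living outside the Windows system directories. The sample log lines are constructed in the shape of the posted log, and the marker and name lists are the author's own assumptions, not a HijackThis rule set.

```python
"""Triage of HijackThis O4 (autorun) entries.

Flags an autorun whose binary lives in a temporary directory, and a binary
that uses the name of a core Windows executable (svchost.exe, lsass.exe, ...)
but is not located in the Windows system directories.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines in the shape of the posted log (three benign,
# the two 'cbssreg' entries copied from it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\dj\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'Default user')
"""

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Executable path: optional opening quote, then everything up to the first
# executable-looking extension (this also handles unquoted paths with spaces).
PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|cmd|bat))', re.IGNORECASE)

# Assumed heuristics (not HijackThis rules): where malware commonly hides, and
# which names are only legitimate inside the Windows directories.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "winlogon.exe", "wininit.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}


def parse_o4(line):
    """Return a dict with hive/key/name/cmd/path for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    p = PATH_RE.match(entry["cmd"])
    entry["path"] = p.group("path") if p else None
    return entry


def assess(entry):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    path = entry["path"]
    if not path:
        return reasons
    low = path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("executable launched from a temporary directory")
    win = PureWindowsPath(low)
    if win.name in SYSTEM_NAMES and str(win.parent) not in SYSTEM_DIRS:
        reasons.append(f"{win.name} outside the Windows system directories ({win.parent})")
    return reasons


def triage_log(text):
    """Scan a HijackThis log and return the flagged O4 entries with reasons."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append({"name": entry["name"], "hive": entry["hive"],
                             "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['hive']}] {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("    ", r)
```

On the posted log both `cbssreg` lines are flagged twice over, while the Office, Google and Realtek autoruns pass. The relative-path entries (`RtHDVCpl.exe` with no directory) are not resolved here; in a real triage they would be checked against the PATH of the launching account.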
     
  2. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    Update: decided to try Malwarebytes Anti-Malware after reading some threads on here, and it found the following. Not sure if the problem has been completely fixed so I will wait to see if I get more symptoms and update here shortly.

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org
    Database version: 3958
    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.18904
    06/04/2010 17:40:03
    mbam-log-2010-04-06 (17-40-03).txt
    Scan type: Full scan (C:\|)
    Objects scanned: 229264
    Time elapsed: 1 hour(s), 44 minute(s), 25 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Users\dj\downloads\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
     
  3. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    Still getting the odd popup but the browser hijacking appears to be better.
     
  4. shinybeast

    shinybeast

    Joined:
    Sep 29, 2008
    Messages:
    513
    Hello and welcome to TSG Forums

    My handle is shinybeast and I will be assisting you in the removal of malware your computer may have.


    Please follow these guidelines as we work to clean your computer.

    • Read through the instructions before you perform them and if you have questions please ask before you perform them. Please do not guess. I will be happy to clarify or explain.
    • Perform all instructions in the order given.
    • Stick with the process until I give you an "all clean." If the symptoms are gone, it does not necessarily mean your computer is safe and secure.
    • Do not run any other tools to remove malware while we are working.
    • If your security software throws up warnings about some of these tools, please allow these tools to run.
    • Any instructions given are for your computer only and should NOT be used on any other computer.


    Be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    Because of this, I advise you to backup any personal files and folders before we start.


    Scan with OTL

    Click here to download OTL by OldTimer and save it to your Desktop

    • Close all other open windows, then double-click OTL to start the tool.
    • Under Output, ensure that Minimal Output is selected
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes box (under the cyan line at the bottom of the window)
      Code:
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      CREATERESTOREPOINT
    • Click Run Scan in upper left of window.
    • When the scan is finished, two logs will open:
      OTL.Txt <-- Will be opened
      Extras.Txt <-- Will be minimized
    • Please post the contents of the two logs in your next reply.
     
  5. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    Hi shinybeast, thanks for the help.

    My PC won't allow me to post when I paste the two files you requested into the message box!

    I am going to try attaching them to this post.
     

    Attached Files:

  6. shinybeast

    shinybeast

    Joined:
    Sep 29, 2008
    Messages:
    513
    Hello zigackly,


    P2P Warning


    I notice you have been using Peer to Peer (P2P) software. Most malware is distributed by P2P and the "gains" are not worth the risk. Scanning files before using them is no guarantee of avoiding infection.

    P2P file sharing is dangerous, no matter how it is done. I strongly suggest that you not use P2P file sharing.

    Here is a good summation of the risks: http://www.us-cert.gov/cas/tips/ST05-007.html


    Uninstall Programs

    Please uninstall STOPZilla. It is not a recommended program and may interfere with the tools we use. You may re-install it after we are finished, but I recommend you do not.

    Click Start button
    Type appwiz.cpl and press Enter to open Programs and Features
    For each of the programs listed below, right-click them in the list and click Uninstall

    STOPzilla

    Once finished, close Programs and Features window


    TFC (Temp File Cleaner)


    • Click here to download TFC by OldTimer and save it to your desktop.
      NOTE: Save any unsaved work. TFC will close all open application windows.
    • Double-click TFC to run the program.
    • Click Start to clean out temp files.
    • When prompted, click Yes to reboot.



    Defogger

    The virtual cd drivers you have installed will interfere with some of the tools we use.
    Disable them by doing the following:

    Click Here to download Defogger by jpshortstuff and save it to your desktop.

    • Right-click Defogger.exe and click Run as Administrator in the context menu.
    • In the window that opens click Disable
    • Read the warning and click Yes
    • When the Finished! message appears, click OK.
    • If Defogger asks to reboot the machine, click OK to allow it.


    IMPORTANT! If you receive an error message while running DeFogger, please post the contents of defogger_disable.log which will appear on your desktop.

    Do NOT re-enable these drivers until otherwise instructed.


    Scan with GMER

    Click here to download GMER Rootkit Scanner and save it to your desktop.


    • Disconnect your computer from the internet and disable all security software before starting the scan.
      NOTE: To disable McAfee SecurityCenter
      • Locate the McAfee icon in the system tray and double-click it to open McAfee SecurityCenter
      • Click Advanced Menu or Basic Menu in the lower left of the window.
      • Click Computer & Files, then click the icon in the right pane.
      • Under Virus Protection is enabled, select (tick) Off
      • In the popup window, select Never in the drop-down menu, then click OK
      • Select (tick) Off for all other modules installed (Spyware, SystemGuard, etc.)
      • Click Advanced Menu or Basic Menu in the lower left of the window.
      • Click Internet & Network, then click the icon in the right pane.
      • Under Firewall Protection is enabled, select (tick) Off
      • In the popup window, select Never in the drop-down menu, then click OK
      • Close McAfee SecurityCenter
    • Double click the randomly named GMER file. If asked to allow gmer to run, please allow it.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    • In the right panel, you will see several boxes that have been checked. Uncheck the following boxes:
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All
    • Then click the Scan button and wait for it to finish
    • Once done click on the Save.. button at lower right, and in the File name area, type in "ark.txt" (include the quotes or it will save as a .log file)
    • Save it where you can easily find it, such as your desktop, and post it in reply
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Note: Do not run any programs while Gmer is running.


    IMPORTANT: After tools have run and any necessary reboots have occurred, open McAfee SecurityCenter and click the button in the upper right of the window to enable protection.


    Please reply with the GMER log.
     
  7. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    I am experiencing insurmountable problems bringing you the output from GMER.

    The scan runs to completion, but the following actions all result in a blue screen of death:
    1. Using the "save" button as you describe.
    2. Copying the output into notepad and clicking "save".
    3. Attempting to reconnect the internet to paste the output here.
    4. Repeating (1) in safe mode.
    5. Repeating (2) in safe mode.

    I can copy and paste other text, save text files and connect to the internet without having run the scan with no difficulties.

    It's only after running the scan that I am having problems.

    I've run the scan about ten times now and experience these problems consistently. Is there anything else you can suggest?
     
  8. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    The attached McAfee messages may also prove relevant.
     

    Attached Files:

  9. shinybeast

    shinybeast

    Joined:
    Sep 29, 2008
    Messages:
    513
    Hi zigackly,

    RE: the screenshots. One was for Stopzilla which McAfee does not like either. You uninstalled it, correct?
    The other was something that was in your initial HijackThis log but not in subsequent OTL log, so it appears McAfee took care of it.

    RE: GMER. It is not too uncommon to run into difficulties with GMER. However, the difficulty you described is new to me and is suspicious.

    Let's try a different rootkit scan.


    Download and Run RootRepeal

    Please download RootRepeal.zip from one of the following links and save it to your desktop.
    Link 1 | Link 2 | Link 3

    • Extract RootRepeal.zip to your desktop
    • Disconnect from the Internet as your system will be unprotected while using this tool.
    • Close all programs and temporarily disable your anti-virus, firewall and any anti-malware real-time protection before performing the scan.
    • NOTE: To disable McAfee SecurityCenter

    • Locate the McAfee icon in the system tray and double-click it to open McAfee SecurityCenter
    • Click Advanced Menu or Basic Menu in the lower left of the window.
    • Click Computer & Files, then click the icon in the right pane.
    • Under Virus Protection is enabled, select (tick) Off
    • In the popup window, select Never in the drop-down menu, then click OK
    • Select (tick) Off for all other modules installed (Spyware, SystemGuard, etc.)
    • Click Advanced Menu or Basic Menu in the lower left of the window.
    • Click Internet & Network, then click the icon in the right pane.
    • Under Firewall Protection is enabled, select (tick) Off
    • In the popup window, select Never in the drop-down menu, then click OK
    • Close McAfee SecurityCenter
    • Double-click on RootRepeal.exe to launch RootRepeal
    • After the program opens, click the Report tab at the bottom of the window, then click the Scan button.
    • A dialog box will open and ask "What do you want to include in the scan?"
    • Check all of the boxes, then click OK
    • Another dialog box will open and read "Please select drives to scan:"
    • Place a check next to the main system drive (usually C: ), then click OK
    • The scan will start. Please be patient as it may take quite a while if you have a lot of data on your drive.
    • Do not run any other programs while Rootrepeal is running


    Once it is finished a log will open. Please copy and paste the contents of that log in your next reply.
    NOTE: The log can also be found at the root of the system drive (usually C: ) and named "RootRepeal report date (time).txt"


    IMPORTANT: After tools have run and any necessary reboots have occurred, open McAfee SecurityCenter and click the button in the upper right of the window to enable protection.

    Also, please update me on the behavior of the computer. What symptoms are you still experiencing?
     
  10. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    The "New Malware.j" message started occurring frequently within the last hour, but I had not seen it before. I just got another one whilst typing this.

    Yes, I have uninstalled StopZilla.

    Trying your new instructions now :)
     
  11. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    I've twice tried RootRepeal now with the same result. I've attached a jpg of the error message, which consists of a frame with a transparent background, and also the crash log generated at the time. I'm going to try it in safe mode shortly.
     

    Attached Files:

  12. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    Same error in safe mode, I'm afraid.
     
  13. shinybeast

    shinybeast

    Joined:
    Sep 29, 2008
    Messages:
    513
    OK, something appears to be bringing the bad svchost file back. And so far no rootkit scans have worked. This makes me think something is going on under the surface.

    Let's try one more scan and give me a new OTL log.


    Scan with SysProt

    Download SysProt AntiRootkit by swatkat from one of the links below and save SysProt.zip to your desktop.
    Link 1 | Link 2 | Link 3

    • Disconnect from the internet and disable all of your security software to avoid conflicts. Click here for instructions.
    • Extract SysProt.zip to desktop
    • Locate and double-click SysProt.exe to start the tool
      NOTE: Vista users must right-click Sysprot.exe and click Run as administrator.
    • In the SysProt window, click the Log tab
    • In Write to log box, check all items.
    • Check Hidden objects only at the bottom of the window
    • Click Create Log button near bottom right of window and wait for initial scan
    • A new window will open; select (tick) Scan root drive only then click Start
    • When the scan is completed, a window will pop up saying ...\SysProtLog.txt - created successfully; click OK and close SysProt.
    • Locate SysProtLog.txt in same folder where SysProt.exe resides.
    • Copy and paste the contents of the log in your next reply.



    Scan with OTL


    • Close all other open windows, then double-click OTL to start the tool.
    • Under Output, ensure that Minimal Output is selected
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes box (under the cyan line at the bottom of the window)
      Code:
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
    • Click Run Scan in upper left of window.
    • When the scan is finished, a log will open.
    • Please post the contents of the log (OTL.txt) in your next reply.
     
  14. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    SysProt AntiRootkit v1.0.1.0
    by swatkat
    ******************************************************************************************
    ******************************************************************************************
    No Hidden Processes found
    ******************************************************************************************
    ******************************************************************************************
    Kernel Modules:
    Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
    Service Name: ---
    Module Base: 8D80B000
    Module End: 8D8D2000
    Hidden: Yes
    ******************************************************************************************
    ******************************************************************************************
    No SSDT Hooks found
    ******************************************************************************************
    ******************************************************************************************
    Kernel Hooks:
    Hooked Function: ZwCreateUserProcess
    At Address: 81FFBDD5
    Jump To: 90E23766
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwYieldExecution
    At Address: 81E5A1C0
    Jump To: 90E237CC
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwUnmapViewOfSection
    At Address: 82057DA5
    Jump To: 90E237F6
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwTerminateProcess
    At Address: 82015F8A
    Jump To: 90E2380F
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwSetInformationProcess
    At Address: 82067674
    Jump To: 90E2377A
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwSetContextThread
    At Address: 820C7CB7
    Jump To: 90E2378E
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwRestoreKey
    At Address: 82088452
    Jump To: 90E23837
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwReplaceKey
    At Address: 8208949E
    Jump To: 90E2384B
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwProtectVirtualMemory
    At Address: 820698CE
    Jump To: 90E237B6
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwOpenThread
    At Address: 820351D8
    Jump To: 90E23728
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwOpenProcess
    At Address: 82044B14
    Jump To: 90E23714
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwNotifyChangeKey
    At Address: 81FF417C
    Jump To: 90E23823
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwMapViewOfSection
    At Address: 8205774E
    Jump To: 90E237E0
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwCreateProcessEx
    At Address: 820C71FA
    Jump To: 90E23750
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwCreateProcess
    At Address: 820C71AF
    Jump To: 90E2373C
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: ZwCreateFile
    At Address: 82059FB6
    Jump To: 90E237A2
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    Hooked Function: PsSetContextThread
    At Address: 820C7CB7
    Jump To: 90E2378E
    Module Name: C:\Windows\system32\drivers\mfehidk.sys
    ******************************************************************************************
    ******************************************************************************************
    No IRP Hooks found
    ******************************************************************************************
    ******************************************************************************************
    Ports:
    Local Address: DJ-COMP:49156
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: C:\Windows\System32\services.exe
    State: LISTENING
    Local Address: DJ-COMP:49155
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: C:\Windows\System32\lsass.exe
    State: LISTENING
    Local Address: DJ-COMP:49154
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: C:\Windows\System32\svchost.exe
    State: LISTENING
    Local Address: DJ-COMP:49153
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: C:\Windows\System32\svchost.exe
    State: LISTENING
    Local Address: DJ-COMP:49152
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: C:\Windows\System32\wininit.exe
    State: LISTENING
    Local Address: DJ-COMP:6646
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
    State: LISTENING
    Local Address: DJ-COMP:5357
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: System
    State: LISTENING
    Local Address: DJ-COMP:MICROSOFT-DS
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: System
    State: LISTENING
    Local Address: DJ-COMP:EPMAP
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: C:\Windows\System32\svchost.exe
    State: LISTENING
    Local Address: 192.168.0.101:6646
    Remote Address: NA
    Type: UDP
    Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
    State: NA
    Local Address: DJ-COMP:58546
    Remote Address: NA
    Type: UDP
    Process: C:\Windows\System32\svchost.exe
    State: NA
    Local Address: DJ-COMP:53338
    Remote Address: NA
    Type: UDP
    Process: C:\Windows\System32\svchost.exe
    State: NA
    Local Address: DJ-COMP:SSDP
    Remote Address: NA
    Type: UDP
    Process: C:\Windows\System32\svchost.exe
    State: NA
    Local Address: DJ-COMP:IPSEC-MSFT
    Remote Address: NA
    Type: UDP
    Process: C:\Windows\System32\svchost.exe
    State: NA
    Local Address: DJ-COMP:500
    Remote Address: NA
    Type: UDP
    Process: C:\Windows\System32\svchost.exe
    State: NA
    Local Address: DJ-COMP:123
    Remote Address: NA
    Type: UDP
    Process: C:\Windows\System32\svchost.exe
    State: NA
    ******************************************************************************************
    ******************************************************************************************
    Hidden files/folders:
    Object: C:\System Volume Information\75594753a69894797e5d18edc4852cdb.szcpf
    Status: Access denied
    Object: C:\System Volume Information\MountPointManagerRemoteDatabase
    Status: Access denied
    Object: C:\System Volume Information\SPP
    Status: Access denied
    Object: C:\System Volume Information\SystemRestore
    Status: Access denied
    Object: C:\System Volume Information\tracking.log
    Status: Access denied
    Object: C:\System Volume Information\{d112f07f-3ec3-11df-b7c2-001b38df8b9c}{3808876b-c176-4e48-b7ae-04046e6cc752}.szfi
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\09a574aad6e10a7c9dd6b254a42a0001.szcpf
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\28cd7ebdbacb140d505d175588a2ded6.szcpf
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\3bd839637859086e89b4e7e6d3349762.szcpf
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\723a12f59f2a886ebd5ca000601d4f84.szcpf
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl
    Status: Access denied
    Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTumstartup.etl
    Status: Access denied
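
The SysProt listing above shows every SSDT hook landing in mfehidk.sys, which the OTL log later in this thread attributes to McAfee, Inc., followed by the listening sockets. As an added example (not the poster's code, nor SysProt's or McAfee's), the following Python parses that record layout and applies the two checks a responder would otherwise do by eye: group the hooks by owning module and flag any module outside an analyst-supplied allowlist, and flag LISTENING sockets whose owning process is neither a core Windows listener nor on the allowlist. The sample log is constructed from lines of the posted log plus two made-up records (a hook by `example_unknown.sys` and a listener in the user's Temp directory) so that both flagging paths run; the allowlists and the record-boundary rule (a repeated key starts a new record) are assumptions, not something the log states.

```python
"""Triage of a SysProt-style kernel hook and port listing.

Added example for this thread, not SysProt's, McAfee's or the poster's code.
Record boundaries are inferred from the key order in the posted log: a key
that repeats (or a banner/section line) closes the current record.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of the posted log. The first two hook
# records and the first two port records are copied from it; the hook by
# example_unknown.sys and the listener in Temp are made up to exercise the
# flagging paths.
SAMPLE_LOG = r"""
Hooked Function: ZwOpenProcess
At Address: 82044B14
Jump To: 90E23714
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateFile
At Address: 82059FB6
Jump To: 90E237A2
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwQueryDirectoryFile
At Address: 82051234
Jump To: 9A100010
Module Name: C:\Windows\system32\drivers\example_unknown.sys
******************************************************************************************
Ports:
Local Address: DJ-COMP:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING
Local Address: DJ-COMP:6646
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: LISTENING
Local Address: DJ-COMP:8080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Users\dj\AppData\Local\Temp\example.exe
State: LISTENING
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

# Core Windows listeners seen in the posted log; anything else under
# System32 still gets reviewed because a file name alone proves nothing.
OS_LISTENERS = {"services.exe", "lsass.exe", "svchost.exe", "wininit.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_records(text):
    """Return a list of dicts, one per log record."""
    records, current = [], {}
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match or not match.group(2):  # banner, blank or bare header like "Ports:"
            if current:
                records.append(current)
                current = {}
            continue
        key, value = match.group(1), match.group(2)
        if key in current:                   # same key again: a new record begins
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def triage(text, trusted_drivers, trusted_processes):
    """Group hooks by owning module and pick out listeners needing review.

    trusted_drivers / trusted_processes are lower-case file names the analyst
    has already attributed to a legitimate product (an assumption supplied by
    the caller, not something the log itself proves).
    """
    hooks_by_module = defaultdict(list)
    unknown_hooks, review_listeners = [], []
    for rec in parse_records(text):
        if "Hooked Function" in rec:
            module = rec.get("Module Name", "")
            hooks_by_module[module].append(rec["Hooked Function"])
            if _basename(module) not in trusted_drivers:
                unknown_hooks.append((rec["Hooked Function"], module, rec.get("Jump To")))
        elif rec.get("State") == "LISTENING":
            proc = rec.get("Process", "")
            is_os = proc == "System" or (
                proc.lower().startswith(SYSTEM32) and _basename(proc) in OS_LISTENERS)
            if not is_os and _basename(proc) not in trusted_processes:
                review_listeners.append((rec["Local Address"], proc))
    return dict(hooks_by_module), unknown_hooks, review_listeners


if __name__ == "__main__":
    # mfehidk.sys / McNASvc.exe are allowlisted here because the OTL log in
    # this thread attributes both to McAfee, Inc.; that is the analyst's call.
    hooks, unknown, listeners = triage(SAMPLE_LOG, {"mfehidk.sys"}, {"mcnasvc.exe"})
    for module, funcs in hooks.items():
        print(f"{len(funcs):2d} hook(s) -> {module}")
    for item in unknown:
        print("UNKNOWN HOOK MODULE:", item)
    for item in listeners:
        print("REVIEW LISTENER:", item)
```

Run it against a full SysProt export by replacing `SAMPLE_LOG` with the file contents; the point of the allowlist arguments is that a hook is only as trustworthy as the module it jumps into, so the decision to trust mfehidk.sys rests on the driver's publisher shown elsewhere in the logs, not on the hook list itself.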
     
  15. zigackly

    zigackly Thread Starter

    Joined:
    Apr 6, 2010
    Messages:
    34
    OTL logfile created on: 08/04/2010 00:17:11 - Run 2
    OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\dj\Desktop
    Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18904)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 58.00% Memory free
    6.00 Gb Paging File | 5.00 Gb Available in Paging File | 78.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 110.72 Gb Total Space | 54.56 Gb Free Space | 49.28% Space Free | Partition Type: NTFS
    Drive D: | 110.46 Gb Total Space | 13.58 Gb Free Space | 12.30% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    Drive F: | 7.64 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: DJ-COMP
    Current User Name: dj
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Processes (SafeList) ==========

    PRC - C:\Users\dj\AppData\Local\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
    PRC - C:\Users\dj\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
    PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\MSK\msksrver.exe (McAfee, Inc.)
    PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
    PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
    PRC - C:\Windows\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
    PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
    PRC - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
    PRC - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
    PRC - C:\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
    PRC - C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe (CyberLink Corp.)
    PRC - C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
    PRC - C:\Acer\Empowering Technology\eNet\eNet Service.exe (Acer Inc.)
    PRC - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
    PRC - C:\Acer\Mobility Center\MobilityService.exe ()
    PRC - C:\Acer\Empowering Technology\eAudio\eAudio.exe (CyberLink)
    PRC - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (Acer Inc.)
    PRC - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (acer)
    PRC - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
    PRC - C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
    PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
    PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    PRC - C:\Windows\BR040286.exe (Bison Inc.)


    ========== Modules (SafeList) ==========

    MOD - C:\Users\dj\Desktop\OTL.exe (OldTimer Tools)
    MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
    MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
    SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
    SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
    SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
    SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
    SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
    SRV - (MSK80Service) -- C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)
    SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
    SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
    SRV - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
    SRV - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
    SRV - (eDataSecurity Service) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
    SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
    SRV - (eNet Service) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe (Acer Inc.)
    SRV - (eSettingsService) -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
    SRV - (MobilityService) -- C:\Acer\Mobility Center\MobilityService.exe ()
    SRV - (eLockService) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (Acer Inc.)
    SRV - (WMIService) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (acer)
    SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
    SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


    ========== Driver Services (SafeList) ==========

    DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys (Duplex Secure Ltd.)
    DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
    DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
    DRV - (mfesmfk) -- C:\Windows\System32\drivers\mfesmfk.sys (McAfee, Inc.)
    DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
    DRV - (mferkdk) -- C:\Windows\System32\drivers\mferkdk.sys (McAfee, Inc.)
    DRV - (MPFP) -- C:\Windows\System32\drivers\Mpfp.sys (McAfee, Inc.)
    DRV - (NETw5v32) Intel(R) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
    DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
    DRV - (NTIDrvr) -- C:\Windows\System32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
    DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
    DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
    DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
    DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
    DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
    DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
    DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
    DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
    DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
    DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
    DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
    DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
    DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
    DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
    DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
    DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
    DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
    DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
    DRV - (HSFHWAZL) -- C:\Windows\System32\drivers\VSTAZL3.SYS (Conexant Systems, Inc.)
    DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
    DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
    DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
    DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
    DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
    DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
    DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
    DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
    DRV - ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796}) -- C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl (Cyberlink Corp.)
    DRV - (psdvdisk) -- C:\Windows\System32\drivers\PSDVdisk.sys (Egis Incorporated)
    DRV - (PSDFilter) -- C:\Windows\system32\DRIVERS\psdfilter.sys (Egis Incorporated)
    DRV - (PSDNServ) -- C:\Windows\System32\drivers\PSDNServ.sys (Egis Incorporated)
    DRV - (NETw4x32) Intel(R) -- C:\Windows\System32\drivers\NETw4x32.sys (Intel Corporation)
    DRV - (NETw4v32) Intel(R) -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
    DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
    DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
    DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
    DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
    DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
    DRV - (Cam5607) -- C:\Windows\System32\drivers\BisonC07.sys (Bison Electronics. Inc. )
    DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
    DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
    DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys (Acer, Inc.)
    DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
    DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
    DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
    DRV - (enecir) -- C:\Windows\System32\drivers\enecir.sys (ENE TECHNOLOGY INC.)
    DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
    DRV - (DKbFltr) -- C:\Windows\System32\drivers\DKbFltr.sys (Dritek System Inc.)
    DRV - (DritekPortIO) -- C:\Program Files\Launch Manager\DPortIO.sys (Dritek System Inc.)
    DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
    DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
    DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
    DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
    DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
    DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
    DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
    DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
    DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
    DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
    DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
    DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
    DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
    DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
    DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
    DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
    DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
    DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: [email protected]:2
    FF - prefs.js..extensions.enabledItems: 4
    FF - prefs.js..extensions.enabledItems: 9
    FF - prefs.js..extensions.enabledItems: 1

    FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/22 23:34:57 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 12:34:10 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 12:34:10 | 000,000,000 | ---D | M]

    [2009/05/02 09:12:14 | 000,000,000 | ---D | M] -- C:\Users\dj\AppData\Roaming\Mozilla\Extensions
    [2010/04/07 14:13:11 | 000,000,000 | ---D | M] -- C:\Users\dj\AppData\Roaming\Mozilla\Firefox\Profiles\umz0wdot.default\extensions
    [2009/06/24 18:53:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\dj\AppData\Roaming\Mozilla\Firefox\Profiles\umz0wdot.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/04/03 20:00:11 | 000,000,000 | ---D | M] -- C:\Users\dj\AppData\Roaming\Mozilla\Firefox\Profiles\umz0wdot.default\extensions\[email protected]
    [2010/04/03 20:00:12 | 000,000,000 | ---D | M] -- C:\Users\dj\AppData\Roaming\Mozilla\Firefox\Profiles\umz0wdot.default\extensions\[email protected]
    [2009/07/28 19:14:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/03/16 19:27:25 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/03/16 19:27:25 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/03/16 19:27:25 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/03/16 19:27:25 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
    O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
    O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [BisonInst0402] C:\Windows\BR040286.exe (Bison Inc.)
    O4 - HKLM..\Run: [eAudio] C:\Acer\Empowering Technology\eAudio\eAudio.exe (CyberLink)
    O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
    O4 - HKLM..\Run: [eRecoveryService] File not found
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
    O4 - HKLM..\Run: [PlayMovie] C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe (Acer Incorporated)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} http://driveragent.com/files/driveragent.cab (Driver Agent ActiveX Control)
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ukgateway.logica.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
    O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\dj\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\dj\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2004/03/12 21:29:51 | 000,000,031 | R--- | M] () - F:\AUTORUN.INF -- [ UDF ]
    O33 - MountPoints2\{1cb068f1-36ab-11de-bddd-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{1cb068f1-36ab-11de-bddd-806e6f6e6963}\Shell\AutoRun\command - "" = F:\dvd-rom.exe -- [2004/03/12 21:29:51 | 000,738,930 | R--- | M] (Macromedia, Inc.)
    O33 - MountPoints2\{31856c6a-f6e0-11de-8fbc-88f82a0eb375}\Shell - "" = AutoRun
    O33 - MountPoints2\{31856c6a-f6e0-11de-8fbc-88f82a0eb375}\Shell\AutoRun\command - "" = E:\autorun.exe -- File not found
    O33 - MountPoints2\{7d674829-a457-11de-a9f6-99b3b243a049}\Shell - "" = Autorun
    O33 - MountPoints2\{7d674829-a457-11de-a9f6-99b3b243a049}\Shell\open\command - "" = F:\unlock.exe -- File not found
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\dvd-rom.exe -- [2004/03/12 21:29:51 | 000,738,930 | R--- | M] (Macromedia, Inc.)
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias [2008/01/21 03:34:27 | 000,000,000 | ---D | M]
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/04/08 00:05:28 | 000,000,000 | ---D | C] -- C:\Users\dj\Desktop\SysProt
    [2010/04/07 16:40:54 | 000,472,064 | ---- | C] ( ) -- C:\Users\dj\Desktop\RootRepeal.exe
    [2010/04/07 08:20:11 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\dj\Desktop\TFC.exe
    [2010/04/06 22:50:29 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\dj\Desktop\OTL.exe
    [2010/04/06 22:46:25 | 000,000,000 | -H-D | C] -- C:\Users\dj\AppData\Local\acer eNM
    [2010/04/06 22:34:54 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
    [2010/04/06 12:14:52 | 365,230,920 | ---- | C] (Microsoft Corporation) -- C:\Users\dj\Desktop\Windows6.0-KB948465-X86.exe
    [2010/04/06 11:27:14 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2010/04/06 10:14:55 | 000,000,000 | ---D | C] -- C:\Users\dj\AppData\Roaming\Malwarebytes
    [2010/04/06 10:14:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/04/06 10:14:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2010/04/06 10:14:31 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/04/06 10:14:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/04/06 10:04:07 | 000,000,000 | ---D | C] -- C:\Users\dj\Documents\Downloads
    [2010/04/06 09:59:57 | 000,000,000 | ---D | C] -- C:\Users\dj\AppData\Local\Google
    [2010/04/06 09:28:03 | 000,000,000 | ---D | C] -- C:\ProgramData\SITEguard
    [2010/04/06 09:27:14 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
    [2010/04/06 09:27:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
    [2010/04/06 09:15:36 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
    [2010/04/04 14:29:19 | 000,000,000 | ---D | C] -- C:\Users\dj\AppData\Roaming\TVU Networks
    [2010/04/04 02:24:18 | 000,000,000 | ---D | C] -- C:\Users\dj\AppData\Roaming\dvdcss
    [2010/04/02 12:20:46 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
    [2010/03/31 07:40:23 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
    [2010/03/31 07:40:23 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
    [2010/03/31 07:40:23 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
    [2010/03/31 07:40:22 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
    [2010/03/31 07:40:22 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
    [2010/03/31 07:40:22 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
    [2010/03/31 07:40:22 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
    [2010/03/31 07:40:22 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
    [2010/03/31 07:40:22 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
    [2010/03/31 07:40:22 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
    [2010/03/31 07:40:22 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
    [2010/03/31 07:40:22 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
    [2010/03/31 07:40:22 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
    [2010/03/31 07:40:22 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
    [2010/03/31 07:40:22 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
    [2010/03/12 23:41:02 | 000,000,000 | ---D | C] -- C:\Program Files\Firaxis Games
    [2010/03/10 12:21:13 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
    [2010/03/10 12:21:11 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll

    ========== Files - Modified Within 30 Days ==========

    [2010/04/08 00:17:25 | 001,572,864 | -HS- | M] () -- C:\Users\dj\NTUSER.DAT
    [2010/04/08 00:16:03 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
    [2010/04/08 00:16:03 | 000,600,378 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2010/04/08 00:16:03 | 000,105,852 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2010/04/08 00:14:42 | 000,010,101 | ---- | M] () -- C:\Windows\System32\Config.MPF
    [2010/04/08 00:05:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2530070054-2038504099-4068766465-1000UA.job
    [2010/04/08 00:04:03 | 000,354,396 | ---- | M] () -- C:\Users\dj\Desktop\SysProt.zip
    [2010/04/07 23:09:06 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/04/07 23:09:06 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/04/07 22:29:39 | 000,090,066 | ---- | M] () -- C:\ProgramData\nvModes.dat
    [2010/04/07 22:29:39 | 000,090,066 | ---- | M] () -- C:\ProgramData\nvModes.001
    [2010/04/07 22:29:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/04/07 21:09:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/04/07 21:08:54 | 3219,111,936 | -HS- | M] () -- C:\hiberfil.sys
    [2010/04/07 21:04:12 | 000,524,288 | -HS- | M] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2010/04/07 21:04:12 | 000,065,536 | -HS- | M] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TM.blf
    [2010/04/07 21:03:19 | 000,069,622 | ---- | M] () -- C:\Users\dj\Desktop\rootrepealerrorsafemode.jpg
    [2010/04/07 19:36:07 | 000,464,595 | ---- | M] () -- C:\Users\dj\Desktop\RootRepeal.zip
    [2010/04/07 19:29:27 | 000,114,961 | ---- | M] () -- C:\Users\dj\Desktop\rootrepealerror.jpg
    [2010/04/07 19:26:01 | 000,000,000 | ---- | M] () -- C:\Users\dj\Desktop\RootRepeal.dmp
    [2010/04/07 16:43:11 | 000,000,000 | ---- | M] () -- C:\Users\dj\Desktop\settings.dat
    [2010/04/07 16:24:28 | 000,066,464 | ---- | M] () -- C:\Users\dj\Desktop\artemis.jpg
    [2010/04/07 16:22:53 | 000,069,320 | ---- | M] () -- C:\Users\dj\Desktop\newmalwarej.jpg
    [2010/04/07 13:55:02 | 402,664,288 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2010/04/07 10:16:31 | 000,420,338 | ---- | M] () -- C:\Users\dj\Desktop\Malware Problems - Tech Support Guy Forums.mht
    [2010/04/07 10:05:00 | 000,000,842 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2530070054-2038504099-4068766465-1000Core.job
    [2010/04/07 08:29:59 | 000,293,376 | ---- | M] () -- C:\Users\dj\Desktop\zpunlmnd.exe
    [2010/04/07 08:26:14 | 000,000,020 | ---- | M] () -- C:\Users\dj\defogger_reenable
    [2010/04/07 08:25:22 | 000,050,477 | ---- | M] () -- C:\Users\dj\Desktop\Defogger.exe
    [2010/04/07 08:20:31 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\dj\Desktop\TFC.exe
    [2010/04/07 08:14:21 | 000,000,520 | ---- | M] () -- C:\Windows\System32\drivers\kgpcpy.cfg
    [2010/04/06 22:50:49 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\dj\Desktop\OTL.exe
    [2010/04/06 22:45:42 | 000,000,953 | ---- | M] () -- C:\Users\dj\Desktop\Internet Explorer.lnk
    [2010/04/06 22:35:28 | 000,001,356 | ---- | M] () -- C:\Users\dj\AppData\Local\d3d9caps.dat
    [2010/04/06 12:16:47 | 365,230,920 | ---- | M] (Microsoft Corporation) -- C:\Users\dj\Desktop\Windows6.0-KB948465-X86.exe
    [2010/04/06 11:27:14 | 000,001,878 | ---- | M] () -- C:\Users\dj\Desktop\HijackThis.lnk
    [2010/04/05 09:28:58 | 000,073,216 | ---- | M] () -- C:\Users\dj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/04/02 19:01:22 | 000,001,290 | ---- | M] () -- C:\Users\dj\Desktop\CIV III.lnk
    [2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/03/15 02:00:00 | 000,000,356 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
    [2010/03/14 00:58:38 | 000,102,424 | ---- | M] () -- C:\Users\dj\AppData\Local\GDIPFONTCACHEV1.DAT
    [2010/03/13 18:56:12 | 000,379,896 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

    ========== Files Created - No Company Name ==========

    [2010/04/08 00:04:01 | 000,354,396 | ---- | C] () -- C:\Users\dj\Desktop\SysProt.zip
    [2010/04/07 21:08:54 | 3219,111,936 | -HS- | C] () -- C:\hiberfil.sys
    [2010/04/07 21:03:18 | 000,069,622 | ---- | C] () -- C:\Users\dj\Desktop\rootrepealerrorsafemode.jpg
    [2010/04/07 19:29:27 | 000,114,961 | ---- | C] () -- C:\Users\dj\Desktop\rootrepealerror.jpg
    [2010/04/07 19:26:01 | 000,000,000 | ---- | C] () -- C:\Users\dj\Desktop\RootRepeal.dmp
    [2010/04/07 16:43:11 | 000,000,000 | ---- | C] () -- C:\Users\dj\Desktop\settings.dat
    [2010/04/07 16:40:31 | 000,464,595 | ---- | C] () -- C:\Users\dj\Desktop\RootRepeal.zip
    [2010/04/07 16:24:28 | 000,066,464 | ---- | C] () -- C:\Users\dj\Desktop\artemis.jpg
    [2010/04/07 16:22:53 | 000,069,320 | ---- | C] () -- C:\Users\dj\Desktop\newmalwarej.jpg
    [2010/04/07 10:16:27 | 000,420,338 | ---- | C] () -- C:\Users\dj\Desktop\Malware Problems - Tech Support Guy Forums.mht
    [2010/04/07 09:30:37 | 402,664,288 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2010/04/07 08:29:53 | 000,293,376 | ---- | C] () -- C:\Users\dj\Desktop\zpunlmnd.exe
    [2010/04/07 08:25:54 | 000,000,020 | ---- | C] () -- C:\Users\dj\defogger_reenable
    [2010/04/07 08:25:22 | 000,050,477 | ---- | C] () -- C:\Users\dj\Desktop\Defogger.exe
    [2010/04/07 08:13:21 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\kgpcpy.cfg
    [2010/04/06 22:45:42 | 000,000,953 | ---- | C] () -- C:\Users\dj\Desktop\Internet Explorer.lnk
    [2010/04/06 11:27:14 | 000,001,878 | ---- | C] () -- C:\Users\dj\Desktop\HijackThis.lnk
    [2010/04/06 10:00:20 | 000,000,894 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2530070054-2038504099-4068766465-1000UA.job
    [2010/04/06 10:00:19 | 000,000,842 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2530070054-2038504099-4068766465-1000Core.job
    [2010/04/02 19:01:22 | 000,001,290 | ---- | C] () -- C:\Users\dj\Desktop\CIV III.lnk
    [2010/02/18 07:21:57 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
    [2010/02/18 07:21:56 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2010/02/18 07:21:56 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{cc6b45c5-1c55-11df-bd6f-001f3c2ab3c7}.TM.blf
    [2009/12/08 22:04:16 | 000,001,473 | ---- | C] () -- C:\Users\dj\.recently-used.xbel
    [2009/10/23 07:08:04 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4f1b205e-bf9a-11de-b53b-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
    [2009/10/23 07:08:04 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4f1b205e-bf9a-11de-b53b-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2009/10/23 07:08:04 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4f1b205e-bf9a-11de-b53b-001f3c2ab3c7}.TM.blf
    [2009/09/25 03:41:10 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{c26e49de-a97c-11de-8575-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
    [2009/09/25 03:41:10 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{c26e49de-a97c-11de-8575-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2009/09/25 03:41:10 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{c26e49de-a97c-11de-8575-001f3c2ab3c7}.TM.blf
    [2009/09/11 07:07:40 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4d3ae68b-9e99-11de-a700-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
    [2009/09/11 07:07:40 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4d3ae68b-9e99-11de-a700-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2009/09/11 07:07:40 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{4d3ae68b-9e99-11de-a700-001f3c2ab3c7}.TM.blf
    [2009/06/24 18:51:39 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{90ced7ff-60e7-11de-a0e4-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
    [2009/06/24 18:51:39 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{90ced7ff-60e7-11de-a0e4-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2009/06/24 18:51:39 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{90ced7ff-60e7-11de-a0e4-001f3c2ab3c7}.TM.blf
    [2009/06/13 06:22:35 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{1261dd7d-57da-11de-8145-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
    [2009/06/13 06:22:34 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{1261dd7d-57da-11de-8145-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2009/06/13 06:22:33 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{1261dd7d-57da-11de-8145-001f3c2ab3c7}.TM.blf
    [2009/06/08 07:49:40 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{6f39b0dc-53f8-11de-b002-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
    [2009/06/08 07:49:40 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{6f39b0dc-53f8-11de-b002-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2009/06/08 07:49:40 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{6f39b0dc-53f8-11de-b002-001f3c2ab3c7}.TM.blf
    [2009/05/10 09:16:05 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{aef81204-3d3a-11de-8071-001f3c2ab3c7}.TMContainer00000000000000000002.regtrans-ms
    [2009/05/10 09:16:05 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{aef81204-3d3a-11de-8071-001f3c2ab3c7}.TMContainer00000000000000000001.regtrans-ms
    [2009/05/10 09:16:05 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{aef81204-3d3a-11de-8071-001f3c2ab3c7}.TM.blf
    [2009/05/09 05:02:07 | 000,001,356 | ---- | C] () -- C:\Users\dj\AppData\Local\d3d9caps.dat
    [2009/05/02 09:49:47 | 000,073,216 | ---- | C] () -- C:\Users\dj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/05/02 09:19:41 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2009/05/01 17:08:42 | 000,090,066 | ---- | C] () -- C:\ProgramData\nvModes.001
    [2009/05/01 17:06:41 | 000,090,066 | ---- | C] () -- C:\ProgramData\nvModes.dat
    [2009/05/01 17:06:37 | 000,000,020 | -HS- | C] () -- C:\Users\dj\ntuser.ini
    [2009/05/01 17:06:36 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
    [2009/05/01 17:06:36 | 000,524,288 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
    [2009/05/01 17:06:35 | 001,572,864 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT
    [2009/05/01 17:06:35 | 001,310,720 | -HS- | C] () -- C:\Users\dj\ntuser.dat_previous
    [2009/05/01 17:06:35 | 000,262,144 | -H-- | C] () -- C:\Users\dj\ntuser.dat.LOG1
    [2009/05/01 17:06:35 | 000,065,536 | -HS- | C] () -- C:\Users\dj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
    [2009/05/01 17:06:35 | 000,000,000 | -H-- | C] () -- C:\Users\dj\ntuser.dat.LOG2
    [2009/02/09 19:03:12 | 000,000,030 | ---- | C] () -- C:\Windows\SETPANEL.INI
    [2009/02/09 19:03:07 | 000,000,092 | ---- | C] () -- C:\Windows\CLEANUP.INI
    [2008/03/18 15:50:41 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
    [2008/03/17 19:42:34 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
    [2008/03/17 19:36:06 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
    [2008/03/17 19:13:52 | 000,000,775 | ---- | C] () -- C:\Windows\RtDefLvl.ini
    [2008/03/17 18:46:21 | 000,000,122 | ---- | C] () -- C:\Windows\Alaunch.ini
    [2008/03/17 18:44:49 | 000,015,190 | ---- | C] () -- C:\Windows\M3000Twn.ini
    [2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2001/12/27 00:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
    [2001/09/04 07:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
    [2001/07/31 00:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
    [2001/07/24 06:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >
    [2005/08/16 08:49:12 | 000,040,960 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\junction.exe


    < MD5 for: AGP440.SYS >
    [2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
    [2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
    [2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
    [2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
    [2006/11/02 10:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

    < MD5 for: ATAPI.SYS >
    [2009/04/11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
    [2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
    [2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
    [2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
    [2006/11/02 10:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

    < MD5 for: CNGAUDIT.DLL >
    [2006/11/02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
    [2006/11/02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

    < MD5 for: IASTOR.SYS >
    [2007/07/13 00:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
    [2007/07/13 00:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\drivers\iaStor.sys
    [2007/07/13 00:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_cfa1dde4\iaStor.sys
    [2007/07/13 00:35:44 | 000,381,976 | ---- | M] (Intel Corporation) MD5=CEB53BB804B41C52AB0782505C8E2994 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

    < MD5 for: IASTORV.SYS >
    [2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
    [2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
    [2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
    [2006/11/02 10:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

    < MD5 for: NETLOGON.DLL >
    [2009/04/11 07:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
    [2008/01/21 03:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
    [2008/01/21 03:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

    < MD5 for: NVSTOR.SYS >
    [2006/11/02 10:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
    [2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
    [2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
    [2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

    < MD5 for: SCECLI.DLL >
    [2008/01/21 03:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
    [2008/01/21 03:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
    [2009/04/11 07:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [2008/01/21 03:24:42 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
    [2008/01/21 03:24:38 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2008/01/21 04:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2008/01/21 04:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2008/01/21 04:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV
    < End of report >
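The "< MD5 for: ... >" blocks in the custom scan above are OTL hashing every copy of a driver the machine holds (the in-use file under System32\drivers, plus the reference copies in DriverStore, winsxs and SoftwareDistribution) so a helper can see whether the loaded copy still matches its own backups. The check is mechanical, so here is an added Python example that performs it over pasted report text; it is not part of this thread and not OTL's own code. It assumes the line format shown in the report (timestamp, size, attributes, flag, company, MD5, path) and groups copies by timestamp and size, on the reasoning that a file patched in place while keeping its metadata will hash differently from same-build reference copies. The sample lines are copied from the report above except that the in-use nvstor.sys line has been given a made-up hash so a mismatch is demonstrated; in the actual report every in-use copy agreed with its references.

```python
import re

# Constructed sample: ATAPI.SYS and NVSTOR.SYS blocks copied from the OTL report in this thread,
# except that the in-use nvstor.sys line carries a made-up MD5 (DEADBEEF...) so the script has a
# mismatch to report. In the real report all copies of both files agreed.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2009/04/11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 10:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: NVSTOR.SYS >
[2006/11/02 10:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys
"""

HEADER = re.compile(r"^<\s*MD5 for:\s*(\S+)\s*>$")
ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attr>\S+) \| [MC]\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
# Copies under these directories are reference copies kept by servicing and driver staging;
# they are not what the kernel loads at boot.
BACKUP_MARKERS = ("\\winsxs\\", "\\driverstore\\", "\\softwaredistribution\\")


def parse_md5_sections(report: str) -> dict:
    """Return {FILENAME: [entry, ...]} built from the '< MD5 for: X >' blocks of an OTL report."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = header.group(1).upper()
            sections.setdefault(current, [])
            continue
        if not line or line.startswith("<"):
            current = None  # a blank line or another custom-scan header ends the block
            continue
        entry = ENTRY.match(line)
        if current and entry:
            d = entry.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            d["md5"] = d["md5"].upper()
            sections[current].append(d)
    return sections


def is_live_copy(path: str) -> bool:
    """The loaded copy sits directly under System32 or System32\\drivers; everything else is a reference."""
    lp = path.lower()
    return "\\system32\\" in lp and not any(m in lp for m in BACKUP_MARKERS)


def check_live_copies(sections: dict) -> list:
    """Compare each live copy with reference copies of the same build (same timestamp and size).
    MATCH: at least one reference copy has the same MD5.
    MISMATCH: same-build references exist and none agree, i.e. the live file was altered in
              place while keeping its metadata, which is what in-place driver patching looks like.
    NO_REFERENCE: nothing to compare against; check the file against a known-good hash instead."""
    verdicts = []
    for name, entries in sections.items():
        for live in (e for e in entries if is_live_copy(e["path"])):
            same_build = [e for e in entries
                          if e is not live and not is_live_copy(e["path"])
                          and (e["ts"], e["size"]) == (live["ts"], live["size"])]
            if not same_build:
                status = "NO_REFERENCE"
            elif any(e["md5"] == live["md5"] for e in same_build):
                status = "MATCH"
            else:
                status = "MISMATCH"
            verdicts.append({"file": name, "path": live["path"], "md5": live["md5"],
                             "references": len(same_build), "status": status})
    return verdicts


def summarize(report: str) -> dict:
    """Convenience wrapper: {filename: status} for every live copy found in the report text."""
    return {v["file"]: v["status"] for v in check_live_copies(parse_md5_sections(report))}


if __name__ == "__main__":
    for v in check_live_copies(parse_md5_sections(SAMPLE_LOG)):
        print(f"{v['status']:<13}{v['file']:<12} refs={v['references']}  {v['path']}")
```

A MATCH only shows that the loaded file agrees with the reference copies on the same disk; if the machine was compromised early, those copies could have been altered too, so a suspicious result should still be confirmed against a known-good hash or an Authenticode signature check before the file is replaced.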
     
Short URL to this thread: https://techguy.org/915071