Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Suspected malware or backdoor access [Solved]


  • This topic is locked This topic is locked
18 replies to this topic

#1 zorkon

zorkon

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 11 June 2014 - 09:38 AM

Hello,

 

I have an XP work machine which I disconnected from the internet after I became suspicious that it may have been remotely accessed and files copied or screenshots taken. I have run scans with an up-to-date Kaspersky Internet Security but it has never found anything. I guess this usually would mean there's no problem, but I've been wondering if it is possible Kaspersky could miss something, and decided to try these tools and ask if any of the experts here can spot anything odd.

 

I've run the OTL, DDS and HijackThis tools and attach the logs. Please let me know if I should provide any other information. Would be very grateful if you can help.

 

-zorkon

 

.
DDS (Ver_11-03-05.01) - NTFSx86  
Run by xxxxxxxxx at  0:56:06.25 on Thu 12/06/2014
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.21.2
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3006.2234 [GMT 12:00]
.
AV: Kaspersky Internet Security *Enabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled* 
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
svchost.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Embarcadero\Studio\14.0\InterBaseXE3\bin\ibguard.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PDF Architect\HelperService.exe
C:\Program Files\PDF Architect\ConversionService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Garmin\gStart.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\OpenHardwareMonitor\OpenHardwareMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Embarcadero\Studio\14.0\InterBaseXE3\bin\ibserver.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Downloads\Software\Utilities\whatthetech\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PDF Architect Helper: {3a2d5eba-f86d-4bd3-a177-019765996711} - c:\program files\pdf architect\PDFIEHelper.dll
BHO: Content Blocker Plugin: {5564cc73-efa7-4cbf-918a-5cf7fbbfff4f} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: Virtual Keyboard Plugin: {73455575-e40c-433c-9784-c78dc7761455} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Safe Money Plugin: {9e6d0d23-3d72-4a94-ae1f-2d167624e3d9} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\onlinebanking\online_banking_bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
TB: PDF Architect Toolbar: {25a3a431-30bb-47c8-ad6a-e1063801134f} - c:\program files\pdf architect\PDFIEPlugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [gStart] c:\garmin\gStart.exe
uRun: [Core Temp] "c:\program files\core temp\Core Temp.exe"
uRun: [Umpcwiz] "c:\program files\intel\intel usbc host\umpcwiz.exe"
uRun: [Power2GoExpress] NA
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [OpenHardwareMonitor] c:\openhardwaremonitor\OpenHardwareMonitor.exe
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NPSStartup] 
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /l*v c:\windows\temp\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\adrawn~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\adrawn~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2013\ie_banner_deny.htm
IE: QuickDefine - c:\program files\common files\microsoft shared\reference 2001\EDDEFINE.HTM
IE: QuickTranslate - c:\program files\common files\microsoft shared\reference 2001\EDTRANS.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - hxxp://www.cult3d.com/download/cult.cab
DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} - hxxp://www.powerleap.com/cab_files/InSPECS3_0.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/183bba7734acd9889e06/netzip/RdxIE601.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1344761145948
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1344761122261
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38393.112962963
DPF: {B0781EB7-16EA-49F1-9C1D-9716D88206CF} - hxxp://192.168.0.7/view.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - hxxp://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
TCP: {4CBD8727-696A-4484-993B-A2E7E0B9A341} = 192.168.0.1
TCP: {826935B1-C24F-411C-8A51-1D13DD8B7C06} = 202.27.158.40,202.27.156.72,192.168.0.1
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\adrawn~1\applic~1\mozilla\firefox\profiles\00u2lmp1.default\
FF - prefs.js: browser.search.selectedEngine - Wolfram|Alpha
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.ftp - 122.248.235.140
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 200.19.159.35
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 122.248.235.140
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - 122.248.235.140
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\documents and settings\xxxxxxxxx\application data\mozilla\firefox\profiles\00u2lmp1.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\xxxxxxxxx\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\Npindeo.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2012-6-19 136024]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2008-7-15 17792]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-10-16 591968]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-6-8 44000]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 145040]
R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2012-1-28 20549]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe [2012-8-17 356376]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-2-15 12672]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-6-8 21992]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-10-6 238952]
R2 IBG_gds_db;InterBase XE3 Guardian gds_db;c:\program files\embarcadero\studio\14.0\interbasexe3\bin\ibguard.exe -i "c:\program files\embarcadero\studio\14.0\interbasexe3" -p gds_db --> c:\program files\embarcadero\studio\14.0\interbasexe3\bin\ibguard.exe -i c:\program files\embarcadero\studio\14.0\InterBaseXE3 [?]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2014-5-13 1259296]
R2 PDF Architect Helper Service;PDF Architect Helper Service;c:\program files\pdf architect\HelperService.exe [2013-4-8 1320496]
R2 PDF Architect Service;PDF Architect Service;c:\program files\pdf architect\ConversionService.exe [2013-4-8 799280]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-10-6 36608]
R3 IBS_gds_db;InterBase XE3 Server gds_db;c:\program files\embarcadero\studio\14.0\interbasexe3\bin\ibserver.exe -i "c:\program files\embarcadero\studio\14.0\interbasexe3" -p gds_db --> c:\program files\embarcadero\studio\14.0\interbasexe3\bin\ibserver.exe -i c:\program files\embarcadero\studio\14.0\InterBaseXE3 [?]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-5-25 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-7-25 24920]
R3 ncfvsbus;NCF Virtual Serial Bus Enumerator;c:\windows\system32\drivers\ncfvsbus.sys [2005-9-10 25088]
R3 WinRing0_1_2_0;WinRing0_1_2_0;\??\c:\openhardwaremonitor\openhardwaremonitor.sys --> c:\openhardwaremonitor\OpenHardwareMonitor.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AEXPAM;Philips SmartManage Service;c:\windows\system32\drivers\aexpamdrv.sys --> c:\windows\system32\drivers\aexpamdrv.sys [?]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\adrawn~1\locals~1\temp\alsysio.sys --> c:\docume~1\adrawn~1\locals~1\temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2012-5-18 25728]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2012-6-27 35672]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-5 117144]
S3 MtxVxd;MtxVxd;\??\c:\windows\system32\drivers\mtxvxd.sys --> c:\windows\system32\drivers\MtxVxd.sys [?]
S3 MultiDec DVB-TV-Treiber;MultiDec DVB-TV-Treiber;WINDRVR.SYS --> WINDRVR.SYS [?]
S3 PORTMON;PORTMON;\??\c:\sysinternals\portmsys.sys --> c:\sysinternals\PORTMSYS.SYS [?]
S3 QHY5II_A;QHY5II_A;c:\windows\system32\drivers\QHY5II_A.sys [2014-5-17 26176]
S3 QHY5II_B;QHY5II_B;c:\windows\system32\drivers\QHY5II_B.sys [2014-5-17 46144]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2012-12-16 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2012-12-16 60544]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 BlackfishSQL;BlackfishSQL;c:\program files\embarcadero\rad studio\7.0\bin\BSQLServer.exe [2009-11-19 65536]
S4 gupdate1c99155bca77f92;Google Update Service (gupdate1c99155bca77f92);c:\program files\google\update\GoogleUpdate.exe [2009-2-18 133104]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-18 133104]
S4 IKBMWG;IKBMWG;c:\docume~1\adrawn~1\locals~1\temp\ikbmwg.exe --> c:\docume~1\adrawn~1\locals~1\temp\IKBMWG.exe [?]
S4 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [2003-2-15 91520]
S4 SC;SC;c:\docume~1\adrawn~1\locals~1\temp\sc.exe --> c:\docume~1\adrawn~1\locals~1\temp\SC.exe [?]
S4 TMOHE;TMOHE;c:\docume~1\adrawn~1\locals~1\temp\tmohe.exe --> c:\docume~1\adrawn~1\locals~1\temp\TMOHE.exe [?]
S4 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2003-2-16 5533]
.
=============== File Associations ===============
.
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2014-05-29 09:57:08 --------  d-----w-  c:\program files\Microsoft Encarta
2014-05-17 01:39:26 46144 ----a-w-  c:\windows\system32\drivers\QHY5II_B.sys
2014-05-17 01:39:26 26176 ----a-w-  c:\windows\system32\drivers\QHY5II_A.sys
2014-05-17 01:39:26 179136  ----a-w-  c:\windows\system32\QHY5IIDel.dll
2014-05-17 01:39:26 17856 ----a-w-  c:\windows\system32\QHYCCDINSTALLER.dll
2014-05-17 01:39:26 178112  ----a-w-  c:\windows\system32\setupINF.dll
2014-05-17 01:39:12 --------  d-----w-  c:\program files\QHYCCD
2014-05-13 11:20:22 --------  d-----w-  c:\docume~1\alluse~1\applic~1\Downloaded Installations
2014-05-13 11:09:01 --------  d-----w-  C:\NVIDIA
2014-05-13 10:32:11 --------  d-----w-  c:\program files\Geeks3D
.
==================== Find3M  ====================
.
2014-05-13 11:10:30 1072544 ----a-w-  c:\windows\system32\nvdrsdb0.bin
2014-05-13 11:10:30 1 ----a-w-  c:\windows\system32\nvdrssel.bin
2014-05-13 11:10:25 1072544 ----a-w-  c:\windows\system32\nvdrsdb1.bin
2014-04-17 00:54:11 71168 ----a-w-  c:\windows\system32\PKIEDB20.bpl
2014-04-17 00:54:07 3115520 ----a-w-  c:\windows\system32\PKIECtrl20.bpl
2014-04-09 17:00:00 563656  ----a-w-  c:\windows\system32\CodeSiteExpressPkg200.bpl
2014-04-09 17:00:00 143288  ----a-w-  c:\windows\system32\CodeSitePlugIns160.bpl
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR 
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
1 ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\Harddisk0\DR0[0x8AEEDAB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\00000081[0x8AFAE9E8]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\Ide\IdeDeviceP2T0L0-e[0x8AEEE940]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
user != kernel MBR !!! 
.
============= FINISH:  0:56:45.60 ===============
 
 
 
 
 

OTL logfile created on: 12/06/2014 12:32:29 a.m. - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Downloads\Software\Utilities\whatthetech
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001409 | Country: New Zealand | Language: ENZ | Date Format: d/MM/yyyy
 
2.94 Gb Total Physical Memory | 2.26 Gb Available Physical Memory | 77.09% Memory free
4.77 Gb Paging File | 4.12 Gb Available in Paging File | 86.32% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 488.28 Gb Total Space | 51.00 Gb Free Space | 10.45% Space Free | Partition Type: NTFS
Drive D: | 468.75 Gb Total Space | 1.60 Gb Free Space | 0.34% Space Free | Partition Type: NTFS
Drive E: | 1863.01 Gb Total Space | 1048.47 Gb Free Space | 56.28% Space Free | Partition Type: NTFS
 
Computer Name: XXXXXXXXXX | User Name: xxxxxxxxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Downloads\Software\Utilities\whatthetech\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Embarcadero\Studio\14.0\InterBaseXE3\bin\ibguard.exe (Embarcadero Technologies, Inc.)
PRC - C:\Program Files\Embarcadero\Studio\14.0\InterBaseXE3\bin\ibserver.exe (Embarcadero Technologies, Inc.)
PRC - C:\OpenHardwareMonitor\OpenHardwareMonitor.exe ()
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\PDF Architect\HelperService.exe (pdfforge GmbH)
PRC - C:\Program Files\PDF Architect\ConversionService.exe (pdfforge GmbH)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe (Kaspersky Lab ZAO)
PRC - C:\Program Files\SAMSUNG\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
PRC - C:\WINDOWS\system32\FsUsbExService.Exe (Teruten)
PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Garmin\gStart.exe (GARMIN Corp.)
PRC - C:\Program Files\TextPad 4\TextPad.exe (Helios Software Solutions)
PRC - C:\Palm\HOTSYNC.EXE (Palm, Inc.)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\OpenHardwareMonitor\OpenHardwareMonitor.exe ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\b2c0f91d4817a23f3fd07cd05ebd8e89\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuration\11dfbb7df959cb6dd5b57816141de355\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuratio#\32ecd6bef90d6da4b2b33850c3ce99e1\System.Configuration.Install.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Management\2024a7339aa5ad2712d239d454d3c355\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\b83993cc955262507c8ead67567c8060\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\d884c684ee3f738a60e3c50dd5d88caa\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\df418085cedae9fa2efee87e20a419a4\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\60c214b6ad5691e368a16ec65d127c27\mscorlib.ni.dll ()
MOD - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\kpcengine.2.2.dll ()
MOD - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\QtWebKit\qmlwebkitplugin4.dll ()
MOD - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\dblite.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\FileZilla FTP Client\fzshellext.dll ()
MOD - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
MOD - C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll ()
MOD - C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll ()
MOD - C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (TMOHE) -- C:\DOCUME~1\ADRAWN~1\LOCALS~1\Temp\TMOHE.exe File not found
SRV - (SC) -- C:\DOCUME~1\ADRAWN~1\LOCALS~1\Temp\SC.exe File not found
SRV - (MySql) -- C:/mysql/bin/mysqld-nt.exe File not found
SRV - (IKBMWG) -- C:\DOCUME~1\ADRAWN~1\LOCALS~1\Temp\IKBMWG.exe File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (IBG_gds_db) -- C:\Program Files\Embarcadero\Studio\14.0\InterBaseXE3\bin\ibguard.exe (Embarcadero Technologies, Inc.)
SRV - (IBS_gds_db) -- C:\Program Files\Embarcadero\Studio\14.0\InterBaseXE3\bin\ibserver.exe (Embarcadero Technologies, Inc.)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (PDF Architect Helper Service) -- C:\Program Files\PDF Architect\HelperService.exe (pdfforge GmbH)
SRV - (PDF Architect Service) -- C:\Program Files\PDF Architect\ConversionService.exe (pdfforge GmbH)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (AVP) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe (Kaspersky Lab ZAO)
SRV - (FsUsbExService) -- C:\WINDOWS\system32\FsUsbExService.Exe (Teruten)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (NMSAccess) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (BlackfishSQL) -- C:\Program Files\Embarcadero\RAD Studio\7.0\bin\BSQLServer.exe (CodeGear)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (Macromedia Licensing Service) -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe ()
SRV - (ATMsrvc) -- C:\WINDOWS\system32\ATMsrvc.exe (Adobe Systems Incorporated)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (WinRing0_1_2_0) -- C:\OpenHardwareMonitor\OpenHardwareMonitor.sys File not found
DRV - (WDICA) --  File not found
DRV - (VMnetAdapter) -- system32\DRIVERS\vmnetadapter.sys File not found
DRV - (smwdm) -- system32\drivers\smwdm.sys File not found
DRV - (rtl8029) -- System32\DRIVERS\RTL8029.SYS File not found
DRV - (PORTMON) -- C:\Sysinternals\PORTMSYS.SYS File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (PCIDump) --  File not found
DRV - (MtxVxd) -- C:\WINDOWS\system32\drivers\MtxVxd.sys File not found
DRV - (Monfilt) -- system32\drivers\Monfilt.sys File not found
DRV - (MidiSyn) -- system32\drivers\MidiSyn.sys File not found
DRV - (maxidemo) -- system32\DRIVERS\maxidemo.sys File not found
DRV - (lbrtfdc) --  File not found
DRV - (i2omgmt) --  File not found
DRV - (Changer) --  File not found
DRV - (BTWDNDIS) -- system32\DRIVERS\btwdndis.sys File not found
DRV - (BTDriver) -- system32\DRIVERS\btport.sys File not found
DRV - (Ambfilt) -- system32\drivers\Ambfilt.sys File not found
DRV - (ALSysIO) -- C:\DOCUME~1\ADRAWN~1\LOCALS~1\Temp\ALSysIO.sys File not found
DRV - (AEXPAM) -- System32\Drivers\aexpamdrv.sys File not found
DRV - (aeaudio) -- system32\drivers\aeaudio.sys File not found
DRV - (kltdi) -- C:\WINDOWS\system32\drivers\kltdi.sys (Kaspersky Lab ZAO)
DRV - (KLIF) -- C:\WINDOWS\system32\drivers\klif.sys (Kaspersky Lab ZAO)
DRV - (kneps) -- C:\WINDOWS\system32\drivers\kneps.sys (Kaspersky Lab ZAO)
DRV - (QHY5II_B) -- C:\WINDOWS\system32\drivers\QHY5II_B.sys (Cypress Semiconductor)
DRV - (QHY5II_A) -- C:\WINDOWS\system32\drivers\QHY5II_A.sys (anchor chips)
DRV - (klmouflt) -- C:\WINDOWS\system32\drivers\klmouflt.sys (Kaspersky Lab)
DRV - (klkbdflt) -- C:\WINDOWS\system32\drivers\klkbdflt.sys (Kaspersky Lab)
DRV - (klim5) -- C:\WINDOWS\system32\drivers\klim5.sys (Kaspersky Lab ZAO)
DRV - (kl1) -- C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Lab ZAO)
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows ® 2000 DDK provider)
DRV - (androidusb) -- C:\WINDOWS\system32\drivers\androidusb.sys (Google Inc)
DRV - (cpuz135) -- C:\WINDOWS\system32\drivers\cpuz135_x32.sys (CPUID)
DRV - (FsUsbExDisk) -- C:\WINDOWS\system32\FsUsbExDisk.Sys ()
DRV - (nvgts) -- C:\WINDOWS\system32\drivers\nvgts.sys (NVIDIA Corporation)
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (Cdralw2k) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (Cdr4_xp) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Sonic Solutions)
DRV - (cpuz132) -- C:\WINDOWS\system32\drivers\cpuz132_x32.sys (Windows ® Codename Longhorn DDK provider)
DRV - (silabser) -- C:\WINDOWS\system32\drivers\silabser.sys (Silicon Laboratories)
DRV - (silabenm) -- C:\WINDOWS\system32\drivers\silabenm.sys (Silicon Laboratories, Inc.)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (USB_RNDIS) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)
DRV - (Ser2pl) -- C:\WINDOWS\system32\drivers\ser2pl.sys (Prolific Technology Inc.)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (PalmUSBD) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys (PalmSource, Inc.)
DRV - (ncfvsbus) -- C:\WINDOWS\system32\drivers\ncfvsbus.sys (Microsoft Corporation)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (SMBios) -- C:\WINDOWS\system32\drivers\SMBios.sys (Intel Corporation)
DRV - (cdrbsvsd) -- C:\WINDOWS\System32\drivers\cdrbsvsd.sys (B.H.A Corporation)
DRV - (sf) -- C:\WINDOWS\system32\drivers\sf.sys (Sonic Focus, Inc)
DRV - (DCamUSBSQTECH) -- C:\WINDOWS\system32\drivers\SQCaptur.sys (Service & Quality Technology.)
DRV - (smbusp) -- C:\WINDOWS\system32\drivers\smb.sys (Intel Corporation)
DRV - (IdeChnDr) -- C:\WINDOWS\system32\drivers\IdeChnDr.sys (Intel Corporation)
DRV - (IdeBusDr) -- C:\WINDOWS\system32\drivers\IdeBusDr.sys (Intel Corporation)
DRV - (PQNTDrv) -- C:\WINDOWS\System32\drivers\PQNTDRV.sys (PowerQuest Corporation)
DRV - (PPSCAN) -- C:\WINDOWS\System32\drivers\ppscan.sys (Hewlett-Packard Co.)
DRV - (Cinemsup) -- C:\WINDOWS\system32\drivers\cinemsup.sys (Ravisent Technologies, Inc.)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (G400) -- C:\WINDOWS\system32\drivers\g400m.sys (Matrox Graphics Inc.)
DRV - (UtilNT) -- C:\WINDOWS\system32\drivers\utilnt.sys (Matrox Graphics Inc.)
DRV - (ASPI32) -- C:\WINDOWS\System32\drivers\aspi32.sys (Adaptec)
DRV - (MultiDec DVB-TV-Treiber) -- C:\WINDOWS\WINDRVR.SYS (KRFTech)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\SearchScopes,DefaultScope = {A40E57EE-BD03-4B64-8BD2-23ADF0894587}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{A40E57EE-BD03-4B64-8BD2-23ADF0894587}: "URL" = http://search.yahoo....ei=utf-8&fr=ie8
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Wolfram|Alpha"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledAddons: add-to-searchbox%40maltekraus.de:2.0
FF - prefs.js..extensions.enabledAddons: eastasian%40eunheui:1.1.3
FF - prefs.js..extensions.enabledAddons: en-GB%40dictionaries.addons.mozilla.org:1.19.1
FF - prefs.js..extensions.enabledAddons: en_NZ%40dictionaries.addons.mozilla.org:2008.12.03
FF - prefs.js..extensions.enabledAddons: %7B45d8ff86-d909-11db-9705-005056c00008%7D:1.1.0
FF - prefs.js..extensions.enabledAddons: %7Baff87fa2-a58e-4edd-b852-0a20203c1e17%7D:0.9
FF - prefs.js..extensions.enabledAddons: %7Bd40f5e7b-d2cf-4856-b441-cc613eeffbe3%7D:1.68
FF - prefs.js..extensions.enabledAddons: %7Be968fc70-8f95-4ab9-9e79-304de2a71ee1%7D:0.7.3
FF - prefs.js..extensions.enabledAddons: %7B195A3098-0BD5-4e90-AE22-BA1C540AFD1E%7D:4.0.4
FF - prefs.js..extensions.enabledAddons: anti_banner%40kaspersky.com:13.0.1.4307
FF - prefs.js..extensions.enabledAddons: %7Bd37dc5d0-431d-44e5-8c91-49419370caa1%7D:3.1.26
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.6.1rc2
FF - prefs.js..extensions.enabledAddons: zotero%40chnm.gmu.edu:4.0.6
FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.15
FF - prefs.js..extensions.enabledAddons: jsprintsetup%40edabg.com:0.9.2
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: add-to-searchbox@maltekraus.de:2.0
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.49
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19.1
FF - prefs.js..extensions.enabledItems: {71328583-3CA7-4809-B4BA-570A85818FBB}:0.6.3
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.4
FF - prefs.js..extensions.enabledItems: eastasian@eunheui:1.1.3
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.9.9
FF - prefs.js..extensions.enabledItems: {aff87fa2-a58e-4edd-b852-0a20203c1e17}:0.8
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:11.0.1.400
FF - prefs.js..extensions.enabledItems: {d37dc5d0-431d-44e5-8c91-49419370caa1}:2.6.18
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: KavAntiBanner@Kaspersky.ru:11.0.1.400
FF - prefs.js..network.proxy.autoconfig_url: "file:///c:/windows/no-ads.pac"
FF - prefs.js..network.proxy.backup.ftp: "122.248.235.140"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.gopher: "200.19.159.35"
FF - prefs.js..network.proxy.backup.gopher_port: 3128
FF - prefs.js..network.proxy.backup.socks: "122.248.235.140"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "122.248.235.140"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "122.248.235.140"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "200.19.159.35"
FF - prefs.js..network.proxy.gopher_port: 3128
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "122.248.235.140"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "122.248.235.140"
FF - prefs.js..network.proxy.ssl_port: 80
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\url_advisor@kaspersky.com: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\url_advisor@kaspersky.com [2013/04/23 13:06:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtual_keyboard@kaspersky.com: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\virtual_keyboard@kaspersky.com [2013/04/23 13:06:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\content_blocker@kaspersky.com: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\content_blocker@kaspersky.com [2013/04/23 13:06:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\anti_banner@kaspersky.com: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\anti_banner@kaspersky.com [2013/04/23 13:06:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\online_banking@kaspersky.com: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\online_banking@kaspersky.com [2013/04/23 13:06:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\FFPDFArchitectConverter@pdfarchitect.com: C:\Program Files\PDF Architect\FFPDFArchitectExt [2014/03/12 16:53:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/05/16 23:03:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/05/16 23:03:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/08/15 01:18:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2013/03/20 20:02:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 6 6.1\Extensions\\Components: C:\Program Files\Netscape\Netscape 6\Components [2012/08/15 01:18:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 6 6.1\Extensions\\Plugins: C:\Program Files\Netscape\Netscape 6\Plugins [2013/03/20 20:02:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape 7.2\Components [2012/10/23 21:47:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape 7.2\Plugins [2013/03/20 20:02:36 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 6 6.1\Extensions\\Components: C:\Program Files\Netscape\Netscape 6\Components [2012/08/15 01:18:10 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 6 6.1\Extensions\\Plugins: C:\Program Files\Netscape\Netscape 6\Plugins [2013/03/20 20:02:36 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape 7.2\Components [2012/10/23 21:47:04 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape 7.2\Plugins [2013/03/20 20:02:36 | 000,000,000 | ---D | M]
 
[2010/08/25 21:04:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Extensions
[2010/08/25 21:04:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2014/01/22 03:04:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions
[2013/03/27 01:27:26 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/01/23 10:57:29 | 000,000,000 | ---D | M] (CacheViewer) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
[2013/06/29 23:53:53 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/10/15 06:31:50 | 000,000,000 | ---D | M] (FoxClocks) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}
[2010/01/24 16:11:35 | 000,000,000 | ---D | M] (Add to Search Bar) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\add-to-searchbox@maltekraus.de
[2011/01/24 18:24:24 | 000,000,000 | ---D | M] (East Asian Translator) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\eastasian@eunheui
[2012/08/12 20:56:05 | 000,000,000 | ---D | M] (New Zealander English Dictionary) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\en_NZ@dictionaries.addons.mozilla.org
[2010/12/10 09:53:24 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2014/01/22 03:04:37 | 000,024,752 | ---- | M] () (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\jsprintsetup@edabg.com.xpi
[2013/05/16 23:01:38 | 004,668,836 | ---- | M] () (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\zotero@chnm.gmu.edu.xpi
[2012/01/16 13:32:33 | 000,060,243 | ---- | M] () (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{45d8ff86-d909-11db-9705-005056c00008}.xpi
[2013/05/16 23:01:38 | 000,534,565 | ---- | M] () (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2011/11/11 13:11:21 | 000,042,737 | ---- | M] () (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}.xpi
[2013/06/18 15:51:35 | 000,870,680 | ---- | M] () (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/01/22 01:23:17 | 000,138,614 | ---- | M] () (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
[2011/07/02 03:53:19 | 000,042,336 | ---- | M] () (No name found) -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
[2009/08/03 18:34:10 | 000,002,172 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\searchplugins\bing.xml
[2009/10/13 16:58:03 | 000,002,758 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\searchplugins\cuil.xml
[2008/09/07 14:14:24 | 000,002,523 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\searchplugins\ebay.xml
[2008/09/07 14:14:35 | 000,007,582 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\searchplugins\trademe.xml
[2009/10/17 16:43:31 | 000,001,987 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\searchplugins\wolframalpha.xml
[2008/09/07 13:34:43 | 000,009,400 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\00u2lmp1.default\searchplugins\yahooxtra.xml
[2013/05/16 23:03:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/05/16 23:03:36 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013/04/23 13:06:36 | 000,000,000 | ---D | M] (Anti-Banner) -- C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY INTERNET SECURITY 2013\FFEXT\ANTI_BANNER@KASPERSKY.COM
 
========== Chrome  ==========
 
CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&output=chrome&hl={language}&q={searchTerms}
CHR - homepage: about:blank
 
O1 HOSTS File: ([2006/12/21 22:54:10 | 000,000,754 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1 microweb
O2 - BHO: (PDF Architect Helper) - {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files\PDF Architect\PDFIEHelper.dll (pdfforge GmbH)
O2 - BHO: (Content Blocker Plugin) - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
O2 - BHO: (Virtual Keyboard Plugin) - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Safe Money Plugin) - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (URL Advisor Plugin) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
O3 - HKLM\..\Toolbar: (PDF Architect Toolbar) - {25A3A431-30BB-47C8-AD6A-E1063801134F} - C:\Program Files\PDF Architect\PDFIEPlugin.dll (pdfforge GmbH)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [NPSStartup]  File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [AutoStartNPSAgent] C:\Program Files\SAMSUNG\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKCU..\Run: [Core Temp] "C:\Program Files\Core Temp\Core Temp.exe" File not found
O4 - HKCU..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)
O4 - HKCU..\Run: [OpenHardwareMonitor] C:\OpenHardwareMonitor\OpenHardwareMonitor.exe ()
O4 - HKCU..\Run: [Power2GoExpress] NA File not found
O4 - HKCU..\Run: [Umpcwiz] C:\Program Files\Intel\Intel USBC Host\umpcwiz.exe (Intel Corporation)
O4 - Startup: C:\Documents and Settings\xxxxxxxxx\Start Menu\Programs\Startup\AutorunsDisabled [2010/02/16 10:38:57 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\xxxxxxxxx\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE (Palm, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2010/02/16 10:38:52 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 223
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 01 00 00 00  [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ie_banner_deny.htm ()
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EDDEFINE.HTM ()
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EDTRANS.HTM ()
O9 - Extra Button: Virtual Keyboard - {0C4CC089-D306-440D-9772-464E226F6539} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Error: Key error. File not found
O9 - Extra Button: URLs check - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} http://codecs.micros...i386/voxacm.CAB (Reg Error: Key error.)
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} http://download.giga...bject/Dldrv.ocx (Dldrv2 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} http://www.cult3d.co...wnload/cult.cab (Cult3D ActiveX Player)
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} http://www.powerleap.../InSPECS3_0.cab (InSPECS3_0 Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.2.cab (DLM Control)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} http://software-dl.r...ip/RdxIE601.cab (RdxIE Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1344761145948 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1344761122261 (MUWebControl Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai...all/xscan53.cab (HouseCall Control)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zon...StatsClient.cab (MessengerStatsClient Class)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...38393.112962963 (Reg Error: Key error.)
O16 - DPF: {B0781EB7-16EA-49F1-9C1D-9716D88206CF} http://192.168.0.7/view.cab (CSQ Object)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} http://sc.groups.msn...UC/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.21.2)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4CBD8727-696A-4484-993B-A2E7E0B9A341}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{826935B1-C24F-411C-8A51-1D13DD8B7C06}: NameServer = 202.27.158.40,202.27.156.72,192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - (C:\WINDOWS\system32\klogon.dll) - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab ZAO)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2013/02/12 21:34:39 | 000,000,085 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9107c9c5-082b-11e0-9433-001d7dad1ede}\Shell\AutoRun\command - "" = F:\Install.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sprestrt)
O34 - HKLM BootExecute: (sprestrt)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
NetSvcs: 6to4 -  File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
Drivers32: MSACM.CEGSM - C:\WINDOWS\System32\mobileV.acm ()
Drivers32: Msacm.dvacm - C:\Program Files\Common Files\Ulead Systems\vio\DVACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.enc - C:\WINDOWS\System32\ITIG726.acm (Ingenient Technologies, Inc.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\LameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.mpegacm - mpegacm.acm File not found
Drivers32: msacm.rav - C:\WINDOWS\System32\Ravmp3e.acm (RAVISENT Tech.)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.ulmp3acm - ulmp3acm.acm File not found
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.444p - C:\Program Files\t@b\0.958\686\tabdec.dll File not found
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.dvsd - C:\WINDOWS\System32\MCDVD_32.DLL (MainConcept)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.mjpg - C:\Program Files\t@b\0.956\686\tabdec.dll File not found
Drivers32: vidc.mpng - C:\Program Files\t@b\0.958\686\tabdec.dll File not found
Drivers32: vidc.mvjp - C:\Program Files\t@b\0.958\686\tabdec.dll File not found
Drivers32: vidc.mxmc - MimicICM.DLL File not found
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/05/29 21:57:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Encarta
[2014/05/29 21:57:08 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Encarta
[2014/05/17 13:39:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QHYCCD EZPlanetary
[2014/05/17 13:39:26 | 000,046,144 | ---- | C] (Cypress Semiconductor) -- C:\WINDOWS\System32\drivers\QHY5II_B.sys
[2014/05/17 13:39:26 | 000,026,176 | ---- | C] (anchor chips) -- C:\WINDOWS\System32\drivers\QHY5II_A.sys
[2014/05/17 13:39:12 | 000,000,000 | ---D | C] -- C:\Program Files\QHYCCD
[2014/05/17 13:39:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QHY5_II Drivers
[2014/05/13 23:20:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2014/05/13 23:09:01 | 000,000,000 | ---D | C] -- C:\NVIDIA
[2014/05/13 22:32:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Geeks3D
[2014/05/13 22:32:11 | 000,000,000 | ---D | C] -- C:\Program Files\Geeks3D
[2010/06/09 01:52:05 | 001,531,392 | ---- | C] (Toshiba Samsung Storage Technology Corporation) -- C:\Documents and Settings\xxxxxxxxx\Application Data\tsdnwin.dll
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/06/11 16:31:28 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/06/11 16:30:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/06/06 01:52:48 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Encarta World English Dictionary - WE.lnk
[2014/05/29 22:01:48 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2014/05/17 13:39:46 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EZPlanetary.lnk
[2014/05/13 23:18:30 | 000,548,818 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2014/05/13 23:18:30 | 000,103,244 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2014/05/13 23:10:30 | 001,072,544 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2014/05/13 23:10:30 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin
[2014/05/13 23:10:25 | 001,072,544 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/05/17 13:39:46 | 000,000,947 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EZPlanetary.lnk
[2014/05/17 13:39:26 | 000,179,136 | ---- | C] () -- C:\WINDOWS\System32\QHY5IIDel.dll
[2014/05/17 13:39:26 | 000,178,112 | ---- | C] () -- C:\WINDOWS\System32\setupINF.dll
[2014/05/17 13:39:26 | 000,017,856 | ---- | C] () -- C:\WINDOWS\System32\QHYCCDINSTALLER.dll
[2014/05/07 03:50:18 | 000,006,465 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Local Settings\Application Data\recently-used.xbel
[2014/03/08 15:41:37 | 000,000,100 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\.gtk-bookmarks
[2013/06/08 07:42:56 | 000,001,827 | ---- | C] () -- C:\WINDOWS\iris.ini
[2013/03/06 02:13:01 | 000,431,280 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/12/16 15:41:23 | 000,000,580 | ---- | C] () -- C:\WINDOWS\HTDATALOGGER.ini
[2011/11/05 12:48:13 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Local Settings\Application Data\WebpageIcons.db
[2010/03/24 13:10:07 | 000,044,403 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\logo.miff
[2010/03/15 04:26:22 | 000,000,197 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\gnuplot_history
[2010/02/25 10:57:15 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\$_hpcst$.hpc
[2010/02/13 20:39:45 | 000,000,441 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\SamsungLiveUpdateConfig.ini
[2009/09/11 15:04:50 | 000,011,400 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\gsview32.ini
[2009/08/12 15:44:46 | 000,000,565 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\wgnuplot.ini
[2008/08/25 23:52:34 | 000,000,038 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\_lesshst
[2008/08/25 17:19:43 | 000,019,727 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\.octave_hist
[2008/07/10 00:47:21 | 000,002,349 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\registax.ini
[2008/06/10 06:53:09 | 000,000,294 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\suchandsuch-org-publickey
[2007/12/30 01:03:38 | 000,001,377 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/12/16 20:49:32 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Local Settings\Application Data\PUTTY.RND
[2007/02/11 11:05:33 | 000,004,622 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\vnc.conf
[2006/06/02 22:06:31 | 000,063,730 | ---- | C] () -- C:\Program Files\viewsonicinstruct_xp.pdf
[2006/05/12 05:12:33 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Untitled.tgl
[2006/03/29 21:13:22 | 000,000,109 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\stereoscope.ini
[2005/11/06 22:14:09 | 000,274,467 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\.fonts.cache-1
[2005/02/28 13:21:12 | 000,000,196 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\default.pls
[2005/02/15 21:11:43 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2004/09/25 15:04:42 | 000,001,932 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\AVSEdit Settings.bin
[2004/09/25 15:03:44 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Local Settings\Application Data\fusioncache.dat
[2003/05/16 03:10:13 | 000,000,147 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\.appletviewer
[2003/05/14 01:41:31 | 000,004,436 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\tempfile.diff
[2003/05/11 03:39:48 | 000,000,715 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\.plugin141_02.trace
[2003/04/07 20:10:06 | 000,002,158 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\.powerupdate.user.properties
[2003/04/07 20:10:06 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\.installanywhere.user.properties
[2003/02/26 22:06:40 | 000,032,256 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/02/15 22:29:30 | 000,000,746 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxx\.plugin141_01.trace
 
========== ZeroAccess Check ==========
 
[2004/09/25 13:30:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 04:42:06 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2008/04/14 04:41:54 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 12:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2005/06/29 21:09:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\.bittorrent
[2003/11/12 22:05:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\ActiveState
[2010/09/12 14:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Audacity
[2009/03/30 16:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\avidemux
[2012/09/13 00:57:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Borland
[2010/12/05 11:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Canneverbe Limited
[2013/11/16 22:19:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Canon
[2013/11/16 22:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Canon_Inc_IC
[2009/12/29 17:28:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\CodeGear
[2009/11/10 19:43:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/08/31 15:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\com.ebay.sandimas.public-beta.AA1EEF5552BF52051F68E7EAF27E23FA6449A65C.1
[2005/11/15 13:54:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\CursorArts
[2005/10/31 09:24:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\DataLayer
[2011/09/06 19:10:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\DevJET
[2008/09/21 20:50:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\DNA
[2014/04/17 07:34:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Embarcadero
[2012/11/07 03:33:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\FileZilla
[2008/08/25 18:46:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\fityk
[2008/09/10 15:30:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\GARMIN
[2003/02/18 20:26:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\GlobalSCAPE
[2012/05/16 16:50:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\gtk-2.0
[2008/12/17 20:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\HDRsoft
[2007/12/20 21:01:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\ImgBurn
[2006/03/04 10:24:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Leadertech
[2005/10/31 08:48:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\MobileAction
[2009/08/23 17:56:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\NASA
[2005/07/15 21:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\NetMedia Providers
[2008/03/22 16:12:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Netscape
[2003/04/25 02:08:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Nikon
[2010/08/03 21:00:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Nokia
[2009/05/26 07:47:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\OfficeUpdate12
[2011/01/06 09:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Open Watcom
[2012/11/23 00:56:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\OpenOffice.org
[2008/11/07 20:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Opera
[2012/01/28 01:32:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Oracle
[2010/02/25 11:00:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\PC Suite
[2014/03/12 16:56:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\PDF Architect
[2014/03/12 16:52:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\pdfforge
[2009/04/28 14:50:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\PE Explorer
[2005/07/15 21:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Publish Providers
[2011/10/06 23:46:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Samsung
[2010/03/16 19:54:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Scilab
[2013/04/27 11:19:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Scooter Software
[2012/04/20 12:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\SmartBear
[2009/02/21 21:13:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Sony
[2011/06/12 16:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Stellarium
[2011/09/06 22:46:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Subversion
[2003/11/30 20:27:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\TextPad
[2010/08/25 21:04:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Thunderbird
[2009/11/16 21:01:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Topten Software
[2014/05/02 13:18:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\U.S. Naval Observatory
[2006/03/07 10:22:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Ulead Systems
[2009/11/18 01:27:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Voxengo
[2012/02/04 15:20:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Windows Desktop Search
[2012/02/04 17:12:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Windows Search
[2006/07/18 23:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\WinMX Music
[2010/09/09 23:16:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\44755A6B-3F1D-4238-B2EF-77D59B73B320
[2009/10/02 13:22:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BOINC
[2005/03/26 06:03:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland
[2010/12/05 11:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2010/11/16 21:04:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2013/12/02 07:19:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canon_Inc_IC
[2013/01/06 02:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DeepSkyStacker
[2014/05/13 23:20:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2014/06/05 12:42:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Embarcadero
[2008/10/26 23:20:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Equation Wizard
[2009/05/27 18:51:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2008/09/10 15:30:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2010/08/03 20:57:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2011/08/15 10:30:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IProt
[2008/01/26 05:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Matrox
[2010/02/25 11:00:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2011/03/13 07:06:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
[2011/09/06 19:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Raize
[2010/08/26 21:34:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung
[2012/09/04 12:11:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartBear
[2005/12/10 18:47:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2006/09/04 21:58:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Softdisk LLC
[2011/07/08 07:55:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/04/13 15:35:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2013/04/24 05:57:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{01CD0E72-1D08-4B21-84C4-C96BE90080B2}
[2012/04/20 12:26:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{05500BA0-5731-46FD-9326-FA79A36E6D46}
[2010/07/09 19:38:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{0AACF4C1-EFDF-412A-8AAB-F4C23000EA28}
[2014/04/17 06:50:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{0DE47792-19BD-4AF4-B9CF-6378FBA44825}
[2012/08/13 02:09:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{16DDC977-28D8-44E8-8358-8BBFBEE97FE7}
[2009/12/29 16:55:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{2563F97A-045F-4E4C-9DB1-D5D26C269882}
[2014/01/14 00:30:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{2D559015-4C05-4AE5-8C8B-7E13E1EAB09D}
[2010/06/09 01:41:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/09/04 11:34:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{4C1A27DF-1043-4893-9757-DE2CE28C3D82}
[2014/01/13 00:49:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{64FC42F6-3358-4CC4-B977-B0BB87927B07}
[2009/09/10 16:51:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2013/04/24 05:48:47 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{857B0D11-62C8-4FE0-B933-B80313FE43AD}
[2014/04/17 07:03:09 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{8BC39306-28C8-4CAB-801D-9BB22E813571}
[2009/05/08 21:08:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2014/01/13 00:36:56 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{D8AD9B23-35FA-4AA7-9779-6B9D955BAB23}
[2012/11/04 20:31:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EB57C875-F849-4B7C-8632-9D9B47675823}
[2012/05/05 00:55:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{F7D4D386-417C-4A74-AE20-47CA69DFF0A9}
[2011/10/05 22:07:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~0
[2012/09/06 20:01:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~1
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< %USERPROFILE%\..|smtmp;true;true;true /FP >
 
< %temp%\smtmp\*.* /s > >
 
< MD5 for: EXPLORER.CS  >
[2001/08/27 12:39:10 | 000,008,982 | ---- | M] () MD5=6F7CC5557ED5A1552A92F130B54EF1C1 -- C:\Program Files\Microsoft.NET\SDK\v1.1\Samples\Technologies\Interop\Basic\InternetExplorer\Explorer.cs
[2001/06/26 10:14:00 | 000,007,336 | ---- | M] () MD5=C4309B47114B5B0826FC2515BEDF8D97 -- C:\Program Files\Microsoft.NET\SDK\v1.1\Tool Developers Guide\Samples\adepends\gui\explorer.cs
 
< MD5 for: EXPLORER.DLL  >
[2009/10/26 22:51:44 | 000,237,568 | ---- | M] (Jens Lorenz) MD5=D1E125A5160C126B285BEB663811F7F8 -- C:\Octave\3.2.3_gcc-4.4.0\tools\notepad++\plugins\Explorer.dll
 
< MD5 for: EXPLORER.EXE  >
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2007/06/13 23:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2004/08/03 23:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2002/08/29 02:41:24 | 001,004,032 | ---- | M] (Microsoft Corporation) MD5=A82B28BFC2E4455FE43022A498C0EF0A -- C:\WINDOWS\$NtUninstallKB820291$\explorer.exe
 
< MD5 for: EXPLORER.EXE-082F38A9.PF  >
[2014/06/12 00:10:19 | 000,017,478 | ---- | M] () MD5=95D475D87DFA8F0FA7B12C1AF0619D2F -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
 
< MD5 for: EXPLORER.GIF  >
[2012/08/30 17:03:34 | 000,001,050 | ---- | M] () MD5=6D1B9F5221A0E3012D4C7F63A5D606FF -- C:\Program Files\SmartBear\AQtime 7\Bin\Extensions\Assistant.Files\Common\explorer.gif
[2001/10/12 00:47:16 | 000,000,312 | ---- | M] () MD5=F9D36A7BB55B61A1CC26DCF83485B55C -- C:\Purged\Develop\bingwood\cd\bingwood\scrap\explorer.gif
 
< MD5 for: EXPLORER.PROPERTIES  >
[2008/08/05 04:38:12 | 000,000,071 | ---- | M] () MD5=D891AF1F1AEC857954A155EC37A00B54 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\6.1\config\Preferences\org\openide\explorer.properties
 
< MD5 for: EXPLORER.PY  >
[2008/04/16 16:38:24 | 000,003,411 | ---- | M] () MD5=36FD689035EAE56446FE2FFCBBBCA201 -- C:\Python25\Lib\site-packages\enthought.naming-2.0.3-py2.5.egg\enthought\naming\ui\explorer.py
[2008/04/16 16:39:06 | 000,021,497 | ---- | M] () MD5=38B36906E816E6BDBFF6B2E600AAF339 -- C:\Python25\Lib\site-packages\Twisted-2.5.0.0002-py2.5-win32.egg\twisted\manhole\explorer.py
[2008/03/07 08:27:40 | 000,006,467 | ---- | M] () MD5=611948B5A2BF9B5E1BDC87CCB02F2FF3 -- C:\Python25\Examples\pyface\explorer.py
[2008/04/16 16:38:32 | 000,006,278 | ---- | M] () MD5=6C302DEEC86CB8DFAAE36D736FA4ED10 -- C:\Python25\Lib\site-packages\enthought.envisage-2.0.3-py2.5.egg\enthought\envisage\resource\ui\explorer.py
[2008/03/07 08:27:40 | 000,002,861 | ---- | M] () MD5=92E095C55CCD356548924AC24AC5C0B5 -- C:\Python25\Examples\naming\explorer.py
 
< MD5 for: EXPLORER.SCF  >
[2001/08/24 00:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf
 
< MD5 for: EXPLORER.WSMODE  >
[2003/11/04 21:33:14 | 000,000,833 | ---- | M] () MD5=05E12179C5964E25555E202EB46CFD04 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.5\system\Projects\Default\system\Windows\WindowManager\Editing\explorer.wsmode
[2004/10/22 09:18:57 | 000,000,833 | ---- | M] () MD5=05E12179C5964E25555E202EB46CFD04 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\Default\system\Windows\WindowManager\Editing\explorer.wsmode
[2008/08/05 04:01:20 | 000,000,586 | ---- | M] () MD5=1ECB373027EDB87A15EB0BE80AB34F39 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\5.5\config\Windows2Local\Modes\explorer.wsmode
[2003/11/04 21:30:48 | 000,000,712 | ---- | M] () MD5=22483FE6C54BD5D1243477182693B9AB -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.5\system\Projects\Default\system\Windows\WindowManager\Visual\explorer.wsmode
[2004/10/22 09:18:57 | 000,000,712 | ---- | M] () MD5=22483FE6C54BD5D1243477182693B9AB -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\Default\system\Windows\WindowManager\Visual\explorer.wsmode
[2003/01/20 21:18:48 | 000,000,475 | ---- | M] () MD5=37871FCC59696772CF6A7DE7CD274E0D -- C:\Purged\Develop\Java\sun-ide\system\Projects\Default\system\Windows\WindowManager\Running\explorer.wsmode
[2003/02/08 01:42:39 | 000,000,834 | ---- | M] () MD5=3974C64637F16E33134D0C5568664D43 -- C:\Purged\Develop\Java\sun-ide\system\Projects\Template\system\Windows\WindowManager\Editing\explorer.wsmode
[2004/10/22 09:21:06 | 000,000,509 | ---- | M] () MD5=3F53EB5909200088731BE3F20911CE1B -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\Default\system\Windows2Local\Modes\explorer.wsmode
[2004/10/22 09:22:05 | 000,000,509 | ---- | M] () MD5=3F53EB5909200088731BE3F20911CE1B -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\JDK 1.1\system\Windows2Local\Modes\explorer.wsmode
[2003/02/08 01:38:21 | 000,000,713 | ---- | M] () MD5=485F0A358E72CE5815B899257833C299 -- C:\Purged\Develop\Java\sun-ide\system\Projects\Template\system\Windows\WindowManager\Visual\explorer.wsmode
[2003/02/08 01:38:21 | 000,000,531 | ---- | M] () MD5=5624B0B4992ADCD1C760BB3748FA3B79 -- C:\Purged\Develop\Java\sun-ide\system\Projects\Template\system\Windows\WindowManager\Running\explorer.wsmode
[2003/05/16 03:54:44 | 000,000,835 | ---- | M] () MD5=633DF58FA234D35660EE00AAA19DB4B0 -- C:\Dev\Java\sun-ide\system\Projects\Default\system\Windows\WindowManager\Editing\explorer.wsmode
[2009/07/27 14:45:11 | 000,000,642 | ---- | M] () MD5=7258255F196B6935C7CE3759F1E5C6D6 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\6.1\config\Windows2Local\Modes\explorer.wsmode
[2004/12/21 04:01:01 | 000,000,524 | ---- | M] () MD5=7E643BB687B2AD5452DBFD0BB00F0449 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\JDK 1.4\system\Windows2Local\Modes\explorer.wsmode
[2003/11/04 21:37:33 | 000,000,833 | ---- | M] () MD5=94C37CAA4FF51383157F2D92F6B555E6 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.5\system\Projects\JDK 1.0\system\Windows\WindowManager\Editing\explorer.wsmode
[2004/10/22 09:18:58 | 000,000,833 | ---- | M] () MD5=94C37CAA4FF51383157F2D92F6B555E6 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\JDK 1.1\system\Windows\WindowManager\Editing\explorer.wsmode
[2004/10/22 09:21:59 | 000,000,833 | ---- | M] () MD5=94C37CAA4FF51383157F2D92F6B555E6 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\JDK 1.4\system\Windows\WindowManager\Editing\explorer.wsmode
[2003/01/20 21:18:50 | 000,000,754 | ---- | M] () MD5=CEEFB31722D4D40A44C50BDCDC24FB21 -- C:\Purged\Develop\Java\sun-ide\system\Projects\Default\system\Windows\WindowManager\Editing\explorer.wsmode
[2003/01/20 21:18:49 | 000,000,713 | ---- | M] () MD5=D1059F82DB0292E373069457D0A16958 -- C:\Purged\Develop\Java\sun-ide\system\Projects\Default\system\Windows\WindowManager\Visual\explorer.wsmode
[2003/11/04 21:34:34 | 000,000,618 | ---- | M] () MD5=E084AECAC1F1B22CB71A85E1789214C9 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.5\system\Projects\JDK 1.0\system\Windows\WindowManager\Visual\explorer.wsmode
[2004/10/22 09:18:59 | 000,000,618 | ---- | M] () MD5=E084AECAC1F1B22CB71A85E1789214C9 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\JDK 1.1\system\Windows\WindowManager\Visual\explorer.wsmode
[2004/10/22 09:21:59 | 000,000,618 | ---- | M] () MD5=E084AECAC1F1B22CB71A85E1789214C9 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\3.6\system\Projects\JDK 1.4\system\Windows\WindowManager\Visual\explorer.wsmode
[2005/09/10 11:17:17 | 000,000,632 | ---- | M] () MD5=EE226B5C3D4177F64C2B50FA82C48F47 -- C:\Documents and Settings\xxxxxxxxx\.netbeans\4.1\config\Windows2Local\Modes\explorer.wsmode
 
< MD5 for: IEXPLORE.CHM  >
[2009/02/21 00:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\Help\iexplore.chm
[2004/07/17 10:40:18 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie7\iexplore.chm
[2007/04/02 21:09:24 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie8\iexplore.chm
 
< MD5 for: IEXPLORE.CHW  >
[2006/11/21 23:56:10 | 000,157,092 | ---- | M] () MD5=9080B4CE6FA08AA525B3B2E2298E0BB1 -- C:\WINDOWS\Help\iexplore.chw
 
< MD5 for: IEXPLORE.EXE  >
[2008/12/19 17:25:25 | 000,634,024 | ---- | M] (Microsoft Corporation) MD5=030D78FE84A086ED376EFCBD2D72C522 -- C:\WINDOWS\ie7updates\KB963027-IE7\iexplore.exe
[2008/10/15 18:34:58 | 000,633,632 | ---- | M] (Microsoft Corporation) MD5=056C927CF7207857E8B34F7A8FFD9B9E -- C:\WINDOWS\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[2007/04/25 02:26:26 | 000,625,152 | ---- | M] (Microsoft Corporation) MD5=10BDB55982586A432A3951EB19A26009 -- C:\WINDOWS\ie7updates\KB939653-IE7\iexplore.exe
[2008/12/19 17:25:30 | 000,634,024 | ---- | M] (Microsoft Corporation) MD5=15E8A89499741D5CF59A9CF6463A4339 -- C:\WINDOWS\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[2008/04/22 20:02:46 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=197B7E4030CFBD8D2979D375E1787AA2 -- C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[2008/08/23 17:56:15 | 000,635,848 | ---- | M] (Microsoft Corporation) MD5=1F03216084447F990AE797317D0A6E70 -- C:\WINDOWS\ie7updates\KB958215-IE7\iexplore.exe
[2008/04/22 19:40:18 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=232B22817B90AE0AFF2D189E3E3735AC -- C:\WINDOWS\ie7updates\KB953838-IE7\iexplore.exe
[2007/12/06 23:01:25 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=2703D940A62B731AA220529DD7331A78 -- C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
[2008/02/29 20:55:46 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=2D0E5592AB5A46C27DAF7CCAFF4F5B59 -- C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
[2007/08/17 22:21:21 | 000,625,152 | ---- | M] (Microsoft Corporation) MD5=3AC2BC667DA0AF2C968E96E1630F5AB5 -- C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
[2006/10/17 12:04:40 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=5334D4461AA92A7B008755FE6D13C5F2 -- C:\WINDOWS\ie7updates\KB928090-IE7\iexplore.exe
[2007/08/17 22:12:49 | 000,625,152 | ---- | M] (Microsoft Corporation) MD5=5577D0E3AC2F9F035ACD81B44AF5F511 -- C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe
[2008/04/14 04:42:24 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ie8\iexplore.exe
[2007/10/10 20:16:56 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=632BDE0179847234433CA50945442ACB -- C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[2008/06/23 21:20:52 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=64E376A47763DAEABCDA14BD5B6EA286 -- C:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe
[2007/02/21 20:00:58 | 000,623,616 | ---- | M] (Microsoft Corporation) MD5=683DDE71BCF03B501B912D20CB93B549 -- C:\WINDOWS\ie7updates\KB933566-IE7\iexplore.exe
[2008/02/22 21:40:22 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=6E0888626E0CAC79F57149814E22DB4D -- C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[2007/12/06 20:34:45 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=809D17D8FA0FDAEE07778CD821CAFFDE -- C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
[2007/01/08 17:08:42 | 000,623,616 | ---- | M] (Microsoft Corporation) MD5=93A6A4F5293AE19E3B37021AABCF0902 -- C:\WINDOWS\ie7updates\KB931768-IE7\iexplore.exe
[2007/04/25 02:20:41 | 000,625,152 | ---- | M] (Microsoft Corporation) MD5=9B3516C1F30DA17ADD3818573047D63C -- C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe
[2008/10/15 19:06:26 | 000,633,632 | ---- | M] (Microsoft Corporation) MD5=9D3DB9ADFABD2F0BC778EC03250A3ABB -- C:\WINDOWS\ie7updates\KB961260-IE7\iexplore.exe
[2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2009/02/28 16:54:44 | 000,636,088 | ---- | M] (Microsoft Corporation) MD5=BCD8E48709BE4A79606F0B6E8E9A6162 -- C:\WINDOWS\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[2008/06/23 20:23:52 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=C52A9EF571E91535EB78DB4B8B95EA07 -- C:\WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[2007/02/28 18:51:34 | 000,625,152 | ---- | M] (Microsoft Corporation) MD5=D321092F8529CDAE843D6E24E3CAC6CB -- C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe
[2004/08/03 23:56:52 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=E7484514C0464642BE7B4DC2689354C8 -- C:\WINDOWS\ie7\iexplore.exe
[2008/08/23 17:56:16 | 000,635,848 | ---- | M] (Microsoft Corporation) MD5=E8305C30D35E85D6657ED3E9934CB302 -- C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[2007/10/10 22:59:52 | 000,625,152 | ---- | M] (Microsoft Corporation) MD5=E854D02E4231F704D9BE782A424E6D8B -- C:\WINDOWS\ie7updates\KB944533-IE7\iexplore.exe
 
< MD5 for: IEXPLORE.EXE.MUI  >
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\iexplore.exe.mui
 
< MD5 for: IEXPLORE.EXE-27122324.PF  >
[2014/05/27 17:00:44 | 000,092,060 | ---- | M] () MD5=BFFB107FB13F6F7092B658F0D06F86C6 -- C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf
 
< MD5 for: IEXPLORE.HLP  >
[2001/08/24 00:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS\Help\iexplore.hlp
 
< MD5 for: IEXPLORE.ICO  >
[1998/06/15 00:00:00 | 000,010,134 | ---- | M] () MD5=E1DE25357FB7464E0E8E2BA76A1F1757 -- C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Template\ATL\IEXPLORE.ICO
 
< MD5 for: SERVICES  >
[2009/06/09 11:21:02 | 000,018,396 | ---- | M] () MD5=31E3D9EC21CFCFBA97AF98AC61025C6E -- C:\www\horowhenua.org.nz\malcoms_odd_files\etc\services
[2014/04/17 06:58:26 | 000,007,188 | ---- | M] () MD5=9B32920E7448AA54B22C7FCEAF7071B5 -- C:\WINDOWS\system32\drivers\etc\services
 
< MD5 for: SERVICES.001  >
[2001/08/24 00:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services.001
 
< MD5 for: SERVICES.002  >
[2012/09/04 03:17:16 | 000,007,188 | ---- | M] () MD5=9B32920E7448AA54B22C7FCEAF7071B5 -- C:\WINDOWS\system32\drivers\etc\services.002
 
< MD5 for: SERVICES.CFG  >
[2012/12/19 07:08:30 | 000,559,043 | ---- | M] () MD5=BA25E8F1460C7453B7488FE4B42F6919 -- C:\Program Files\Adobe\Reader 11.0\Reader\Services\Services.cfg
 
< MD5 for: SERVICES.EXE  >
[2009/02/06 23:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2009/02/06 23:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[2008/04/14 04:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\system32\dllcache\services.exe
[2008/04/14 04:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\system32\services.exe
[2009/02/07 05:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=37561F8D4160D62DA86D24AE41FAE8DE -- C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[2009/02/06 22:22:21 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=4712531AB7A01B7EE059853CA17D39BD -- C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[2009/02/06 23:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
 
< MD5 for: SERVICES.GIF  >
[2004/10/23 05:00:00 | 000,001,022 | ---- | M] () MD5=144D37B4269ACB48E166EE0244B3827B -- C:\Program Files\Borland\BDS\3.0\Demos\IntraWeb\Win32\DieFlyDie\Files\services.gif
 
< MD5 for: SERVICES.HTML  >
[2012/05/16 15:29:59 | 000,109,895 | ---- | M] () MD5=27C527CBCA5F2A406A8705400A044C5C -- C:\Program Files\Android\android-sdk\docs\guide\topics\fundamentals\services.html
[1999/04/26 07:51:48 | 000,001,844 | R--- | M] () MD5=4BB6F4F0BBF2BE29974B73781D71AAEF -- C:\BDK\beans\doc\services.html
 
< MD5 for: SERVICES.JAVA  >
[2012/05/16 15:36:15 | 000,006,748 | R--- | M] () MD5=411111AD775B441DDCC5D4EFF612F591 -- C:\Program Files\Android\android-sdk\sources\android-15\org\apache\harmony\security\fortress\Services.java
 
< MD5 for: SERVICES.LNK  >
[2014/01/12 22:24:54 | 000,001,608 | ---- | M] () MD5=A988A0D80467E75DD53CBE02B02696E5 -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk
 
< MD5 for: SERVICES.M  >
[2009/03/05 17:33:34 | 000,024,015 | ---- | M] () MD5=E5E8598A64BD1FAE04BBBF8AA8F8D092 -- C:\Program Files\Wolfram Research\Mathematica Player\7.0\SystemFiles\Autoload\PacletManager\Kernel\Services.m
 
< MD5 for: SERVICES.MSC  >
[2001/08/24 00:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc
 
< MD5 for: SERVICES.MXSD  >
[2005/11/15 02:57:34 | 000,005,944 | ---- | M] () MD5=4019A19F36C29E4951E76134E0CC2894 -- C:\Downloads\Software\Development\Java\Eclipse\eclipse-SDK-3.1-win32\eclipse\plugins\org.eclipse.rcp.source_3.1.0\src\org.eclipse.ui_3.1.0\schema\services.mxsd
 
< MD5 for: SERVICES.PY  >
[2008/04/16 16:38:26 | 000,000,303 | ---- | M] () MD5=175161982808AEE24264EE3D305BD589 -- C:\Python25\Lib\site-packages\enthought.mayavi-2.1.1-py2.5.egg\enthought\mayavi\services.py
[2008/04/16 16:38:32 | 000,000,545 | ---- | M] () MD5=804B197283AB787C975D41D74708D016 -- C:\Python25\Lib\site-packages\enthought.envisage-2.0.3-py2.5.egg\enthought\envisage\single_project\services.py
[2008/04/16 16:38:28 | 000,000,083 | ---- | M] () MD5=8C9D2BAEB173B72A04AD8A8228967BDA -- C:\Python25\Lib\site-packages\enthought.logger-2.0.3-py2.5.egg\enthought\logger\plugin\services.py
[2008/04/16 16:38:20 | 000,000,213 | ---- | M] () MD5=BF0EDD57077A60764240BD79F1C8B09F -- C:\Python25\Lib\site-packages\enthought.tvtk-2.0.2-py2.5-win32.egg\enthought\tvtk\plugins\browser\services.py
[2008/04/16 16:38:20 | 000,000,206 | ---- | M] () MD5=DC0DC7C638305EA2A96DD52E0265ABFE -- C:\Python25\Lib\site-packages\enthought.tvtk-2.0.2-py2.5-win32.egg\enthought\tvtk\plugins\scene\services.py
[2008/04/16 16:38:32 | 000,000,164 | ---- | M] () MD5=ED9A385A5C51EE4D4A3E7771B0AF9E7D -- C:\Python25\Lib\site-packages\enthought.envisage-2.0.3-py2.5.egg\enthought\envisage\workbench\services.py
 
< MD5 for: SERVICES.RDB  >
[2012/08/13 09:51:02 | 000,178,348 | ---- | M] () MD5=039C8CFBD74EE07F38CD9E4C7D95C5C6 -- C:\Program Files\OpenOffice.org 3\Basis\program\services.rdb
[2012/08/13 09:51:02 | 000,000,453 | ---- | M] () MD5=3D2ADA15FEF5B5FF468243161543D610 -- C:\Program Files\OpenOffice.org 3\program\services.rdb
[2012/08/10 14:12:16 | 000,008,060 | ---- | M] () MD5=7CA7D7150EC46321162F932ADCF5F35B -- C:\Program Files\OpenOffice.org 3\URE\misc\services.rdb
 
< MD5 for: WINLOGON.EXE  >
[2002/08/29 02:41:28 | 000,516,608 | ---- | M] (Microsoft Corporation) MD5=2246D8D8F4714A2CEDB21AB9B1849ABB -- C:\WINDOWS\$NtUninstallKB840987$\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe
 
< %SYSTEMDRIVE%\*.* >
[2009/08/13 00:41:29 | 000,001,866 | ---- | M] () -- C:\.octave_hist
[2013/06/28 19:40:27 | 000,000,000 | ---- | M] () -- C:\=,@&!.txt
[2010/12/05 09:31:37 | 000,000,332 | -H-- | M] () -- C:\aaw7boot.cmd
[2013/02/12 21:34:39 | 000,000,085 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/08/15 04:57:20 | 000,000,585 | ---- | M] () -- C:\BcBtRmv.log
[2014/05/29 22:01:48 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/04/13 23:02:08 | 000,260,288 | RHS- | M] () -- C:\cmldr
[2014/01/12 22:24:48 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2003/02/15 12:02:05 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2003/02/15 12:02:05 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/13 21:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/13 23:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2014/06/11 16:30:29 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/10/04 13:16:22 | 000,003,250 | ---- | M] () -- C:\pcwdbg.log
 
< %systemroot%\Fonts\*.com >
[2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
 
< %systemroot%\Fonts\*.dll >
 
< %systemroot%\Fonts\*.ini >
[2014/01/12 22:24:16 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini
 
< %systemroot%\Fonts\*.ini2 >
 
< %systemroot%\Fonts\*.exe >
 
< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2002/09/05 16:00:00 | 000,013,824 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD3m.DLL
[2002/09/05 13:00:00 | 000,046,080 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP3m.DLL
[2008/07/07 00:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 22:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
 
< %systemroot%\REPAIR\*.bak1 >
 
< %systemroot%\REPAIR\*.ini >
 
< %systemroot%\system32\*.jpg >
 
< %systemroot%\*.jpg >
 
< %systemroot%\*.png >
 
< %systemroot%\*.scr >
[2009/06/10 11:05:34 | 000,828,160 | ---- | M] (Space Sciences Laboratory) -- C:\WINDOWS\boinc.scr
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
< %systemroot%\*._sy >
 
< %APPDATA%\Adobe\Update\*.* >
 
< %ALLUSERSPROFILE%\Favorites\*.* >
 
< %APPDATA%\Microsoft\*.* >
 
< %PROGRAMFILES%\*.* >
[2002/09/12 02:26:52 | 000,063,730 | ---- | M] () -- C:\Program Files\viewsonicinstruct_xp.pdf
 
< %APPDATA%\Update\*.* >
 
< %systemroot%\*. /mp /s >
 
< dir "%systemdrive%\*" /S /A:L /C >
 Volume in drive C is System
 Volume Serial Number is B8A9-CD1E
 Directory of C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices
16/05/2013  11:16 p.m.    <JUNCTION>     2.0.0.0__b03f5f7f11d50a3a
               0 File(s)              0 bytes
 Directory of C:\WINDOWS\assembly\GAC_MSIL\Borland.Data.Common
29/12/2009  04:46 p.m.    <JUNCTION>     3.0.0.0__91d62ebb5b0d1b1b
               0 File(s)              0 bytes
 Directory of C:\WINDOWS\assembly\GAC_MSIL\Borland.Data.Provider
29/12/2009  04:46 p.m.    <JUNCTION>     3.0.0.0__91d62ebb5b0d1b1b
               0 File(s)              0 bytes
 Directory of C:\WINDOWS\assembly\GAC_MSIL\Borland.Vcl
29/12/2009  04:46 p.m.    <JUNCTION>     14.0.0.0__91d62ebb5b0d1b1b
               0 File(s)              0 bytes
 Directory of C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote
16/05/2013  11:16 p.m.    <JUNCTION>     2.0.0.0__b03f5f7f11d50a3a
               0 File(s)              0 bytes
 Directory of C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices
16/05/2013  11:12 p.m.    <JUNCTION>     v4.0_4.0.0.0__b03f5f7f11d50a3a
               0 File(s)              0 bytes
 Directory of C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler
14/01/2014  12:00 a.m.    <JUNCTION>     v4.0_4.0.0.0__31bf3856ad364e35
               0 File(s)              0 bytes
     Total Files Listed:
               0 File(s)              0 bytes
               7 Dir(s)  54,694,506,496 bytes free
 
< %systemroot%\System32\config\*.sav >
[2014/01/13 10:53:31 | 000,786,432 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2014/01/12 09:44:48 | 000,262,144 | ---- | M] () -- C:\WINDOWS\System32\config\security.sav
[2014/01/13 10:53:31 | 069,992,448 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2014/01/13 10:53:31 | 010,485,760 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav
 
< %PROGRAMFILES%\bak. /s >
 
< %systemroot%\system32\bak. /s >
 
< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2014/01/12 22:24:54 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini
 
< %systemroot%\system32\config\systemprofile\*.dat /x >
 
< %systemroot%\*.config >
 
< %systemroot%\system32\*.db >
 
< %PROGRAMFILES%\Internet Explorer\*.dat >
 
< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/02/12 16:16:43 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2003/02/16 21:13:50 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
 
< %USERPROFILE%\Desktop\*.exe >
 
< %PROGRAMFILES%\Common Files\*.* >
 
< %systemroot%\*.src >
 
< %systemroot%\install\*.* >
 
< %systemroot%\system32\DLL\*.* >
 
< %systemroot%\system32\HelpFiles\*.* >
 
< %systemroot%\system32\rundll\*.* >
 
< %systemroot%\winn32\*.* >
 
< %systemroot%\Java\*.* >
 
< %systemroot%\system32\test\*.* >
 
< %systemroot%\system32\Rundll32\*.* >
 
< %systemroot%\AppPatch\Custom\*.* >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-06-18 04:01:26
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:408F95E5
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F7B65412
 
< End of report >
 

Attached Files


Edited by ken545, 11 June 2014 - 05:34 PM.

    Advertisements

Register to Remove


#2 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 12 June 2014 - 09:57 AM

Hi zorkon,

My name is OCD.

 

I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands.

A few items we should address before we can continue.

Important information regarding Windows XP

Microsoft will no longer offer support for Windows XP beginning on April 8, 2014

If you are running Windows XP, please take the time to read the information provided at these links.

= = = = = = = = = = = = = = = = = = = =

Also, in your opening statement you said that this is a "work machine". Can you please explain what you mean by work machine?


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#3 zorkon

zorkon

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 12 June 2014 - 11:21 AM

Hello OCD,

 

By "work machine" I mean that I only use it for work (programming) and do not usually use it to go online. I have a separate Linux machine here for internet stuff.

 

I understand the risks for XP online after 8 April and the machine has not actually been online since then. I do sometimes use a flash drive to move files to and fro when I have to.

 

-zorkon



#4 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 12 June 2014 - 11:51 AM

Hi zorkon,

Thanks for your reply.
 

By "work machine" I mean that I only use it for work (programming) and do not usually use it to go online.

I just needed to confirm that this computer is not used for commercial purposes. Situations that arise on a business computer we are unable to offer assistance. Since we don't know all the parameters of the business we suggest that the companies' IT department handle any issues that are encountered.

In reviewing your logs, is it safe to assume that you edited out the information in the logs with "xxxx"?
By editing a file path it might prove difficult in removing certain files. It is fine to edit the header if you choose, but you may have to leave the path names intact so the fixes I provide will properly target the desired file/folders.

Did you make these settings?

 

FF - prefs.js..network.proxy.autoconfig_url: "file:///c:/windows/no-ads.pac"
FF - prefs.js..network.proxy.backup.ftp: "122.248.235.140"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.gopher: "200.19.159.35"
FF - prefs.js..network.proxy.backup.gopher_port: 3128
FF - prefs.js..network.proxy.backup.socks: "122.248.235.140"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "122.248.235.140"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "122.248.235.140"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "200.19.159.35"
FF - prefs.js..network.proxy.gopher_port: 3128
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "122.248.235.140"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "122.248.235.140"
FF - prefs.js..network.proxy.ssl_port: 80
FF - prefs.js..network.proxy.type: 0


=========================

bullseye_zpse9eaf36e.gif Run OTL.exe

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    
    :Commands
    [purity]
    [createrestorepoint]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

=========================

In your next post please provide the following:

  • OTL fix log
  • Answer to my questions.
  • Are you experiencing any symptoms?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#5 zorkon

zorkon

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 12 June 2014 - 01:57 PM

Hello OCD,

 

Many thanks for looking at this.

 

I confirm it is a private home machine and not a business machine.

 

I replaced my username in the logs with 9 x's, so I will search/replace these in any pathnames/instructions if necessary.

 

 

For FF settings:

I did make the first setting for the no-ads autoconfig url

FF - prefs.js..network.proxy.autoconfig_url: "file:///c:/windows/no-ads.pac"

 

For the others:

I have changed the http proxy at times in the past, but have never had a reason to change the other ftp, gopher, socks, ssl proxies. At the moment Firefox settings are set to No proxy. I suppose it's possible these are cached somehow?

 

 

Have run the custom OTL commands and log follows below. I received a prompt on reboot from Outlook Express asking to compact messages. Best to OK or Cancel, or doesn't matter? Not noticing any other symptoms.

 

 

06132014_072502.log:

 

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
File No CLSID not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point
 
[EMPTYTEMP]
 
User: xxxxxxxxx
->Temp folder emptied: 216564681 bytes
->Temporary Internet Files folder emptied: 523157 bytes
->Java cache emptied: 1319590 bytes
->FireFox cache emptied: 72905080 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 41831 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 81569 bytes
->Flash cache emptied: 41 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 934544 bytes
->Temporary Internet Files folder emptied: 30419784 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 81569 bytes
->Flash cache emptied: 41 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 22982161 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 193303 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 291580446 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 95181 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 608.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 06132014_072502
 
Files\Folders moved on Reboot...
 
PendingFileRenameOperations files...
 
Registry entries deleted on Reboot...



#6 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 12 June 2014 - 03:40 PM

Hi zorkon,
 

I received a prompt on reboot from Outlook Express asking to compact messages. Best to OK or Cancel, or doesn't matter?

Compacting helps, but if this machine isn't used for internet use then it probably doesn't matter.

bullseye_zpse9eaf36e.gif aswMBR

Download aswMBR.exe and save it to your desktop.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.
=========================

bullseye_zpse9eaf36e.gif Run OTL.exe
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    FF - prefs.js..network.proxy.backup.ftp: "122.248.235.140"
    FF - prefs.js..network.proxy.backup.ftp_port: 80
    FF - prefs.js..network.proxy.backup.gopher: "200.19.159.35"
    FF - prefs.js..network.proxy.backup.gopher_port: 3128
    FF - prefs.js..network.proxy.backup.socks: "122.248.235.140"
    FF - prefs.js..network.proxy.backup.socks_port: 80
    FF - prefs.js..network.proxy.backup.ssl: "122.248.235.140"
    FF - prefs.js..network.proxy.backup.ssl_port: 80
    FF - prefs.js..network.proxy.ftp: "122.248.235.140"
    FF - prefs.js..network.proxy.ftp_port: 80
    FF - prefs.js..network.proxy.gopher: "200.19.159.35"
    FF - prefs.js..network.proxy.gopher_port: 3128
    FF - prefs.js..network.proxy.http_port: 80
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.socks: "122.248.235.140"
    FF - prefs.js..network.proxy.socks_port: 80
    FF - prefs.js..network.proxy.ssl: "122.248.235.140"
    FF - prefs.js..network.proxy.ssl_port: 80
    FF - prefs.js..network.proxy.type: 0
    
    :Commands
    [purity]
    [createrestorepoint]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then re-run OTL and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
=========================

Please do not edit out the information (9 x's) from the new OTL log. If you don't want the information posted on the public forum, you can attach the file instead. It can still be downloaded, but it won't be readily visible.

In your next post please provide the following:
  • OTL fix log
  • attach Fresh OTL.txt
  • aswMBR.txt
  • attach MBR.zip

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#7 zorkon

zorkon

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 12 June 2014 - 04:06 PM

Please do not edit out the information (9 x's) from the new OTL log. If you don't want the information posted on the public forum, you can attach the file instead. It can still be downloaded, but it won't be readily visible.

 

Quick question: are the attached files indexed by search engines? (That's my main concern)



#8 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 12 June 2014 - 05:02 PM

Hi zorkon,

 

 

Quick question: are the attached files indexed by search engines? (That's my main concern)

 

 

I'm sorry, but I don't understand what you are asking.


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#9 zorkon

zorkon

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 13 June 2014 - 02:37 PM

Hello OCD,

 

Here are the files requested:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-06-13 21:11:55
-----------------------------
21:11:55.453    OS Version: Windows 5.1.2600 Service Pack 3
21:11:55.453    Number of processors: 4 586 0x503
21:11:55.453    ComputerName: AARONS-PC  UserName: adrawson
21:12:05.765    Initialize success
21:12:40.593    AVAST engine defs: 14061201
21:12:57.453    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
21:12:57.453    Disk 0 Vendor:   Size: 0MB BusType: 0
21:12:57.453    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19
21:12:57.453    Disk 1 Vendor:   Size: 0MB BusType: 0
21:12:57.562    Disk 0 MBR read successfully
21:12:57.562    Disk 0 MBR scan
21:12:57.562    Disk 0 Windows XP default MBR code
21:12:57.562    Disk 0 MBR hidden
21:12:57.562    Disk 0 Partition 1 00     07    HPFS/NTFS NTFS       499999 MB offset 63
21:12:57.593    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       479996 MB offset 1023999165
21:12:57.593    Disk 0 Partition - 80 (A) 0F Extended LBA            450800 MB offset 2007032580
21:12:57.609    Disk 0 Partition 3 00     82   Linux swap              2055 MB offset 2007032643
21:12:57.609    Disk 0 Partition - 00     05     Extended             20481 MB offset 2011241610
21:12:57.609    Disk 0 Partition 4 00     83        Linux             20481 MB offset 2011241673
21:12:57.625    Disk 0 Partition - 00     05     Extended            102398 MB offset 2057396355
21:12:57.625    Disk 0 Partition 5 00     83        Linux            102398 MB offset 2053187388
21:12:57.640    Disk 0 scanning C:\WINDOWS\system32\drivers
21:13:07.796    Service scanning
21:13:13.312    Service kl1 C:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5
21:13:13.406    Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5
21:13:13.406    Service klkbdflt C:\WINDOWS\system32\DRIVERS\klkbdflt.sys **LOCKED** 5
21:13:13.421    Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5
21:13:13.437    Service kltdi C:\WINDOWS\system32\DRIVERS\kltdi.sys **LOCKED** 5
21:13:13.484    Service kneps C:\WINDOWS\system32\DRIVERS\kneps.sys **LOCKED** 5
21:13:21.859    Modules scanning
21:13:25.062    Disk 0 trace - called modules:
21:13:25.093    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS  
21:13:25.093    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aedbab8]
21:13:25.093    3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000081[0x8af879e8]
21:13:25.093    5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8af63940]
21:13:26.437    AVAST engine scan C:\WINDOWS
21:13:38.703    AVAST engine scan C:\WINDOWS\system32
21:17:11.796    AVAST engine scan C:\WINDOWS\system32\drivers
21:17:39.281    AVAST engine scan C:\Documents and Settings\adrawson
21:30:53.187    AVAST engine scan C:\Documents and Settings\All Users
23:42:28.437    Scan finished successfully
23:49:58.406    Disk 0 MBR has been saved successfully to "C:\Downloads\Software\Utilities\whatthetech\topost2\MBR.dat"
23:49:58.406    The log file has been saved successfully to "C:\Downloads\Software\Utilities\whatthetech\topost2\aswMBR.txt"
 

 

--------------------------------------------

 

 

All processes killed
========== OTL ==========
Prefs.js: "122.248.235.140" removed from network.proxy.backup.ftp
Prefs.js: 80 removed from network.proxy.backup.ftp_port
Prefs.js: "200.19.159.35" removed from network.proxy.backup.gopher
Prefs.js: 3128 removed from network.proxy.backup.gopher_port
Prefs.js: "122.248.235.140" removed from network.proxy.backup.socks
Prefs.js: 80 removed from network.proxy.backup.socks_port
Prefs.js: "122.248.235.140" removed from network.proxy.backup.ssl
Prefs.js: 80 removed from network.proxy.backup.ssl_port
Prefs.js: "122.248.235.140" removed from network.proxy.ftp
Prefs.js: 80 removed from network.proxy.ftp_port
Prefs.js: "200.19.159.35" removed from network.proxy.gopher
File - not found.
Prefs.js: 80 removed from network.proxy.http_port
Prefs.js: true removed from network.proxy.share_proxy_settings
Prefs.js: "122.248.235.140" removed from network.proxy.socks
Prefs.js: 80 removed from network.proxy.socks_port
Prefs.js: "122.248.235.140" removed from network.proxy.ssl
Prefs.js: 80 removed from network.proxy.ssl_port
Prefs.js: 0 removed from network.proxy.type
========== COMMANDS ==========
Restore point Set: OTL Restore Point
 
[EMPTYTEMP]
 
User: adrawson
->Temp folder emptied: 122160887 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 255 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 117.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 06132014_235126
 
Files\Folders moved on Reboot...
 
PendingFileRenameOperations files...
 
Registry entries deleted on Reboot...

Attached Files

  • Attached File  OTL.Txt   88.66KB   217 downloads
  • Attached File  MBR.zip   518bytes   193 downloads


#10 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 13 June 2014 - 09:25 PM

Hi zorkon,

Your logs are looking pretty good.

bullseye_zpse9eaf36e.gif Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware (save it to your desktop).
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Select Scan tab.
    MBAMDashboard_zpsddef9b5f.gif
  • Select type of scan to perform:
    MBAMScanTab_zps2c5e74bd.gif
    • Threat Scan < --- Select this type of scan
    • Custom Scan
    • Hyper Scan
  • Next click the Scan button.
  • When the scan is complete, if no malicious items are found you can close the program.
  • If malicious items are found be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
=========================


bullseye_zpse9eaf36e.gif ESET Online Scanner

*Note:
  • It is recommended to disable on-board antivirus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
  • Please don't go surfing while your resident protection is disabled!
  • Once the scan is finished remember to re-enable your antivirus along with your anti-spyware programs.
** You need to run your browser with Administrator Rights, to do so right click your browsers short cut and select "Run as Administrator".

= = = = = = = = = = = = = = = = = = = =

Go here to run ESET Online Scanner

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, click List of found threats
  • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  • Include the contents of this report in your next reply

    Note - when ESET doesn't find any threats, no report will be created.
  • Push the back button.
  • Push Finish
  • Re-enable your Antivirus software.
=========================

In your next post please provide the following:
  • MBAM log
  • ESET's log.txt
  • How's the computer running, any symptoms?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.

    Advertisements

Register to Remove


#11 zorkon

zorkon

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 13 June 2014 - 11:45 PM

As soon as I click "Scan Now" on Malwarebytes the program freezes the computer so that I have to press the reset button on the case. Is this a known problem?



#12 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 13 June 2014 - 11:52 PM

Hi zorkon,

 

Go to Start > All Programs > Malwarebytes Antimalware > Tools > Malwarebytes Anti-malware Chameleon and it will take you to this page
ChameleonPic.jpg

Then click on the first link to run Malwarebytes and if wont run try the next one until one of them runs


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#13 zorkon

zorkon

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 June 2014 - 02:55 AM

I was eventually able to get a Malwarebytes scan to work. It seems I needed to wait quite a few minutes for the computer to become unstuck and continue scanning. One of the Chameleon's started a scan which eventually ended in BSOD, but the last run was successful, log follows.

 

I've opted not to run the ESET online scanner as I do not want to connect the machine to the internet, so unless there are any other offline tests is the machine looking OK this far?

 

------------------

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 14/06/2014
Scan Time: 7:37:05 p.m.
Logfile: mbam.txt
Administrator: No
 
Version: 2.00.2.1012
Malware Database: v2014.06.14.01
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: adrawson
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 323666
Time Elapsed: 18 min, 17 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 1
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),,[c6ec93e06912e55129d08ae631d30ef2]
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)



#14 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 14 June 2014 - 08:19 AM

Hi zorkon,
 

so unless there are any other offline tests is the machine looking OK this far?

Um, Yes and No. Some of the scans you have already completed required you to connect the machine to the internet to get the latest updates. Did you not complete this step when prompted to do so?
Without doing the complete battery of scans I can't be certain we have gotten all the malware removed.
OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#15 zorkon

zorkon

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 14 June 2014 - 08:33 AM

Hi OCD,

 

I used another machine to download the malwarebytes updates then copied the definitions over (used instructions posted by the developers on their forum), so that was OK. Are there any other scans that don't require the machine live-connected to the internet?

 

zorkon


Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users