Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Need help with a MBR rootkit!


Post by pimse » April 23rd, 2010, 8:43 pm

Hi
I'm struggling with a stubborn MBR rootkit. I have done some cleaning on my own, such as Mbam and Superantispyware and also DRweb Cureit. None of them detects the rootkit. I have also tried Blacklight, Norman Sinowal cleaner but without luck.
I have run Combofix and it says early in the scan that it has: Detected rootkit activity and must reboot the computer. After Combofix has finished, the rootkit is still there!

Thanks

Per


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:40:19, on 2010-04-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Personal\bin\Personal.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BankID Security Application.lnk = C:\Program Files\Personal\bin\Personal.exe
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2062205156
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://81.232.99.43:60108/activex/AMC.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - f:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4799 bytes


Uninstall list

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Shockwave Player 11.5
Avanquest update
AXIS Media Control Embedded
BankID Security Application 4.10.2
BurnInTest v5.3 Standard
Colin McRae Rally 2
Critical Update for Windows Media Player 11 (KB959772)
Duplicate Email Remover
Gordon's Gate Flash Driver 1.1.0.12
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
IL-2 Sturmovik 1946
Interactive Repair Manuals
Jane's Combat Simulations WWII Fighters
Java(TM) 6 Update 20
LAME v3.98.2 for Audacity
Look@LAN 2.50 Build 35
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.6.3)
MyPhoneExplorer
NVIDIA Drivers
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Shockwave
Sony Ericsson PC Suite 5.009.00
SpeedFan (remove only)
SuperEF2000
Sygate Personal Firewall
ToolBook II 6.1 Runtime Files
Total Commander (Remove or Repair)
UBCD4Win 3.22
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Service
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
XAMPP 1.7.1
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm
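The post above describes the classic MBR-rootkit symptom: every scanner runs clean, yet a tool that looks at the disk itself reports "rootkit activity" that survives cleaning. The defender-side check that settles the question is an integrity comparison of the first sector against a known-good copy. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it parses a 512-byte MBR (bootstrap code, NT disk signature, partition table, 0x55AA boot signature), hashes the bootstrap code, compares it with a baseline hash, and flags structural oddities. The sample sectors, the baseline hash, the device path `\\.\PhysicalDrive0` and the function names are all constructed for this example.

```python
"""Parse an MBR and compare its bootstrap code with a known-good baseline.

Added example (not from the thread). On a live Windows system the sector is
read from \\.\PhysicalDrive0 with administrator rights; the constructed
sample data below lets the script run offline.
"""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 on a valid MBR
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrReport:
    valid_signature: bool
    boot_code_sha256: str
    disk_signature: int
    partitions: List[Partition]
    findings: List[str] = field(default_factory=list)


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (assumed Windows device path; needs admin rights)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition table entries; empty entries are skipped."""
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def analyze_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> MbrReport:
    """Validate the MBR layout and compare the bootstrap code with a known-good hash."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    report = MbrReport(
        valid_signature=mbr[510:512] == BOOT_SIG,
        boot_code_sha256=hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        disk_signature=struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        partitions=parse_partitions(mbr),
    )
    if not report.valid_signature:
        report.findings.append("boot signature 0x55AA missing")
    if baseline_sha256 and report.boot_code_sha256 != baseline_sha256:
        report.findings.append("bootstrap code differs from baseline (possible MBR rootkit)")
    # Structural sanity checks on the partition table.
    for i in range(4):
        status = mbr[PART_TABLE_OFF + 16 * i]
        if status not in (0x00, 0x80):
            report.findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
    if sum(p.bootable for p in report.partitions) > 1:
        report.findings.append("more than one partition flagged bootable")
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in report.partitions)
    for (_s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            report.findings.append(f"partitions {i1} and {i2} overlap")
    return report


def build_mbr(boot_code: bytes, disk_sig: int, entries) -> bytes:
    """Assemble a 512-byte MBR from its parts (used here only to construct sample data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code[:BOOT_CODE_LEN]
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed sample data: a stand-in for a known-good MBR and a patched copy of it.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432, 0x1234ABCD,
                      [(True, 0x07, 63, 1000000), (False, 0x07, 1000063, 2000000)])
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Simulated infection: the first instruction of the boot code is replaced by a jump.
TAMPERED_MBR = b"\xeb\x4c\x90" + CLEAN_MBR[3:]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        rep = analyze_mbr(sector, BASELINE)
        print(name, rep.boot_code_sha256[:16], rep.findings or "no findings")
```

Two caveats matter in practice. The baseline must come from a trusted source (the same machine before infection, or the sector written by a clean installation of the same Windows version), because bootstrap code legitimately differs between OS versions. And a bootkit that hooks the disk stack can hand the original sector back to any user-mode reader, so a hash that matches when read from the running system is not conclusive; the decisive read is made from an offline boot environment, which is also where a known-good sector would be restored from.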

Re: Need help with a MBR rootkit!

Post by MWR 3 day Mod » April 27th, 2010, 12:31 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Need help with a MBR rootkit!

Post by deltalima » April 27th, 2010, 9:40 am

Hi pimse,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Also please post the contents of the log from the last Combofix scan.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Post by pimse » April 27th, 2010, 10:25 am

Hi deltalima,

Thanks for helping me out with this!

First, I failed to do the second task, running Gmer. I have tried to run Gmer many times earlier, but always failed.
Below is the error message I got, as usual.

z10hn0xd.exe has encountered a problem and needs to close. We are sorry for the inconvenience.


Here are the logs you requested.

Thanks
pimse


OTL log

OTL logfile created on: 2010-04-27 15:56:01 - Run 2
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Per\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 86,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 27,48 Gb Free Space | 56,29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 48,83 Gb Total Space | 28,46 Gb Free Space | 58,29% Space Free | Partition Type: NTFS
Drive G: | 97,65 Gb Total Space | 23,75 Gb Free Space | 24,32% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
Drive I: | 102,78 Gb Total Space | 7,93 Gb Free Space | 7,71% Space Free | Partition Type: NTFS

Computer Name: DUO
Current User Name: Per
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Per\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
PRC - C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
PRC - C:\Program Files\Personal\bin\Personal.exe (Technology Nexus AB)
PRC - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe ()
PRC - C:\WINDOWS\system32\msfeedssync.exe (Microsoft Corporation)
PRC - G:\Program Files\Hard Disk Sentinel\HDSentinel.exe (H.D.S. Hungary)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Per\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\SSSensor.dll (Sygate Technologies, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (NMSAccessU) -- File not found
SRV - (Samsung UPD Service) -- C:\WINDOWS\System32\SUPDSvc.exe (Samsung Electronics CO., LTD.)
SRV - (EhttpSrv) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (ESET)
SRV - (ekrn) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
SRV - (ImDskSvc) -- C:\WINDOWS\system32\imdsksvc.exe (Olof Lagerkvist)
SRV - (OMSI download service) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe ()
SRV - (SmcService) -- C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)


========== Driver Services (SafeList) ==========

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (epfwtdir) -- C:\WINDOWS\system32\drivers\epfwtdir.sys (ESET)
DRV - (ehdrv) -- C:\WINDOWS\system32\drivers\ehdrv.sys (ESET)
DRV - (eamon) -- C:\WINDOWS\system32\drivers\eamon.sys (ESET)
DRV - (ImDisk) -- C:\WINDOWS\system32\drivers\imdisk.sys (Olof Lagerkvist)
DRV - (ggsemc) -- C:\WINDOWS\system32\drivers\ggsemc.sys (Sony Ericsson Mobile Communications)
DRV - (ggflt) -- C:\WINDOWS\system32\drivers\ggflt.sys (Sony Ericsson Mobile Communications)
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows (R) 2000 DDK provider)
DRV - (AWEAlloc) -- C:\WINDOWS\system32\drivers\awealloc.sys (Olof Lagerkvist)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM) -- C:\WINDOWS\system32\drivers\s0016unic.sys (MCCI Corporation)
DRV - (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS) -- C:\WINDOWS\system32\drivers\s0016nd5.sys (MCCI Corporation)
DRV - (s0016mdfl) -- C:\WINDOWS\system32\drivers\s0016mdfl.sys (MCCI Corporation)
DRV - (s0016mdm) -- C:\WINDOWS\system32\drivers\s0016mdm.sys (MCCI Corporation)
DRV - (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s0016mgmt.sys (MCCI Corporation)
DRV - (s0016obex) -- C:\WINDOWS\system32\drivers\s0016obex.sys (MCCI Corporation)
DRV - (s0016bus) Sony Ericsson Device 0016 driver (WDM) -- C:\WINDOWS\system32\drivers\s0016bus.sys (MCCI Corporation)
DRV - (atapi) -- C:\WINDOWS\system32\DRIVERS\atapi.sys ()
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (seehcri) -- C:\WINDOWS\system32\drivers\seehcri.sys (Sony Ericsson Mobile Communications)
DRV - (NVHDA) -- C:\WINDOWS\system32\drivers\nvhda32.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows (R) 2000 DDK provider)
DRV - (ElbyCDIO) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (sfvfs02) StarForce Protection VFS Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (sfsync02) StarForce Protection Synchronization Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (ElbyCDFL) -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys (SlySoft, Inc.)
DRV - (wg6n) -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys (Sygate Technologies, Inc.)
DRV - (wg5n) -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys (Sygate Technologies, Inc.)
DRV - (wg4n) -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys (Sygate Technologies, Inc.)
DRV - (wg3n) -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys (Sygate Technologies, Inc.)
DRV - (wpsdrvnt) -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Sygate Technologies, Inc.)
DRV - (Teefer) -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys (Sygate Technologies, Inc.)
DRV - (Maplom) -- C:\WINDOWS\system32\drivers\maplom.sys (Jacal Consulting Pty Ltd)
DRV - (a347bus) -- C:\WINDOWS\system32\DRIVERS\a347bus.sys ( )
DRV - (a347scsi) -- C:\WINDOWS\System32\Drivers\a347scsi.sys ( )
DRV - (axsaki) -- C:\WINDOWS\system32\drivers\axsaki.sys ( )
DRV - (axskbus) -- C:\WINDOWS\system32\drivers\axskbus.sys ( )
DRV - (msgame) -- C:\WINDOWS\system32\drivers\msgame.sys (Microsoft Corporation)
DRV - (hidgame) -- C:\WINDOWS\system32\drivers\hidgame.sys (Microsoft Corporation)
DRV - (es1371) Creative AudioPCI (ES1371,ES1373) (WDM) -- C:\WINDOWS\system32\drivers\es1371mp.sys (Creative Technology Ltd.)
DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1454471165-1844237615-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1454471165-1844237615-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://se.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1454471165-1844237615-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = sv
IE - HKU\S-1-5-21-1454471165-1844237615-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 38 99 F1 6B 45 DE C9 01 [binary data]
IE - HKU\S-1-5-21-1454471165-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.leta.se/"
FF - prefs.js..extensions.enabledItems: {F33233B3-EDB1-41f4-8482-917AB190E647}:3.0
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: {21cfaec0-dbb3-11dc-95ff-0800200c9a66}:1.1.2.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..extensions.enabledItems: {8b86149f-01fb-4842-9dd8-4d7eb02fd055}:0.21.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-04-23 23:13:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-04-24 11:21:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010-04-23 21:15:21 | 000,000,000 | ---D | M]

[2009-04-08 19:16:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Mozilla\Extensions
[2010-04-24 01:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (Easy DragToGo) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{21cfaec0-dbb3-11dc-95ff-0800200c9a66}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (Tab Saver!) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{7A074BE0-2326-436d-B473-029FAEBEB5C6}
[2010-04-23 23:09:47 | 000,000,000 | ---D | M] (All-in-One Gestures) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{8b86149f-01fb-4842-9dd8-4d7eb02fd055}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010-04-23 22:53:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010-04-23 22:53:52 | 000,000,000 | ---D | M] (Add Bookmark Here) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{F33233B3-EDB1-41f4-8482-917AB190E647}
[2010-04-23 22:53:52 | 000,000,000 | ---D | M] (Mouse Gestures Redox) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\firefox@red-cog.com
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
[2010-04-24 00:35:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010-04-24 00:35:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010-04-12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010-04-24 11:21:01 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2010-04-01 19:42:59 | 000,001,470 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\allaannonser-sv-SE.xml
[2010-04-01 19:42:59 | 000,002,670 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\prisjakt-sv-SE.xml
[2010-04-01 19:42:59 | 000,000,948 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\tyda-sv-SE.xml
[2010-04-01 19:42:59 | 000,001,174 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-sv-SE.xml
[2010-04-01 19:42:59 | 000,000,951 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-sv-SE.xml

O1 HOSTS File: ([2007-07-27 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [Hard Disk Sentinel] G:\Program Files\Hard Disk Sentinel\HDSentinel.exe (H.D.S. Hungary)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\Run: [SmcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BankID Security Application.lnk = C:\Program Files\Personal\bin\Personal.exe (Technology Nexus AB)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1454471165-1844237615-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Reg Error: Key error. File not found
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/ ... ontrol.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shoc ... tor/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupda ... 2062205156 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdat ... /opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://81.232.99.43:60108/activex/AMC.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-03-14 06:32:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-04-27 15:46:42 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Per\Desktop\OTL.exe
[2010-04-26 18:42:29 | 000,021,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml2a.dll
[2010-04-26 18:42:28 | 000,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml4r.dll
[2010-04-26 18:42:28 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml4a.dll
[2010-04-26 18:42:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\Samsung
[2010-04-26 18:42:01 | 000,218,112 | ---- | C] (SEC) -- C:\WINDOWS\System32\SIPDUtil.dll
[2010-04-26 18:42:01 | 000,157,552 | ---- | C] (SS) -- C:\WINDOWS\System32\spd__ci.exe
[2010-04-26 18:42:01 | 000,141,680 | ---- | C] (Samsung Electronics CO., LTD.) -- C:\WINDOWS\System32\SUPDSvcA.dll
[2010-04-26 18:42:01 | 000,132,464 | ---- | C] (Samsung Electronics CO., LTD.) -- C:\WINDOWS\System32\SUPDSvc.exe
[2010-04-26 18:42:01 | 000,065,536 | ---- | C] (SS) -- C:\WINDOWS\System32\spd__ci.dll
[2010-04-26 18:39:23 | 000,000,000 | ---D | C] -- C:\Program Files\SAMSUNG
[2010-04-26 18:29:30 | 000,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbprint.sys
[2010-04-25 18:00:42 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2010-04-25 13:25:29 | 000,027,632 | ---- | C] (Sony Ericsson Mobile Communications) -- C:\WINDOWS\System32\drivers\seehcri.sys
[2010-04-24 11:55:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
[2010-04-24 11:55:29 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010-04-24 11:21:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Application Data\Foxit
[2010-04-24 11:21:09 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010-04-24 11:12:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Application Data\JAM Software
[2010-04-24 11:09:43 | 000,000,000 | ---D | C] -- C:\Program Files\JAM Software
[2010-04-24 11:08:56 | 000,000,000 | ---D | C] -- C:\Program Files\ImgBurn
[2010-04-24 11:08:28 | 000,019,968 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\drivers\imdisk.sys
[2010-04-24 11:08:28 | 000,009,216 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\drivers\awealloc.sys
[2010-04-24 11:08:27 | 000,080,384 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\imdisk.cpl
[2010-04-24 11:08:27 | 000,035,840 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\imdisk.exe
[2010-04-24 11:08:27 | 000,010,240 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\imdsksvc.exe
[2010-04-24 11:02:51 | 000,741,744 | ---- | C] (RealVNC Ltd. ) -- C:\Documents and Settings\Per\My Documents\vnc-4_1_3-x86_win32.exe
[2010-04-24 11:02:34 | 267,940,236 | ---- | C] (UBCD4Win Team - Benjamin Burrows ) -- C:\Documents and Settings\Per\My Documents\UBCD4WinV350.exe
[2010-04-24 11:02:24 | 021,663,557 | ---- | C] (Samsung ) -- C:\Documents and Settings\Per\My Documents\SamsungUniversalPrintDriver_PS.exe
[2010-04-24 11:01:46 | 011,714,981 | ---- | C] (Extensoft) -- C:\Documents and Settings\Per\My Documents\FreeTaskManager.exe
[2010-04-24 11:01:42 | 013,062,272 | ---- | C] (Fengtao Software Inc. ) -- C:\Documents and Settings\Per\My Documents\DVDFab6070.exe
[2010-04-24 11:01:39 | 000,670,072 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Per\My Documents\autoruns.exe
[2010-04-24 11:01:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\WNC-0301V3(CD)
[2010-04-24 11:01:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\WNC-0301USBV3(CD)
[2010-04-24 11:01:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\winbuild
[2010-04-24 11:01:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\Video Converter
[2010-04-24 11:00:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\SysinternalsSuite
[2010-04-24 11:00:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\Spotify_ripper
[2010-04-24 10:59:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\siv
[2010-04-24 10:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\nod32ubcd
[2010-04-24 10:58:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\New Folder
[2010-04-24 10:51:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\My Downloads
[2010-04-24 10:50:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\joomla
[2010-04-24 10:47:26 | 004,411,392 | ---- | C] (Gabest) -- C:\Documents and Settings\Per\Desktop\mplayerc.exe
[2010-04-24 10:47:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\f305
[2010-04-24 10:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\ENG
[2010-04-24 10:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\dvds
[2010-04-24 10:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\bp
[2010-04-24 10:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\bin2iso
[2010-04-24 10:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\belos
[2010-04-24 10:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\Alcohol 120%
[2010-04-24 08:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\DoctorWeb
[2010-04-24 02:37:44 | 000,060,496 | ---- | C] (Sygate Technologies, Inc.) -- C:\WINDOWS\System32\drivers\Teefer.sys
[2010-04-24 02:37:44 | 000,014,568 | ---- | C] (Sygate Technologies, Inc.) -- C:\WINDOWS\System32\drivers\wg3n.sys
[2010-04-24 02:37:43 | 000,021,075 | ---- | C] (Sygate Technologies, Inc.) -- C:\WINDOWS\System32\drivers\wpsdrvnt.sys
[2010-04-24 02:37:42 | 000,083,096 | ---- | C] (Sygate Technologies, Inc.) -- C:\WINDOWS\System32\SSSensor.dll
[2010-04-24 02:37:39 | 000,000,000 | ---D | C] -- C:\Program Files\Sygate
[2010-04-24 01:49:57 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010-04-24 01:47:43 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010-04-24 01:38:50 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010-04-24 01:38:46 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe
[2010-04-24 01:37:41 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fontsub.dll
[2010-04-24 01:37:40 | 000,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\t2embed.dll
[2010-04-24 01:37:30 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010-04-24 01:29:30 | 000,278,016 | ---- | C] (SteelWerX) -- C:\WINDOWS\swreg.exe
[2010-04-24 01:26:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010-04-24 01:10:18 | 001,304,576 | ---- | C] (Norman ASA) -- C:\Documents and Settings\Per\Desktop\Norman_Sinowal_Cleaner.exe
[2010-04-24 01:10:17 | 001,878,888 | ---- | C] (Adobe Systems Incorporated) -- C:\Documents and Settings\Per\Desktop\install_flash_player.exe
[2010-04-24 01:10:17 | 000,069,632 | ---- | C] (Auto Debug System) -- C:\Documents and Settings\Per\Desktop\KillProcess.exe
[2010-04-24 01:10:14 | 013,062,272 | ---- | C] (Fengtao Software Inc. ) -- C:\Documents and Settings\Per\Desktop\DVDFab6070.exe
[2010-04-24 01:09:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Desktop\txt
[2010-04-24 01:09:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Desktop\New Folder (6)
[2010-04-24 01:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Local Settings\Application Data\Spotify
[2010-04-24 01:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Application Data\Spotify
[2010-04-24 01:01:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\McafeeRootkitDetective
[2010-04-24 01:01:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\Hämtade filer
[2010-04-24 00:39:04 | 000,015,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2010-04-24 00:35:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010-04-24 00:35:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010-04-24 00:35:17 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010-04-24 00:35:16 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010-04-24 00:35:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010-04-24 00:35:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010-04-23 21:33:08 | 000,000,000 | ---D | C] -- C:\Program Files\MAPILab Ltd
[2010-04-23 21:32:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2010-04-23 21:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010-04-03 22:55:32 | 011,647,592 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcompiler.dll
[2010-04-03 22:55:32 | 004,075,520 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuda.dll
[2010-04-03 22:55:32 | 002,646,632 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuvenc.dll
[2010-04-03 22:55:32 | 002,030,184 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuvid.dll
[2010-04-03 22:55:32 | 000,061,440 | ---- | C] (Khronos Group) -- C:\WINDOWS\System32\OpenCL.dll
[2010-04-03 19:23:18 | 000,278,120 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvmccs.dll
[2010-04-03 19:23:16 | 013,670,504 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcpl.dll
[2010-04-03 19:23:16 | 000,145,000 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcolor.exe
[2010-04-03 19:23:16 | 000,110,696 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvmctray.dll
[2010-04-03 19:22:54 | 000,081,920 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvwddi.dll
[2009-04-04 17:02:56 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2009-04-04 17:02:56 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[2003-03-30 21:38:18 | 000,102,624 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\axsaki.sys
[2003-03-28 11:58:42 | 000,008,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\axskbus.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-04-27 15:56:28 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E51E9111-755F-4990-99AB-39BEABF9B266}.job
[2010-04-27 15:54:13 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-04-27 15:53:54 | 000,276,202 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010-04-27 15:53:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-04-27 15:53:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-04-27 15:52:42 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Per\NTUSER.DAT
[2010-04-27 15:47:09 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\z10hn0xd.exe
[2010-04-27 15:46:46 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Per\Desktop\OTL.exe
[2010-04-27 15:45:13 | 000,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-04-27 15:45:13 | 000,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-04-27 15:45:12 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-04-27 15:17:55 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Per\ntuser.ini
[2010-04-26 20:21:53 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\MemberImport.xls
[2010-04-26 17:54:35 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\rik.xls
[2010-04-26 17:54:35 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Bok1.xls
[2010-04-25 17:46:51 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Per\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-04-25 13:25:28 | 000,001,855 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sony Ericsson PC Suite 6.0.lnk
[2010-04-25 00:58:06 | 005,845,068 | -H-- | M] () -- C:\Documents and Settings\Per\Local Settings\Application Data\IconCache.db
[2010-04-24 17:58:19 | 000,002,406 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175817.reg
[2010-04-24 17:58:07 | 000,015,076 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175804.reg
[2010-04-24 17:55:36 | 000,029,894 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175533.reg
[2010-04-24 11:47:48 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010-04-24 11:38:28 | 000,002,163 | ---- | M] () -- C:\WINDOWS\WINCMD.INI
[2010-04-24 11:21:22 | 000,000,883 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2010-04-24 11:08:59 | 000,001,528 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ImgBurn.lnk
[2010-04-24 10:45:08 | 000,000,579 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\HTTrack Website Copier.lnk
[2010-04-24 10:45:02 | 000,000,697 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\CCleaner.lnk
[2010-04-24 10:44:57 | 000,000,591 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\DVD Shrink 3.2.lnk
[2010-04-24 10:44:13 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Look@LAN.lnk
[2010-04-24 10:44:00 | 000,000,551 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Game Jackal.lnk
[2010-04-24 10:43:53 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IrfanView.lnk
[2010-04-24 10:43:39 | 000,000,595 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Shortcut to AboutTime.exe.lnk
[2010-04-24 10:43:34 | 000,000,531 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\XnView.lnk
[2010-04-24 10:43:27 | 000,000,686 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Shortcut to audacity.exe.lnk
[2010-04-24 10:43:26 | 000,000,693 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Shortcut to EasyClea.exe.lnk
[2010-04-24 08:25:34 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Hard Disk Sentinel.lnk
[2010-04-24 08:25:21 | 000,000,766 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\DVD Decrypter.lnk
[2010-04-24 08:25:10 | 000,000,473 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\GT Legends.lnk
[2010-04-24 02:32:37 | 009,228,440 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\spf.exe
[2010-04-24 02:24:23 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CDBurnerXP.lnk
[2010-04-24 02:19:21 | 000,245,512 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010-04-24 01:31:48 | 000,064,752 | ---- | M] () -- C:\Documents and Settings\Per\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010-04-24 01:08:02 | 000,000,607 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Spotify.lnk
[2010-04-24 00:55:25 | 000,000,918 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Age of Empires II.lnk
[2010-04-24 00:39:08 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IL-2 Sturmovik 1946.lnk
[2010-04-24 00:30:05 | 000,000,486 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010-04-24 00:29:39 | 000,000,642 | ---- | M] () -- C:\WINDOWS\win.ini
[2010-04-23 22:43:33 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010-04-23 21:41:43 | 000,000,139 | ---- | M] () -- C:\WINDOWS\wcx_ftp.ini
[2010-04-22 22:30:12 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\NTREGOPT.lnk
[2010-04-22 22:30:12 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\ERUNT.lnk
[2010-04-22 22:28:01 | 000,794,112 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\The_Comedian.exe
[2010-04-22 21:57:53 | 001,304,576 | ---- | M] (Norman ASA) -- C:\Documents and Settings\Per\Desktop\Norman_Sinowal_Cleaner.exe
[2010-04-22 14:54:48 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\settings.dat
[2010-04-22 12:56:25 | 001,872,472 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\SmitfraudFix.exe
[2010-04-22 07:32:04 | 000,001,414 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\shutdown.exe.lnk
[2010-04-21 23:51:09 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\E-mail.lnk
[2010-04-17 11:42:37 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Webkamera Gång.doc
[2010-04-12 17:29:27 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010-04-12 17:29:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010-04-12 17:29:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010-04-12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010-04-12 15:19:02 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010-04-03 22:55:32 | 014,757,888 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvoglnt.dll
[2010-04-03 22:55:32 | 011,647,592 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcompiler.dll
[2010-04-03 22:55:32 | 010,232,128 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nv4_mini.sys
[2010-04-03 22:55:32 | 010,232,128 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\dllcache\nv4_mini.sys
[2010-04-03 22:55:32 | 006,432,128 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nv4_disp.dll
[2010-04-03 22:55:32 | 004,075,520 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuda.dll
[2010-04-03 22:55:32 | 002,646,632 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuvenc.dll
[2010-04-03 22:55:32 | 002,183,470 | ---- | M] () -- C:\WINDOWS\System32\nvdata.bin
[2010-04-03 22:55:32 | 002,030,184 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuvid.dll
[2010-04-03 22:55:32 | 001,097,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvapi.dll
[2010-04-03 22:55:32 | 000,600,680 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\NVUNINST.EXE
[2010-04-03 22:55:32 | 000,600,680 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvudisp.exe
[2010-04-03 22:55:32 | 000,227,944 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcodins.dll
[2010-04-03 22:55:32 | 000,227,944 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcod.dll
[2010-04-03 22:55:32 | 000,061,440 | ---- | M] (Khronos Group) -- C:\WINDOWS\System32\OpenCL.dll
[2010-04-03 22:55:32 | 000,025,755 | ---- | M] () -- C:\WINDOWS\System32\nvdisp.nvu
[2010-04-03 22:55:32 | 000,009,046 | ---- | M] () -- C:\WINDOWS\System32\nvinfo.pb
[2010-04-03 19:23:18 | 000,278,120 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvmccs.dll
[2010-04-03 19:23:16 | 013,670,504 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcpl.dll
[2010-04-03 19:23:16 | 000,145,000 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcolor.exe
[2010-04-03 19:23:16 | 000,110,696 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvmctray.dll
[2010-04-03 19:22:54 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvwddi.dll
[2010-04-03 19:22:32 | 000,066,714 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2010-03-30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-03-30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-04-27 15:47:08 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\z10hn0xd.exe
[2010-04-26 20:21:53 | 000,033,280 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\MemberImport.xls
[2010-04-26 18:42:29 | 000,482,408 | ---- | C] () -- C:\WINDOWS\ssndii.exe
[2010-04-26 18:42:05 | 000,011,502 | ---- | C] () -- C:\WINDOWS\Dr. Printer Icon.ico
[2010-04-26 18:42:01 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\DscPnt.dll
[2010-04-26 18:42:01 | 000,260,464 | ---- | C] () -- C:\WINDOWS\SUPDRun.exe
[2010-04-26 18:42:01 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\spd__l.dll
[2010-04-26 18:42:01 | 000,000,363 | ---- | C] () -- C:\WINDOWS\System32\spd__l.smt
[2010-04-26 17:48:53 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Bok1.xls
[2010-04-25 13:25:28 | 000,001,855 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Sony Ericsson PC Suite 6.0.lnk
[2010-04-24 17:58:18 | 000,002,406 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175817.reg
[2010-04-24 17:58:06 | 000,015,076 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175804.reg
[2010-04-24 17:55:34 | 000,029,894 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175533.reg
[2010-04-24 11:21:22 | 000,000,883 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2010-04-24 11:08:59 | 000,001,528 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ImgBurn.lnk
[2010-04-24 11:03:02 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\You.doc
[2010-04-24 11:03:02 | 000,001,321 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\yellow.png
[2010-04-24 11:02:54 | 002,208,984 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\WW2_108.EXE
[2010-04-24 11:02:54 | 000,032,800 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\WRT54GLV1_v4.30.7.cfg
[2010-04-24 11:02:49 | 004,770,227 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\verktygsstallet_med_priser.pdf
[2010-04-24 11:02:49 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Webkamera Gång.doc
[2010-04-24 11:02:34 | 003,079,715 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Tweaking Companion for Windows Vista (Tweakguides, 2007).pdf
[2010-04-24 11:02:30 | 103,937,719 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\The Art Of Woodworking Vol 18 - Outdoor Furniture.pdf
[2010-04-24 11:02:30 | 012,216,170 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\SysinternalsSuite.zip
[2010-04-24 11:02:30 | 003,279,751 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Swiftamatic_8_Serv_Man_0863.pdf
[2010-04-24 11:02:30 | 000,165,379 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Spotify_ripper.rar
[2010-04-24 11:02:30 | 000,050,677 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\TageN.png
[2010-04-24 11:02:30 | 000,014,532 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\tagenylander.pdf
[2010-04-24 11:02:26 | 002,888,232 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Spotify Installer.exe
[2010-04-24 11:02:25 | 002,292,413 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\smide.pdf
[2010-04-24 11:02:25 | 001,318,647 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\siv.zip
[2010-04-24 11:02:25 | 000,123,722 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Sjukersättning.pdf
[2010-04-24 11:02:25 | 000,096,084 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Sjukpenninggrundande inkomst - information till dig som studerar, är arbetslös, har sjukersättning,.pdf
[2010-04-24 11:02:24 | 000,057,856 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\rol-biWO 2008026930 20080306.doc
[2010-04-24 11:02:24 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Robban 850.doc
[2010-04-24 11:02:23 | 008,834,504 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\RMSetup.exe
[2010-04-24 11:02:23 | 004,211,811 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\PV_Design_45 HY30-3245-uk-02-2007.pdf
[2010-04-24 11:02:23 | 001,980,651 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\PV_Catalog.pdf
[2010-04-24 11:02:23 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\rik.xls
[2010-04-24 11:02:23 | 000,001,305 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\red.png
[2010-04-24 11:02:21 | 034,021,481 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Produktbok2007.pdf
[2010-04-24 11:02:21 | 001,309,584 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\ProcessMonitor.zip
[2010-04-24 11:02:21 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\persbios.bin
[2010-04-24 11:02:21 | 000,028,595 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\processkill.zip
[2010-04-24 11:02:09 | 000,676,135 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Om du är sjuk och inte kan arbeta.pdf
[2010-04-24 11:02:09 | 000,393,334 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\nussbaum2.jpg
[2010-04-24 11:02:09 | 000,354,630 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\nussbaum1.jpg
[2010-04-24 11:02:09 | 000,001,660 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\nod32ubcd.zip
[2010-04-24 11:01:56 | 002,991,563 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\MBD-I-D945GSEJT-manual.pdf
[2010-04-24 11:01:56 | 001,262,858 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\mobil_refill_priserSamtTjan081202.pdf
[2010-04-24 11:01:56 | 000,981,457 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\lcdmonitor_STXsorozat.pdf
[2010-04-24 11:01:56 | 000,195,383 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\mbookmark.xml
[2010-04-24 11:01:56 | 000,052,111 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\motorer.pdf
[2010-04-24 11:01:56 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Minska risk för fukt på vinden.doc
[2010-04-24 11:01:51 | 000,771,658 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\l225.pdf
[2010-04-24 11:01:51 | 000,743,728 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\l220.pdf
[2010-04-24 11:01:50 | 003,108,547 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\K800__UG_R1a_SV.pdf
[2010-04-24 11:01:50 | 002,518,490 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\katalog.pdf
[2010-04-24 11:01:50 | 001,788,208 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\kampanj.pdf
[2010-04-24 11:01:50 | 000,132,804 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\index.php
[2010-04-24 11:01:49 | 003,354,819 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\IBMThinkpadA31.pdf
[2010-04-24 11:01:49 | 000,417,792 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\HP Color LaserJet 2605 Series Printer.doc
[2010-04-24 11:01:49 | 000,127,091 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\HP Laserjet Guide TD 200812.pdf
[2010-04-24 11:01:49 | 000,055,296 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\I den här artikeln beskrivs återställning av en dator med Windows XP.doc
[2010-04-24 11:01:48 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Hans Bergströms artikel om.doc
[2010-04-24 11:01:48 | 000,006,957 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\hdsentinel.png
[2010-04-24 11:01:48 | 000,001,300 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\green.png
[2010-04-24 11:01:44 | 072,673,280 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FreeNAS-i386-LiveCD-0.7RC1.4735.iso
[2010-04-24 11:01:44 | 000,933,717 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#6PSMay50.pdf
[2010-04-24 11:01:44 | 000,169,746 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FPFAI-UK-DSLROUTERG-AA.pdf
[2010-04-24 11:01:44 | 000,000,110 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Files named @.jpg.fnd
[2010-04-24 11:01:44 | 000,000,110 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Files named @.jpg (2).fnd
[2010-04-24 11:01:43 | 006,013,893 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\EeePC4G_web.pdf
[2010-04-24 11:01:43 | 003,054,046 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#4.pdf
[2010-04-24 11:01:43 | 000,933,145 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#2.pdf
[2010-04-24 11:01:43 | 000,728,297 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#5PMFM47.pdf
[2010-04-24 11:01:43 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Elpriset smyghöjs för två miljoner svenskar.doc
[2010-04-24 11:01:43 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Eftersom du bygga en brant trappa.doc
[2010-04-24 11:01:43 | 000,000,498 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\EseTLicense.reg
[2010-04-24 11:01:42 | 002,894,611 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Convertible_76_Serv_Man_1174.pdf
[2010-04-24 11:01:42 | 001,338,145 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Convertible_76_IPL_1972.pdf
[2010-04-24 11:01:42 | 000,370,473 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Customize_Joomla's_Default_Template[1].pdf
[2010-04-24 11:01:42 | 000,049,753 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Disk report 2010 03 10.html
[2010-04-24 11:01:42 | 000,013,886 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\config-freenas.local-20100306122725.xml
[2010-04-24 11:01:40 | 000,756,177 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Cement-Mixer.pdf
[2010-04-24 11:01:40 | 000,294,087 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Building a Standard Image of Windows 7 Step-by-Step Guide.doc.docx
[2010-04-24 11:01:40 | 000,083,155 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\bios.ini
[2010-04-24 11:01:40 | 000,024,093 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Bransle_Maflex_2009.pdf
[2010-04-24 11:01:40 | 000,009,187 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\bin2iso.zip
[2010-04-24 11:01:37 | 007,198,798 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\4725.pdf
[2010-04-24 11:01:37 | 002,616,830 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\5000_Series_Op_Man_0881.pdf
[2010-04-24 11:01:37 | 000,588,661 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\37-120.pdf
[2010-04-24 11:01:37 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\6a61ng02.0
[2010-04-24 11:01:37 | 000,023,055 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\advis.mht
[2010-04-24 11:01:37 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Per\My Documents\~$You.doc
[2010-04-24 11:00:24 | 004,032,807 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\The Psychedelic Furs - Pretty In Pink.mp3
[2010-04-24 11:00:24 | 003,306,393 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Thorleifs - Aldrig nånsin glömmer jag dig.mp3
[2010-04-24 11:00:23 | 003,668,766 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Erik Grönwall - Run To The Hills.mp3
[2010-04-24 02:32:31 | 009,228,440 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\spf.exe
[2010-04-24 01:29:30 | 000,082,944 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010-04-24 01:29:29 | 000,077,312 | ---- | C] () -- C:\WINDOWS\mbr.exe
[2010-04-24 01:10:21 | 000,000,766 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Sandboxed Web Browser.lnk
[2010-04-24 01:10:21 | 000,000,595 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Shortcut to AboutTime.exe.lnk
[2010-04-24 01:10:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\settings.dat
[2010-04-24 01:10:20 | 023,834,246 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\publication.pdf
[2010-04-24 01:10:20 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\NTREGOPT.lnk
[2010-04-24 01:10:18 | 000,557,056 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\LaunchEAW.exe
[2010-04-24 01:10:17 | 000,000,579 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\HTTrack Website Copier.lnk
[2010-04-24 01:10:15 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\esetsmartinstaller_enu.exe
[2010-04-24 01:10:15 | 002,162,688 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\fixntldr.iso
[2010-04-24 01:10:15 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\ERUNT.lnk
[2010-04-24 01:10:15 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\E-mail.lnk
[2010-04-24 01:10:14 | 003,704,042 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\D_Z3_SW.pdf
[2010-04-24 01:10:14 | 000,819,347 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\BoPC_KotOR_Troubleshooting.rtf
[2010-04-24 01:10:14 | 000,000,591 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\DVD Shrink 3.2.lnk
[2010-04-24 01:05:30 | 009,324,333 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Windows6.1-KB947821-x86-RC.msu
[2010-04-24 01:05:30 | 005,497,090 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\The Key To Metal Bumping.pdf
[2010-04-24 01:05:30 | 000,794,112 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\The_Comedian.exe
[2010-04-24 01:05:30 | 000,766,337 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Tröja.pdf
[2010-04-24 01:05:30 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\trappa.xls
[2010-04-24 01:05:30 | 000,000,721 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Winbuilder lx76hfcxaf.lnk
[2010-04-24 01:05:30 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Spotify.lnk
[2010-04-24 01:05:30 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\start.bat
[2010-04-24 01:05:26 | 022,191,482 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\snoslunga.wmv
[2010-04-24 01:05:26 | 000,001,414 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\shutdown.exe.lnk
[2010-04-24 01:00:59 | 001,872,472 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\SmitfraudFix.exe
[2010-04-24 01:00:52 | 001,728,150 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\McafeeRootkitDetective.zip
[2010-04-24 00:35:54 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010-04-03 22:55:32 | 002,183,470 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010-04-03 22:55:32 | 000,009,046 | ---- | C] () -- C:\WINDOWS\System32\nvinfo.pb
[2010-04-03 19:22:32 | 000,276,202 | ---- | C] () -- C:\WINDOWS\System32\NvApps.xml
[2010-04-03 19:22:32 | 000,066,714 | ---- | C] () -- C:\WINDOWS\System32\NvwsApps.xml
[2009-04-24 12:48:52 | 000,000,139 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2009-04-12 16:23:21 | 000,517,120 | ---- | C] () -- C:\WINDOWS\System32\7-ZIP32.DLL
[2009-04-09 22:19:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2009-04-04 22:53:35 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009-04-04 16:43:25 | 000,002,163 | ---- | C] () -- C:\WINDOWS\WINCMD.INI
[2009-03-14 19:44:48 | 000,000,486 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008-02-04 19:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007-10-04 10:14:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007-07-27 14:00:00 | 000,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2006-08-16 16:13:34 | 001,382,280 | ---- | C] () -- C:\WINDOWS\System32\fftw3.dll
[2004-10-15 18:31:56 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll
[2004-05-27 16:52:52 | 000,058,880 | ---- | C] () -- C:\WINDOWS\System32\mslffv1.dll
[2003-04-08 12:35:24 | 000,005,414 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1997-06-14 04:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[1996-04-03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94EAB850
< End of report >


Extras log

OTL Extras logfile created on: 2010-04-27 15:56:01 - Run 2
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Per\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 86,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 27,48 Gb Free Space | 56,29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 48,83 Gb Total Space | 28,46 Gb Free Space | 58,29% Space Free | Partition Type: NTFS
Drive G: | 97,65 Gb Total Space | 23,75 Gb Free Space | 24,32% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
Drive I: | 102,78 Gb Total Space | 7,93 Gb Free Space | 7,71% Space Free | Partition Type: NTFS

Computer Name: DUO
Current User Name: Per
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1454471165-1844237615-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "F:\Program\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"F:\Program Files\Look@LAN\LookAtLan.exe" = F:\Program Files\Look@LAN\LookAtLan.exe:*:Enabled:Look@LAN -- File not found
"G:\Program Files\Spotify\spotify.exe" = G:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify AB)
"C:\WINDOWS\system32\SUPDSvc.exe" = C:\WINDOWS\system32\SUPDSvc.exe:*:Enabled:Samsung UPD Service -- (Samsung Electronics CO., LTD.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{19B72AA9-985A-11D4-9C8A-00D0B75D1498}" = Colin McRae Rally 2
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 20
"{29384623-4136-4C13-B112-B647464783CA}" = ESET NOD32 Antivirus
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 6.009.00
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}" = Duplicate Email Remover
"{9111041D-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9455959E-D588-EFAE-329C-F66CC797F32A}" = Adobe Media Player
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" =
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F34D9A5F-484A-4E31-A9D3-908CB265B289}" = Sygate Personal Firewall
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BurnInTest_is1" = BurnInTest v5.3 Standard
"Defraggler" = Defraggler
"ESET Online Scanner" = ESET Online Scanner v3
"Foxit Reader" = Foxit Reader
"Gordon's Gate Flash Driver" = Gordon's Gate Flash Driver 1.1.0.12
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"ImDisk" = ImDisk Virtual Disk Driver
"ImgBurn" = ImgBurn
"InstallShield_{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"Interactive Repair Manuals" = Interactive Repair Manuals
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Look@LAN_1.0" = Look@LAN 2.50 Build 35
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MPE" = MyPhoneExplorer
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Personal" = BankID Security Application 4.10.2
"Samsung Universal Print Driver" = Samsung Universal Print Driver
"SEF2000DeinstKey" = SuperEF2000
"Shockwave" = Shockwave
"SpeedFan" = SpeedFan (remove only)
"ToolBook II 6.1 Runtime Files" = ToolBook II 6.1 Runtime Files
"Totalcmd" = Total Commander (Remove or Repair)
"TreeSize Free_is1" = TreeSize Free V2.3.1
"UBCD4Win_is1" = UBCD4Win 3.22
"Update Service" = Update Service
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"WWII Fighters" = Jane's Combat Simulations WWII Fighters
"xampp" = XAMPP 1.7.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2010-04-23 19:18:04 | Computer Name = DUO | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0005c887.

Error - 2010-04-23 19:21:16 | Computer Name = DUO | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0005c887.

Error - 2010-04-23 19:21:25 | Computer Name = DUO | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0005c887.

Error - 2010-04-23 19:21:30 | Computer Name = DUO | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0005c887.

Error - 2010-04-23 19:21:45 | Computer Name = DUO | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0005c887.

Error - 2010-04-23 19:25:21 | Computer Name = DUO | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2010-04-23 19:25:21 | Computer Name = DUO | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2010-04-23 19:25:21 | Computer Name = DUO | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2010-04-23 19:25:21 | Computer Name = DUO | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2010-04-23 20:23:54 | Computer Name = DUO | Source = SmcService | ID = 0
Description =

[ System Events ]
Error - 2009-04-19 13:51:08 | Computer Name = DUO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 2009-04-19 13:51:08 | Computer Name = DUO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 2009-04-19 13:51:08 | Computer Name = DUO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 2009-04-19 13:51:08 | Computer Name = DUO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 2009-04-19 13:51:08 | Computer Name = DUO | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 2009-04-29 15:57:30 | Computer Name = DUO | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.205 for the Network Card with network
address 001FD0D59FD4 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 2009-04-30 09:42:57 | Computer Name = DUO | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.201 for the Network Card with network
address 001FD0D59FD4 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 2009-05-01 04:05:18 | Computer Name = DUO | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.200 for the Network Card with network
address 001FD0D59FD4 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 2009-05-01 09:35:43 | Computer Name = DUO | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 2009-05-01 09:35:43 | Computer Name = DUO | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >

Combofix log

ComboFix 10-04-15.05 - Per 2010-04-17 8:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3197.2759 [GMT 2:00]
Running from: c:\documents and settings\Per\My Documents\Hämtade filer\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~57EB.tmp
C:\~AB41.tmp
c:\documents and settings\Per\Application Data\EurekaLog
c:\documents and settings\Per\Application Data\inst.exe
c:\windows\eSellerateEngine.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-16 10:46 . 2010-04-16 10:46 -------- d-----w- c:\program files\AskBarDis
2010-04-16 10:43 . 2010-04-16 10:43 -------- d-----w- c:\documents and settings\Per\Application Data\Foxit Software
2010-04-14 12:52 . 2010-04-14 12:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-14 12:52 . 2010-04-14 12:52 -------- d-----w- c:\program files\Microsoft
2010-04-03 13:49 . 2010-04-03 13:49 -------- d-----w- c:\program files\Defraggler
2010-03-31 17:16 . 2010-03-31 17:16 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 17:16 . 2010-03-31 17:16 503808 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35683776-n\msvcp71.dll
2010-03-31 17:16 . 2010-03-31 17:16 499712 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35683776-n\jmc.dll
2010-03-31 17:16 . 2010-03-31 17:16 348160 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35683776-n\msvcr71.dll
2010-03-31 17:16 . 2010-03-31 17:16 61440 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-21e63a1f-n\decora-sse.dll
2010-03-31 17:16 . 2010-03-31 17:16 12800 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-21e63a1f-n\decora-d3d.dll
2010-03-31 15:08 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-31 15:08 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-29 14:48 . 2010-02-03 12:56 26176 ---ha-w- c:\windows\system32\hamachi.sys
2010-03-29 14:47 . 2010-03-29 14:47 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-03-21 09:14 . 2010-03-21 08:29 38784 ----a-w- c:\documents and settings\Per\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-21 08:29 . 2010-03-21 08:29 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-21 08:29 . 2010-03-21 08:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-21 08:29 . 2010-04-17 06:44 -------- d-----w- C:\Voddler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 06:29 . 2009-04-04 06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 06:28 . 2009-05-23 12:59 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-16 19:49 . 2009-06-04 18:29 -------- d-----w- c:\documents and settings\Per\Application Data\Spotify
2010-04-16 09:50 . 2009-04-19 08:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-14 12:55 . 2009-11-12 14:58 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-05 17:17 . 2009-04-04 20:51 -------- d-----w- c:\documents and settings\Per\Application Data\XnView
2010-04-03 07:50 . 2009-11-10 22:59 -------- d-----w- c:\documents and settings\Per\Application Data\Petroglyph
2010-04-03 07:49 . 2009-11-10 21:42 -------- d-----w- c:\program files\LucasArts
2010-04-01 16:14 . 2009-04-04 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-03-31 17:15 . 2009-04-08 16:54 -------- d-----w- c:\program files\Java
2010-03-29 22:46 . 2009-04-04 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2009-04-04 06:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 08:29 . 2010-01-31 17:48 -------- d-----w- c:\program files\Voddler
2010-03-17 15:39 . 2009-04-04 20:49 -------- d-----w- c:\documents and settings\Per\Application Data\Audacity
2010-03-10 06:15 . 2007-07-27 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 17:55 . 2009-06-05 12:05 -------- d-----w- c:\program files\Samsung
2010-03-09 17:01 . 2009-10-27 19:45 -------- d-----w- c:\documents and settings\Per\Application Data\DVD Flick
2010-03-09 02:28 . 2009-04-08 16:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-07 11:56 . 2009-08-31 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-06 10:15 . 2009-04-04 18:01 -------- d-----w- c:\documents and settings\Per\Application Data\RipIt4Me
2010-02-25 06:24 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2007-07-27 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 11:39 . 2010-02-19 11:39 7668 ----a-w- c:\windows\system32\drivers\RKREVEAL150.SYS
2010-02-16 14:08 . 2007-07-27 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2007-07-27 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2007-07-27 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-08 22:14 . 2010-02-08 22:14 25214 ----a-r- c:\documents and settings\Per\Application Data\Microsoft\Installer\{EEECE229-49F6-4851-A73A-99B058221F8C}\ARPPRODUCTICON.exe
2010-02-08 22:14 . 2010-02-08 22:14 25214 ----a-r- c:\documents and settings\Per\Application Data\Microsoft\Installer\{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}\ARPPRODUCTICON.exe
2006-05-03 09:06 . 2009-10-27 19:33 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-10-27 19:33 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-10-27 19:33 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 16:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2007-07-27 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 10:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-12-01 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="f:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"Hard Disk Sentinel"="f:\program files\Hard Disk Sentinel\HDSentinel.exe" [2009-02-24 3198464]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"VoddlerNet Manager"="c:\program files\Voddler\service\VNetManager.exe" [2010-03-18 580296]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-25 1820040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BankID Security Application.lnk - c:\program files\Personal\bin\Personal.exe [2010-1-1 939920]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2004-03-11 00:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Look@LAN\\LookAtLan.exe"=
"f:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Voddler\\service\\voddler.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2009-04-04 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2009-04-04 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-09-11 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-09-11 96408]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-10-06 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-10-06 41424]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-11 735960]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-10-30 90112]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2007-11-10 29728]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-10-30 27632]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-10-02 103568]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S2 VoddlerNet;VoddlerNet;c:\program files\Voddler\service\voddler.exe [2010-03-18 1160912]
S3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2009-03-14 200320]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-04-19 13224]
S3 ImDisk;ImDisk Virtual Disk Driver;c:\windows\system32\drivers\imdisk.sys [2009-06-12 19968]
S3 ImDskSvc;ImDisk Virtual Disk Driver Helper;c:\windows\system32\imdsksvc.exe [2009-06-12 10240]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-04-18 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-04-18 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-04-18 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-04-18 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-04-18 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-04-18 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-04-18 115752]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2009-06-05 127656]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [2009-05-31 49656]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-10-06 94992]
S3 VirtualDK;VirtualDK;c:\ubcd4win350\UBCD4Win\vdk.sys [2009-10-10 16283]
S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-03-25 1107336]
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{E51E9111-755F-4990-99AB-39BEABF9B266}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://81.232.99.43:60108/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.leta.se/
FF - component: c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - plugin: c:\program files\Voddler\plugin\npvoddler.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-{76E41F43-59D2-4F30-BA42-9A762EE1E8DE} - c:\program files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 08:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7B2528]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb811cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f57cb8
\Driver\atapi -> 0x8a7b2528
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"D140111900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
f:\program files\Sygate\SPF\smc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
f:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-17 08:58:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-17 06:58

Pre-Run: 9 085 779 968 bytes free
Post-Run: 9 344 004 096 bytes free

- - End Of File - - C11A71882F37265315A2405CB7E84160
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 27th, 2010, 10:45 am

Hi pimse,

We will need to use the Recovery Console to investigate further.

Please run Combofix again and follow the instructions to install the Recovery Console and then post the log from Combofix in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 27th, 2010, 11:51 am

Hi,

Recovery Console is installed and, before scanning, Combofix brought up a dialog box saying: Rootkit! in the namelist

and below: Combofix has detected the presence of rootkit activity and needs to reboot the machine.

After that, Combofix scanned the computer in 50 steps.


Combofix log

ComboFix 10-04-26.04 - Per 2010-04-27 17:21:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3197.2813 [GMT 2:00]
Running from: c:\documents and settings\Per\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-27 15:21 . 2010-04-27 15:21 -------- d-----w- c:\documents and settings\Per\Local Settings\Application Data\ESET
2010-04-26 16:41 . 2010-04-26 16:41 -------- d-----w- c:\temp\SamsungUniversalPrintDriver
2010-04-26 16:39 . 2010-04-26 16:41 -------- d-----w- c:\program files\SAMSUNG
2010-04-26 16:39 . 2010-04-26 16:39 -------- d-----w- c:\temp\ML-1710
2010-04-26 16:29 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-04-26 16:29 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-04-25 16:00 . 2010-04-25 16:00 -------- d-----w- c:\program files\Defraggler
2010-04-25 11:25 . 2008-01-09 10:28 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2010-04-24 09:55 . 2010-04-24 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-04-24 09:55 . 2010-04-24 09:55 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-24 09:21 . 2010-04-24 09:21 -------- d-----w- c:\documents and settings\Per\Application Data\Foxit
2010-04-24 09:21 . 2010-04-24 09:21 -------- d-----w- c:\program files\Foxit Software
2010-04-24 09:12 . 2010-04-24 09:12 -------- d-----w- c:\documents and settings\Per\Application Data\JAM Software
2010-04-24 09:09 . 2010-04-24 09:09 -------- d-----w- c:\program files\JAM Software
2010-04-24 09:08 . 2010-04-24 09:09 -------- d-----w- c:\program files\ImgBurn
2010-04-24 09:08 . 2009-05-13 16:51 19968 ----a-w- c:\windows\system32\drivers\imdisk.sys
2010-04-24 09:08 . 2009-02-09 13:16 9216 ----a-w- c:\windows\system32\drivers\awealloc.sys
2010-04-24 09:08 . 2009-05-13 16:51 10240 ----a-w- c:\windows\system32\imdsksvc.exe
2010-04-24 09:08 . 2009-05-13 16:51 35840 ----a-w- c:\windows\system32\imdisk.exe
2010-04-24 06:43 . 2010-04-24 06:43 -------- d-----w- c:\documents and settings\Per\DoctorWeb
2010-04-24 00:37 . 2004-10-15 16:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2010-04-24 00:37 . 2004-10-15 16:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2010-04-24 00:37 . 2004-10-15 16:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2010-04-24 00:37 . 2004-10-15 16:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2010-04-24 00:37 . 2010-04-24 00:37 -------- d-----w- c:\program files\Sygate
2010-04-23 23:51 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-23 23:51 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-23 23:51 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-23 23:49 . 2010-04-23 23:50 -------- dc-h--w- c:\windows\ie8
2010-04-23 23:47 . 2010-04-23 23:47 -------- d-----w- c:\program files\Trend Micro
2010-04-23 23:41 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-04-23 23:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-23 23:38 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-23 23:37 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-23 23:37 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-23 23:37 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-23 23:35 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-23 23:34 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-04-23 23:08 . 2010-04-23 23:22 -------- d-----w- c:\documents and settings\Per\Local Settings\Application Data\Spotify
2010-04-23 23:08 . 2010-04-23 23:13 -------- d-----w- c:\documents and settings\Per\Application Data\Spotify
2010-04-23 22:35 . 2010-04-23 22:35 -------- d-----w- c:\program files\Common Files\Java
2010-04-23 22:35 . 2010-04-23 22:35 503808 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\msvcp71.dll
2010-04-23 22:35 . 2010-04-23 22:35 499712 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\jmc.dll
2010-04-23 22:35 . 2010-04-23 22:35 348160 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\msvcr71.dll
2010-04-23 22:35 . 2010-04-23 22:35 61440 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45960d9c-n\decora-sse.dll
2010-04-23 22:35 . 2010-04-23 22:35 12800 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45960d9c-n\decora-d3d.dll
2010-04-23 22:35 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-23 20:53 . 2009-02-07 05:43 24576 ----a-w- c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
2010-04-23 20:53 . 2009-05-17 17:56 11776 ----a-w- c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}\platform\WINNT_x86-msvc\components\mgMouseService.dll
2010-04-23 19:33 . 2010-04-23 19:33 -------- d-----w- c:\program files\MAPILab Ltd
2010-04-23 19:32 . 2010-04-23 19:32 -------- d-----w- c:\windows\Downloaded Installations
2010-04-23 19:15 . 2010-04-23 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-03 20:55 . 2010-04-03 20:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 20:55 . 2010-04-03 20:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 20:55 . 2010-04-03 20:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 20:55 . 2010-04-03 20:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 20:55 . 2010-04-03 20:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 20:55 . 2010-04-03 20:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 17:23 . 2010-04-03 17:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 17:23 . 2010-04-03 17:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 17:23 . 2010-04-03 17:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 17:23 . 2010-04-03 17:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:23 . 2010-04-03 17:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 17:22 . 2010-04-03 17:22 81920 ----a-w- c:\windows\system32\nvwddi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 11:50 . 2009-04-19 08:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-25 11:24 . 2009-04-19 08:58 -------- d-----w- c:\program files\Sony Ericsson
2010-04-25 11:24 . 2009-03-13 21:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-25 11:23 . 2009-04-19 08:59 -------- d-----w- c:\program files\Avanquest update
2010-04-24 15:54 . 2009-04-22 19:18 -------- d-----w- c:\program files\Axis Communications
2010-04-24 09:59 . 2009-03-15 09:12 -------- d-----w- c:\program files\ESET
2010-04-24 08:43 . 2009-04-04 20:49 -------- d-----w- c:\documents and settings\Per\Application Data\Audacity
2010-04-23 23:31 . 2009-03-13 21:28 64752 ----a-w- c:\documents and settings\Per\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-23 22:54 . 2009-04-10 21:54 -------- d-----w- c:\program files\SpeedFan
2010-04-23 22:41 . 2009-04-04 06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-23 22:35 . 2009-04-08 16:54 -------- d-----w- c:\program files\Java
2010-04-23 20:28 . 2009-05-23 12:59 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 20:55 . 2009-03-14 05:16 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-03 20:55 . 2009-03-13 21:20 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 20:55 . 2007-10-04 08:14 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 20:55 . 2007-10-04 08:14 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 20:55 . 2007-10-04 08:14 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 20:55 . 2007-10-04 08:14 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 20:55 . 2007-10-04 08:14 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 20:55 . 2007-10-04 08:14 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-29 22:46 . 2009-04-04 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2009-04-04 06:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 07:49 . 2010-04-26 16:42 282624 ----a-w- c:\windows\system32\DscPnt.dll
2010-03-16 15:01 . 2010-04-26 16:42 141680 ----a-w- c:\windows\system32\SUPDSvcA.dll
2010-03-16 15:01 . 2010-04-26 16:42 132464 ----a-w- c:\windows\system32\SUPDSvc.exe
2010-03-16 15:00 . 2010-04-26 16:42 260464 ----a-w- c:\windows\SUPDRun.exe
2010-03-11 12:38 . 2010-03-11 12:38 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-10 06:15 . 2007-07-27 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:34 . 2010-04-26 16:42 157552 ----a-w- c:\windows\system32\spd__ci.exe
2010-02-25 06:24 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2007-07-27 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2007-07-27 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2007-07-27 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2007-07-27 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 16:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2007-07-27 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"Hard Disk Sentinel"="g:\program files\Hard Disk Sentinel\HDSentinel.exe" [2009-02-24 3198464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-10-12 614400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BankID Security Application.lnk - c:\program files\Personal\bin\Personal.exe [2009-5-3 939536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2009-04-04 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2009-04-04 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2010-04-25 90112]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2007-11-10 29728]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-04-25 27632]
S3 AWEAlloc;AWE Memory Allocation Driver;c:\windows\system32\drivers\awealloc.sys [2010-04-24 9216]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-04-19 13224]
S3 ImDisk;ImDisk Virtual Disk Driver;c:\windows\system32\drivers\imdisk.sys [2010-04-24 19968]
S3 ImDskSvc;ImDisk Virtual Disk Driver Helper;c:\windows\system32\imdsksvc.exe [2010-04-24 10240]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-04-18 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-04-18 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-04-18 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-04-18 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-04-18 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-04-18 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-04-18 115752]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2010-04-26 132464]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\User_Feed_Synchronization-{E51E9111-755F-4990-99AB-39BEABF9B266}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://81.232.99.43:60108/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.leta.se/
FF - component: c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-nwiz - nwiz.exe
AddRemove-SEF2000DeinstKey - f:\ef2000\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 17:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A82F010]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb811cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f57cb8
\Driver\atapi -> 0x8a82f010
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1844237615-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:34,16,57,02,3b,e5,67,7e,51,a1,ab,35,30,1a,60,b1,b1,bf,5b,05,40,89,12,
96,a7,85,da,07,ef,fa,f4,8e,87,76,cb,87,cd,98,ac,b8,36,d6,e1,e0,16,94,85,ad,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"D140111900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\WININET.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Sygate\SPF\smc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-04-27 17:27:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-27 15:27

Pre-Run: 29 363 150 848 bytes free
Post-Run: 29 497 999 360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6C9FD449C1900635182C35879C53C20F
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm
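As an added triage example (my own code, not a tool from this thread), here is a small Python parser that reads the Gmer MBR-detector and Sigcheck sections quoted above and reports the indicators worth acting on: a hook whose target is a bare address rather than a named module, a user/kernel MBR read mismatch, an MBR copy stored in a spare sector, and a system driver that could not be hashed while a copy with a valid hash exists in dllcache. The sample lines are copied from the second log above and embedded as a constructed string.

```python
import re
from collections import defaultdict

# Constructed sample: the MBR-detector and Sigcheck sections copied from the
# second ComboFix log in this thread (not live output).
SAMPLE_LOG = r"""device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A82F010]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb811cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f57cb8
\Driver\atapi -> 0x8a82f010
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 16:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "\Driver\X -> MODULE @ 0xADDR" or, for a hook into unnamed memory, "\Driver\X -> 0xADDR"
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s*->\s*(?:(\S+)\s*@\s*)?(0x[0-9A-Fa-f]+)\s*$")
MBR_COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)")
# ComboFix Sigcheck line: [flag] date [time] . hash . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\S+)(?:\s+\d\d:\d\d)?\s+\.\s+(?P<hash>.*?)"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_detector(text):
    """Extract the indicators from the Gmer 'Stealth MBR rootkit' section."""
    result = {"unknown_module": None, "hooks": [], "mbr_copy_sector": None,
              "user_read_failed": False}
    for line in text.splitlines():
        if line.startswith("user: error reading MBR"):
            # User-mode read fails while the kernel read succeeds: the two views differ.
            result["user_read_failed"] = True
        m = UNKNOWN_RE.search(line)
        if m:
            result["unknown_module"] = int(m.group(1), 16)
        m = HOOK_RE.match(line)
        if m:
            result["hooks"].append({"driver": m.group(1), "module": m.group(2),
                                    "address": int(m.group(3), 16)})
        m = MBR_COPY_RE.search(line)
        if m:
            result["mbr_copy_sector"] = int(m.group(1))
    return result


def parse_sigcheck(text):
    """Extract path, hash and readability from each Sigcheck line."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line)
        if not m:
            continue
        h = m.group("hash")
        unreadable = h.startswith("!")          # "!HASH: COULD NOT OPEN FILE"
        entries.append({"path": m.group("path"), "readable": not unreadable,
                        "hash": None if unreadable else h, "version": m.group("ver")})
    return entries


def triage(text):
    """Summarise the findings a helper would act on from the combined log text."""
    det = parse_detector(text)
    findings = {
        "user_read_failed": det["user_read_failed"],
        "mbr_backup_sector": det["mbr_copy_sector"],
        # (driver, True if the hook address is the UNKNOWN entry of the call chain)
        "hooks_to_unnamed_memory": [
            (h["driver"], det["unknown_module"] is not None
             and h["address"] == det["unknown_module"])
            for h in det["hooks"] if h["module"] is None],
        "unreadable_drivers": {},
    }
    # Group Sigcheck entries by file name so an unreadable on-disk driver can be
    # paired with the copies (dllcache, ServicePackFiles) whose hash was verified.
    by_name = defaultdict(list)
    for e in parse_sigcheck(text):
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    for name, copies in by_name.items():
        bad = [e["path"] for e in copies if not e["readable"]]
        if bad:
            findings["unreadable_drivers"][name] = {
                "unreadable": bad,
                "known_good_hashes": sorted({e["hash"] for e in copies if e["readable"]}),
            }
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```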

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 27th, 2010, 1:26 pm

Hi pimse,

Please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!

Restart the computer and log on to the Recovery Console.

As soon as the computer starts there will be a black screen with white writing displayed for a few seconds.

On this screen there will be the options to boot Microsoft Windows XP or
Microsoft Windows Recovery Console

Use the cursor keys to select Microsoft Windows Recovery Console then press enter.

Windows will boot to a text based screen and ask you to select the installation to log into, please choose the correct one, usually option 1 and press enter.

Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat


You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and post (or attach) the log produced, C:\looklog.txt
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 27th, 2010, 2:29 pm

Is there any alternative site to download maxlook?

I've got an error message when trying to download maxlook!

Thanks

pimse
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 27th, 2010, 3:14 pm

Unfortunately there are no other download links for that tool. Please try again later; if it is still not available later then I will contact the author of the tool.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 27th, 2010, 3:21 pm

OK, I will do so!

Thanks

pimse
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 28th, 2010, 3:17 am

Hi pimse,

The link is working again now.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 28th, 2010, 8:32 am

Hi,

Here is the looklog.


Run from C:\Documents and Settings\Per\Desktop\maxlook.exe on 2010-04-28 at 14:29:00,54

--------- maxlook unsigned files ---------

c:\windows\maxdriver\a347bus.sys:
	Verified:	Unsigned
	File date:	09:37 2004-04-30
	Publisher:	 
	Description:	Plug and Play BIOS Extension
	Product:	 
	Version:	3.47.0.0
	File version:	3.47.0.0 built by: WinDDK
c:\windows\maxdriver\a347scsi.sys:
	Verified:	Unsigned
	File date:	09:33 2004-04-30
	Publisher:	 
	Description:	SCSI miniport
	Product:	 
	Version:	3.47.0.0
	File version:	3.47.0.0 built by: WinDDK
c:\windows\maxdriver\awealloc.sys:
	Verified:	Unsigned
	File date:	15:16 2009-02-09
	Publisher:	Olof Lagerkvist
	Description:	AWE Allocation Driver
	Product:	imdisk
	Version:	1.1.3.1
	File version:	1.1.3.1
c:\windows\maxdriver\axsaki.sys:
	Verified:	Unsigned
	File date:	21:38 2003-03-30
	Publisher:	 
	Description:	SCSI miniport
	Product:	 
	Version:	3.32.0.0
	File version:	3.32.0.0
c:\windows\maxdriver\axskbus.sys:
	Verified:	Unsigned
	File date:	11:58 2003-03-28
	Publisher:	 
	Description:	Plug and Play BIOS Extension
	Product:	 
	Version:	3.32.0.0
	File version:	3.32.0.0
c:\windows\maxdriver\ElbyCDFL.sys:
	Verified:	Unsigned
	File date:	17:34 2005-05-03
	Publisher:	SlySoft, Inc.
	Description:	ElbyCDIO Filter Driver
	Product:	CloneCD
	Version:	5, 2, 1, 2
	File version:	5, 2, 1, 2
c:\windows\maxdriver\ElbyCDIO.sys:
	Verified:	Unsigned
	File date:	03:44 2006-04-22
	Publisher:	Elaborate Bytes AG
	Description:	ElbyCD Windows NT/2000/XP I/O driver
	Product:	CDRTools
	Version:	6, 0, 0, 0
	File version:	6, 0, 0, 0
c:\windows\maxdriver\imdisk.sys:
	Verified:	Unsigned
	File date:	18:51 2009-05-13
	Publisher:	Olof Lagerkvist
	Description:	ImDisk Virtual Disk Driver
	Product:	imdisk
	Version:	1.1.4.23
	File version:	1.1.4.23
c:\windows\maxdriver\maplom.sys:
	Verified:	Unsigned
	File date:	15:02 2004-05-12
	Publisher:	Jacal Consulting Pty Ltd
	Description:	GameJackal driver
	Product:	GameJackal
	Version:	2.0.0.1052
	File version:	2.0.0.1052
c:\windows\maxdriver\sfdrv01.sys:
	Verified:	Unsigned
	File date:	14:44 2005-08-10
	Publisher:	Protection Technology
	Description:	StarForce Protection Environment Driver
	Product:	StarForce Protection System
	Version:	3.4
	File version:	1.37
c:\windows\maxdriver\sfhlp02.sys:
	Verified:	Unsigned
	File date:	15:20 2005-05-16
	Publisher:	Protection Technology
	Description:	StarForce Protection Helper Driver
	Product:	StarForce Protection System
	Version:	3.4
	File version:	2.3
c:\windows\maxdriver\sfsync02.sys:
	Verified:	Unsigned
	File date:	16:06 2005-08-10
	Publisher:	Protection Technology
	Description:	StarForce Protection Synchronization Driver
	Product:	StarForce Protection System
	Version:	3.4
	File version:	2.12
c:\windows\maxdriver\sfvfs02.sys:
	Verified:	Unsigned
	File date:	15:55 2005-08-24
	Publisher:	Protection Technology
	Description:	StarForce Protection VFS Driver
	Product:	StarForce Protection System
	Version:	3.5
	File version:	2.10
c:\windows\maxdriver\Teefer.sys:
	Verified:	Unsigned
	File date:	18:17 2004-10-15
	Publisher:	Sygate Technologies, Inc.
	Description:	Teefer Driver
	Product:	Sygate Teefer Driver
	Version:	1.60.1101
	File version:	1.60.1101
c:\windows\maxdriver\wpsdrvnt.sys:
	Verified:	Unsigned
	File date:	18:18 2004-10-15
	Publisher:	Sygate Technologies, Inc.
	Description:	wpsdrvnt
	Product:	wpsdrvnt
	Version:	1, 0, 0, 17
	File version:	1, 0, 0, 17

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\a347bus.sys:
	Verified:	Unsigned
	File date:	09:37 2004-04-30
	Publisher:	 
	Description:	Plug and Play BIOS Extension
	Product:	 
	Version:	3.47.0.0
	File version:	3.47.0.0 built by: WinDDK
c:\windows\system32\drivers\a347scsi.sys:
	Verified:	Unsigned
	File date:	09:33 2004-04-30
	Publisher:	 
	Description:	SCSI miniport
	Product:	 
	Version:	3.47.0.0
	File version:	3.47.0.0 built by: WinDDK
c:\windows\system32\drivers\atapi.sys:
	Verified:	Error accessing file
	Publisher:	n/a
	Description:	n/a
	Product:	n/a
	Version:	n/a
	File version:	n/a
c:\windows\system32\drivers\awealloc.sys:
	Verified:	Unsigned
	File date:	15:16 2009-02-09
	Publisher:	Olof Lagerkvist
	Description:	AWE Allocation Driver
	Product:	imdisk
	Version:	1.1.3.1
	File version:	1.1.3.1
c:\windows\system32\drivers\axsaki.sys:
	Verified:	Unsigned
	File date:	21:38 2003-03-30
	Publisher:	 
	Description:	SCSI miniport
	Product:	 
	Version:	3.32.0.0
	File version:	3.32.0.0
c:\windows\system32\drivers\axskbus.sys:
	Verified:	Unsigned
	File date:	11:58 2003-03-28
	Publisher:	 
	Description:	Plug and Play BIOS Extension
	Product:	 
	Version:	3.32.0.0
	File version:	3.32.0.0
c:\windows\system32\drivers\ElbyCDFL.sys:
	Verified:	Unsigned
	File date:	17:34 2005-05-03
	Publisher:	SlySoft, Inc.
	Description:	ElbyCDIO Filter Driver
	Product:	CloneCD
	Version:	5, 2, 1, 2
	File version:	5, 2, 1, 2
c:\windows\system32\drivers\ElbyCDIO.sys:
	Verified:	Unsigned
	File date:	03:44 2006-04-22
	Publisher:	Elaborate Bytes AG
	Description:	ElbyCD Windows NT/2000/XP I/O driver
	Product:	CDRTools
	Version:	6, 0, 0, 0
	File version:	6, 0, 0, 0
c:\windows\system32\drivers\imdisk.sys:
	Verified:	Unsigned
	File date:	18:51 2009-05-13
	Publisher:	Olof Lagerkvist
	Description:	ImDisk Virtual Disk Driver
	Product:	imdisk
	Version:	1.1.4.23
	File version:	1.1.4.23
c:\windows\system32\drivers\maplom.sys:
	Verified:	Unsigned
	File date:	15:02 2004-05-12
	Publisher:	Jacal Consulting Pty Ltd
	Description:	GameJackal driver
	Product:	GameJackal
	Version:	2.0.0.1052
	File version:	2.0.0.1052
c:\windows\system32\drivers\sfdrv01.sys:
	Verified:	Unsigned
	File date:	14:44 2005-08-10
	Publisher:	Protection Technology
	Description:	StarForce Protection Environment Driver
	Product:	StarForce Protection System
	Version:	3.4
	File version:	1.37
c:\windows\system32\drivers\sfhlp02.sys:
	Verified:	Unsigned
	File date:	15:20 2005-05-16
	Publisher:	Protection Technology
	Description:	StarForce Protection Helper Driver
	Product:	StarForce Protection System
	Version:	3.4
	File version:	2.3
c:\windows\system32\drivers\sfsync02.sys:
	Verified:	Unsigned
	File date:	16:06 2005-08-10
	Publisher:	Protection Technology
	Description:	StarForce Protection Synchronization Driver
	Product:	StarForce Protection System
	Version:	3.4
	File version:	2.12
c:\windows\system32\drivers\sfvfs02.sys:
	Verified:	Unsigned
	File date:	15:55 2005-08-24
	Publisher:	Protection Technology
	Description:	StarForce Protection VFS Driver
	Product:	StarForce Protection System
	Version:	3.5
	File version:	2.10
c:\windows\system32\drivers\Teefer.sys:
	Verified:	Unsigned
	File date:	18:17 2004-10-15
	Publisher:	Sygate Technologies, Inc.
	Description:	Teefer Driver
	Product:	Sygate Teefer Driver
	Version:	1.60.1101
	File version:	1.60.1101
c:\windows\system32\drivers\wpsdrvnt.sys:
	Verified:	Unsigned
	File date:	18:18 2004-10-15
	Publisher:	Sygate Technologies, Inc.
	Description:	wpsdrvnt
	Product:	wpsdrvnt
	Version:	1, 0, 0, 17
	File version:	1, 0, 0, 17
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm
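A triage pass over a maxlook log in the layout posted above, added here as an example; it is not part of the thread and not maxlook's own code. The sample lines are constructed from three of the entries above (a347bus.sys, atapi.sys, imdisk.sys), and the severity rules and the inbox-driver list are my assumptions, not anything maxlook or the helper states:

```python
"""Triage helper for a maxlook 'unsigned files' log (added example, not maxlook's code)."""
from dataclasses import dataclass, field

# Constructed sample in the maxlook layout used in the thread: a 'Run from' header,
# a section banner, then one block per file (path line ending in ':' followed by
# tab-indented 'Key:<tab>Value' lines). Values are copied from the entries above.
SAMPLE_LOG = "\n".join([
    "Run from C:\\Documents and Settings\\Per\\Desktop\\maxlook.exe on 2010-04-28 at 14:29:00,54",
    "",
    "--------- system32\\drivers unsigned files ---------",
    "",
    "c:\\windows\\system32\\drivers\\a347bus.sys:",
    "\tVerified:\tUnsigned",
    "\tFile date:\t09:37 2004-04-30",
    "\tPublisher:\t",
    "\tDescription:\tPlug and Play BIOS Extension",
    "\tProduct:\t",
    "\tVersion:\t3.47.0.0",
    "\tFile version:\t3.47.0.0 built by: WinDDK",
    "c:\\windows\\system32\\drivers\\atapi.sys:",
    "\tVerified:\tError accessing file",
    "\tPublisher:\tn/a",
    "\tDescription:\tn/a",
    "\tProduct:\tn/a",
    "\tVersion:\tn/a",
    "\tFile version:\tn/a",
    "c:\\windows\\system32\\drivers\\imdisk.sys:",
    "\tVerified:\tUnsigned",
    "\tFile date:\t18:51 2009-05-13",
    "\tPublisher:\tOlof Lagerkvist",
    "\tDescription:\tImDisk Virtual Disk Driver",
    "\tProduct:\timdisk",
    "\tVersion:\t1.1.4.23",
    "\tFile version:\t1.1.4.23",
])

# Partial, constructed list of Windows XP inbox drivers that load at boot; any of
# these turning up in an unsigned/inaccessible list deserves a closer look.
INBOX_DRIVERS = {"atapi.sys", "disk.sys", "ntfs.sys", "classpnp.sys", "ndis.sys", "tcpip.sys"}
SYSTEM_DRIVER_DIR = "\\system32\\drivers\\"


@dataclass
class Entry:
    path: str
    fields: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    def publisher(self) -> str:
        # maxlook prints a blank or 'n/a' publisher when it has nothing; treat both as missing
        value = self.fields.get("Publisher", "").strip()
        return "" if value.lower() == "n/a" else value


def parse_maxlook(text: str) -> list[Entry]:
    """Split the log into one Entry per file block; banners and the run header are skipped."""
    entries: list[Entry] = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("---------"):
            continue
        if raw.startswith("\t"):
            if current is None:
                continue  # attribute line before any file header: ignore it
            key, _, value = raw.lstrip("\t").partition(":")
            current.fields[key.strip()] = value.strip()
        elif raw.endswith(":"):
            current = Entry(path=raw[:-1].strip())
            entries.append(current)
    return entries


def triage(entry: Entry) -> tuple[str, str]:
    """Assumed severity rules: return (severity, reason) for one entry."""
    verified = entry.fields.get("Verified", "")
    in_sys_dir = SYSTEM_DRIVER_DIR in entry.path.lower()
    if verified == "Error accessing file" and in_sys_dir:
        # An installed driver the checker cannot even open is the case the thread is chasing:
        # verify it from outside the running system (offline copy or known-good hash).
        return ("HIGH", "installed driver cannot be opened for a signature check")
    if entry.name in INBOX_DRIVERS:
        return ("HIGH", "Windows inbox boot driver listed as unverified")
    if verified == "Unsigned" and not entry.publisher():
        return ("MEDIUM", "unsigned with no publisher string; identify the owning product first")
    if verified == "Unsigned":
        return ("LOW", f"unsigned third-party driver, publisher '{entry.publisher()}'")
    return ("INFO", verified or "no Verified field")


def triage_report(text: str) -> list[tuple[str, str, str]]:
    """(path, severity, reason) for every entry, highest severity first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    rows = [(e.path, *triage(e)) for e in parse_maxlook(text)]
    rows.sort(key=lambda row: order[row[1]])
    return rows


if __name__ == "__main__":
    for path, severity, reason in triage_report(SAMPLE_LOG):
        print(f"{severity:<6} {path}\n       {reason}")
```

Run against the full looklog.txt, the same rules put the inaccessible atapi.sys at the top and the named-publisher drivers (Sygate, StarForce, ImDisk, CloneCD) at the bottom, which is the order a helper would work through them.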

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 28th, 2010, 9:07 am

Hi pimse,

Custom OTL scan
  • Double click on OTL.exe to run it.
  • Under the Custom Scan box paste this in
    Code:
    /md5start
    atapi.sys
    /md5stop
    
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • Please post the contents of OTL.txt in your next reply.

TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop.
  • Next double-click the tdsskiller Folder on your desktop.
  • Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    Code:
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 28th, 2010, 9:22 am

Hi,

OTL log

OTL logfile created on: 2010-04-28 15:12:01 - Run 3
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Per\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 80,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 91,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 27,38 Gb Free Space | 56,07% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 48,83 Gb Total Space | 28,46 Gb Free Space | 58,29% Space Free | Partition Type: NTFS
Drive G: | 97,65 Gb Total Space | 23,75 Gb Free Space | 24,32% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
Drive I: | 102,78 Gb Total Space | 7,93 Gb Free Space | 7,71% Space Free | Partition Type: NTFS

Computer Name: DUO
Current User Name: Per
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Per\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
PRC - C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
PRC - C:\Program Files\Personal\bin\Personal.exe (Technology Nexus AB)
PRC - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe ()
PRC - G:\Program Files\Hard Disk Sentinel\HDSentinel.exe (H.D.S. Hungary)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Per\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\SSSensor.dll (Sygate Technologies, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (NMSAccessU) -- File not found
SRV - (Samsung UPD Service) -- C:\WINDOWS\System32\SUPDSvc.exe (Samsung Electronics CO., LTD.)
SRV - (EhttpSrv) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (ESET)
SRV - (ekrn) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
SRV - (ImDskSvc) -- C:\WINDOWS\system32\imdsksvc.exe (Olof Lagerkvist)
SRV - (OMSI download service) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe ()
SRV - (SmcService) -- C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)


========== Driver Services (SafeList) ==========

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (epfwtdir) -- C:\WINDOWS\system32\drivers\epfwtdir.sys (ESET)
DRV - (ehdrv) -- C:\WINDOWS\system32\drivers\ehdrv.sys (ESET)
DRV - (eamon) -- C:\WINDOWS\system32\drivers\eamon.sys (ESET)
DRV - (ImDisk) -- C:\WINDOWS\system32\drivers\imdisk.sys (Olof Lagerkvist)
DRV - (ggsemc) -- C:\WINDOWS\system32\drivers\ggsemc.sys (Sony Ericsson Mobile Communications)
DRV - (ggflt) -- C:\WINDOWS\system32\drivers\ggflt.sys (Sony Ericsson Mobile Communications)
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows (R) 2000 DDK provider)
DRV - (AWEAlloc) -- C:\WINDOWS\system32\drivers\awealloc.sys (Olof Lagerkvist)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM) -- C:\WINDOWS\system32\drivers\s0016unic.sys (MCCI Corporation)
DRV - (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS) -- C:\WINDOWS\system32\drivers\s0016nd5.sys (MCCI Corporation)
DRV - (s0016mdfl) -- C:\WINDOWS\system32\drivers\s0016mdfl.sys (MCCI Corporation)
DRV - (s0016mdm) -- C:\WINDOWS\system32\drivers\s0016mdm.sys (MCCI Corporation)
DRV - (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s0016mgmt.sys (MCCI Corporation)
DRV - (s0016obex) -- C:\WINDOWS\system32\drivers\s0016obex.sys (MCCI Corporation)
DRV - (s0016bus) Sony Ericsson Device 0016 driver (WDM) -- C:\WINDOWS\system32\drivers\s0016bus.sys (MCCI Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (atapi) -- C:\WINDOWS\system32\DRIVERS\atapi.sys ()
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (seehcri) -- C:\WINDOWS\system32\drivers\seehcri.sys (Sony Ericsson Mobile Communications)
DRV - (NVHDA) -- C:\WINDOWS\system32\drivers\nvhda32.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows (R) 2000 DDK provider)
DRV - (ElbyCDIO) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (sfvfs02) StarForce Protection VFS Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (sfsync02) StarForce Protection Synchronization Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (ElbyCDFL) -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys (SlySoft, Inc.)
DRV - (wg6n) -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys (Sygate Technologies, Inc.)
DRV - (wg5n) -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys (Sygate Technologies, Inc.)
DRV - (wg4n) -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys (Sygate Technologies, Inc.)
DRV - (wg3n) -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys (Sygate Technologies, Inc.)
DRV - (wpsdrvnt) -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Sygate Technologies, Inc.)
DRV - (Teefer) -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys (Sygate Technologies, Inc.)
DRV - (Maplom) -- C:\WINDOWS\system32\drivers\maplom.sys (Jacal Consulting Pty Ltd)
DRV - (a347bus) -- C:\WINDOWS\system32\DRIVERS\a347bus.sys ( )
DRV - (a347scsi) -- C:\WINDOWS\System32\Drivers\a347scsi.sys ( )
DRV - (axsaki) -- C:\WINDOWS\system32\drivers\axsaki.sys ( )
DRV - (axskbus) -- C:\WINDOWS\system32\drivers\axskbus.sys ( )
DRV - (msgame) -- C:\WINDOWS\system32\drivers\msgame.sys (Microsoft Corporation)
DRV - (hidgame) -- C:\WINDOWS\system32\drivers\hidgame.sys (Microsoft Corporation)
DRV - (es1371) Creative AudioPCI (ES1371,ES1373) (WDM) -- C:\WINDOWS\system32\drivers\es1371mp.sys (Creative Technology Ltd.)
DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://se.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = sv
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 38 99 F1 6B 45 DE C9 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.leta.se/"
FF - prefs.js..extensions.enabledItems: {F33233B3-EDB1-41f4-8482-917AB190E647}:3.0
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: {21cfaec0-dbb3-11dc-95ff-0800200c9a66}:1.1.2.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..extensions.enabledItems: {8b86149f-01fb-4842-9dd8-4d7eb02fd055}:0.21.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-04-23 23:13:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-04-24 11:21:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010-04-23 21:15:21 | 000,000,000 | ---D | M]

[2009-04-08 19:16:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Mozilla\Extensions
[2010-04-24 01:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (Easy DragToGo) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{21cfaec0-dbb3-11dc-95ff-0800200c9a66}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (Tab Saver!) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{7A074BE0-2326-436d-B473-029FAEBEB5C6}
[2010-04-23 23:09:47 | 000,000,000 | ---D | M] (All-in-One Gestures) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{8b86149f-01fb-4842-9dd8-4d7eb02fd055}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010-04-23 22:53:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010-04-23 22:53:52 | 000,000,000 | ---D | M] (Add Bookmark Here) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{F33233B3-EDB1-41f4-8482-917AB190E647}
[2010-04-23 22:53:52 | 000,000,000 | ---D | M] (Mouse Gestures Redox) -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\firefox@red-cog.com
[2010-04-23 22:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
[2010-04-24 00:35:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010-04-24 00:35:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010-04-12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010-04-24 11:21:01 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2010-04-01 19:42:59 | 000,001,470 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\allaannonser-sv-SE.xml
[2010-04-01 19:42:59 | 000,002,670 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\prisjakt-sv-SE.xml
[2010-04-01 19:42:59 | 000,000,948 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\tyda-sv-SE.xml
[2010-04-01 19:42:59 | 000,001,174 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-sv-SE.xml
[2010-04-01 19:42:59 | 000,000,951 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-sv-SE.xml

O1 HOSTS File: ([2010-04-27 17:25:06 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [Hard Disk Sentinel] G:\Program Files\Hard Disk Sentinel\HDSentinel.exe (H.D.S. Hungary)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\Run: [SmcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BankID Security Application.lnk = C:\Program Files\Personal\bin\Personal.exe (Technology Nexus AB)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Reg Error: Key error. File not found
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/ ... ontrol.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shoc ... tor/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupda ... 2062205156 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdat ... /opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://81.232.99.43:60108/activex/AMC.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-03-14 06:32:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010-04-28 14:29:00 | 000,220,024 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\sigcheck.exe
[2010-04-28 14:24:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\maxdriver
[2010-04-27 17:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Local Settings\Application Data\ESET
[2010-04-27 17:17:07 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010-04-27 17:16:41 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010-04-27 17:16:40 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010-04-27 17:16:40 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010-04-27 17:16:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010-04-27 17:16:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010-04-27 15:46:42 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Per\Desktop\OTL.exe
[2010-04-26 18:42:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\Samsung
[2010-04-26 18:42:01 | 000,218,112 | ---- | C] (SEC) -- C:\WINDOWS\System32\SIPDUtil.dll
[2010-04-26 18:42:01 | 000,157,552 | ---- | C] (SS) -- C:\WINDOWS\System32\spd__ci.exe
[2010-04-26 18:42:01 | 000,141,680 | ---- | C] (Samsung Electronics CO., LTD.) -- C:\WINDOWS\System32\SUPDSvcA.dll
[2010-04-26 18:42:01 | 000,132,464 | ---- | C] (Samsung Electronics CO., LTD.) -- C:\WINDOWS\System32\SUPDSvc.exe
[2010-04-26 18:42:01 | 000,065,536 | ---- | C] (SS) -- C:\WINDOWS\System32\spd__ci.dll
[2010-04-26 18:39:23 | 000,000,000 | ---D | C] -- C:\Program Files\SAMSUNG
[2010-04-25 18:00:42 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2010-04-25 13:25:29 | 000,027,632 | ---- | C] (Sony Ericsson Mobile Communications) -- C:\WINDOWS\System32\drivers\seehcri.sys
[2010-04-24 11:55:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
[2010-04-24 11:55:29 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010-04-24 11:21:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Application Data\Foxit
[2010-04-24 11:21:09 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010-04-24 11:12:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Application Data\JAM Software
[2010-04-24 11:09:43 | 000,000,000 | ---D | C] -- C:\Program Files\JAM Software
[2010-04-24 11:08:56 | 000,000,000 | ---D | C] -- C:\Program Files\ImgBurn
[2010-04-24 11:08:28 | 000,019,968 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\drivers\imdisk.sys
[2010-04-24 11:08:28 | 000,009,216 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\drivers\awealloc.sys
[2010-04-24 11:08:27 | 000,080,384 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\imdisk.cpl
[2010-04-24 11:08:27 | 000,035,840 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\imdisk.exe
[2010-04-24 11:08:27 | 000,010,240 | ---- | C] (Olof Lagerkvist) -- C:\WINDOWS\System32\imdsksvc.exe
[2010-04-24 11:02:51 | 000,741,744 | ---- | C] (RealVNC Ltd. ) -- C:\Documents and Settings\Per\My Documents\vnc-4_1_3-x86_win32.exe
[2010-04-24 11:02:34 | 267,940,236 | ---- | C] (UBCD4Win Team - Benjamin Burrows ) -- C:\Documents and Settings\Per\My Documents\UBCD4WinV350.exe
[2010-04-24 11:02:24 | 021,663,557 | ---- | C] (Samsung ) -- C:\Documents and Settings\Per\My Documents\SamsungUniversalPrintDriver_PS.exe
[2010-04-24 11:01:46 | 011,714,981 | ---- | C] (Extensoft) -- C:\Documents and Settings\Per\My Documents\FreeTaskManager.exe
[2010-04-24 11:01:42 | 013,062,272 | ---- | C] (Fengtao Software Inc. ) -- C:\Documents and Settings\Per\My Documents\DVDFab6070.exe
[2010-04-24 11:01:39 | 000,670,072 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Per\My Documents\autoruns.exe
[2010-04-24 11:01:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\WNC-0301V3(CD)
[2010-04-24 11:01:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\WNC-0301USBV3(CD)
[2010-04-24 11:01:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\winbuild
[2010-04-24 11:01:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\Video Converter
[2010-04-24 11:00:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\SysinternalsSuite
[2010-04-24 11:00:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\Spotify_ripper
[2010-04-24 10:59:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\siv
[2010-04-24 10:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\nod32ubcd
[2010-04-24 10:58:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\New Folder
[2010-04-24 10:51:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\My Downloads
[2010-04-24 10:50:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\joomla
[2010-04-24 10:47:26 | 004,411,392 | ---- | C] (Gabest) -- C:\Documents and Settings\Per\Desktop\mplayerc.exe
[2010-04-24 10:47:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\f305
[2010-04-24 10:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\ENG
[2010-04-24 10:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\dvds
[2010-04-24 10:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\bp
[2010-04-24 10:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\bin2iso
[2010-04-24 10:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\belos
[2010-04-24 10:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\Alcohol 120%
[2010-04-24 08:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\DoctorWeb
[2010-04-24 02:37:44 | 000,060,496 | ---- | C] (Sygate Technologies, Inc.) -- C:\WINDOWS\System32\drivers\Teefer.sys
[2010-04-24 02:37:44 | 000,014,568 | ---- | C] (Sygate Technologies, Inc.) -- C:\WINDOWS\System32\drivers\wg3n.sys
[2010-04-24 02:37:43 | 000,021,075 | ---- | C] (Sygate Technologies, Inc.) -- C:\WINDOWS\System32\drivers\wpsdrvnt.sys
[2010-04-24 02:37:42 | 000,083,096 | ---- | C] (Sygate Technologies, Inc.) -- C:\WINDOWS\System32\SSSensor.dll
[2010-04-24 02:37:39 | 000,000,000 | ---D | C] -- C:\Program Files\Sygate
[2010-04-24 01:49:57 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010-04-24 01:47:43 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010-04-24 01:29:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\swreg.exe
[2010-04-24 01:26:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010-04-24 01:10:18 | 001,304,576 | ---- | C] (Norman ASA) -- C:\Documents and Settings\Per\Desktop\Norman_Sinowal_Cleaner.exe
[2010-04-24 01:10:17 | 000,069,632 | ---- | C] (Auto Debug System) -- C:\Documents and Settings\Per\Desktop\KillProcess.exe
[2010-04-24 01:10:14 | 013,062,272 | ---- | C] (Fengtao Software Inc. ) -- C:\Documents and Settings\Per\Desktop\DVDFab6070.exe
[2010-04-24 01:09:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Desktop\txt
[2010-04-24 01:09:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Desktop\New Folder (6)
[2010-04-24 01:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Local Settings\Application Data\Spotify
[2010-04-24 01:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\Application Data\Spotify
[2010-04-24 01:01:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\McafeeRootkitDetective
[2010-04-24 01:01:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per\My Documents\Hämtade filer
[2010-04-24 00:35:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010-04-24 00:35:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010-04-23 21:33:08 | 000,000,000 | ---D | C] -- C:\Program Files\MAPILab Ltd
[2010-04-23 21:32:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2010-04-23 21:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010-04-03 22:55:32 | 000,061,440 | ---- | C] (Khronos Group) -- C:\WINDOWS\System32\OpenCL.dll
[2009-04-04 17:02:56 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2009-04-04 17:02:56 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[2003-03-30 21:38:18 | 000,102,624 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\axsaki.sys
[2003-03-28 11:58:42 | 000,008,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\axskbus.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010-04-28 15:07:45 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E51E9111-755F-4990-99AB-39BEABF9B266}.job
[2010-04-28 14:31:56 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-04-28 14:31:56 | 000,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-04-28 14:31:56 | 000,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-04-28 14:27:51 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-04-28 14:27:39 | 000,276,202 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010-04-28 14:27:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-04-28 14:27:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-04-28 14:24:50 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Per\NTUSER.DAT
[2010-04-28 14:24:43 | 004,314,128 | -H-- | M] () -- C:\Documents and Settings\Per\Local Settings\Application Data\IconCache.db
[2010-04-28 14:24:19 | 000,013,409 | ---- | M] () -- C:\WINDOWS\look.bat
[2010-04-28 06:03:58 | 001,138,992 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\maxlook.exe
[2010-04-27 17:25:27 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010-04-27 17:25:06 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010-04-27 17:17:10 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010-04-27 17:14:50 | 003,920,068 | R--- | M] () -- C:\Documents and Settings\Per\Desktop\ComboFix.exe
[2010-04-27 17:04:47 | 003,919,003 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\ComboFix.exe.part
[2010-04-27 16:09:22 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Per\ntuser.ini
[2010-04-27 15:47:09 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\z10hn0xd.exe
[2010-04-27 15:46:46 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Per\Desktop\OTL.exe
[2010-04-26 20:21:53 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\MemberImport.xls
[2010-04-26 17:54:35 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\rik.xls
[2010-04-26 17:54:35 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Bok1.xls
[2010-04-26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010-04-25 17:46:51 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Per\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-04-25 13:25:28 | 000,001,855 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sony Ericsson PC Suite 6.0.lnk
[2010-04-24 17:58:19 | 000,002,406 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175817.reg
[2010-04-24 17:58:07 | 000,015,076 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175804.reg
[2010-04-24 17:55:36 | 000,029,894 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175533.reg
[2010-04-24 11:47:48 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010-04-24 11:38:28 | 000,002,163 | ---- | M] () -- C:\WINDOWS\WINCMD.INI
[2010-04-24 11:21:22 | 000,000,883 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2010-04-24 11:08:59 | 000,001,528 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ImgBurn.lnk
[2010-04-24 10:45:08 | 000,000,579 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\HTTrack Website Copier.lnk
[2010-04-24 10:45:02 | 000,000,697 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\CCleaner.lnk
[2010-04-24 10:44:57 | 000,000,591 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\DVD Shrink 3.2.lnk
[2010-04-24 10:44:13 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Look@LAN.lnk
[2010-04-24 10:44:00 | 000,000,551 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Game Jackal.lnk
[2010-04-24 10:43:53 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IrfanView.lnk
[2010-04-24 10:43:39 | 000,000,595 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Shortcut to AboutTime.exe.lnk
[2010-04-24 10:43:34 | 000,000,531 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\XnView.lnk
[2010-04-24 10:43:27 | 000,000,686 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Shortcut to audacity.exe.lnk
[2010-04-24 10:43:26 | 000,000,693 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Shortcut to EasyClea.exe.lnk
[2010-04-24 08:25:34 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Hard Disk Sentinel.lnk
[2010-04-24 08:25:21 | 000,000,766 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\DVD Decrypter.lnk
[2010-04-24 08:25:10 | 000,000,473 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\GT Legends.lnk
[2010-04-24 02:32:37 | 009,228,440 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\spf.exe
[2010-04-24 02:24:23 | 000,000,743 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CDBurnerXP.lnk
[2010-04-24 02:19:21 | 000,245,512 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010-04-24 01:31:48 | 000,064,752 | ---- | M] () -- C:\Documents and Settings\Per\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010-04-24 01:08:02 | 000,000,607 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Spotify.lnk
[2010-04-24 00:55:25 | 000,000,918 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Age of Empires II.lnk
[2010-04-24 00:39:08 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IL-2 Sturmovik 1946.lnk
[2010-04-24 00:30:05 | 000,000,486 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010-04-24 00:29:39 | 000,000,642 | ---- | M] () -- C:\WINDOWS\win.ini
[2010-04-23 22:43:33 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010-04-23 21:41:43 | 000,000,139 | ---- | M] () -- C:\WINDOWS\wcx_ftp.ini
[2010-04-22 22:30:12 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\NTREGOPT.lnk
[2010-04-22 22:30:12 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\ERUNT.lnk
[2010-04-22 22:28:01 | 000,794,112 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\The_Comedian.exe
[2010-04-22 21:57:53 | 001,304,576 | ---- | M] (Norman ASA) -- C:\Documents and Settings\Per\Desktop\Norman_Sinowal_Cleaner.exe
[2010-04-22 14:54:48 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\settings.dat
[2010-04-22 12:56:25 | 001,872,472 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\SmitfraudFix.exe
[2010-04-22 07:32:04 | 000,001,414 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\shutdown.exe.lnk
[2010-04-21 23:51:09 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\E-mail.lnk
[2010-04-17 11:42:37 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Webkamera Gång.doc
[2010-04-03 22:55:32 | 002,183,470 | ---- | M] () -- C:\WINDOWS\System32\nvdata.bin
[2010-04-03 22:55:32 | 000,061,440 | ---- | M] (Khronos Group) -- C:\WINDOWS\System32\OpenCL.dll
[2010-04-03 22:55:32 | 000,025,755 | ---- | M] () -- C:\WINDOWS\System32\nvdisp.nvu
[2010-04-03 22:55:32 | 000,009,046 | ---- | M] () -- C:\WINDOWS\System32\nvinfo.pb
[2010-04-03 19:22:32 | 000,066,714 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2010-03-30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-03-30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-03-25 09:49:36 | 000,282,624 | ---- | M] () -- C:\WINDOWS\System32\DscPnt.dll
[2010-03-21 10:06:39 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\You.doc
[2010-03-21 10:06:39 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Per\My Documents\~$You.doc
[2010-03-16 17:01:58 | 000,141,680 | ---- | M] (Samsung Electronics CO., LTD.) -- C:\WINDOWS\System32\SUPDSvcA.dll
[2010-03-16 17:01:22 | 000,132,464 | ---- | M] (Samsung Electronics CO., LTD.) -- C:\WINDOWS\System32\SUPDSvc.exe
[2010-03-16 17:00:14 | 000,260,464 | ---- | M] () -- C:\WINDOWS\SUPDRun.exe
[2010-03-10 07:27:19 | 000,049,753 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Disk report 2010 03 10.html
[2010-03-10 07:27:19 | 000,006,957 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\hdsentinel.png
[2010-03-10 07:27:19 | 000,001,321 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\yellow.png
[2010-03-10 07:27:19 | 000,001,305 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\red.png
[2010-03-10 07:27:19 | 000,001,300 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\green.png
[2010-03-09 23:33:05 | 003,668,766 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\Erik Grönwall - Run To The Hills.mp3
[2010-03-09 19:52:36 | 021,663,557 | ---- | M] (Samsung ) -- C:\Documents and Settings\Per\My Documents\SamsungUniversalPrintDriver_PS.exe
[2010-03-09 19:52:13 | 007,198,798 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\4725.pdf
[2010-03-09 13:34:36 | 000,157,552 | ---- | M] (SS) -- C:\WINDOWS\System32\spd__ci.exe
[2010-03-06 13:27:31 | 000,013,886 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\config-freenas.local-20100306122725.xml
[2010-03-04 16:10:41 | 000,933,717 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#6PSMay50.pdf
[2010-03-04 16:10:40 | 003,054,046 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#4.pdf
[2010-03-04 16:10:30 | 000,728,297 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#5PMFM47.pdf
[2010-03-04 16:05:28 | 000,933,145 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#2.pdf
[2010-03-01 20:56:12 | 000,417,792 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\HP Color LaserJet 2605 Series Printer.doc
[2010-02-28 09:35:43 | 002,518,490 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\katalog.pdf
[2010-02-28 02:16:31 | 000,756,177 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Cement-Mixer.pdf
[2010-02-26 17:26:56 | 000,220,024 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\sigcheck.exe
[2010-02-25 18:47:17 | 000,294,087 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Building a Standard Image of Windows 7 Step-by-Step Guide.doc.docx
[2010-02-25 16:52:55 | 000,032,800 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\WRT54GLV1_v4.30.7.cfg
[2010-02-23 23:55:46 | 002,888,232 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Spotify Installer.exe
[2010-02-22 23:49:08 | 002,292,413 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\smide.pdf
[2010-02-21 22:05:41 | 002,616,830 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\5000_Series_Op_Man_0881.pdf
[2010-02-21 21:36:27 | 003,279,751 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Swiftamatic_8_Serv_Man_0863.pdf
[2010-02-20 18:43:10 | 001,338,145 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Convertible_76_IPL_1972.pdf
[2010-02-20 14:49:18 | 002,894,611 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Convertible_76_Serv_Man_1174.pdf
[2010-02-19 17:31:13 | 000,670,072 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Per\My Documents\autoruns.exe
[2010-02-19 13:28:02 | 012,216,170 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\SysinternalsSuite.zip
[2010-02-19 13:00:04 | 001,309,584 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\ProcessMonitor.zip
[2010-02-17 17:36:38 | 000,981,457 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\lcdmonitor_STXsorozat.pdf
[2010-02-11 15:45:14 | 000,000,363 | ---- | M] () -- C:\WINDOWS\System32\spd__l.smt
[2010-02-06 19:54:50 | 000,393,334 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\nussbaum2.jpg
[2010-02-06 19:53:05 | 000,354,630 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\nussbaum1.jpg
[2010-02-06 13:45:49 | 000,052,111 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\motorer.pdf
[2010-02-06 13:45:11 | 000,771,658 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\l225.pdf
[2010-02-06 13:44:03 | 000,743,728 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\l220.pdf
[2010-02-06 13:24:36 | 000,588,661 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\37-120.pdf
[2010-02-05 17:55:41 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Per\Desktop\pris.xls
[2010-02-03 23:56:47 | 000,055,296 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\I den här artikeln beskrivs återställning av en dator med Windows XP.doc
[2010-01-29 13:10:40 | 000,036,352 | ---- | M] () -- C:\Documents and Settings\Per\My Documents\Minska risk för fukt på vinden.doc
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-04-28 14:24:18 | 000,013,409 | ---- | C] () -- C:\WINDOWS\look.bat
[2010-04-28 06:03:56 | 001,138,992 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\maxlook.exe
[2010-04-27 17:17:10 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010-04-27 17:17:08 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010-04-27 17:16:41 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010-04-27 17:16:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010-04-27 17:16:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010-04-27 17:14:39 | 003,920,068 | R--- | C] () -- C:\Documents and Settings\Per\Desktop\ComboFix.exe
[2010-04-27 17:03:12 | 003,919,003 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\ComboFix.exe.part
[2010-04-27 15:47:08 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\z10hn0xd.exe
[2010-04-26 20:21:53 | 000,033,280 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\MemberImport.xls
[2010-04-26 18:42:29 | 000,482,408 | ---- | C] () -- C:\WINDOWS\ssndii.exe
[2010-04-26 18:42:05 | 000,011,502 | ---- | C] () -- C:\WINDOWS\Dr. Printer Icon.ico
[2010-04-26 18:42:01 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\DscPnt.dll
[2010-04-26 18:42:01 | 000,260,464 | ---- | C] () -- C:\WINDOWS\SUPDRun.exe
[2010-04-26 18:42:01 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\spd__l.dll
[2010-04-26 18:42:01 | 000,000,363 | ---- | C] () -- C:\WINDOWS\System32\spd__l.smt
[2010-04-26 17:48:53 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Bok1.xls
[2010-04-25 13:25:28 | 000,001,855 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Sony Ericsson PC Suite 6.0.lnk
[2010-04-24 17:58:18 | 000,002,406 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175817.reg
[2010-04-24 17:58:06 | 000,015,076 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175804.reg
[2010-04-24 17:55:34 | 000,029,894 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\cc_20100424_175533.reg
[2010-04-24 11:21:22 | 000,000,883 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2010-04-24 11:08:59 | 000,001,528 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ImgBurn.lnk
[2010-04-24 11:03:02 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\You.doc
[2010-04-24 11:03:02 | 000,001,321 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\yellow.png
[2010-04-24 11:02:54 | 002,208,984 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\WW2_108.EXE
[2010-04-24 11:02:54 | 000,032,800 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\WRT54GLV1_v4.30.7.cfg
[2010-04-24 11:02:49 | 004,770,227 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\verktygsstallet_med_priser.pdf
[2010-04-24 11:02:49 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Webkamera Gång.doc
[2010-04-24 11:02:34 | 003,079,715 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Tweaking Companion for Windows Vista (Tweakguides, 2007).pdf
[2010-04-24 11:02:30 | 103,937,719 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\The Art Of Woodworking Vol 18 - Outdoor Furniture.pdf
[2010-04-24 11:02:30 | 012,216,170 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\SysinternalsSuite.zip
[2010-04-24 11:02:30 | 003,279,751 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Swiftamatic_8_Serv_Man_0863.pdf
[2010-04-24 11:02:30 | 000,165,379 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Spotify_ripper.rar
[2010-04-24 11:02:30 | 000,050,677 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\TageN.png
[2010-04-24 11:02:30 | 000,014,532 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\tagenylander.pdf
[2010-04-24 11:02:26 | 002,888,232 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Spotify Installer.exe
[2010-04-24 11:02:25 | 002,292,413 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\smide.pdf
[2010-04-24 11:02:25 | 001,318,647 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\siv.zip
[2010-04-24 11:02:25 | 000,123,722 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Sjukersättning.pdf
[2010-04-24 11:02:25 | 000,096,084 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Sjukpenninggrundande inkomst - information till dig som studerar, är arbetslös, har sjukersättning,.pdf
[2010-04-24 11:02:24 | 000,057,856 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\rol-biWO 2008026930 20080306.doc
[2010-04-24 11:02:24 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Robban 850.doc
[2010-04-24 11:02:23 | 008,834,504 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\RMSetup.exe
[2010-04-24 11:02:23 | 004,211,811 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\PV_Design_45 HY30-3245-uk-02-2007.pdf
[2010-04-24 11:02:23 | 001,980,651 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\PV_Catalog.pdf
[2010-04-24 11:02:23 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\rik.xls
[2010-04-24 11:02:23 | 000,001,305 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\red.png
[2010-04-24 11:02:21 | 034,021,481 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Produktbok2007.pdf
[2010-04-24 11:02:21 | 001,309,584 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\ProcessMonitor.zip
[2010-04-24 11:02:21 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\persbios.bin
[2010-04-24 11:02:21 | 000,028,595 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\processkill.zip
[2010-04-24 11:02:09 | 000,676,135 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Om du är sjuk och inte kan arbeta.pdf
[2010-04-24 11:02:09 | 000,393,334 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\nussbaum2.jpg
[2010-04-24 11:02:09 | 000,354,630 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\nussbaum1.jpg
[2010-04-24 11:02:09 | 000,001,660 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\nod32ubcd.zip
[2010-04-24 11:01:56 | 002,991,563 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\MBD-I-D945GSEJT-manual.pdf
[2010-04-24 11:01:56 | 001,262,858 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\mobil_refill_priserSamtTjan081202.pdf
[2010-04-24 11:01:56 | 000,981,457 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\lcdmonitor_STXsorozat.pdf
[2010-04-24 11:01:56 | 000,195,383 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\mbookmark.xml
[2010-04-24 11:01:56 | 000,052,111 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\motorer.pdf
[2010-04-24 11:01:56 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Minska risk för fukt på vinden.doc
[2010-04-24 11:01:51 | 000,771,658 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\l225.pdf
[2010-04-24 11:01:51 | 000,743,728 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\l220.pdf
[2010-04-24 11:01:50 | 003,108,547 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\K800__UG_R1a_SV.pdf
[2010-04-24 11:01:50 | 002,518,490 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\katalog.pdf
[2010-04-24 11:01:50 | 001,788,208 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\kampanj.pdf
[2010-04-24 11:01:50 | 000,132,804 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\index.php
[2010-04-24 11:01:49 | 003,354,819 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\IBMThinkpadA31.pdf
[2010-04-24 11:01:49 | 000,417,792 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\HP Color LaserJet 2605 Series Printer.doc
[2010-04-24 11:01:49 | 000,127,091 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\HP Laserjet Guide TD 200812.pdf
[2010-04-24 11:01:49 | 000,055,296 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\I den här artikeln beskrivs återställning av en dator med Windows XP.doc
[2010-04-24 11:01:48 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Hans Bergströms artikel om.doc
[2010-04-24 11:01:48 | 000,006,957 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\hdsentinel.png
[2010-04-24 11:01:48 | 000,001,300 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\green.png
[2010-04-24 11:01:44 | 072,673,280 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FreeNAS-i386-LiveCD-0.7RC1.4735.iso
[2010-04-24 11:01:44 | 000,933,717 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#6PSMay50.pdf
[2010-04-24 11:01:44 | 000,169,746 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FPFAI-UK-DSLROUTERG-AA.pdf
[2010-04-24 11:01:44 | 000,000,110 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Files named @.jpg.fnd
[2010-04-24 11:01:44 | 000,000,110 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Files named @.jpg (2).fnd
[2010-04-24 11:01:43 | 006,013,893 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\EeePC4G_web.pdf
[2010-04-24 11:01:43 | 003,054,046 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#4.pdf
[2010-04-24 11:01:43 | 000,933,145 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#2.pdf
[2010-04-24 11:01:43 | 000,728,297 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\FarmTractor#5PMFM47.pdf
[2010-04-24 11:01:43 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Elpriset smyghöjs för två miljoner svenskar.doc
[2010-04-24 11:01:43 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Eftersom du bygga en brant trappa.doc
[2010-04-24 11:01:43 | 000,000,498 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\EseTLicense.reg
[2010-04-24 11:01:42 | 002,894,611 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Convertible_76_Serv_Man_1174.pdf
[2010-04-24 11:01:42 | 001,338,145 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Convertible_76_IPL_1972.pdf
[2010-04-24 11:01:42 | 000,370,473 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Customize_Joomla's_Default_Template[1].pdf
[2010-04-24 11:01:42 | 000,049,753 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Disk report 2010 03 10.html
[2010-04-24 11:01:42 | 000,013,886 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\config-freenas.local-20100306122725.xml
[2010-04-24 11:01:40 | 000,756,177 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Cement-Mixer.pdf
[2010-04-24 11:01:40 | 000,294,087 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Building a Standard Image of Windows 7 Step-by-Step Guide.doc.docx
[2010-04-24 11:01:40 | 000,083,155 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\bios.ini
[2010-04-24 11:01:40 | 000,024,093 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\Bransle_Maflex_2009.pdf
[2010-04-24 11:01:40 | 000,009,187 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\bin2iso.zip
[2010-04-24 11:01:37 | 007,198,798 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\4725.pdf
[2010-04-24 11:01:37 | 002,616,830 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\5000_Series_Op_Man_0881.pdf
[2010-04-24 11:01:37 | 000,588,661 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\37-120.pdf
[2010-04-24 11:01:37 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\6a61ng02.0
[2010-04-24 11:01:37 | 000,023,055 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\advis.mht
[2010-04-24 11:01:37 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Per\My Documents\~$You.doc
[2010-04-24 11:00:24 | 004,032,807 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\The Psychedelic Furs - Pretty In Pink.mp3
[2010-04-24 11:00:24 | 003,306,393 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Thorleifs - Aldrig nånsin glömmer jag dig.mp3
[2010-04-24 11:00:23 | 003,668,766 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Erik Grönwall - Run To The Hills.mp3
[2010-04-24 02:32:31 | 009,228,440 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\spf.exe
[2010-04-24 01:29:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010-04-24 01:29:29 | 000,077,312 | ---- | C] () -- C:\WINDOWS\mbr.exe
[2010-04-24 01:10:21 | 000,000,766 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Sandboxed Web Browser.lnk
[2010-04-24 01:10:21 | 000,000,595 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Shortcut to AboutTime.exe.lnk
[2010-04-24 01:10:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\settings.dat
[2010-04-24 01:10:20 | 023,834,246 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\publication.pdf
[2010-04-24 01:10:20 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\NTREGOPT.lnk
[2010-04-24 01:10:18 | 000,557,056 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\LaunchEAW.exe
[2010-04-24 01:10:17 | 000,000,579 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\HTTrack Website Copier.lnk
[2010-04-24 01:10:15 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\esetsmartinstaller_enu.exe
[2010-04-24 01:10:15 | 002,162,688 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\fixntldr.iso
[2010-04-24 01:10:15 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\ERUNT.lnk
[2010-04-24 01:10:15 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\E-mail.lnk
[2010-04-24 01:10:14 | 003,704,042 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\D_Z3_SW.pdf
[2010-04-24 01:10:14 | 000,819,347 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\BoPC_KotOR_Troubleshooting.rtf
[2010-04-24 01:10:14 | 000,000,591 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\DVD Shrink 3.2.lnk
[2010-04-24 01:05:30 | 009,324,333 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Windows6.1-KB947821-x86-RC.msu
[2010-04-24 01:05:30 | 005,497,090 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\The Key To Metal Bumping.pdf
[2010-04-24 01:05:30 | 000,794,112 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\The_Comedian.exe
[2010-04-24 01:05:30 | 000,766,337 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Tröja.pdf
[2010-04-24 01:05:30 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\trappa.xls
[2010-04-24 01:05:30 | 000,000,721 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Winbuilder lx76hfcxaf.lnk
[2010-04-24 01:05:30 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\Spotify.lnk
[2010-04-24 01:05:30 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\start.bat
[2010-04-24 01:05:26 | 022,191,482 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\snoslunga.wmv
[2010-04-24 01:05:26 | 000,001,414 | ---- | C] () -- C:\Documents and Settings\Per\Desktop\shutdown.exe.lnk
[2010-04-24 01:00:59 | 001,872,472 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\SmitfraudFix.exe
[2010-04-24 01:00:52 | 001,728,150 | ---- | C] () -- C:\Documents and Settings\Per\My Documents\McafeeRootkitDetective.zip
[2010-04-24 00:35:54 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010-04-03 22:55:32 | 002,183,470 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010-04-03 22:55:32 | 000,009,046 | ---- | C] () -- C:\WINDOWS\System32\nvinfo.pb
[2010-04-03 19:22:32 | 000,276,202 | ---- | C] () -- C:\WINDOWS\System32\NvApps.xml
[2010-04-03 19:22:32 | 000,066,714 | ---- | C] () -- C:\WINDOWS\System32\NvwsApps.xml
[2009-04-24 12:48:52 | 000,000,139 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2009-04-12 16:23:21 | 000,517,120 | ---- | C] () -- C:\WINDOWS\System32\7-ZIP32.DLL
[2009-04-09 22:19:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2009-04-04 22:53:35 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009-04-04 16:43:25 | 000,002,163 | ---- | C] () -- C:\WINDOWS\WINCMD.INI
[2009-03-14 19:44:48 | 000,000,486 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008-02-04 19:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007-10-04 10:14:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007-07-27 12:00:00 | 000,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2006-08-16 16:13:34 | 001,382,280 | ---- | C] () -- C:\WINDOWS\System32\fftw3.dll
[2004-10-15 18:31:56 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll
[2004-05-27 16:52:52 | 000,058,880 | ---- | C] () -- C:\WINDOWS\System32\mslffv1.dll
[2003-04-08 12:35:24 | 000,005,414 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1997-06-14 04:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[1996-04-03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2009-04-19 10:59:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2010-04-23 21:15:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010-04-25 13:50:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010-04-24 10:43:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Audacity
[2009-04-04 19:53:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Canneverbe_Limited
[2009-03-25 18:26:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\DeepBurner
[2009-04-18 17:17:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\FileMaker
[2010-04-24 11:21:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Foxit
[2010-04-24 11:12:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\JAM Software
[2009-05-26 23:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\MxBoost
[2009-05-26 15:57:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\MyPhoneExplorer
[2009-03-14 20:50:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\OfficeUpdate12
[2009-05-03 09:14:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Personal
[2009-04-26 10:21:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\RipIt4Me
[2010-04-28 14:55:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\Spotify
[2009-04-29 18:14:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\TiFiC
[2009-05-22 13:05:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per\Application Data\XnView
[2010-04-28 15:07:45 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{E51E9111-755F-4990-99AB-39BEABF9B266}.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: ATAPI.SYS >
[2007-07-27 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009-03-13 23:32:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009-03-13 23:32:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008-04-13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\maxdriver\atapi.sys
[2008-04-13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004-08-03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Documents and Settings\Per\My Documents\nedladdade och installerade program\bootland\LiveXP-Recommended\Target\LiveXP\i386\System32\drivers\atapi.sys
[2004-08-04 07:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Documents and Settings\Per\My Documents\testdisk-6.10.win\testdisk-6.10\win\driverbackup\SPIDERMAN (XP) DEVICE DRIVERS\HDC\Primary IDE Channel\ATAPI.SYS
[2004-08-04 07:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Documents and Settings\Per\My Documents\testdisk-6.10.win\testdisk-6.10\win\driverbackup\SPIDERMAN (XP) DEVICE DRIVERS\HDC\Secondary IDE Channel\ATAPI.SYS
[2007-07-27 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\UBCD4Win\BartPE\I386\SYSTEM32\DRIVERS\ATAPI.SYS
[2007-07-27 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2002-10-24 15:59:48 | 000,087,040 | ---- | M] (Microsoft Corporation) MD5=F1D915C3870E741D83B5142F3B358761 -- C:\UBCD4Win\plugin\!Critical\Large IDE-Fix\files\sp2\atapi.sys
[2008-04-13 18:40:30 | 000,096,512 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94EAB850
< End of report >


tdsskiller log


15:20:30:328 1360 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
15:20:30:328 1360 ================================================================================
15:20:30:328 1360 SystemInfo:

15:20:30:328 1360 OS Version: 5.1.2600 ServicePack: 3.0
15:20:30:328 1360 Product type: Workstation
15:20:30:328 1360 ComputerName: DUO
15:20:30:328 1360 UserName: Per
15:20:30:328 1360 Windows directory: C:\WINDOWS
15:20:30:328 1360 Processor architecture: Intel x86
15:20:30:328 1360 Number of processors: 2
15:20:30:328 1360 Page size: 0x1000
15:20:30:328 1360 Boot type: Normal boot
15:20:30:328 1360 ================================================================================
15:20:30:328 1360 UnloadDriverW: NtUnloadDriver error 2
15:20:30:328 1360 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:20:30:390 1360 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:20:30:390 1360 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:20:30:390 1360 wfopen_ex: Trying to KLMD file open
15:20:30:390 1360 wfopen_ex: File opened ok (Flags 2)
15:20:30:390 1360 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:20:30:390 1360 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:20:30:390 1360 wfopen_ex: Trying to KLMD file open
15:20:30:390 1360 wfopen_ex: File opened ok (Flags 2)
15:20:30:390 1360 Initialize success
15:20:30:390 1360
15:20:30:390 1360 Scanning Services ...
15:20:30:687 1360 Raw services enum returned 356 services
15:20:30:703 1360
15:20:30:703 1360 Scanning Kernel memory ...
15:20:30:703 1360 Devices to scan: 5
15:20:30:703 1360
15:20:30:703 1360 Driver Name: Disk
15:20:30:703 1360 IRP_MJ_CREATE : B811EBB0
15:20:30:703 1360 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:30:703 1360 IRP_MJ_CLOSE : B811EBB0
15:20:30:703 1360 IRP_MJ_READ : B8118D1F
15:20:30:703 1360 IRP_MJ_WRITE : B8118D1F
15:20:30:703 1360 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_SET_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_EA : 804F4562
15:20:30:703 1360 IRP_MJ_SET_EA : 804F4562
15:20:30:703 1360 IRP_MJ_FLUSH_BUFFERS : B81192E2
15:20:30:703 1360 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_DEVICE_CONTROL : B81193BB
15:20:30:703 1360 IRP_MJ_INTERNAL_DEVICE_CONTROL : B811CF28
15:20:30:703 1360 IRP_MJ_SHUTDOWN : B81192E2
15:20:30:703 1360 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_CLEANUP : 804F4562
15:20:30:703 1360 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:30:703 1360 IRP_MJ_SET_SECURITY : 804F4562
15:20:30:703 1360 IRP_MJ_POWER : B811AC82
15:20:30:703 1360 IRP_MJ_SYSTEM_CONTROL : B811F99E
15:20:30:703 1360 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:30:703 1360 IRP_MJ_SET_QUOTA : 804F4562
15:20:30:703 1360 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:30:703 1360
15:20:30:703 1360 Driver Name: Disk
15:20:30:703 1360 IRP_MJ_CREATE : B811EBB0
15:20:30:703 1360 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:30:703 1360 IRP_MJ_CLOSE : B811EBB0
15:20:30:703 1360 IRP_MJ_READ : B8118D1F
15:20:30:703 1360 IRP_MJ_WRITE : B8118D1F
15:20:30:703 1360 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_SET_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_EA : 804F4562
15:20:30:703 1360 IRP_MJ_SET_EA : 804F4562
15:20:30:703 1360 IRP_MJ_FLUSH_BUFFERS : B81192E2
15:20:30:703 1360 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_DEVICE_CONTROL : B81193BB
15:20:30:703 1360 IRP_MJ_INTERNAL_DEVICE_CONTROL : B811CF28
15:20:30:703 1360 IRP_MJ_SHUTDOWN : B81192E2
15:20:30:703 1360 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_CLEANUP : 804F4562
15:20:30:703 1360 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:30:703 1360 IRP_MJ_SET_SECURITY : 804F4562
15:20:30:703 1360 IRP_MJ_POWER : B811AC82
15:20:30:703 1360 IRP_MJ_SYSTEM_CONTROL : B811F99E
15:20:30:703 1360 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:30:703 1360 IRP_MJ_SET_QUOTA : 804F4562
15:20:30:703 1360 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:30:703 1360
15:20:30:703 1360 Driver Name: Disk
15:20:30:703 1360 IRP_MJ_CREATE : B811EBB0
15:20:30:703 1360 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:30:703 1360 IRP_MJ_CLOSE : B811EBB0
15:20:30:703 1360 IRP_MJ_READ : B8118D1F
15:20:30:703 1360 IRP_MJ_WRITE : B8118D1F
15:20:30:703 1360 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_SET_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_EA : 804F4562
15:20:30:703 1360 IRP_MJ_SET_EA : 804F4562
15:20:30:703 1360 IRP_MJ_FLUSH_BUFFERS : B81192E2
15:20:30:703 1360 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_DEVICE_CONTROL : B81193BB
15:20:30:703 1360 IRP_MJ_INTERNAL_DEVICE_CONTROL : B811CF28
15:20:30:703 1360 IRP_MJ_SHUTDOWN : B81192E2
15:20:30:703 1360 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_CLEANUP : 804F4562
15:20:30:703 1360 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:30:703 1360 IRP_MJ_SET_SECURITY : 804F4562
15:20:30:703 1360 IRP_MJ_POWER : B811AC82
15:20:30:703 1360 IRP_MJ_SYSTEM_CONTROL : B811F99E
15:20:30:703 1360 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:30:703 1360 IRP_MJ_SET_QUOTA : 804F4562
15:20:30:703 1360 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:30:703 1360
15:20:30:703 1360 Driver Name: Disk
15:20:30:703 1360 IRP_MJ_CREATE : B811EBB0
15:20:30:703 1360 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:30:703 1360 IRP_MJ_CLOSE : B811EBB0
15:20:30:703 1360 IRP_MJ_READ : B8118D1F
15:20:30:703 1360 IRP_MJ_WRITE : B8118D1F
15:20:30:703 1360 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_SET_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_EA : 804F4562
15:20:30:703 1360 IRP_MJ_SET_EA : 804F4562
15:20:30:703 1360 IRP_MJ_FLUSH_BUFFERS : B81192E2
15:20:30:703 1360 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:30:703 1360 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_DEVICE_CONTROL : B81193BB
15:20:30:703 1360 IRP_MJ_INTERNAL_DEVICE_CONTROL : B811CF28
15:20:30:703 1360 IRP_MJ_SHUTDOWN : B81192E2
15:20:30:703 1360 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:30:703 1360 IRP_MJ_CLEANUP : 804F4562
15:20:30:703 1360 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:30:703 1360 IRP_MJ_SET_SECURITY : 804F4562
15:20:30:703 1360 IRP_MJ_POWER : B811AC82
15:20:30:703 1360 IRP_MJ_SYSTEM_CONTROL : B811F99E
15:20:30:703 1360 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:30:703 1360 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:30:703 1360 IRP_MJ_SET_QUOTA : 804F4562
15:20:30:703 1360 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:30:703 1360
15:20:30:703 1360 Driver Name: atapi
15:20:30:703 1360 IRP_MJ_CREATE : 8A8F95C0
15:20:30:703 1360 IRP_MJ_CREATE_NAMED_PIPE : 8A8F95C0
15:20:30:703 1360 IRP_MJ_CLOSE : 8A8F95C0
15:20:30:703 1360 IRP_MJ_READ : 8A8F95C0
15:20:30:703 1360 IRP_MJ_WRITE : 8A8F95C0
15:20:30:703 1360 IRP_MJ_QUERY_INFORMATION : 8A8F95C0
15:20:30:703 1360 IRP_MJ_SET_INFORMATION : 8A8F95C0
15:20:30:703 1360 IRP_MJ_QUERY_EA : 8A8F95C0
15:20:30:703 1360 IRP_MJ_SET_EA : 8A8F95C0
15:20:30:703 1360 IRP_MJ_FLUSH_BUFFERS : 8A8F95C0
15:20:30:703 1360 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A8F95C0
15:20:30:703 1360 IRP_MJ_SET_VOLUME_INFORMATION : 8A8F95C0
15:20:30:703 1360 IRP_MJ_DIRECTORY_CONTROL : 8A8F95C0
15:20:30:703 1360 IRP_MJ_FILE_SYSTEM_CONTROL : 8A8F95C0
15:20:30:703 1360 IRP_MJ_DEVICE_CONTROL : 8A8F95C0
15:20:30:703 1360 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A907B20
15:20:30:703 1360 IRP_MJ_SHUTDOWN : 8A8F95C0
15:20:30:703 1360 IRP_MJ_LOCK_CONTROL : 8A8F95C0
15:20:30:703 1360 IRP_MJ_CLEANUP : 8A8F95C0
15:20:30:703 1360 IRP_MJ_CREATE_MAILSLOT : 8A8F95C0
15:20:30:703 1360 IRP_MJ_QUERY_SECURITY : 8A8F95C0
15:20:30:703 1360 IRP_MJ_SET_SECURITY : 8A8F95C0
15:20:30:703 1360 IRP_MJ_POWER : 8A8F95C0
15:20:30:703 1360 IRP_MJ_SYSTEM_CONTROL : 8A8F95C0
15:20:30:703 1360 IRP_MJ_DEVICE_CHANGE : 8A8F95C0
15:20:30:703 1360 IRP_MJ_QUERY_QUOTA : 8A8F95C0
15:20:30:703 1360 IRP_MJ_SET_QUOTA : 8A8F95C0
15:20:30:703 1360 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
15:20:30:703 1360
15:20:30:703 1360 Completed
15:20:30:703 1360
15:20:30:703 1360 Results:
15:20:30:703 1360 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:20:30:718 1360 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:20:30:718 1360 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:20:30:718 1360
15:20:30:718 1360 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:20:30:718 1360 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:20:30:718 1360 KLMD(ARK) unloaded successfully
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 28th, 2010, 9:48 am

Hi pimse,

Defogger
Disable Drivers
Please download DeFogger... by jpshortstuff. Save it to your desktop.
  1. Double click DeFogger.exe to run the tool. The application window will appear.
  2. Click the Disable button to disable your CD Emulation drivers.
  3. Click Yes to continue. A 'Finished!' message will appear. Click OK.
  4. Click OK when DeFogger asks to reboot the machine.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Now please run a new scan with Combofix and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK