Need help with a MBR rootkit!

Re: Need help with a MBR rootkit!

Post by pimse » April 28th, 2010, 10:15 am

This message popped up at the beginning of the scan:

"Detected presence of rootkit activity and must reboot the computer"

After reboot came the usual scan in 50 stages.


ComboFix log:

ComboFix 10-04-27.04 - Per 2010-04-28 16:06:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3197.2814 [GMT 2:00]
Running from: c:\documents and settings\Per\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\look.bat

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-28 12:29 . 2010-02-26 15:26 220024 ----a-w- c:\windows\sigcheck.exe
2010-04-28 12:24 . 2010-04-28 14:26 -------- d-----w- c:\windows\maxdriver
2010-04-27 15:21 . 2010-04-27 15:21 -------- d-----w- c:\documents and settings\Per\Local Settings\Application Data\ESET
2010-04-26 16:41 . 2010-04-26 16:41 -------- d-----w- c:\temp\SamsungUniversalPrintDriver
2010-04-26 16:39 . 2010-04-26 16:41 -------- d-----w- c:\program files\SAMSUNG
2010-04-26 16:39 . 2010-04-26 16:39 -------- d-----w- c:\temp\ML-1710
2010-04-26 16:29 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-04-26 16:29 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-04-25 16:00 . 2010-04-25 16:00 -------- d-----w- c:\program files\Defraggler
2010-04-25 11:25 . 2008-01-09 10:28 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2010-04-24 09:55 . 2010-04-24 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-04-24 09:55 . 2010-04-24 09:55 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-24 09:21 . 2010-04-24 09:21 -------- d-----w- c:\documents and settings\Per\Application Data\Foxit
2010-04-24 09:21 . 2010-04-24 09:21 -------- d-----w- c:\program files\Foxit Software
2010-04-24 09:12 . 2010-04-24 09:12 -------- d-----w- c:\documents and settings\Per\Application Data\JAM Software
2010-04-24 09:09 . 2010-04-24 09:09 -------- d-----w- c:\program files\JAM Software
2010-04-24 09:08 . 2010-04-24 09:09 -------- d-----w- c:\program files\ImgBurn
2010-04-24 09:08 . 2009-05-13 16:51 19968 ----a-w- c:\windows\system32\drivers\imdisk.sys
2010-04-24 09:08 . 2009-02-09 13:16 9216 ----a-w- c:\windows\system32\drivers\awealloc.sys
2010-04-24 09:08 . 2009-05-13 16:51 10240 ----a-w- c:\windows\system32\imdsksvc.exe
2010-04-24 09:08 . 2009-05-13 16:51 35840 ----a-w- c:\windows\system32\imdisk.exe
2010-04-24 06:43 . 2010-04-24 06:43 -------- d-----w- c:\documents and settings\Per\DoctorWeb
2010-04-24 00:37 . 2004-10-15 16:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2010-04-24 00:37 . 2004-10-15 16:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2010-04-24 00:37 . 2004-10-15 16:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2010-04-24 00:37 . 2004-10-15 16:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2010-04-24 00:37 . 2010-04-24 00:37 -------- d-----w- c:\program files\Sygate
2010-04-23 23:51 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-23 23:51 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-23 23:51 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-23 23:49 . 2010-04-23 23:50 -------- dc-h--w- c:\windows\ie8
2010-04-23 23:47 . 2010-04-23 23:47 -------- d-----w- c:\program files\Trend Micro
2010-04-23 23:41 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-04-23 23:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-23 23:38 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-23 23:37 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-23 23:37 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-23 23:37 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-23 23:35 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-23 23:34 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-04-23 23:08 . 2010-04-28 13:10 -------- d-----w- c:\documents and settings\Per\Local Settings\Application Data\Spotify
2010-04-23 23:08 . 2010-04-28 12:55 -------- d-----w- c:\documents and settings\Per\Application Data\Spotify
2010-04-23 22:35 . 2010-04-23 22:35 -------- d-----w- c:\program files\Common Files\Java
2010-04-23 22:35 . 2010-04-23 22:35 503808 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\msvcp71.dll
2010-04-23 22:35 . 2010-04-23 22:35 499712 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\jmc.dll
2010-04-23 22:35 . 2010-04-23 22:35 348160 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6774b8ce-n\msvcr71.dll
2010-04-23 22:35 . 2010-04-23 22:35 61440 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45960d9c-n\decora-sse.dll
2010-04-23 22:35 . 2010-04-23 22:35 12800 ----a-w- c:\documents and settings\Per\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45960d9c-n\decora-d3d.dll
2010-04-23 22:35 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-23 20:53 . 2009-02-07 05:43 24576 ----a-w- c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
2010-04-23 20:53 . 2009-05-17 17:56 11776 ----a-w- c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}\platform\WINNT_x86-msvc\components\mgMouseService.dll
2010-04-23 19:33 . 2010-04-23 19:33 -------- d-----w- c:\program files\MAPILab Ltd
2010-04-23 19:32 . 2010-04-23 19:32 -------- d-----w- c:\windows\Downloaded Installations
2010-04-23 19:15 . 2010-04-23 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-03 20:55 . 2010-04-03 20:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 20:55 . 2010-04-03 20:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 20:55 . 2010-04-03 20:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 20:55 . 2010-04-03 20:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 20:55 . 2010-04-03 20:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 20:55 . 2010-04-03 20:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 17:23 . 2010-04-03 17:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 17:23 . 2010-04-03 17:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 17:23 . 2010-04-03 17:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 17:23 . 2010-04-03 17:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:23 . 2010-04-03 17:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 17:22 . 2010-04-03 17:22 81920 ----a-w- c:\windows\system32\nvwddi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 11:50 . 2009-04-19 08:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-25 11:24 . 2009-04-19 08:58 -------- d-----w- c:\program files\Sony Ericsson
2010-04-25 11:24 . 2009-03-13 21:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-25 11:23 . 2009-04-19 08:59 -------- d-----w- c:\program files\Avanquest update
2010-04-24 15:54 . 2009-04-22 19:18 -------- d-----w- c:\program files\Axis Communications
2010-04-24 09:59 . 2009-03-15 09:12 -------- d-----w- c:\program files\ESET
2010-04-24 08:43 . 2009-04-04 20:49 -------- d-----w- c:\documents and settings\Per\Application Data\Audacity
2010-04-23 23:31 . 2009-03-13 21:28 64752 ----a-w- c:\documents and settings\Per\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-23 22:54 . 2009-04-10 21:54 -------- d-----w- c:\program files\SpeedFan
2010-04-23 22:41 . 2009-04-04 06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-23 22:35 . 2009-04-08 16:54 -------- d-----w- c:\program files\Java
2010-04-23 20:28 . 2009-05-23 12:59 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 20:55 . 2009-03-14 05:16 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-03 20:55 . 2009-03-13 21:20 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 20:55 . 2007-10-04 08:14 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 20:55 . 2007-10-04 08:14 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 20:55 . 2007-10-04 08:14 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 20:55 . 2007-10-04 08:14 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 20:55 . 2007-10-04 08:14 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 20:55 . 2007-10-04 08:14 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-29 22:46 . 2009-04-04 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2009-04-04 06:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 07:49 . 2010-04-26 16:42 282624 ----a-w- c:\windows\system32\DscPnt.dll
2010-03-16 15:01 . 2010-04-26 16:42 141680 ----a-w- c:\windows\system32\SUPDSvcA.dll
2010-03-16 15:01 . 2010-04-26 16:42 132464 ----a-w- c:\windows\system32\SUPDSvc.exe
2010-03-16 15:00 . 2010-04-26 16:42 260464 ----a-w- c:\windows\SUPDRun.exe
2010-03-11 12:38 . 2010-03-11 12:38 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-10 06:15 . 2007-07-27 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:34 . 2010-04-26 16:42 157552 ----a-w- c:\windows\system32\spd__ci.exe
2010-02-25 06:24 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2007-07-27 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2007-07-27 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2007-07-27 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2007-07-27 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-27_15.25.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-28 14:06 . 2010-04-28 14:06 16384 c:\windows\Temp\Perflib_Perfdata_55c.dat
+ 2007-07-27 12:00 . 2010-04-28 14:00 72108 c:\windows\system32\perfc009.dat
- 2007-07-27 12:00 . 2010-04-27 15:17 72108 c:\windows\system32\perfc009.dat
+ 2006-09-28 18:00 . 2006-09-28 18:00 82944 c:\windows\maxdriver\WudfRd.sys
+ 2006-09-28 17:55 . 2006-09-28 17:55 77568 c:\windows\maxdriver\WudfPf.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 12032 c:\windows\maxdriver\ws2ifsl.sys
+ 2010-04-24 00:37 . 2004-10-15 16:18 21075 c:\windows\maxdriver\wpsdrvnt.sys
+ 2006-10-18 19:00 . 2006-10-18 19:00 38528 c:\windows\maxdriver\wpdusb.sys
+ 2007-07-27 12:00 . 2008-04-13 18:41 52352 c:\windows\maxdriver\volsnap.sys
+ 2007-07-27 12:00 . 2008-04-13 18:44 81664 c:\windows\maxdriver\videoprt.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 42240 c:\windows\maxdriver\viaagp.sys
+ 2007-07-27 12:00 . 2008-04-13 18:44 20992 c:\windows\maxdriver\vga.sys
+ 2009-04-04 15:22 . 2004-10-15 16:32 14568 c:\windows\maxdriver\wg6n.sys
+ 2009-04-04 15:22 . 2004-10-15 16:32 14568 c:\windows\maxdriver\wg5n.sys
+ 2009-04-04 15:22 . 2004-10-15 16:32 14568 c:\windows\maxdriver\wg4n.sys
+ 2010-04-24 00:37 . 2004-10-15 16:32 14568 c:\windows\maxdriver\wg3n.sys
+ 2001-08-17 14:02 . 2007-07-27 12:00 58112 c:\windows\maxdriver\vdmindvd.sys
+ 2009-03-13 21:23 . 2008-04-13 19:17 83072 c:\windows\maxdriver\wdmaud.sys
+ 2008-03-27 14:27 . 2008-03-27 14:27 35040 c:\windows\maxdriver\wdfldr.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 25471 c:\windows\maxdriver\watv10nt.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 22271 c:\windows\maxdriver\watv06nt.sys
+ 2007-07-27 12:00 . 2008-04-13 18:57 34560 c:\windows\maxdriver\wanarp.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 11935 c:\windows\maxdriver\wadv11nt.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 11871 c:\windows\maxdriver\wadv09nt.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 11295 c:\windows\maxdriver\wadv08nt.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 11807 c:\windows\maxdriver\wadv07nt.sys
+ 2008-04-13 18:43 . 2008-04-13 18:43 14208 c:\windows\maxdriver\wacompen.sys
+ 2009-03-13 21:24 . 2008-04-13 18:45 26368 c:\windows\maxdriver\usbstor.sys
+ 2010-04-26 16:29 . 2008-04-13 17:47 25856 c:\windows\maxdriver\usbprint.sys
+ 2007-07-27 12:00 . 2008-04-13 18:45 17152 c:\windows\maxdriver\usbohci.sys
+ 2004-08-03 23:08 . 2008-04-13 18:45 15872 c:\windows\maxdriver\usbintel.sys
+ 2007-07-27 12:00 . 2008-04-13 17:45 59520 c:\windows\maxdriver\usbhub.sys
+ 2007-07-27 12:00 . 2008-04-13 18:45 30208 c:\windows\maxdriver\usbehci.sys
+ 2009-04-18 21:16 . 2008-04-13 17:45 32128 c:\windows\maxdriver\usbccgp.sys
+ 2001-08-17 14:03 . 2008-04-13 18:45 25728 c:\windows\maxdriver\usbcamd2.sys
+ 2001-08-17 14:03 . 2008-04-13 18:45 25600 c:\windows\maxdriver\usbcamd.sys
+ 2008-04-13 18:56 . 2008-04-13 18:56 12800 c:\windows\maxdriver\usb8023x.sys
+ 2007-07-27 12:00 . 2008-04-13 18:56 12800 c:\windows\maxdriver\usb8023.sys
+ 2007-07-27 12:00 . 2008-04-13 18:32 66048 c:\windows\maxdriver\udfs.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 44672 c:\windows\maxdriver\uagp35.sys
+ 2004-08-03 23:03 . 2008-04-13 18:56 12288 c:\windows\maxdriver\tunmp.sys
+ 2001-08-17 14:06 . 2007-07-27 12:00 21376 c:\windows\maxdriver\tsbvcap.sys
+ 2001-08-17 14:01 . 2007-07-27 12:00 51712 c:\windows\maxdriver\tosdvd.sys
+ 2009-03-14 04:29 . 2008-04-14 00:13 40840 c:\windows\maxdriver\termdd.sys
+ 2010-04-24 00:37 . 2004-10-15 16:17 60496 c:\windows\maxdriver\Teefer.sys
+ 2009-03-14 04:29 . 2008-04-14 00:13 21896 c:\windows\maxdriver\tdtcp.sys
+ 2009-03-14 04:29 . 2008-04-14 00:13 12040 c:\windows\maxdriver\tdpipe.sys
+ 2007-07-27 12:00 . 2008-04-13 19:00 19072 c:\windows\maxdriver\tdi.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 14976 c:\windows\maxdriver\tape.sys
+ 2009-03-13 21:22 . 2008-04-13 19:15 60800 c:\windows\maxdriver\sysaudio.sys
+ 2009-03-13 21:23 . 2008-04-13 18:45 56576 c:\windows\maxdriver\swmidi.sys
+ 2004-08-03 23:08 . 2008-04-13 18:45 49408 c:\windows\maxdriver\stream.sys
+ 2009-03-14 04:31 . 2008-04-13 18:36 73472 c:\windows\maxdriver\sr.sys
+ 2004-08-03 23:09 . 2008-04-13 18:46 25344 c:\windows\maxdriver\sonydcam.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 14592 c:\windows\maxdriver\smclib.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 13240 c:\windows\maxdriver\slwdmsup.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 95424 c:\windows\maxdriver\slnthal.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 40960 c:\windows\maxdriver\sisagp.sys
+ 2005-08-24 13:55 . 2005-08-24 13:55 66560 c:\windows\maxdriver\sfvfs02.sys
+ 2005-08-10 14:06 . 2005-08-10 14:06 19968 c:\windows\maxdriver\sfsync02.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 11392 c:\windows\maxdriver\sfloppy.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 11008 c:\windows\maxdriver\sffp_sd.sys
+ 2008-04-13 18:40 . 2008-04-13 18:40 10240 c:\windows\maxdriver\sffp_mmc.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 11904 c:\windows\maxdriver\sffdisk.sys
+ 2005-08-10 12:44 . 2005-08-10 12:44 50688 c:\windows\maxdriver\sfdrv01.sys
+ 2007-07-27 12:00 . 2008-04-13 19:15 64512 c:\windows\maxdriver\serial.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 15744 c:\windows\maxdriver\serenum.sys
+ 2010-04-25 11:25 . 2008-01-09 10:28 27632 c:\windows\maxdriver\seehcri.sys
+ 2007-07-27 12:00 . 2008-04-13 16:39 20480 c:\windows\maxdriver\secdrv.sys
+ 2007-07-27 12:00 . 2008-04-13 18:36 79232 c:\windows\maxdriver\sdbus.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 96384 c:\windows\maxdriver\scsiport.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 12200 c:\windows\maxdriver\s0016whnt.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 12200 c:\windows\maxdriver\s0016wh.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 25512 c:\windows\maxdriver\s0016nd5.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 15016 c:\windows\maxdriver\s0016mdfl.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 10792 c:\windows\maxdriver\s0016cr.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 12200 c:\windows\maxdriver\s0016cmnt.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 12200 c:\windows\maxdriver\s0016cm.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 89256 c:\windows\maxdriver\s0016bus.sys
+ 2008-04-13 18:56 . 2008-04-13 18:56 30592 c:\windows\maxdriver\rndismpx.sys
+ 2007-07-27 12:00 . 2008-04-13 18:56 30592 c:\windows\maxdriver\rndismp.sys
+ 2001-08-17 13:24 . 2007-07-27 12:00 12032 c:\windows\maxdriver\riodrv.sys
+ 2001-08-17 13:24 . 2007-07-27 12:00 12032 c:\windows\maxdriver\rio8drv.sys
+ 2008-04-13 18:46 . 2008-04-13 18:46 59136 c:\windows\maxdriver\rfcomm.sys
+ 2009-03-14 03:19 . 2008-04-13 18:40 57600 c:\windows\maxdriver\redbook.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 13776 c:\windows\maxdriver\recagent.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 34432 c:\windows\maxdriver\rawwan.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 16512 c:\windows\maxdriver\raspti.sys
+ 2007-07-27 12:00 . 2008-04-13 19:19 48384 c:\windows\maxdriver\raspptp.sys
+ 2007-07-27 12:00 . 2008-04-13 18:57 41472 c:\windows\maxdriver\raspppoe.sys
+ 2007-07-27 12:00 . 2008-04-13 19:19 51328 c:\windows\maxdriver\rasl2tp.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 17792 c:\windows\maxdriver\ptilink.sys
+ 2007-07-27 12:00 . 2008-04-13 18:56 69120 c:\windows\maxdriver\psched.sys
+ 2004-08-03 22:59 . 2008-04-13 18:31 35840 c:\windows\maxdriver\processr.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 24960 c:\windows\maxdriver\pciidex.sys
+ 2007-07-27 12:00 . 2008-04-13 18:36 68224 c:\windows\maxdriver\pci.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 19712 c:\windows\maxdriver\partmgr.sys
+ 2004-08-03 22:59 . 2008-04-13 18:40 80128 c:\windows\maxdriver\parport.sys
+ 2004-08-03 22:59 . 2008-04-13 18:31 42752 c:\windows\maxdriver\p3.sys
+ 2007-07-27 12:00 . 2008-04-13 18:46 61696 c:\windows\maxdriver\ohci1394.sys
+ 2007-09-20 17:07 . 2008-08-01 16:36 22016 c:\windows\maxdriver\nvnetbus.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 55936 c:\windows\maxdriver\nwlnkspx.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 63232 c:\windows\maxdriver\nwlnknb.sys
+ 2007-07-27 12:00 . 2008-04-13 18:56 88320 c:\windows\maxdriver\nwlnkipx.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 32512 c:\windows\maxdriver\nwlnkfwd.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 12416 c:\windows\maxdriver\nwlnkflt.sys
+ 2007-11-10 02:20 . 2007-11-10 02:20 29728 c:\windows\maxdriver\nvhda32.sys
+ 2007-09-20 17:07 . 2008-08-01 16:36 54784 c:\windows\maxdriver\NVENETFD.sys
+ 2007-07-27 12:00 . 2008-04-13 18:32 30848 c:\windows\maxdriver\npfs.sys
+ 2007-07-27 12:00 . 2008-04-13 18:53 40320 c:\windows\maxdriver\nmnt.sys
+ 2001-08-17 13:24 . 2007-07-27 12:00 12032 c:\windows\maxdriver\nikedrv.sys
+ 2004-08-03 22:58 . 2008-04-13 18:51 61824 c:\windows\maxdriver\nic1394.sys
+ 2007-07-27 12:00 . 2008-04-13 18:56 34688 c:\windows\maxdriver\netbios.sys
+ 2007-07-27 12:00 . 2008-04-13 18:57 40576 c:\windows\maxdriver\ndproxy.sys
+ 2007-07-27 12:00 . 2008-04-13 19:20 91520 c:\windows\maxdriver\ndiswan.sys
+ 2004-08-03 23:03 . 2008-04-13 18:55 14592 c:\windows\maxdriver\ndisuio.sys
+ 2007-07-27 12:00 . 2008-04-13 18:57 10112 c:\windows\maxdriver\ndistapi.sys
+ 2008-04-13 18:43 . 2008-04-13 18:43 12672 c:\windows\maxdriver\mutohpen.sys
+ 2004-08-03 23:07 . 2008-04-13 18:36 15488 c:\windows\maxdriver\mssmbios.sys
+ 2007-07-27 12:00 . 2008-04-13 18:56 35072 c:\windows\maxdriver\msgpc.sys
+ 2009-04-10 20:36 . 2001-08-17 12:02 35200 c:\windows\maxdriver\msgame.sys
+ 2007-07-27 12:00 . 2008-04-13 18:32 19072 c:\windows\maxdriver\msfs.sys
+ 2007-07-27 12:00 . 2008-04-13 18:39 92544 c:\windows\maxdriver\mqac.sys
+ 2007-07-27 12:00 . 2008-04-13 18:39 42368 c:\windows\maxdriver\mountmgr.sys
+ 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\maxdriver\mouclass.sys
+ 2004-08-03 23:08 . 2008-04-13 19:00 30080 c:\windows\maxdriver\modem.sys
+ 2004-08-03 23:07 . 2008-04-13 18:36 63744 c:\windows\maxdriver\mf.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 11868 c:\windows\maxdriver\mdmxsdk.sys
+ 2009-04-04 06:46 . 2010-03-29 22:46 38224 c:\windows\maxdriver\mbamswissarmy.sys
+ 2009-04-04 06:46 . 2010-03-29 22:45 20824 c:\windows\maxdriver\mbam.sys
+ 2009-05-02 10:57 . 2004-05-12 13:02 18432 c:\windows\maxdriver\maplom.sys
+ 2007-07-27 12:00 . 2009-06-24 11:18 92928 c:\windows\maxdriver\ksecdd.sys
+ 2007-07-27 12:00 . 2008-04-13 18:39 24576 c:\windows\maxdriver\kbdclass.sys
+ 2007-07-27 12:00 . 2008-04-13 18:36 37248 c:\windows\maxdriver\isapnp.sys
+ 2009-03-14 03:18 . 2008-04-13 18:54 11264 c:\windows\maxdriver\irenum.sys
+ 2008-04-13 18:45 . 2008-04-13 18:45 46592 c:\windows\maxdriver\irbus.sys
+ 2007-07-27 12:00 . 2008-04-13 19:19 75264 c:\windows\maxdriver\ipsec.sys
+ 2007-07-27 12:00 . 2008-04-13 18:57 20864 c:\windows\maxdriver\ipinip.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 32896 c:\windows\maxdriver\ipfltdrv.sys
+ 2007-07-27 12:00 . 2008-04-13 18:53 36608 c:\windows\maxdriver\ip6fw.sys
+ 2007-07-27 12:00 . 2008-04-13 18:31 36352 c:\windows\maxdriver\intelppm.sys
+ 2010-04-24 09:08 . 2009-05-13 16:51 19968 c:\windows\maxdriver\imdisk.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 42112 c:\windows\maxdriver\imapi.sys
+ 2007-07-27 12:00 . 2008-04-13 19:18 52480 c:\windows\maxdriver\i8042prt.sys
+ 2009-05-01 06:53 . 2008-04-13 17:45 10368 c:\windows\maxdriver\hidusb.sys
+ 2007-07-27 12:00 . 2008-04-13 18:45 24960 c:\windows\maxdriver\hidparse.sys
+ 2008-04-13 18:45 . 2008-04-13 18:45 19200 c:\windows\maxdriver\hidir.sys
+ 2007-07-27 12:00 . 2008-04-13 18:45 36864 c:\windows\maxdriver\hidclass.sys
+ 2008-04-13 18:46 . 2008-04-13 18:46 25600 c:\windows\maxdriver\hidbth.sys
+ 2009-04-19 10:41 . 2009-04-19 11:08 24616 c:\windows\maxdriver\ggsemc.sys
+ 2009-04-19 10:41 . 2009-04-19 11:08 13224 c:\windows\maxdriver\ggflt.sys
+ 2009-04-10 20:03 . 2008-04-13 17:45 10624 c:\windows\maxdriver\gameenum.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 46464 c:\windows\maxdriver\gagp30kx.sys
+ 2001-08-17 13:57 . 2007-07-27 12:00 12160 c:\windows\maxdriver\fsvga.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 20480 c:\windows\maxdriver\flpydisk.sys
+ 2007-07-27 12:00 . 2008-04-13 18:33 44544 c:\windows\maxdriver\fips.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 27392 c:\windows\maxdriver\fdc.sys
+ 2009-04-10 20:03 . 2001-08-17 10:19 40704 c:\windows\maxdriver\es1371mp.sys
+ 2009-11-16 07:06 . 2009-11-16 07:06 96408 c:\windows\maxdriver\epfwtdir.sys
+ 2005-05-03 15:34 . 2005-05-03 15:34 27392 c:\windows\maxdriver\ElbyCDFL.sys
+ 2007-07-27 12:00 . 2008-04-13 18:38 71168 c:\windows\maxdriver\dxg.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 10496 c:\windows\maxdriver\dxapi.sys
+ 2009-03-13 21:22 . 2008-04-13 18:45 60160 c:\windows\maxdriver\drmk.sys
+ 2009-03-13 21:23 . 2008-04-13 18:45 52864 c:\windows\maxdriver\dmusic.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 14208 c:\windows\maxdriver\diskdump.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 36352 c:\windows\maxdriver\disk.sys
+ 2004-08-03 22:59 . 2008-04-13 18:31 36736 c:\windows\maxdriver\crusoe.sys
+ 2001-08-17 13:24 . 2007-07-27 12:00 11776 c:\windows\maxdriver\cpqdap01.sys
+ 2007-07-27 12:00 . 2008-04-13 19:16 49536 c:\windows\maxdriver\classpnp.sys
+ 2007-07-27 12:00 . 2008-04-13 18:40 62976 c:\windows\maxdriver\cdrom.sys
+ 2007-07-27 12:00 . 2008-04-13 19:14 63744 c:\windows\maxdriver\cdfs.sys
+ 2001-08-17 13:52 . 2007-07-27 12:00 18688 c:\windows\maxdriver\cdaudio.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 13952 c:\windows\maxdriver\cbidf2k.sys
+ 2008-04-13 18:46 . 2008-04-13 18:46 18944 c:\windows\maxdriver\bthusb.sys
+ 2008-04-13 18:46 . 2008-04-13 18:46 36480 c:\windows\maxdriver\bthprint.sys
+ 2008-04-13 18:46 . 2008-04-13 18:46 37888 c:\windows\maxdriver\bthmodem.sys
+ 2008-04-13 18:46 . 2008-04-13 18:46 17024 c:\windows\maxdriver\bthenum.sys
+ 2007-07-27 12:00 . 2008-04-13 18:53 71552 c:\windows\maxdriver\bridge.sys
+ 2007-07-27 12:00 . 2008-04-13 18:51 55808 c:\windows\maxdriver\atmlane.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 31360 c:\windows\maxdriver\atmepvc.sys
+ 2007-07-27 12:00 . 2008-04-13 18:51 59904 c:\windows\maxdriver\atmarpc.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 63488 c:\windows\maxdriver\atinxsxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 31744 c:\windows\maxdriver\atinxbxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 73216 c:\windows\maxdriver\atintuxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 13824 c:\windows\maxdriver\atinttxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 28672 c:\windows\maxdriver\atinsnxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 52224 c:\windows\maxdriver\atinraxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 14336 c:\windows\maxdriver\atinpdxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 13824 c:\windows\maxdriver\atinmdxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 57856 c:\windows\maxdriver\atinbtxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 34735 c:\windows\maxdriver\ati1xsxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 29455 c:\windows\maxdriver\ati1xbxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 36463 c:\windows\maxdriver\ati1tuxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 21343 c:\windows\maxdriver\ati1ttxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 26367 c:\windows\maxdriver\ati1snxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 63663 c:\windows\maxdriver\ati1rvxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 30671 c:\windows\maxdriver\ati1raxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 12047 c:\windows\maxdriver\ati1pdxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 11615 c:\windows\maxdriver\ati1mdxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 56623 c:\windows\maxdriver\ati1btxx.sys
+ 2007-07-27 10:00 . 2008-04-13 16:40 96512 c:\windows\maxdriver\atapi.sys
+ 2007-07-27 12:00 . 2008-04-13 18:57 14336 c:\windows\maxdriver\asyncmac.sys
+ 2004-08-03 22:58 . 2008-04-13 18:51 60800 c:\windows\maxdriver\arp1394.sys
+ 2004-08-03 22:59 . 2008-04-13 18:31 37760 c:\windows\maxdriver\amdk7.sys
+ 2004-08-03 22:59 . 2008-04-13 18:31 37376 c:\windows\maxdriver\amdk6.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 43008 c:\windows\maxdriver\amdagp.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 42752 c:\windows\maxdriver\alim1541.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 44928 c:\windows\maxdriver\agpcpq.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 42368 c:\windows\maxdriver\agp440.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 11648 c:\windows\maxdriver\acpiec.sys
+ 2007-07-27 12:00 . 2008-04-13 18:46 53376 c:\windows\maxdriver\1394bus.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 4352 c:\windows\maxdriver\wmilib.sys
+ 2009-03-14 03:19 . 2008-04-13 18:36 8832 c:\windows\maxdriver\wmiacpi.sys
+ 2007-07-27 12:00 . 2001-08-17 12:03 4736 c:\windows\maxdriver\usbd.sys
+ 2004-08-03 22:58 . 2008-04-13 18:39 4352 c:\windows\maxdriver\swenum.sys
+ 2009-03-13 21:23 . 2008-04-13 18:45 6272 c:\windows\maxdriver\splitter.sys
+ 2008-04-13 18:36 . 2008-04-13 18:36 5888 c:\windows\maxdriver\smbali.sys
+ 2005-05-16 13:20 . 2005-05-16 13:20 6656 c:\windows\maxdriver\sfhlp02.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 5888 c:\windows\maxdriver\rootmdm.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 4224 c:\windows\maxdriver\rdpcdd.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 8832 c:\windows\maxdriver\rasacd.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 3328 c:\windows\maxdriver\pciide.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 6784 c:\windows\maxdriver\parvdm.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 3456 c:\windows\maxdriver\oprghdlr.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 2944 c:\windows\maxdriver\null.sys
+ 2009-03-13 21:22 . 2008-04-13 18:39 4992 c:\windows\maxdriver\mspqm.sys
+ 2009-03-13 21:22 . 2008-04-13 18:39 5376 c:\windows\maxdriver\mspclock.sys
+ 2009-03-13 21:22 . 2008-04-13 18:39 7552 c:\windows\maxdriver\mskssrv.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 4224 c:\windows\maxdriver\mnmdd.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 7680 c:\windows\maxdriver\mcd.sys
+ 2009-04-10 20:28 . 2001-08-17 12:02 8576 c:\windows\maxdriver\hidgame.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 7936 c:\windows\maxdriver\fs_rec.sys
+ 2009-03-14 03:19 . 2001-08-17 13:46 6400 c:\windows\maxdriver\enum1394.sys
+ 2006-04-22 01:44 . 2006-04-22 01:44 8064 c:\windows\maxdriver\ElbyCDIO.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 3328 c:\windows\maxdriver\dxgthk.sys
+ 2009-03-13 21:22 . 2008-04-13 18:45 2944 c:\windows\maxdriver\drmkaud.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 5888 c:\windows\maxdriver\dmload.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 4224 c:\windows\maxdriver\beep.sys
+ 2003-03-28 09:58 . 2003-03-28 09:58 8640 c:\windows\maxdriver\axskbus.sys
+ 2010-04-24 09:08 . 2009-02-09 13:16 9216 c:\windows\maxdriver\awealloc.sys
+ 2009-03-14 03:20 . 2001-08-17 13:59 3072 c:\windows\maxdriver\audstub.sys
+ 2009-04-04 15:02 . 2004-04-30 07:33 5248 c:\windows\maxdriver\a347scsi.sys
+ 2007-07-27 12:00 . 2010-04-28 14:00 444358 c:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2010-04-27 15:17 444358 c:\windows\system32\perfh009.dat
+ 2008-03-27 14:27 . 2008-03-27 14:27 503008 c:\windows\maxdriver\wdf01000.sys
+ 2008-04-13 18:46 . 2008-04-13 18:46 121984 c:\windows\maxdriver\usbvideo.sys
+ 2007-07-27 12:00 . 2008-04-13 18:45 143872 c:\windows\maxdriver\usbport.sys
+ 2007-07-27 12:00 . 2008-04-13 18:39 384768 c:\windows\maxdriver\update.sys
+ 2007-07-27 12:00 . 2010-02-11 12:02 226880 c:\windows\maxdriver\tcpip6.sys
+ 2007-07-27 12:00 . 2008-06-20 11:51 361600 c:\windows\maxdriver\tcpip.sys
+ 2007-07-27 12:00 . 2009-12-31 16:50 353792 c:\windows\maxdriver\srv.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 404990 c:\windows\maxdriver\slntamr.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 129535 c:\windows\maxdriver\slnt7554.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 166912 c:\windows\maxdriver\s3gnbm.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 115752 c:\windows\maxdriver\s0016unic.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 110632 c:\windows\maxdriver\s0016obex.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 114216 c:\windows\maxdriver\s0016mgmt.sys
+ 2009-04-18 21:27 . 2008-05-16 09:33 120744 c:\windows\maxdriver\s0016mdm.sys
+ 2007-07-27 12:00 . 2008-05-08 14:02 203136 c:\windows\maxdriver\rmcast.sys
+ 2009-03-14 04:29 . 2008-04-14 00:13 139656 c:\windows\maxdriver\rdpwd.sys
+ 2009-03-14 04:29 . 2008-04-13 18:32 196224 c:\windows\maxdriver\rdpdr.sys
+ 2007-07-27 12:00 . 2008-04-13 19:28 175744 c:\windows\maxdriver\rdbss.sys
+ 2004-03-16 09:58 . 2008-04-13 19:19 146048 c:\windows\maxdriver\portcls.sys
+ 2007-07-27 12:00 . 2008-04-13 18:36 120192 c:\windows\maxdriver\pcmcia.sys
+ 2007-07-27 12:00 . 2008-04-13 18:34 163584 c:\windows\maxdriver\nwrdr.sys
+ 2007-09-20 17:07 . 2008-08-01 16:35 955520 c:\windows\maxdriver\nvnrm.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 180360 c:\windows\maxdriver\ntmtlfax.sys
+ 2007-07-27 12:00 . 2008-04-13 19:15 574976 c:\windows\maxdriver\ntfs.sys
+ 2007-07-27 12:00 . 2008-04-13 19:21 162816 c:\windows\maxdriver\netbt.sys
+ 2007-07-27 12:00 . 2008-04-13 19:20 182656 c:\windows\maxdriver\ndis.sys
+ 2007-07-27 12:00 . 2008-04-13 19:17 105344 c:\windows\maxdriver\mup.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 452736 c:\windows\maxdriver\mtxparhm.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 126686 c:\windows\maxdriver\mtlmnt5.sys
+ 2007-07-27 12:00 . 2010-02-24 13:11 455680 c:\windows\maxdriver\mrxsmb.sys
+ 2007-07-27 12:00 . 2008-04-13 18:32 180608 c:\windows\maxdriver\mrxdav.sys
+ 2004-08-03 23:15 . 2008-04-13 19:16 141056 c:\windows\maxdriver\ks.sys
+ 2009-03-13 21:22 . 2008-04-13 18:45 172416 c:\windows\maxdriver\kmixer.sys
+ 2007-07-27 12:00 . 2008-04-13 18:57 152832 c:\windows\maxdriver\ipnat.sys
+ 2007-07-27 12:00 . 2009-10-20 16:20 265728 c:\windows\maxdriver\http.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 685056 c:\windows\maxdriver\hsfcxts2.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 220032 c:\windows\maxdriver\hsfbs2s2.sys
+ 2005-01-07 16:07 . 2005-01-07 16:07 145920 c:\windows\maxdriver\Hdaudio.sys
+ 2005-01-07 16:07 . 2008-04-13 16:36 144384 c:\windows\maxdriver\hdaudbus.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 125056 c:\windows\maxdriver\ftdisk.sys
+ 2009-03-14 04:31 . 2008-04-13 18:32 129792 c:\windows\maxdriver\fltmgr.sys
+ 2007-07-27 12:00 . 2008-04-13 19:14 143744 c:\windows\maxdriver\fastfat.sys
+ 2009-11-16 07:03 . 2009-11-16 07:03 108792 c:\windows\maxdriver\ehdrv.sys
+ 2009-11-16 06:56 . 2009-11-16 06:56 116520 c:\windows\maxdriver\eamon.sys
+ 2007-07-27 12:00 . 2008-04-13 18:44 153344 c:\windows\maxdriver\dmio.sys
+ 2007-07-27 12:00 . 2008-04-13 18:44 799744 c:\windows\maxdriver\dmboot.sys
+ 2001-08-17 14:02 . 2007-07-27 12:00 262528 c:\windows\maxdriver\cinemst2.sys
+ 2008-04-13 18:46 . 2008-06-13 11:05 272128 c:\windows\maxdriver\bthport.sys
+ 2008-04-13 18:51 . 2008-04-13 18:51 101120 c:\windows\maxdriver\bthpan.sys
+ 2003-03-30 19:38 . 2003-03-30 19:38 102624 c:\windows\maxdriver\axsaki.sys
+ 2007-07-27 12:00 . 2007-07-27 12:00 352256 c:\windows\maxdriver\atmuni.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 104960 c:\windows\maxdriver\atinrvxx.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 701440 c:\windows\maxdriver\ati2mtag.sys
+ 2009-03-13 21:31 . 2004-08-03 21:29 327040 c:\windows\maxdriver\ati2mtaa.sys
+ 2007-07-27 12:00 . 2008-08-14 10:04 138496 c:\windows\maxdriver\afd.sys
+ 2009-03-13 21:22 . 2008-04-13 16:39 142592 c:\windows\maxdriver\aec.sys
+ 2007-07-27 12:00 . 2008-04-13 18:36 187776 c:\windows\maxdriver\acpi.sys
+ 2009-04-04 15:02 . 2004-04-30 07:37 160640 c:\windows\maxdriver\a347bus.sys
+ 2009-03-13 21:21 . 2007-09-19 09:16 4617728 c:\windows\maxdriver\RtkHDAud.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 1309184 c:\windows\maxdriver\mtlstrm.sys
+ 2009-03-13 21:31 . 2004-08-03 21:41 1041536 c:\windows\maxdriver\hsfdpsp2.sys
+ 2007-10-04 08:14 . 2010-04-03 20:55 10232128 c:\windows\maxdriver\nv4_mini.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"Hard Disk Sentinel"="g:\program files\Hard Disk Sentinel\HDSentinel.exe" [2009-02-24 3198464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-10-12 614400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BankID Security Application.lnk - c:\program files\Personal\bin\Personal.exe [2009-5-3 939536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2007-11-10 29728]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-04-25 27632]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2010-04-25 90112]
S3 AWEAlloc;AWE Memory Allocation Driver;c:\windows\system32\drivers\awealloc.sys [2010-04-24 9216]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-04-19 13224]
S3 ImDisk;ImDisk Virtual Disk Driver;c:\windows\system32\drivers\imdisk.sys [2010-04-24 19968]
S3 ImDskSvc;ImDisk Virtual Disk Driver Helper;c:\windows\system32\imdsksvc.exe [2010-04-24 10240]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-04-18 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-04-18 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-04-18 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-04-18 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-04-18 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-04-18 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-04-18 115752]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2010-04-26 132464]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2009-04-04 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2009-04-04 5248]
.
Contents of the 'Scheduled Tasks' folder

2010-04-28 c:\windows\Tasks\User_Feed_Synchronization-{E51E9111-755F-4990-99AB-39BEABF9B266}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://81.232.99.43:60108/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.leta.se/
FF - component: c:\documents and settings\Per\Application Data\Mozilla\Firefox\Profiles\9l23s4zn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1844237615-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:34,16,57,02,3b,e5,67,7e,51,a1,ab,35,30,1a,60,b1,b1,bf,5b,05,40,89,12,
96,a7,85,da,07,ef,fa,f4,8e,87,76,cb,87,cd,98,ac,b8,36,d6,e1,e0,16,94,85,ad,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"D140111900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Completion time: 2010-04-28 16:09:34
ComboFix-quarantined-files.txt 2010-04-28 14:09
ComboFix2.txt 2010-04-27 15:27

Pre-Run: 29 362 298 880 bytes free
Post-Run: 29 327 077 376 bytes free

- - End Of File - - 6D24CFD4471BAF12ABCA71A914CD250B
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 28th, 2010, 10:38 am

Hi pimse,

go to Start > Run, and copy/paste the following then press Enter.

maxlook -cleanup

Please open Notepad and copy/paste the contents in the quote box below, into Notepad.

@echo off
@mbr -t
@start mbr.log


Save this as look.bat. Choose "Save type as - All Files".

Double click on look.bat to run it. Please post the log it produces.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 28th, 2010, 2:56 pm

Kaspersky scan is running. After three hours it's on 35%.


Here is the log from look.bat

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A9702B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a9702b0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 28th, 2010, 3:16 pm

Hi pimse,

Kaspersky scan is running. After three hours it's on 35%.


Please cancel the scan.

Use "Recovery Console" command "fixmbr" to clear infection !


Please follow the instructions from earlier when we ran maxlook to boot into the Recovery Console

Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

fixmbr

Then type Exit to restart your computer then logon in normal mode.

Now please double click on look.bat to run it. Please post the log it produces.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 28th, 2010, 3:44 pm

Here is the latest log of look.bat:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A966300]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a966300
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !


After entering fixmbr I pressed the Enter key and this text showed up:

Caution

this computer appears to have a non-standard or invalid master boot record
fixmbr may damage your partition tables if you proceed
this could cause all the partitions on the current hard disk to become inaccessible
if you are not having problems accessing your drive do not continue
are you sure you want to write a new MBR


After pressing y, the following text confirmed the action:

A new mbr was successfully written
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 28th, 2010, 4:13 pm

Hi pimse,

This is indeed a tricky one to track down. I will need to research this further and will get back to you as soon as possible.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 29th, 2010, 4:15 am

Hi pimse,

We need to try to get a full log from GMER

Please boot to Safe Mode and run GMER

Uncheck the following

IAT/EAT
Drives/Partition other than Systemdrive (typically only C:\ should be checked)
Show All (don't miss this one)


If this still fails then please try again with Sections also unchecked.

Please save the log (if successful) and reboot to normal mode.

Please post the GMER log and also post the log defogger_disable which should be on your desktop.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 29th, 2010, 11:37 am

The defogger log is at the bottom of this message, but it seems to be from yesterday...?


I'm sorry, I can't get a full log out of Gmer.

I'm getting a blue screen in both normal and safe mode:

NO_MORE_IRP_STACK_LOCATIONS

stop 0x00000035

BUT, if I also uncheck "devices", Gmer runs a whole scan and finds the MBR copy
and "f:program hidden NMSAccessU".


I have managed to stop the scan just before the BSOD and save the result so far a couple of times.

The BSOD appears at the same point of the scan every time.



NO:1

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-29 17:02:18
Windows 5.1.2600 Service Pack 3
Running: z10hn0xd.exe; Driver: C:\DOCUME~1\Per\LOCALS~1\Temp\pxtdapob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 30: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

---- Services - GMER 1.0.15 ----

Service f:\Program (*** hidden *** ) [AUTO] NMSAccessU <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


NO:2


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 17:19:05
Windows 5.1.2600 Service Pack 3
Running: z10hn0xd.exe; Driver: C:\DOCUME~1\Per\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB71ACB30]
SSDT 897BD580 ZwAssignProcessToJobObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xB71AC6F0]
SSDT 897BE100 ZwDebugActiveProcess
SSDT 897BDB30 ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB71AC470]
SSDT 897BCCC0 ZwOpenProcess
SSDT 897BCFC0 ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB71ACC50]
SSDT 897BD860 ZwSetContextThread
SSDT 897BD6E0 ZwSetInformationThread
SSDT 897BA700 ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB71AC990]
SSDT 897BD420 ZwSuspendProcess
SSDT 897BD2C0 ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB71AC8D0]
SSDT 897BD150 ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB71ACD60]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB721D380, 0x566445, 0xE8000020]
.text tcpip.sys!IPTransmit + 10FC B43F4D3A 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 B43F6690 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 B440C454 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B71BF3FD 7 Bytes CALL B7DF3FA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- EOF - GMER 1.0.15 ----


NO:3


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 17:20:07
Windows 5.1.2600 Service Pack 3
Running: z10hn0xd.exe; Driver: C:\DOCUME~1\Per\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB71ACB30]
SSDT 897BD580 ZwAssignProcessToJobObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xB71AC6F0]
SSDT 897BE100 ZwDebugActiveProcess
SSDT 897BDB30 ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB71AC470]
SSDT 897BCCC0 ZwOpenProcess
SSDT 897BCFC0 ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB71ACC50]
SSDT 897BD860 ZwSetContextThread
SSDT 897BD6E0 ZwSetInformationThread
SSDT 897BA700 ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB71AC990]
SSDT 897BD420 ZwSuspendProcess
SSDT 897BD2C0 ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB71AC8D0]
SSDT 897BD150 ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB71ACD60]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB721D380, 0x566445, 0xE8000020]
.text tcpip.sys!IPTransmit + 10FC B43F4D3A 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 B43F6690 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 B440C454 6 Bytes CALL B7DF3E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B71BF3FD 7 Bytes CALL B7DF3FA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1768] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Cdrom \Device\CdRom0 8AA3DA60
Device \Driver\Cdrom \Device\CdRom0 8A9AF348
Device \Driver\atapi \Device\Ide\IdePort0 8A8C0940
Device \Driver\atapi \Device\Ide\IdePort1 8A8C0940
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-e 8A8C0940
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-6 8A8C0940
Device \Driver\atapi \Device\Ide\IdePort2 8A8C0940
Device \Driver\atapi \Device\Ide\IdePort3 8A8C0940
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

---- EOF - GMER 1.0.15 ----




defogger_disable by jpshortstuff (23.02.10.1)
Log created at 15:54 on 28/04/2010 (Per)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
a347bus -> Disabled (Service running -> reboot required)
a347scsi -> Disabled (Service running -> reboot required)
Unable to read atapi.sys


-=E.O.F=-
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 29th, 2010, 3:57 pm

Hi pimse,

Please try one more GMER scan in safe mode with only the sections option selected.

Unless we make further rapid progress this evening, please run an online Kaspersky scan overnight tonight.

Could you let me know approximately when you first became aware of the rootkit infection on this computer?
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 29th, 2010, 4:39 pm

Gmer scan with only "Section" checked found nothing; the log file is completely empty.

I'm afraid the computer has run slower and slower for a rather long time... say two or three months... it's difficult to say.
Firefox has been taking longer and longer to start, and two weeks ago I decided it was enough.
I started various scans and found some malware; Esellerateengine.dll was one of the things I cleaned off the computer.

I was left with a copy of MBR and a feeling that there might be something more left in the computer.

Then I asked for help here.

About the Kaspersky scan: can scanning C: be enough?

pimse
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 29th, 2010, 4:45 pm

Hi pimse,

About the Kaspersky scan: can scanning C: be enough?


Yes that should be fine.

Disable service
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop NMSAccessU
sc config NMSAccessU start= disabled
exit


Double click FixServices.bat. A window will open and close. This is normal.

Now reboot the computer

Next run look.bat and post the log that it produces.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Need help with a MBR rootkit!

Unread postby pimse » April 29th, 2010, 4:59 pm

The log from the latest look.bat run:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A930738]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a930738
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm
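
The three look.bat logs in this thread differ only in the hook address, while the \Driver\atapi hook and the sector-30 copy survive both fixmbr and the service fix. As an added example (not the forum's or GMER's code), this Python script parses that mbr.exe output and compares runs; the two embedded logs are transcribed from the posts above, and the verdict labels are this example's own wording.

```python
"""Parse and compare mbr.exe (GMER Stealth MBR rootkit detector) logs.
Added example for this thread, not GMER's or the forum's own code: it reads
the look.bat output posted above and reports what changed between runs."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed samples transcribed from the thread: run 1 before fixmbr,
# run 2 after fixmbr was executed from the Recovery Console.
LOG_BEFORE_FIXMBR = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A9702B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a9702b0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""
LOG_AFTER_FIXMBR = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A966300]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a966300
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s*->\s*0x([0-9a-fA-F]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
SECTOR_RE = re.compile(r"copy of MBR has been found in sector (\d+)")

@dataclass
class MbrScan:
    hooks: dict = field(default_factory=dict)  # hooked driver object -> address
    unknown_module: int | None = None          # unnamed module in the call chain
    mbr_copy_sector: int | None = None         # where a stashed MBR copy was found
    mbr_ok: bool = False                       # user-mode and kernel-mode reads agree
    warning: bool = False                      # tool printed its infection warning

def parse_mbr_log(text: str) -> MbrScan:
    """Extract the security-relevant lines; everything else is status noise."""
    scan = MbrScan()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            scan.hooks[m.group(1)] = int(m.group(2), 16)
        elif m := UNKNOWN_RE.search(line):
            scan.unknown_module = int(m.group(1), 16)
        elif m := SECTOR_RE.search(line):
            scan.mbr_copy_sector = int(m.group(1))
        elif line == "user & kernel MBR OK":
            scan.mbr_ok = True
        elif line.startswith("Warning: possible MBR rootkit infection"):
            scan.warning = True
    return scan

def verdict(scan: MbrScan) -> str:
    """Classify one run. A disk-driver hook plus a stashed MBR copy is the
    full Mebroot/Sinowal pattern; either one alone still needs follow-up."""
    if scan.hooks and scan.mbr_copy_sector is not None:
        return "active: disk hook present and MBR copy still on disk"
    if scan.hooks or scan.mbr_copy_sector is not None:
        return "partial: one indicator remains"
    return "no MBR rootkit indicators"

def stable_indicators(scans: list[MbrScan]) -> tuple[set[str], int | None]:
    """Indicators shared by every run. Kernel pool addresses change on each
    boot, so the hooked driver name and the sector number are compared,
    not the addresses."""
    drivers = set(scans[0].hooks)
    sector = scans[0].mbr_copy_sector
    for s in scans[1:]:
        drivers &= set(s.hooks)
        if s.mbr_copy_sector != sector:
            sector = None
    return drivers, sector

def hook_addresses(scans: list[MbrScan], driver: str) -> list[int | None]:
    """Addresses reported for one hooked driver across runs."""
    return [s.hooks.get(driver) for s in scans]

if __name__ == "__main__":
    scans = [parse_mbr_log(LOG_BEFORE_FIXMBR), parse_mbr_log(LOG_AFTER_FIXMBR)]
    for label, s in zip(("before fixmbr", "after fixmbr"), scans):
        print(f"{label:14s} {verdict(s)}")
    drivers, sector = stable_indicators(scans)
    print("persistent across runs:", drivers, "sector", sector)
    print("hook addresses:", [hex(a) for a in hook_addresses(scans, r"\Driver\atapi")])
```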

Re: Need help with a MBR rootkit!

Unread postby pimse » April 30th, 2010, 12:41 am

Kaspersky log


KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, April 30, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, April 29, 2010 21:23:06
Records in database: 4004514
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases no
Scan area Folder
C:\
Scan statistics
Objects scanned 73378
Threats found 15
Infected objects found 46
Suspicious objects found 0
Scan duration 00:54:16

File name Threat Threats count
C:\Documents and Settings\Per\Desktop\New Folder (2)\genvägar\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Documents and Settings\Per\My Documents\Hämtade filer\USB_MultiBoot_10\USB_MultiBoot_10\MULTI_CONTENT\wintools\commandline\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\Documents and Settings\Per\My Documents\Hämtade filer\USB_MultiBoot_10\USB_MultiBoot_10\MULTI_CONTENT\wintools\othertools\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.i 1
C:\Documents and Settings\Per\My Documents\Hämtade filer\U_XP_SET.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\Documents and Settings\Per\My Documents\nedladdade och installerade program\bootland\U_XP_SET\USB_XP_Setup\makebt\MBRFIX.EXE Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\Documents and Settings\Per\My Documents\nedladdade och installerade program\bootland\U_XP_SET\USB_XP_Setup\X_CONTENT\wintools\commandline\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\Documents and Settings\Per\My Documents\nedladdade och installerade program\bootland\U_XP_SET.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 2
C:\Documents and Settings\Per\My Documents\UBCD4WinV350.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\Documents and Settings\Per\My Documents\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Documents and Settings\Per\My Documents\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\Documents and Settings\Per\My Documents\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 2
C:\Documents and Settings\Per\My Documents\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2
C:\Documents and Settings\Per\My Documents\vnc-4_1_3-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2
C:\UBCD4Win\BartPE\PROGRAMS\Crossloop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\UBCD4Win\BartPE\PROGRAMS\Crossloop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\UBCD4Win\BartPE\PROGRAMS\ESET\infected\1DBB0EAA.NQF Infected: Trojan-Downloader.Win32.Agent.aoqi 1
C:\UBCD4Win\BartPE\PROGRAMS\ESET\infected\2GX0L1CA.NQF Infected: Backdoor.Win32.Bifrose.aiqv 1
C:\UBCD4Win\BartPE\PROGRAMS\ESET\infected\IWCFVSDA.NQF Infected: Backdoor.Win32.VB.bax 1
C:\UBCD4Win\BartPE\PROGRAMS\ESET\infected\QFGJMZDA.NQF Infected: not-a-virus:PSWTool.Win32.Cain.281 1
C:\UBCD4Win\BartPE\PROGRAMS\ESET\infected\QMIU2XCA.NQF Infected: Trojan-Dropper.Win32.Agent.usv 1
C:\UBCD4Win\BartPE\PROGRAMS\IPScan\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\UBCD4Win\BartPE\PROGRAMS\mbrfix\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\UBCD4Win\BartPE\PROGRAMS\PassPro\PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1
C:\UBCD4Win\plugin\AntiVirus\nod32c\ESET\infected\1DBB0EAA.NQF Infected: Trojan-Downloader.Win32.Agent.aoqi 1
C:\UBCD4Win\plugin\AntiVirus\nod32c\ESET\infected\2GX0L1CA.NQF Infected: Backdoor.Win32.Bifrose.aiqv 1
C:\UBCD4Win\plugin\AntiVirus\nod32c\ESET\infected\IWCFVSDA.NQF Infected: Backdoor.Win32.VB.bax 1
C:\UBCD4Win\plugin\AntiVirus\nod32c\ESET\infected\QFGJMZDA.NQF Infected: not-a-virus:PSWTool.Win32.Cain.281 1
C:\UBCD4Win\plugin\AntiVirus\nod32c\ESET\infected\QMIU2XCA.NQF Infected: Trojan-Dropper.Win32.Agent.usv 1
C:\UBCD4Win\plugin\Disk\Partition\MbrFix\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\UBCD4Win\plugin\Network\CrossLoop\files\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\UBCD4Win\plugin\Network\CrossLoop\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\UBCD4Win\plugin\Network\ipscan\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\UBCD4Win\plugin\Network\ultravnc\files\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\UBCD4Win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\UBCD4Win\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Network\VNCServer\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Password\passwordspro\files\PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1
Selected area has been scanned.
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm

Re: Need help with a MBR rootkit!

Unread postby deltalima » April 30th, 2010, 8:41 am

Hi pimse,

Please reboot into the Recovery Console

Execute the following bolded command at the c:\windows> prompt

copy c:\windows\system32\drivers\atapi.sys c:\atapi.sys

Now type exit to reboot into normal mode.

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
c:\atapi.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

SystemLook

Download SystemLook and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Questions

Please let me know if Alcohol 120% has ever been installed on this computer.

I see that you have downloaded UBCD4Win; please let me know if you have been successful in booting from this disk, as we may need to use this at some stage.

Disable service
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop ImDskSvc
sc config ImDskSvc start= disabled
exit


Double click FixServices.bat. A window will open and close. This is normal.

Now reboot the computer

look.bat

Next run look.bat and post the log that it produces.

HAMeb_check

Download and run HAMeb_check.exe
Post the contents of the resulting log.

RSIT (Random's System Information Tool)

Please download RSIT by random/random... and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done... 2 log files...will be produced.
  • The first one, "log.txt", << will be maximized
  • The second one, "info.txt", << will be minimized.
Please post both the "log.txt" and "info.txt" file contents in your next reply.

Next post

So in the next reply please include:
  • Results from Virustotal
  • SystemLook.txt
  • If Alcohol 120% has ever been installed
  • If you can boot from UBCD4Win
  • log from look.bat
  • log from HAMeb_check.exe
  • log.txt and info.txt from RSIT
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
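The atapi.sys comparison this procedure sets up, written out as an added example (not part of the thread and not a MalwareRemoval.com tool): it parses SystemLook filefind result lines (path, attribute flags, size, created/modified timestamps, MD5) and checks whether the driver Windows loads from system32\drivers hashes the same as the reference copies in system32\dllcache and ServicePackFiles\i386. The sample scan output and every hash in it are constructed placeholders.

```python
"""Triage helper for the atapi.sys check set up above (added example, not a
MalwareRemoval.com tool): parse SystemLook ':filefind' result lines, then
compare the driver Windows actually loads (system32\\drivers\\atapi.sys)
against the protected reference copies in system32\\dllcache and
ServicePackFiles\\i386.  A loaded copy that is the same size as a reference
copy but hashes differently is the pattern of a driver patched in place."""
import re

# One filefind result line: path, six attribute flags, size, created and
# modified timestamps in brackets, MD5.  Paths may contain spaces, so the
# path group is lazy and the fixed-shape fields anchor the match.
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per result line; header and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def triage(hits, windir="C:\\WINDOWS"):
    """Compare the loaded driver with its reference copies.

    verdict is one of:
      consistent - loaded copy hashes the same as every reference copy
      mismatch   - at least one reference copy has a different hash
      incomplete - loaded copy or reference copies missing from the scan
    same_size_different_hash lists reference copies whose size equals the
    loaded copy's but whose hash does not (the in-place-patch pattern).
    Copies under $NtServicePackUninstall$ belong to the previous service
    pack and are deliberately not treated as references.
    """
    base = windir.lower().rstrip("\\")
    live_path = base + "\\system32\\drivers\\atapi.sys"
    ref_dirs = (base + "\\system32\\dllcache\\", base + "\\servicepackfiles\\i386\\")
    live = [h for h in hits if h["path"].lower() == live_path]
    refs = [h for h in hits if h["path"].lower().startswith(ref_dirs)]
    report = {"verdict": "incomplete", "live": live[0] if live else None,
              "references": refs, "same_size_different_hash": []}
    if not live or not refs:
        return report
    loaded = live[0]
    differing = [r for r in refs if r["md5"] != loaded["md5"]]
    report["same_size_different_hash"] = [
        r["path"] for r in differing if r["size"] == loaded["size"]]
    report["verdict"] = "mismatch" if differing else "consistent"
    return report


# Constructed SystemLook output (hashes are placeholders, not from the thread).
# The loaded driver is the same size as both reference copies but hashes
# differently, which is what an in-place patch of atapi.sys looks like.
SAMPLE_PATCHED = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [21:33 13/03/2009] [12:00 27/07/2007] 11111111111111111111111111111111
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 22222222222222222222222222222222
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [10:00 27/07/2007] [16:40 13/04/2008] 22222222222222222222222222222222
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [10:00 27/07/2007] [16:40 13/04/2008] DEADBEEFDEADBEEFDEADBEEFDEADBEEF

-=End Of File=-
"""

# Same constructed scan with the loaded driver matching its references.
SAMPLE_CLEAN = SAMPLE_PATCHED.replace("DEADBEEFDEADBEEFDEADBEEFDEADBEEF",
                                      "22222222222222222222222222222222")

if __name__ == "__main__":
    for label, text in (("patched", SAMPLE_PATCHED), ("clean", SAMPLE_CLEAN)):
        report = triage(parse_filefind(text))
        print(label, "->", report["verdict"], report["same_size_different_hash"])
```

A "mismatch" verdict on the loaded copy alone is what justifies the VirusTotal upload and the later Recovery Console work; a "consistent" verdict means all copies changed together or none did, which is why the sigcheck and packer fields of the VirusTotal report are still worth reading.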

Re: Need help with a MBR rootkit!

Unread postby pimse » April 30th, 2010, 10:16 am

Hi deltalima,

Thanks for your patience!

Alcohol 120% is installed on this computer, and yes, I should be able to boot from a UBCD4Win CD.

Virustotal log


Fil atapi.sys mottagen 2010.04.30 11:40:22 (UTC)
Närvarande status: genomförd
Resultat: 1/40 (2.50%)
Antivirus Version Senaste Uppdatering Resultat
a-squared 4.5.0.50 2010.04.30 -
AhnLab-V3 2010.04.30.02 2010.04.30 -
AntiVir 8.2.1.224 2010.04.30 -
Antiy-AVL 2.0.3.7 2010.04.30 -
Authentium 5.2.0.5 2010.04.30 -
Avast 4.8.1351.0 2010.04.30 -
Avast5 5.0.332.0 2010.04.30 -
AVG 9.0.0.787 2010.04.30 -
BitDefender 7.2 2010.04.30 -
CAT-QuickHeal 10.00 2010.04.29 -
ClamAV 0.96.0.3-git 2010.04.30 -
Comodo 4718 2010.04.30 -
DrWeb 5.0.2.03300 2010.04.30 -
eSafe 7.0.17.0 2010.04.29 Win32.Rootkit
eTrust-Vet 35.2.7460 2010.04.30 -
F-Prot 4.5.1.85 2010.04.30 -
F-Secure 9.0.15370.0 2010.04.30 -
Fortinet 4.0.14.0 2010.04.27 -
GData 21 2010.04.30 -
Ikarus T3.1.1.80.0 2010.04.30 -
Jiangmin 13.0.900 2010.04.29 -
Kaspersky 7.0.0.125 2010.04.30 -
McAfee 5.400.0.1158 2010.04.30 -
McAfee-GW-Edition 6.8.5 2010.04.30 -
Microsoft 1.5703 2010.04.30 -
NOD32 5074 2010.04.30 -
Norman 6.04.12 2010.04.30 -
nProtect 2010-04-30.01 2010.04.30 -
Panda 10.0.2.7 2010.04.29 -
PCTools 7.0.3.5 2010.04.30 -
Prevx 3.0 2010.04.30 -
Rising 22.45.04.03 2010.04.30 -
Sophos 4.53.0 2010.04.30 -
Sunbelt 6241 2010.04.30 -
Symantec 20091.2.0.41 2010.04.30 -
TheHacker 6.5.2.0.274 2010.04.30 -
TrendMicro 9.120.0.1004 2010.04.30 -
VBA32 3.12.12.4 2010.04.30 -
ViRobot 2010.4.29.2296 2010.04.30 -
VirusBuster 5.0.27.0 2010.04.29 -
Övrig information
File size: 96512 bytes
MD5 : 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 : a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159F7
timedatestamp.....: 0x4802539D (Sun Apr 13 20:40:29 2008)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97BA 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9B80 0x18E8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xB480 0xA64 0xA80 4.31 8523651899e28819a14bf9415af25708
.data 0xBF00 0xD94 0xE00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xCD00 0x157F 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xE280 0x61DA 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22BE 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3E0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16B80 0xD20 0xD80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx ... 712cfa2674
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
sigcheck: publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set
-


Systemlook log

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:54 on 30/04/2010 by Per (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\atapi.sys --a--- 96512 bytes [10:00 27/07/2007] [16:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\Documents and Settings\Per\My Documents\nedladdade och installerade program\bootland\LiveXP-Recommended\Target\LiveXP\i386\System32\drivers\atapi.sys --a--- 95360 bytes [08:52 24/04/2010] [20:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Documents and Settings\Per\My Documents\testdisk-6.10.win\testdisk-6.10\win\driverbackup\SPIDERMAN (XP) DEVICE DRIVERS\HDC\Primary IDE Channel\ATAPI.SYS --a--- 95360 bytes [12:53 18/04/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Documents and Settings\Per\My Documents\testdisk-6.10.win\testdisk-6.10\win\driverbackup\SPIDERMAN (XP) DEVICE DRIVERS\HDC\Secondary IDE Channel\ATAPI.SYS --a--- 95360 bytes [12:53 18/04/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\UBCD4Win\BartPE\I386\SYSTEM32\DRIVERS\ATAPI.SYS --a--- 95360 bytes [14:25 12/04/2009] [12:00 27/07/2007] CDFE4411A69C224BD1D11B2DA92DAC51
C:\UBCD4Win\plugin\!Critical\Large IDE-Fix\files\sp2\atapi.sys --a--- 87040 bytes [15:18 25/03/2009] [13:59 24/10/2002] F1D915C3870E741D83B5142F3B358761
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [21:33 13/03/2009] [12:00 27/07/2007] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [14:09 28/04/2010] [16:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\maxdriver\atapi.sys --a--- 96512 bytes [10:00 27/07/2007] [16:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [10:00 27/07/2007] [16:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [10:00 27/07/2007] [16:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-


mbr.log


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8D5E58]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a8d5e58
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !


HAlog.log


C:\Documents and Settings\Per\Desktop\HAMeb_check.exe
2010-04-30 at 16:06:07,25

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8D5E58]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a8d5e58
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 30 !
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


log.txt


Logfile of random's system information tool 1.06 (written by random/random)
Run by Per at 2010-04-30 16:07:35
Microsoft Windows XP Professional Service Pack 3
System drive C: has 28 GB (55%) free of 50 GB
Total RAM: 3197 MB (84% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:07:39, on 2010-04-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
G:\Program Files\Hard Disk Sentinel\HDSentinel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Per\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Per.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Hard Disk Sentinel] "G:\Program Files\Hard Disk Sentinel\HDSentinel.exe" /AUTORUN
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BankID Security Application.lnk = C:\Program Files\Personal\bin\Personal.exe
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2062205156
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://81.232.99.43:60108/activex/AMC.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\WINDOWS\system32\SUPDSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5066 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{E51E9111-755F-4990-99AB-39BEABF9B266}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-12 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-12 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-09-19 16844800]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-11-16 2054360]
"SmcService"=C:\PROGRA~1\Sygate\SPF\smc.exe [2004-10-15 2577632]
"Hard Disk Sentinel"=G:\Program Files\Hard Disk Sentinel\HDSentinel.exe [2009-02-24 3198464]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2010-04-03 110696]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2010-04-03 13670504]
"Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe [2009-10-12 614400]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BankID Security Application.lnk - C:\Program Files\Personal\bin\Personal.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"G:\Program Files\Spotify\spotify.exe"="G:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify"
"C:\WINDOWS\system32\SUPDSvc.exe"="C:\WINDOWS\system32\SUPDSvc.exe:*:Enabled:Samsung UPD Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-04-30 16:07:35 ----D---- C:\rsit
2010-04-29 22:07:35 ----A---- C:\WINDOWS\system32\SM4725CI.exe
2010-04-29 22:07:35 ----A---- C:\WINDOWS\system32\SM4725CI.dll
2010-04-29 22:07:35 ----A---- C:\WINDOWS\system32\scx425lk.DLL
2010-04-28 22:07:53 ----SHD---- C:\RECYCLER
2010-04-28 16:09:34 ----A---- C:\ComboFix.txt
2010-04-28 16:04:11 ----D---- C:\ComboFix
2010-04-28 14:29:00 ----A---- C:\WINDOWS\sigcheck.exe
2010-04-28 14:29:00 ----A---- C:\looklog.txt
2010-04-28 14:24:18 ----D---- C:\WINDOWS\maxdriver
2010-04-27 17:17:10 ----A---- C:\Boot.bak
2010-04-27 17:17:07 ----RASHD---- C:\cmdcons
2010-04-27 17:16:41 ----A---- C:\WINDOWS\zip.exe
2010-04-27 17:16:41 ----A---- C:\WINDOWS\PEV.exe
2010-04-27 17:16:41 ----A---- C:\WINDOWS\NIRCMD.exe
2010-04-27 17:16:41 ----A---- C:\WINDOWS\grep.exe
2010-04-27 17:16:40 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-04-27 17:16:40 ----A---- C:\WINDOWS\SWSC.exe
2010-04-27 17:16:36 ----D---- C:\WINDOWS\ERDNT
2010-04-27 17:16:32 ----D---- C:\Qoobox
2010-04-27 16:06:01 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-26 18:42:29 ----A---- C:\WINDOWS\system32\msxml2a.dll
2010-04-26 18:42:29 ----A---- C:\WINDOWS\ssndii.exe
2010-04-26 18:42:28 ----D---- C:\WINDOWS\Samsung
2010-04-26 18:42:28 ----A---- C:\WINDOWS\system32\msxml4r.dll
2010-04-26 18:42:28 ----A---- C:\WINDOWS\system32\msxml4a.dll
2010-04-26 18:42:28 ----A---- C:\WINDOWS\system32\msxml4.dll
2010-04-26 18:42:01 ----A---- C:\WINDOWS\system32\SUPDSvcA.dll
2010-04-26 18:42:01 ----A---- C:\WINDOWS\system32\SUPDSvc.exe
2010-04-26 18:42:01 ----A---- C:\WINDOWS\system32\spd__l.dll
2010-04-26 18:42:01 ----A---- C:\WINDOWS\system32\spd__ci.exe
2010-04-26 18:42:01 ----A---- C:\WINDOWS\system32\spd__ci.dll
2010-04-26 18:42:01 ----A---- C:\WINDOWS\system32\SIPDUtil.dll
2010-04-26 18:42:01 ----A---- C:\WINDOWS\system32\DscPnt.dll
2010-04-26 18:42:01 ----A---- C:\WINDOWS\SUPDRun.exe
2010-04-26 18:39:23 ----D---- C:\Program Files\SAMSUNG
2010-04-25 18:00:42 ----D---- C:\Program Files\Defraggler
2010-04-24 11:55:39 ----D---- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2010-04-24 11:55:29 ----D---- C:\Program Files\NVIDIA Corporation
2010-04-24 11:47:41 ----HDC---- C:\WINDOWS\$NtUninstallKB971513$
2010-04-24 11:47:37 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2010-04-24 11:47:33 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2010-04-24 11:46:34 ----HDC---- C:\WINDOWS\$NtUninstallKB926141$
2010-04-24 11:21:22 ----D---- C:\Documents and Settings\Per\Application Data\Foxit
2010-04-24 11:21:09 ----D---- C:\Program Files\Foxit Software
2010-04-24 11:12:16 ----D---- C:\Documents and Settings\Per\Application Data\JAM Software
2010-04-24 11:09:43 ----D---- C:\Program Files\JAM Software
2010-04-24 11:08:56 ----D---- C:\Program Files\ImgBurn
2010-04-24 11:08:27 ----A---- C:\WINDOWS\system32\imdsksvc.exe
2010-04-24 11:08:27 ----A---- C:\WINDOWS\system32\imdisk.exe
2010-04-24 02:37:42 ----A---- C:\WINDOWS\system32\SSSensor.dll
2010-04-24 02:37:39 ----D---- C:\Program Files\Sygate
2010-04-24 01:56:13 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-24 01:56:10 ----HDC---- C:\WINDOWS\$NtUninstallKB981349$
2010-04-24 01:55:29 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-24 01:55:23 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-24 01:55:20 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-04-24 01:55:16 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-24 01:55:12 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-24 01:54:53 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-04-24 01:54:46 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-04-24 01:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-04-24 01:54:39 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-04-24 01:54:34 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-04-24 01:54:29 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-04-24 01:54:24 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-04-24 01:54:19 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-04-24 01:54:15 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-04-24 01:54:12 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-04-24 01:54:07 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-04-24 01:54:02 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-04-24 01:53:58 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-04-24 01:53:54 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-04-24 01:53:50 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-04-24 01:53:46 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2010-04-24 01:53:42 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-04-24 01:53:37 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-04-24 01:53:33 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-04-24 01:53:31 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-04-24 01:53:27 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-04-24 01:53:23 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-04-24 01:53:20 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-04-24 01:53:16 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-04-24 01:51:52 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2010-04-24 01:51:49 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2010-04-24 01:51:46 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-04-24 01:49:57 ----HDC---- C:\WINDOWS\ie8
2010-04-24 01:47:43 ----D---- C:\Program Files\Trend Micro
2010-04-24 01:41:27 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-04-24 01:41:23 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-04-24 01:41:19 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-04-24 01:41:16 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-04-24 01:41:13 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2010-04-24 01:41:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2010-04-24 01:41:04 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-04-24 01:41:03 ----A---- C:\WINDOWS\system32\wmpns.dll
2010-04-24 01:41:00 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2010-04-24 01:40:49 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-04-24 01:40:44 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2010-04-24 01:38:46 ----N---- C:\WINDOWS\system32\browserchoice.exe
2010-04-24 01:29:30 ----A---- C:\WINDOWS\swreg.exe
2010-04-24 01:29:30 ----A---- C:\WINDOWS\sed.exe
2010-04-24 01:29:29 ----A---- C:\WINDOWS\mbr.exe
2010-04-24 01:26:45 ----D---- C:\WINDOWS\system32\appmgmt
2010-04-24 01:08:03 ----D---- C:\Documents and Settings\Per\Application Data\Spotify
2010-04-24 00:39:04 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2010-04-24 00:35:54 ----A---- C:\WINDOWS\imsins.BAK
2010-04-24 00:35:27 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-04-24 00:35:25 ----D---- C:\Program Files\Common Files\Java
2010-04-24 00:35:17 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-04-24 00:35:16 ----A---- C:\WINDOWS\system32\javaws.exe
2010-04-24 00:35:16 ----A---- C:\WINDOWS\system32\javaw.exe
2010-04-24 00:35:16 ----A---- C:\WINDOWS\system32\java.exe
2010-04-23 21:33:08 ----D---- C:\Program Files\MAPILab Ltd
2010-04-23 21:32:45 ----D---- C:\WINDOWS\Downloaded Installations
2010-04-23 21:15:20 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\OpenCL.dll
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvcuvid.dll
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvcuvenc.dll
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvcuda.dll
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvcompiler.dll
2010-04-03 19:23:18 ----A---- C:\WINDOWS\system32\nvmccs.dll
2010-04-03 19:23:16 ----A---- C:\WINDOWS\system32\nvsvc32.exe
2010-04-03 19:23:16 ----A---- C:\WINDOWS\system32\nvmctray.dll
2010-04-03 19:23:16 ----A---- C:\WINDOWS\system32\nvcpl.dll
2010-04-03 19:23:16 ----A---- C:\WINDOWS\system32\nvcolor.exe
2010-04-03 19:22:54 ----A---- C:\WINDOWS\system32\nvwddi.dll

======List of files/folders modified in the last 1 months======

2010-04-30 16:06:07 ----D---- C:\WINDOWS\Prefetch
2010-04-30 16:05:08 ----D---- C:\WINDOWS\Temp
2010-04-30 16:03:31 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-30 15:53:52 ----D---- C:\WINDOWS\system32
2010-04-30 15:53:52 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-30 11:40:21 ----A---- C:\WINDOWS\WINCMD.INI
2010-04-30 11:13:34 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-29 22:16:04 ----D---- C:\WINDOWS
2010-04-29 22:15:39 ----D---- C:\WINDOWS\Minidump
2010-04-29 22:07:41 ----HD---- C:\WINDOWS\inf
2010-04-29 22:05:50 ----D---- C:\WINDOWS\system32\drivers
2010-04-29 22:05:38 ----D---- C:\Temp
2010-04-28 16:09:38 ----D---- C:\WINDOWS\system32\LogFiles
2010-04-28 16:08:57 ----A---- C:\WINDOWS\system.ini
2010-04-28 16:08:12 ----D---- C:\WINDOWS\AppPatch
2010-04-28 16:08:10 ----D---- C:\Program Files\Common Files
2010-04-27 17:21:20 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-04-27 17:19:53 ----D---- C:\WINDOWS\system32\config
2010-04-27 17:17:10 ----RASH---- C:\boot.ini
2010-04-26 18:39:23 ----RD---- C:\Program Files
2010-04-25 13:50:18 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-04-25 13:25:29 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-04-25 13:24:46 ----HD---- C:\Program Files\InstallShield Installation Information
2010-04-25 13:24:46 ----D---- C:\Program Files\Sony Ericsson
2010-04-25 13:23:41 ----D---- C:\Program Files\Avanquest update
2010-04-25 09:04:56 ----D---- C:\WINDOWS\Microsoft.NET
2010-04-25 09:04:42 ----RSD---- C:\WINDOWS\assembly
2010-04-24 17:54:52 ----D---- C:\Program Files\Axis Communications
2010-04-24 11:59:32 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-04-24 11:59:29 ----D---- C:\Program Files\ESET
2010-04-24 11:57:34 ----D---- C:\Config.Msi
2010-04-24 11:55:54 ----D---- C:\WINDOWS\Help
2010-04-24 11:55:51 ----SHD---- C:\WINDOWS\Installer
2010-04-24 11:50:02 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-24 11:49:02 ----D---- C:\WINDOWS\WinSxS
2010-04-24 10:43:30 ----D---- C:\Documents and Settings\Per\Application Data\Audacity
2010-04-24 02:19:20 ----D---- C:\WINDOWS\system32\en-us
2010-04-24 02:19:19 ----D---- C:\WINDOWS\Media
2010-04-24 02:19:19 ----D---- C:\Program Files\Internet Explorer
2010-04-24 01:54:54 ----D---- C:\Program Files\Movie Maker
2010-04-24 01:41:14 ----D---- C:\Program Files\Outlook Express
2010-04-24 01:32:56 ----D---- C:\WINDOWS\SoftwareDistribution
2010-04-24 00:55:02 ----D---- C:\WINDOWS\system32\wbem
2010-04-24 00:54:12 ----D---- C:\Program Files\SpeedFan
2010-04-24 00:41:44 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-24 00:35:12 ----D---- C:\Program Files\Java
2010-04-24 00:30:05 ----A---- C:\WINDOWS\ODBC.INI
2010-04-24 00:29:39 ----A---- C:\WINDOWS\win.ini
2010-04-23 22:43:33 ----D---- C:\Program Files\Mozilla Firefox
2010-04-23 21:41:43 ----A---- C:\WINDOWS\wcx_ftp.ini
2010-04-06 10:52:56 ----A---- C:\WINDOWS\system32\MRT.exe
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvudisp.exe
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvoglnt.dll
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvcodins.dll
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvcod.dll
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nvapi.dll
2010-04-03 22:55:32 ----A---- C:\WINDOWS\system32\nv4_disp.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-11-16 96408]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R1 wpsdrvnt;wpsdrvnt; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-11-16 116520]
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2006-04-22 8064]
R2 wg3n;SyGate for NT, wg3n; C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [2004-10-15 14568]
R2 wg4n;SyGate for NT, wg4n; C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [2004-10-15 14568]
R2 wg5n;SyGate for NT, wg5n; C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [2004-10-15 14568]
R2 wg6n;SyGate for NT, wg6n; C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [2004-10-15 14568]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 axsaki;axsaki; C:\WINDOWS\system32\DRIVERS\axsaki.sys [2003-03-30 102624]
R3 axskbus;axskbus; C:\WINDOWS\system32\DRIVERS\axskbus.sys [2003-03-28 8640]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2005-05-03 27392]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-09-19 4617728]
R3 Maplom;Maplom; C:\WINDOWS\system32\drivers\Maplom.sys [2004-05-12 18432]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2010-04-03 10232128]
R3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver; C:\WINDOWS\system32\drivers\nvhda32.sys [2007-11-10 29728]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
R3 seehcri;Sony Ericsson seehcri Device Driver; C:\WINDOWS\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 AWEAlloc;AWE Memory Allocation Driver; C:\WINDOWS\system32\DRIVERS\awealloc.sys [2009-02-09 9216]
S3 catchme;catchme; \??\C:\DOCUME~1\Per\LOCALS~1\Temp\catchme.sys []
S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2001-08-17 40704]
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 ggflt;SEMC USB Flash Driver Filter; C:\WINDOWS\system32\DRIVERS\ggflt.sys [2009-04-19 13224]
S3 ggsemc;SEMC USB Flash Driver; C:\WINDOWS\system32\DRIVERS\ggsemc.sys [2009-04-19 24616]
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\system32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 ImDisk;ImDisk Virtual Disk Driver; C:\WINDOWS\system32\DRIVERS\imdisk.sys [2009-05-13 19968]
S3 mbr;mbr; \??\C:\DOCUME~1\Per\LOCALS~1\Temp\mbr.sys []
S3 msgame;Sidewinder HID to Joystick Port Enabler; C:\WINDOWS\system32\DRIVERS\msgame.sys [2001-08-17 35200]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM); C:\WINDOWS\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS); C:\WINDOWS\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM); C:\WINDOWS\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 a347bus;a347bus; C:\WINDOWS\system32\DRIVERS\a347bus.sys [2004-04-30 160640]
S4 a347scsi;a347scsi; C:\WINDOWS\System32\Drivers\a347scsi.sys [2004-04-30 5248]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2007-07-27 12032]
S4 vsdatant;vsdatant; C:\WINDOWS\system32\drivers\vsdatant.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-12 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2010-04-03 154216]
R2 OMSI download service;Sony Ericsson OMSI download service; C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
R2 SmcService;Sygate Personal Firewall; C:\Program Files\Sygate\SPF\smc.exe [2004-10-15 2577632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-11-16 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Samsung UPD Service;Samsung UPD Service; C:\WINDOWS\system32\SUPDSvc.exe [2010-03-16 132464]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 ImDskSvc;ImDisk Virtual Disk Driver Helper; C:\WINDOWS\system32\imdsksvc.exe [2009-05-13 10240]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NMSAccessU;NMSAccessU; f:\Program Files\CDBurnerXP\NMSAccessU.exe []

-----------------EOF-----------------


info.txt


info.txt logfile of random's system information tool 1.06 2010-04-30 16:07:40

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Media Player-->MsiExec.exe /X{9455959E-D588-EFAE-329C-F66CC797F32A}
Adobe Shockwave Player 11.5-->C:\WINDOWS\system32\Adobe\uninstaller.exe
Alcohol 120%-->MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
Avanquest update-->"C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -runfromtemp -l0x001d -removeonly
BankID Security Application 4.10.2-->"C:\Program Files\Personal\bin\persinst.exe" -u
BurnInTest v5.3 Standard-->"C:\Program Files\BurnInTest\unins000.exe"
Colin McRae Rally 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19B72AA9-985A-11D4-9C8A-00D0B75D1498}\setup.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Defraggler-->"C:\Program Files\Defraggler\uninst.exe"
Duplicate Email Remover-->MsiExec.exe /I{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Gordon's Gate Flash Driver 1.1.0.12-->C:\Program Files\Sony Ericsson\Gordons Gate\uninst.exe
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
IL-2 Sturmovik 1946-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{79438F1E-DEC3-443D-9DCD-FECE2D68C605} /l1033
ImDisk Virtual Disk Driver-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\imdisk.inf
ImgBurn-->"C:\Program Files\ImgBurn\uninstall.exe"
Interactive Repair Manuals-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Briggs and Stratton\Manuals\DeIsL1.isu" -c"C:\Program Files\Briggs and Stratton\Manuals\_ISREG32.DLL"
Jane's Combat Simulations WWII Fighters-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Jane's Combat Simulations\WWII Fighters\Uninst.isu"
Java(TM) 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
LAME v3.98.2 for Audacity-->"C:\Program Files\Lame for Audacity\unins000.exe"
Look@LAN 2.50 Build 35-->C:\WINDOWS\iun6002.exe "f:\Program Files\Look@LAN\irunin.ini"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{9111041D-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MyPhoneExplorer-->C:\Program Files\MyPhoneExplorer\uninstall.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA nView Desktop Manager-->C:\Program Files\NVIDIA Corporation\nView\nViewSetup.exe -uninstall
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Samsung SCX-4725 Series PS-->C:\Program Files\Samsung\Samsung SCX-4725 Series PS\Install\Setup.exe /R
Samsung Universal Print Driver-->C:\Program Files\Samsung\Samsung Universal Print Driver\Install\Setup.exe /R
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981349)-->"C:\WINDOWS\$NtUninstallKB981349$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sony Ericsson PC Suite 6.009.00-->"C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\ISAdmin.exe" -runfromtemp -l0x001d -removeonly
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Sygate Personal Firewall-->MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
ToolBook II 6.1 Runtime Files-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Asymetrix\Shared Tools\TBSystem\DeIsL1.isu" -c"C:\Program Files\Asymetrix\Shared Tools\TBSystem\_ISREG32.DLL"
Total Commander (Remove or Repair)-->F:\totalcmd\tcuninst.exe
TreeSize Free V2.3.1-->"C:\Program Files\JAM Software\TreeSize Free\unins000.exe"
UBCD4Win 3.22-->"C:\UBCD4Win\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Windows (KB971513)-->"C:\WINDOWS\$NtUninstallKB971513$\spuninst\spuninst.exe"
Update for Windows Internet Explorer 7 (KB980182)-->"C:\WINDOWS\ie7updates\KB980182-IE7\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980302)-->"C:\WINDOWS\ie8updates\KB980302-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB943729)-->"C:\WINDOWS\$NtUninstallKB943729$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update Service-->C:\Program Files\Sony Ericsson\Update Service\uninst.exe
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows PowerShell(TM) 1.0 MUI pack-->"C:\WINDOWS\$NtUninstallKB926141$\spuninst\spuninst.exe"
Windows PowerShell(TM) 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XAMPP 1.7.1-->"c:\xampp\uninstall.exe"

======Security center information======

AV: ESET NOD32 Antivirus 4.0
FW: Sygate Personal Firewall

======System event log======

Computer Name: DUO
Event Code: 2504
Message: The server could not bind to the transport \Device\NetBT_Tcpip_{460B7472-DF7A-4506-B93B-B15ADC2A2C26}.

Record Number: 2628
Source Name: Server
Time Written: 20090501090006.000000+120
Event Type: warning
User:

Computer Name: DUO
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 001FD0D59FD4. The IP address being used is 169.254.38.104.

Record Number: 2627
Source Name: Dhcp
Time Written: 20090501090000.000000+120
Event Type: warning
User:

Computer Name: DUO
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001FD0D59FD4. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 2626
Source Name: Dhcp
Time Written: 20090501085955.000000+120
Event Type: warning
User:

Computer Name: DUO
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001FD0D59FD4. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 2625
Source Name: Dhcp
Time Written: 20090501085928.000000+120
Event Type: warning
User:

Computer Name: DUO
Event Code: 1002
Message: The IP address lease 192.168.0.201 for the Network Card with network address 001FD0D59FD4 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Record Number: 2577
Source Name: Dhcp
Time Written: 20090430154257.000000+120
Event Type: error
User:

=====Application event log=====

Computer Name: DUO
Event Code: 1000
Message: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x057c6a80.

Record Number: 1977
Source Name: Application Error
Time Written: 20090521002035.000000+120
Event Type: error
User:

Computer Name: DUO
Event Code: 1000
Message: Faulting application maxthon.exe, version 1.6.5.18, faulting module urlmon.dll, version 8.0.6001.18702, fault address 0x00039c84.

Record Number: 1974
Source Name: Application Error
Time Written: 20090520165246.000000+120
Event Type: error
User:

Computer Name: DUO
Event Code: 1000
Message: Faulting application maxthon.exe, version 1.6.5.18, faulting module urlmon.dll, version 8.0.6001.18702, fault address 0x00039c84.

Record Number: 1973
Source Name: Application Error
Time Written: 20090520164945.000000+120
Event Type: error
User:

Computer Name: DUO
Event Code: 1000
Message: Faulting application maxthon.exe, version 1.6.5.18, faulting module urlmon.dll, version 8.0.6001.18702, fault address 0x00039c84.

Record Number: 1956
Source Name: Application Error
Time Written: 20090518154910.000000+120
Event Type: error
User:

Computer Name: DUO
Event Code: 1000
Message: Faulting application maxthon.exe, version 1.6.5.18, faulting module urlmon.dll, version 8.0.6001.18702, fault address 0x00039c84.

Record Number: 1955
Source Name: Application Error
Time Written: 20090518154231.000000+120
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=170a
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
pimse
Regular Member
 
Posts: 24
Joined: April 23rd, 2010, 7:38 pm