Inactive System-check got to my laptop

OTLPE Log #2

OTL logfile created on: 1/8/2012 6:00:38 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 138.10 Gb Free Space | 92.66% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2011/06/26 01:45:56 | 000,256,000 | R--- | M] () [Auto] -- C:\your_name\pev.3XE -- (PEVSystemStart)
SRV - [2010/09/18 00:14:22 | 000,460,144 | -H-- | M] () [Auto] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/04/21 00:58:54 | 000,237,650 | -H-- | M] (IDT, Inc.) [Auto] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2010/01/10 14:01:26 | 000,060,928 | -H-- | M] () [Auto] -- C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe -- (InstallFilterService)
SRV - [2009/12/09 20:48:26 | 002,320,920 | -H-- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2009/12/09 20:48:24 | 000,268,824 | -H-- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
SRV - [2009/09/21 16:55:12 | 000,858,384 | -H-- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2009/09/21 16:50:04 | 000,364,544 | -H-- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
SRV - [2009/09/21 16:44:48 | 000,954,368 | -H-- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2009/09/21 16:31:36 | 000,473,360 | -H-- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Boot] -- -- (PBADRV)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2010/04/21 00:58:54 | 001,660,051 | -H-- | M] (IDT, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2010/03/19 18:39:08 | 000,059,904 | -H-- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\risdpe86.sys -- (risdpcie)
DRV - [2010/02/27 01:31:24 | 000,132,480 | -H-- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Impcd.sys -- (Impcd)
DRV - [2010/01/19 14:50:12 | 000,235,520 | -H-- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
DRV - [2010/01/18 09:56:26 | 000,042,672 | -H-- | M] (ST Microelectronics) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Accelern.sys -- (Acceler)
DRV - [2010/01/18 09:56:26 | 000,017,072 | -H-- | M] (ST Microelectronics) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\stdfltn.sys -- (stdflt)
DRV - [2009/12/11 02:14:56 | 000,214,568 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2009/09/17 17:54:14 | 000,041,088 | -H-- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2009/09/15 13:34:10 | 005,977,216 | -H-- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2009/08/10 02:46:38 | 000,013,952 | -H-- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2009/04/22 00:13:34 | 000,113,664 | -H-- | M] (Andrea Electronics Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvusd.k12.ca.us/
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhs.nvusd.k12.ca.us/
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhs.nvusd.k12.ca.us/
IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\egriffin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvusd.k12.ca.us/homex.asp?Q=Homepage
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\sobyrne_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2012/01/07 14:06:08 | 000,001,626 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\sobyrne_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nvusd.k12.ca.us
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/13 13:51:18 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/08 00:22:27 | 000,000,000 | --SD | C] -- C:\your_name
[2012/01/07 19:49:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin\Start Menu\Programs\Administrative Tools
[2012/01/07 18:20:17 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/07 18:20:17 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/07 18:20:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/07 18:20:17 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/07 18:20:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/07 18:20:05 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/01/07 18:20:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/07 18:19:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\My Videos
[2012/01/07 18:19:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Start Menu\Programs\Administrative Tools
[2012/01/07 14:32:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\egriffin\Recent
[2012/01/07 14:06:07 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/06 22:04:58 | 000,000,000 | -H-D | C] -- C:\ReimageUndo
[2012/01/06 21:51:59 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2012/01/06 21:51:59 | 000,000,000 | -H-D | C] -- C:\rei
[2012/01/06 21:51:44 | 000,000,000 | -H-D | C] -- C:\Program Files\Reimage
[2012/01/06 21:48:46 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\IECompatCache
[2012/01/05 18:38:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\Sun
[2012/01/04 23:28:19 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\egriffin\Application Data\dvdcss
[2011/12/31 11:21:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\egriffin\Local Settings\Application Data\Help
[2011/12/31 11:21:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\egriffin\Application Data\Help
[2010/07/13 14:15:17 | 000,004,096 | -H-- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll

========== Files - Modified Within 30 Days ==========

[2012/06/27 22:13:09 | 000,000,664 | -H-- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/08 00:20:30 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/08 00:17:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/08 00:11:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/01/08 00:11:44 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2012/01/08 00:11:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2012/01/08 00:11:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2012/01/08 00:11:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\AutoEnginuity
[2012/01/08 00:11:43 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
[2012/01/06 21:52:31 | 000,000,286 | -H-- | M] () -- C:\WINDOWS\reimage.ini
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Intel PROSet Wireless
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Broadcom
[2012/01/05 23:27:39 | 000,497,480 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/05 23:27:39 | 000,085,798 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/04 23:33:19 | 000,000,782 | -H-- | M] () -- C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
[2011/12/31 13:45:42 | 000,015,202 | -H-- | M] () -- C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
[2011/12/16 12:30:01 | 000,002,515 | -H-- | M] () -- C:\Documents and Settings\egriffin\Desktop\Microsoft Office Word 2007.lnk
[2011/12/15 13:11:22 | 000,270,984 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/15 13:09:34 | 000,001,393 | -H-- | M] () -- C:\WINDOWS\imsins.BAK

========== Files Created - No Company Name ==========

[2012/01/08 00:11:42 | 000,002,347 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/01/08 00:11:42 | 000,000,825 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\FlipShare.lnk
[2012/01/08 00:11:42 | 000,000,786 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/01/07 18:20:17 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/07 18:20:17 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/07 18:20:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/07 18:20:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/07 18:20:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/06 21:52:17 | 000,000,286 | -H-- | C] () -- C:\WINDOWS\reimage.ini
[2012/01/04 23:33:19 | 000,000,782 | -H-- | C] () -- C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
[2012/01/02 10:49:42 | 000,000,664 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/31 13:32:06 | 000,015,202 | -H-- | C] () -- C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
[2011/06/16 12:20:29 | 000,003,584 | -H-- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/06 14:18:35 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\egriffin\ntuser.pol
[2010/07/13 19:08:13 | 000,000,061 | -H-- | C] () -- C:\WINDOWS\smscfg.ini
[2010/07/13 15:07:41 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\hbcikrnl.ini
[2010/07/13 14:15:17 | 000,870,560 | -H-- | C] () -- C:\WINDOWS\System32\igkrng575.bin
[2010/07/13 14:15:17 | 000,127,868 | -H-- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
[2010/07/13 14:15:17 | 000,000,151 | -H-- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2010/07/13 13:53:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/13 13:47:47 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/07/13 06:38:21 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/13 06:37:10 | 000,270,984 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 07:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 07:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 07:00:00 | 000,497,480 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 07:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 07:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 07:00:00 | 000,085,798 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 07:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 07:00:00 | 000,039,936 | -H-- | C] () -- C:\WINDOWS\System32\svchost.exe
[2008/04/14 07:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 07:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 07:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 07:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 07:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/12/06 10:27:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/14 07:00:00 | 001,058,816 | -H-- | M] (Microsoft Corporation) MD5=2F58E8791C7A1F61FD35BAEB73B0E9BE -- C:\WINDOWS\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 07:00:00 | 000,039,936 | -H-- | M] (Microsoft Corporation) MD5=A3DF98E72C2594B60EB9F614CBD2FC63 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 07:00:00 | 000,039,936 | -H-- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 07:00:00 | 000,026,112 | -H-- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 07:00:00 | 000,026,112 | -H-- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 07:00:00 | 000,545,280 | -H-- | M] (Microsoft Corporation) MD5=B0E1A6D16B717F1D19055D6EC86556A1 -- C:\WINDOWS\system32\winlogon.exe
< End of report >
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL

:Services

:Reg

:Files
C:\WINDOWS\system32\svchost.exe|C:\WINDOWS\system32\dllcache\svchost.exe /replace

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive.


On the infected computer, do the following:

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered and reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with the USB stick)
  • Attempt to reboot normally into Windows.


See if Combofix will run now.
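The fix above rests on the MD5 comparison in the Custom Scans section of the OTL log: the dllcache copy of svchost.exe hashed cleanly while the live copy could not be read, so the fix restores the live file from dllcache. The Python script below is an added example, not part of this thread or of OTL: it parses those "< MD5 for: ... >" sections, classifies each file, and emits the matching OTL ":Files" line; the sample text is copied from the log posted above, and the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the "< MD5 for: ... >" sections copied from the OTLPE log in this thread.
SAMPLE_LOG = r"""< MD5 for: EXPLORER.EXE >
[2008/04/14 07:00:00 | 001,058,816 | -H-- | M] (Microsoft Corporation) MD5=2F58E8791C7A1F61FD35BAEB73B0E9BE -- C:\WINDOWS\explorer.exe
< MD5 for: SVCHOST.EXE >
[2008/04/14 07:00:00 | 000,039,936 | -H-- | M] (Microsoft Corporation) MD5=A3DF98E72C2594B60EB9F614CBD2FC63 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 07:00:00 | 000,039,936 | -H-- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\svchost.exe
< MD5 for: USERINIT.EXE >
[2008/04/14 07:00:00 | 000,026,112 | -H-- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 07:00:00 | 000,026,112 | -H-- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
< End of report >
"""

HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>.+?)\s*>$")
# [date | size | attrs | M] (Company) MD5=<hex> -- path   or   [...] () Unable to obtain MD5 -- path
ENTRY_RE = re.compile(
    r"^\[[^|]+\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\((?P<company>.*?)\)\s*"
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5)"
    r"\s*--\s*(?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    path: str
    company: str
    md5: Optional[str]  # None when OTL could not read the file (locked or hidden)
    size: int


@dataclass
class Finding:
    name: str
    status: str  # ok | mismatch | unreadable | no_reference | no_live
    live_md5: Optional[str]
    reference_md5: Optional[str]
    fix_line: Optional[str]  # OTL ":Files" line that restores the file from dllcache


def _in_dllcache(e: Entry) -> bool:
    return "\\dllcache\\" in e.path.lower()


def parse_md5_sections(text: str) -> Dict[str, List[Entry]]:
    """Group the entries of every '< MD5 for: NAME >' section by NAME."""
    sections: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append(Entry(
                path=m.group("path"),
                company=m.group("company").strip(),
                md5=m.group("md5").upper() if m.group("md5") else None,
                size=int(m.group("size").replace(",", "")),
            ))
        elif line.startswith("<"):  # e.g. "< End of report >" closes the section
            current = None
    return sections


def assess(sections: Dict[str, List[Entry]]) -> List[Finding]:
    """Compare each live system file against its dllcache copy, as the helper did."""
    findings: List[Finding] = []
    for name, entries in sections.items():
        reference = next((e for e in entries if _in_dllcache(e)), None)
        live = next((e for e in entries if not _in_dllcache(e)), None)
        if live is None:
            findings.append(Finding(name, "no_live", None, None, None))
        elif reference is None or reference.md5 is None:
            # Nothing local to compare against: the file needs an external check (VirusTotal).
            findings.append(Finding(name, "no_reference", live.md5, None, None))
        else:
            fix = f"{live.path}|{reference.path} /replace"
            if live.md5 is None:
                findings.append(Finding(name, "unreadable", None, reference.md5, fix))
            elif live.md5 != reference.md5 or live.size != reference.size:
                findings.append(Finding(name, "mismatch", live.md5, reference.md5, fix))
            else:
                findings.append(Finding(name, "ok", live.md5, reference.md5, None))
    return findings


def build_fix_script(findings: List[Finding]) -> str:
    """Emit an OTL fix in the same shape as the one posted in this thread."""
    files = [f.fix_line for f in findings if f.fix_line]
    lines = [":OTL", "", ":Services", "", ":Reg", "", ":Files", *files, "", ":Commands", "[purity]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = assess(parse_md5_sections(SAMPLE_LOG))
    for f in results:
        print(f"{f.name:<14} {f.status:<13} live={f.live_md5} ref={f.reference_md5}")
    print(build_fix_script(results))
```

A match against dllcache is only as trustworthy as the dllcache copy itself, and explorer.exe, the one file here with no dllcache copy to compare, is exactly the file the VirusTotal results later in this thread flag as patched; the hash check narrows the list, it does not replace the external check.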
 
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File C:\WINDOWS\system32\svchost.exe successfully replaced with C:\WINDOWS\system32\dllcache\svchost.exe
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 01082012_184726
 
ComboFix Log

ComboFix 12-01-07.04 - egriffin 01/08/2012 18:56:57.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2934.2429 [GMT -8:00]
Running from: E:\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\windows\explorer.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\explorer.exe . . . is infected!!
.
--------
.
c:\windows\explorer.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\explorer.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\explorer.exe . . . is infected!!
.
--------
.
c:\windows\explorer.exe . . . is infected!!
.
--------
.
c:\windows\explorer.exe . . . is infected!!
.
--------
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-09 to 2012-01-09 )))))))))))))))))))))))))))))))
.
.
2012-01-09 02:57 . 2012-01-09 02:57 596194 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-01-08 23:45 . 2011-07-13 02:55 2237440 ----a-r- C:\OTLPE.exe
2012-01-07 19:06 . 2012-01-07 19:06 -------- d-----w- C:\_OTL
2012-01-07 03:04 . 2012-01-07 03:04 -------- d-----w- C:\ReimageUndo
2012-01-07 02:51 . 2012-01-07 03:04 -------- d-----w- C:\rei
2012-01-07 02:51 . 2012-01-07 02:51 -------- d--h--w- c:\program files\Reimage
2012-01-07 02:48 . 2012-01-07 02:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2012-01-05 23:38 . 2012-01-05 23:38 -------- d--h--w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2008-04-14 12:00 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-14 12:00 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-14 12:00 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-14 12:00 385024 ---ha-w- c:\windows\system32\html.iec
2011-11-03 15:11 . 2011-11-03 15:11 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 16:07 . 2008-04-14 12:00 1288704 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-14 12:00 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 12:00 2148864 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2008-04-14 12:00 186880 ---ha-w- c:\windows\system32\encdec.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . B0E1A6D16B717F1D19055D6EC86556A1 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-14 . A3DF98E72C2594B60EB9F614CBD2FC63 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2008-04-14 . 2F58E8791C7A1F61FD35BAEB73B0E9BE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe" [2011-11-03 247968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1994533243-519649135-1800150966-20230\Scripts\Logon\0\0]
"Script"=MapR3000.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1994533243-519649135-1800150966-33745\Scripts\Logon\0\0]
"Script"=MapR3000.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
2009-07-07 09:06 737280 ---ha-w- c:\windows\system32\AESTFltr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-04-27 06:08 170008 ---ha-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-04-27 06:08 136216 ---ha-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-09-21 21:34 1206544 ---ha-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2009-09-21 21:49 1392640 ---ha-w- c:\program files\Intel\WiFi\bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-04-27 06:08 145432 ---ha-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2010-04-21 05:58 495708 ---ha-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
.
R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [7/13/2010 12:15 PM 17072]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [7/13/2010 11:52 AM 59904]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [7/13/2010 11:45 AM 2320920]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [7/13/2010 12:15 PM 42672]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/13/2010 11:12 AM 113664]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [7/13/2010 11:15 AM 132480]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [7/13/2010 11:15 AM 235520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [7/13/2010 12:15 PM 60928]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhs.nvusd.k12.ca.us/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-08 18:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,b0,35,07,03,03,15,4d,8b,cf,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,b0,35,07,03,03,15,4d,8b,cf,0b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2012-01-08 19:02:40
ComboFix-quarantined-files.txt 2012-01-09 03:02
.
Pre-Run: 148,195,848,192 bytes free
Post-Run: 148,273,823,744 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5A8D84195AB1C15D993294B391A08662
 
Open Windows Explorer. Go to Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders, and un-check Hide protected operating system files.
NOTE: Make sure to reverse the above changes when done with this step.
Upload the following files to http://www.virustotal.com/ for a security check:
- c:\windows\explorer.exe
- c:\windows\system32\svchost.exe
- c:\windows\system32\winlogon.exe
IMPORTANT! If the file is listed as already analyzed, click on the Reanalyse file now button.
Post scan results.
 
The laptop is not allowing me to access the page. I get "internet explorer alert. Visiting this site may pose a security threat to your system!" How do I turn this off?
 
Desktop turned black again but there are still 5 icons on it. System Check popped up again. This is very frustrating. You must be a very patient person. Where should I go from here? Thank you.

James
 
explorer.exe log/results

Antivirus Version Last update Result
AhnLab-V3 2012.01.08.00 2012.01.08 -
AntiVir 7.11.20.196 2012.01.09 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2012.01.09 Trojan/Win32.Patched.gen
Avast 6.0.1289.0 2012.01.08 Win32:patched-ADQ [Trj]
AVG 10.0.0.1190 2012.01.09 Win32/Patched
BitDefender 7.2 2012.01.09 Trojan.Generic.7082907
ByteHero 1.0.0.1 2011.12.31 -
CAT-QuickHeal 12.00 2012.01.08 -
ClamAV 0.97.3.0 2012.01.09 -
Commtouch 5.3.2.6 2012.01.07 -
Comodo 11218 2012.01.09 UnclassifiedMalware
DrWeb 5.0.2.03300 2012.01.09 -
Emsisoft 5.1.0.11 2012.01.09 Trojan.Win32.Patched!IK
eSafe 7.0.17.0 2012.01.08 Win32.TRPatched
eTrust-Vet None 2012.01.06 -
F-Prot 4.6.5.141 2012.01.07 -
F-Secure 9.0.16440.0 2012.01.09 Trojan.Generic.7082907
Fortinet 4.3.388.0 2012.01.09 W32/Patched.A!tr
GData 22 2012.01.09 Trojan.Generic.7082907
Ikarus T3.1.1.109.0 2012.01.09 Trojan.Win32.Patched
Jiangmin 13.0.900 2012.01.08 -
K7AntiVirus 9.123.5881 2012.01.06 Trojan
Kaspersky 9.0.0.837 2012.01.09 Trojan.Win32.Patched.nn
McAfee 5.400.0.1158 2012.01.09 Artemis!2F58E8791C7A
McAfee-GW-Edition 2010.1E 2012.01.08 Artemis!2F58E8791C7A
Microsoft 1.7903 2012.01.08 Virus:Win32/Bamital.P
NOD32 6777 2012.01.09 -
Norman 6.07.13 2012.01.08 -
nProtect 2012-01-08.01 2012.01.08 -
Panda 10.0.3.5 2012.01.08 Suspicious file
PCTools 8.0.0.5 2012.01.09 -
Prevx 3.0 2012.01.09 -
Rising 23.91.04.02 2012.01.06 Trojan.Win32.Generic.12ADF86E
Sophos 4.73.0 2012.01.09 W32/Footle-A
SUPERAntiSpyware 4.40.0.1006 2012.01.07 -
Symantec 20111.2.0.82 2012.01.09 -
TheHacker 6.7.0.1.373 2012.01.08 -
TrendMicro 9.500.0.1008 2012.01.09 PE_BAMITAL.SME
TrendMicro-HouseCall 9.500.0.1008 2012.01.09 PE_BAMITAL.SME
VBA32 3.12.16.4 2012.01.06 -
VIPRE 11371 2012.01.08 Virus.Win32.Footle.a (v)
ViRobot 2012.1.9.4870 2012.01.09 -
VirusBuster 14.1.157.0 2012.01.08 -
MD5: 2f58e8791c7a1f61fd35baeb73b0e9be
SHA1: 8454ce95a2a14eb8438adba9c2a28f1778748725
SHA256: 6a16be25cb1914b117fdafe0520a1a48b5ea334876989a574cee47689b584c50
File size: 1058816 bytes
Scan date: 2012-01-09 04:08:17 (UTC)
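The pasted explorer.exe result table can be summarised mechanically: how many engines flagged the file, which family names the vendors agree on (Patched, Bamital and Footle here, under differing naming schemes), and which clean verdicts came from engines whose signatures were already stale on the scan date. This is an added example, not part of the thread and not VirusTotal's own code; the sample rows are constructed from the table above, and the NOISE token list is an assumption.

```python
"""Summarise a VirusTotal result table pasted as plain text (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the explorer.exe rows pasted in the thread,
# in the "Antivirus Version Last update Result" layout of the plain table.
SAMPLE = """\
AhnLab-V3 2012.01.08.00 2012.01.08 -
AntiVir 7.11.20.196 2012.01.09 TR/Patched.Gen
Avast 6.0.1289.0 2012.01.08 Win32:patched-ADQ [Trj]
AVG 10.0.0.1190 2012.01.09 Win32/Patched
BitDefender 7.2 2012.01.09 Trojan.Generic.7082907
ClamAV 0.97.3.0 2012.01.09 -
eTrust-Vet None 2012.01.06 -
Kaspersky 9.0.0.837 2012.01.09 Trojan.Win32.Patched.nn
McAfee 5.400.0.1158 2012.01.09 Artemis!2F58E8791C7A
Microsoft 1.7903 2012.01.08 Virus:Win32/Bamital.P
Panda 10.0.3.5 2012.01.08 Suspicious file
Sophos 4.73.0 2012.01.09 W32/Footle-A
Symantec 20111.2.0.82 2012.01.09 -
TrendMicro 9.500.0.1008 2012.01.09 PE_BAMITAL.SME
VIPRE 11371 2012.01.08 Virus.Win32.Footle.a (v)
"""

# Assumed list of tokens that name a type, a heuristic or a platform rather
# than a malware family; they are skipped when counting family votes.
NOISE = {"trojan", "virus", "generic", "suspicious", "file", "artemis",
         "malware", "unclassifiedmalware"}


def parse_results(text):
    """Return (vendor, version, last_update, result) rows from pasted lines.

    Vendor, version and date never contain spaces in this layout, so the
    first three whitespace-separated fields are fixed and the remainder of
    the line is the verdict, which may contain spaces ("Suspicious file").
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank line or stray header fragment
        vendor, version, updated = parts[:3]
        rows.append((vendor, version, updated, " ".join(parts[3:])))
    return rows


def detection_ratio(rows):
    """Return (positives, total); a '-' verdict means no detection."""
    positives = sum(1 for r in rows if r[3] != "-")
    return positives, len(rows)


def family_votes(rows):
    """Count family-like name tokens across the positive verdicts.

    Vendor naming differs (TR/Patched.Gen, Win32:patched-ADQ, PE_BAMITAL.SME),
    so verdicts are lower-cased and split on non-letters; short fragments and
    NOISE tokens are dropped so that only candidate family names remain.
    """
    votes = Counter()
    for _, _, _, result in rows:
        if result == "-":
            continue
        tokens = set(re.findall(r"[a-z]+", result.lower()))
        votes.update(t for t in tokens if len(t) >= 4 and t not in NOISE)
    return votes


def stale_engines(rows, scan_date, max_age_days=1):
    """Return vendors whose signatures were older than max_age_days at scan time.

    A '-' from an engine with stale definitions is weak evidence of a clean
    file, so these are worth flagging alongside the detection ratio.
    """
    scanned = datetime.strptime(scan_date, "%Y-%m-%d").date()
    stale = []
    for vendor, _, updated, _ in rows:
        last = datetime.strptime(updated, "%Y.%m.%d").date()
        if (scanned - last).days > max_age_days:
            stale.append(vendor)
    return stale


if __name__ == "__main__":
    rows = parse_results(SAMPLE)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines flagged the file")
    print("family votes:", family_votes(rows).most_common(3))
    print("engines with stale signatures:", stale_engines(rows, "2012-01-09"))
```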
 
Yeah, this is not good.

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=================================================================

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open Notepad and press CTRL+V
  • Post the output back here.

==============================================================

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to your desktop.
For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

  • Double click on downloaded file to run it.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log (FRST.txt) on your desktop.
  • Please copy and paste it to your reply.
 
bootkit remover log

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 99ed1954602173ef14b43a708afaa354

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
aswMBR

Sorry...

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-08 20:26:45
-----------------------------
20:26:45.562 OS Version: Windows 5.1.2600 Service Pack 3
20:26:45.562 Number of processors: 4 586 0x2505
20:26:45.562 ComputerName: NHS-H-11-LAPTOP UserName: egriffin
20:26:47.265 Initialize success
20:27:03.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:27:03.343 Disk 0 Vendor: ST9160412AS D005SDM1 Size: 152627MB BusType: 3
20:27:03.375 Disk 0 MBR read successfully
20:27:03.375 Disk 0 MBR scan
20:27:03.375 Disk 0 unknown MBR code
20:27:03.375 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 63
20:27:03.375 Disk 0 scanning sectors +312576705
20:27:03.453 Disk 0 scanning C:\WINDOWS\system32\drivers
20:27:08.468 Service scanning
20:27:09.234 Modules scanning
20:27:12.859 Disk 0 trace - called modules:
20:27:12.890 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys stdfltn.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
20:27:12.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a3a5ab8]
20:27:12.890 3 CLASSPNP.SYS[b9988fd7] -> nt!IofCallDriver -> [0x8a324e00]
20:27:12.890 5 stdfltn.sys[b9ce970c] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a3dcb00]
20:27:12.890 Scan finished successfully
20:27:56.281 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
20:27:56.281 The log file has been saved successfully to "E:\aswMBR.txt"
20:28:12.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\egriffin\Desktop\MBR.dat"
20:28:12.984 The log file has been saved successfully to "C:\Documents and Settings\egriffin\Desktop\aswMBR.txt"
 
Frst

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.2
Ran by egriffin at 2012-01-08 20:38:30
Running from C:\Documents and Settings\egriffin\Desktop
Service Pack 3 (X86) OS Language: English(US)
Attention: Could not load system hive.
Error: The process cannot access the file because it is being used by another process.
========================== Registry (Whitelisted) =============

HKU\Administrator\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\Default User\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\egriffin.NHS-H-11-LAPTOP\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\sobyrne\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]

================================ Services (Whitelisted) ==================


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-01-08 20:37 - 2012-01-08 20:38 - 0000000 ____D C:\FRST
2012-01-08 20:37 - 2012-01-08 20:37 - 0859264 ____A C:\Documents and Settings\egriffin\Desktop\FRST.exe
2012-01-08 20:36 - 2012-01-08 20:36 - 0000831 ____A C:\Documents and Settings\All Users\Application Data\mqgqaaa.tmp
2012-01-08 20:35 - 2012-01-08 20:35 - 0000861 ____A C:\Documents and Settings\All Users\Application Data\iqgqaaa.tmp
2012-01-08 20:35 - 2012-01-08 20:35 - 0000842 ____A C:\Documents and Settings\All Users\Application Data\jqgqaaa.tmp
2012-01-08 20:35 - 2012-01-08 20:35 - 0000830 ____A C:\Documents and Settings\All Users\Application Data\kqgqaaa.tmp
2012-01-08 20:31 - 2012-01-08 20:32 - 0000000 ____D C:\Documents and Settings\egriffin\Desktop\bootkit_remover
2012-01-08 20:30 - 2012-01-08 20:30 - 0044607 ____A C:\Documents and Settings\egriffin\Desktop\bootkit_remover.zip
2012-01-08 20:28 - 2012-01-08 20:28 - 0001742 ____A C:\Documents and Settings\egriffin\Desktop\aswMBR.txt
2012-01-08 20:28 - 2012-01-08 20:28 - 0000512 ____A C:\Documents and Settings\egriffin\Desktop\MBR.dat
2012-01-08 20:05 - 2012-01-08 20:37 - 0000865 ____A C:\Documents and Settings\All Users\Application Data\lqgqaaa.tmp
2012-01-08 20:01 - 2012-01-08 20:08 - 0000000 ____D C:\ComboFix
2012-01-08 19:17 - 2012-01-08 19:36 - 0009694 __ASH C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
2012-01-08 19:17 - 2012-01-08 19:17 - 0009584 __ASH C:\Documents and Settings\All Users\Application Data\912613170
2012-01-08 19:10 - 2012-01-08 19:36 - 0009694 __ASH C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
2012-01-08 19:02 - 2012-01-08 20:08 - 0046800 ____A C:\ComboFix.txt
2012-01-08 18:57 - 2012-01-08 20:04 - 0596194 ____A C:\Windows\System32\PerfStringBackup.TMP
2012-01-08 18:56 - 2012-01-08 18:56 - 0000000 RASHD C:\cmdcons
2012-01-08 18:56 - 2011-05-13 10:46 - 0000211 ____A C:\Boot.bak
2012-01-08 18:56 - 2004-08-03 23:00 - 0260272 _RASH C:\cmldr
2012-01-08 15:45 - 2011-07-12 18:55 - 2237440 ___RA (OldTimer Tools) C:\OTLPE.exe
2012-01-07 15:20 - 2012-01-08 20:06 - 0000000 ____D C:\Qoobox
2012-01-07 15:20 - 2012-01-08 20:05 - 0000000 ____D C:\Windows\ERDNT
2012-01-07 15:20 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-01-07 15:20 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-01-07 15:20 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-01-07 15:20 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-01-07 15:20 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-01-07 15:20 - 2000-08-30 16:00 - 0212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2012-01-07 15:20 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-01-07 15:20 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-01-07 15:20 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-01-07 15:19 - 2012-01-07 15:19 - 0000000 ___RD C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\My Videos
2012-01-07 15:18 - 2012-01-07 16:48 - 0000359 ____A C:\rkill.log
2012-01-07 11:06 - 2012-01-07 11:06 - 0000000 ____D C:\_OTL
2012-01-07 10:36 - 2012-01-08 15:04 - 0042462 ____A C:\OTL.Txt
2012-01-06 19:28 - 2012-01-07 21:30 - 1088006 ____A C:\Windows\ntbtlog.txt
2012-01-06 19:04 - 2012-01-06 19:04 - 0000000 ____D C:\ReimageUndo
2012-01-06 18:52 - 2012-01-06 18:52 - 0000286 ____A C:\Windows\reimage.ini
2012-01-06 18:51 - 2012-01-06 19:04 - 0000000 ____D C:\rei
2012-01-06 18:51 - 2012-01-06 18:51 - 0000000 ____D C:\Program Files\Reimage
2012-01-05 15:38 - 2012-01-05 15:38 - 0000000 ____D C:\Windows\Sun
2012-01-04 20:33 - 2012-01-04 20:33 - 0000782 ____A C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
2012-01-04 20:28 - 2012-01-04 20:28 - 0000000 ____D C:\Documents and Settings\egriffin\Application Data\dvdcss
2012-01-02 07:49 - 2012-01-08 20:33 - 0000664 ____A C:\Windows\System32\d3d9caps.dat
2011-12-31 10:32 - 2011-12-31 10:45 - 0015202 ____A C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
2011-12-31 08:21 - 2011-12-31 08:21 - 0000000 ____D C:\Documents and Settings\egriffin\Local Settings\Application Data\Help
2011-12-31 08:21 - 2011-12-31 08:21 - 0000000 ____D C:\Documents and Settings\egriffin\Application Data\Help
2011-12-15 14:34 - 2011-12-15 14:34 - 0011928 ____A C:\Documents and Settings\egriffin\My Documents\adam letter.docx
2011-12-15 10:09 - 2011-12-15 10:09 - 0015717 ____A C:\Windows\KB2618444-IE8.log
2011-12-15 10:09 - 2011-12-15 10:09 - 0000000 ___DC C:\Windows\$NtUninstallKB2639417$
2011-12-15 10:09 - 2011-12-15 10:09 - 0000000 ___DC C:\Windows\$NtUninstallKB2624667$
2011-12-15 10:07 - 2011-12-15 10:07 - 0006644 ____A C:\Windows\KB2618451.log
2011-12-15 10:07 - 2011-12-15 10:07 - 0004043 ____A C:\Windows\KB2633952.log
2011-12-15 10:07 - 2011-12-15 10:07 - 0000000 ___DC C:\Windows\$NtUninstallKB2633952$
2011-12-15 10:07 - 2011-12-15 10:07 - 0000000 ___DC C:\Windows\$NtUninstallKB2619339$
2011-12-15 10:07 - 2011-12-15 10:07 - 0000000 ___DC C:\Windows\$NtUninstallKB2618451$
2011-12-15 10:06 - 2011-12-15 10:06 - 0000000 ___DC C:\Windows\$NtUninstallKB2633171$
2011-12-15 10:06 - 2011-12-15 10:06 - 0000000 ___DC C:\Windows\$NtUninstallKB2620712$
2011-12-14 10:00 - 2011-12-15 10:09 - 0017733 ____A C:\Windows\KB2639417.log
2011-12-14 10:00 - 2011-12-15 10:09 - 0016766 ____A C:\Windows\KB2624667.log
2011-12-14 09:58 - 2011-12-15 10:07 - 0011157 ____A C:\Windows\KB2619339.log
2011-12-14 09:57 - 2011-12-15 10:06 - 0014066 ____A C:\Windows\KB2633171.log
2011-12-14 09:57 - 2011-12-15 10:06 - 0011234 ____A C:\Windows\KB2620712.log

============ 3 Months Modified Files and Folders ===============

2012-01-08 20:38 - 2012-01-08 20:37 - 0000000 ____D C:\FRST
2012-01-08 20:37 - 2012-01-08 20:37 - 0859264 ____A C:\Documents and Settings\egriffin\Desktop\FRST.exe
2012-01-08 20:37 - 2012-01-08 20:05 - 0000865 ____A C:\Documents and Settings\All Users\Application Data\lqgqaaa.tmp
2012-01-08 20:36 - 2012-01-08 20:36 - 0000831 ____A C:\Documents and Settings\All Users\Application Data\mqgqaaa.tmp
2012-01-08 20:35 - 2012-01-08 20:35 - 0000861 ____A C:\Documents and Settings\All Users\Application Data\iqgqaaa.tmp
2012-01-08 20:35 - 2012-01-08 20:35 - 0000842 ____A C:\Documents and Settings\All Users\Application Data\jqgqaaa.tmp
2012-01-08 20:35 - 2012-01-08 20:35 - 0000830 ____A C:\Documents and Settings\All Users\Application Data\kqgqaaa.tmp
2012-01-08 20:33 - 2012-01-02 07:49 - 0000664 ____A C:\Windows\System32\d3d9caps.dat
2012-01-08 20:32 - 2012-01-08 20:31 - 0000000 ____D C:\Documents and Settings\egriffin\Desktop\bootkit_remover
2012-01-08 20:30 - 2012-01-08 20:30 - 0044607 ____A C:\Documents and Settings\egriffin\Desktop\bootkit_remover.zip
2012-01-08 20:28 - 2012-01-08 20:28 - 0001742 ____A C:\Documents and Settings\egriffin\Desktop\aswMBR.txt
2012-01-08 20:28 - 2012-01-08 20:28 - 0000512 ____A C:\Documents and Settings\egriffin\Desktop\MBR.dat
2012-01-08 20:09 - 2011-06-06 11:18 - 0000000 __SHD C:\Documents and Settings\egriffin\Local Settings\Temporary Internet Files
2012-01-08 20:09 - 2010-07-13 10:56 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-01-08 20:08 - 2012-01-08 20:01 - 0000000 ____D C:\ComboFix
2012-01-08 20:08 - 2012-01-08 19:02 - 0046800 ____A C:\ComboFix.txt
2012-01-08 20:06 - 2012-01-07 15:20 - 0000000 ____D C:\Qoobox
2012-01-08 20:05 - 2012-01-07 15:20 - 0000000 ____D C:\Windows\ERDNT
2012-01-08 20:05 - 2011-11-29 12:55 - 0000000 __SHD C:\Documents and Settings\sobyrne\Local Settings\Temporary Internet Files
2012-01-08 20:05 - 2010-07-13 14:41 - 0000000 __SHD C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
2012-01-08 20:05 - 2010-07-13 10:54 - 0000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
2012-01-08 20:05 - 2008-04-14 04:00 - 0000227 ____A C:\Windows\system.ini
2012-01-08 20:05 - 2008-04-14 04:00 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-01-08 20:04 - 2012-01-08 18:57 - 0596194 ____A C:\Windows\System32\PerfStringBackup.TMP
2012-01-08 20:01 - 2010-07-13 10:55 - 0024392 ____A C:\Windows\SchedLgU.Txt
2012-01-08 20:00 - 2011-06-06 11:18 - 0000062 __ASH C:\Documents and Settings\egriffin\Local Settings\desktop.ini
2012-01-08 20:00 - 2008-04-14 04:00 - 0002206 ____A C:\Windows\System32\wpa.dbl
2012-01-08 19:59 - 2010-07-13 10:55 - 0000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-01-08 19:59 - 2010-07-13 10:54 - 0000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-01-08 19:59 - 2010-07-13 03:41 - 0000048 ____A C:\Windows\wiaservc.log
2012-01-08 19:36 - 2012-01-08 19:17 - 0009694 __ASH C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
2012-01-08 19:36 - 2012-01-08 19:10 - 0009694 __ASH C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
2012-01-08 19:17 - 2012-01-08 19:17 - 0009584 __ASH C:\Documents and Settings\All Users\Application Data\912613170
2012-01-08 19:17 - 2011-06-06 11:18 - 0000000 ____D C:\Documents and Settings\egriffin\Templates
2012-01-08 19:10 - 2010-07-13 10:50 - 1267755 ____A C:\Windows\WindowsUpdate.log
2012-01-08 18:59 - 2011-08-11 11:08 - 0000000 __SHD C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Local Settings\Temporary Internet Files
2012-01-08 18:56 - 2012-01-08 18:56 - 0000000 RASHD C:\cmdcons
2012-01-08 18:56 - 2010-07-13 03:36 - 0000327 _RASH C:\boot.ini
2012-01-08 18:53 - 2010-07-13 10:48 - 0000000 ____D C:\Windows\System32\Restore
2012-01-08 15:04 - 2012-01-07 10:36 - 0042462 ____A C:\OTL.Txt
2012-01-07 21:30 - 2012-01-06 19:28 - 1088006 ____A C:\Windows\ntbtlog.txt
2012-01-07 21:30 - 2010-07-13 10:54 - 0000178 ___SH C:\Documents and Settings\NetworkService\ntuser.ini
2012-01-07 21:20 - 2011-08-11 11:08 - 0000062 __ASH C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Local Settings\desktop.ini
2012-01-07 16:48 - 2012-01-07 15:18 - 0000359 ____A C:\rkill.log
2012-01-07 16:44 - 2010-07-13 10:55 - 0000178 ___SH C:\Documents and Settings\LocalService\ntuser.ini
2012-01-07 16:31 - 2011-06-06 11:18 - 0000178 ___SH C:\Documents and Settings\egriffin\ntuser.ini
2012-01-07 15:51 - 2011-06-06 10:59 - 0310342 ____A C:\Windows\setupapi.log
2012-01-07 15:19 - 2012-01-07 15:19 - 0000000 ___RD C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\My Videos
2012-01-07 15:19 - 2011-08-11 11:08 - 0000000 ___RD C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents
2012-01-07 11:06 - 2012-01-07 11:06 - 0000000 ____D C:\_OTL
2012-01-06 19:04 - 2012-01-06 19:04 - 0000000 ____D C:\ReimageUndo
2012-01-06 19:04 - 2012-01-06 18:51 - 0000000 ____D C:\rei
2012-01-06 18:52 - 2012-01-06 18:52 - 0000286 ____A C:\Windows\reimage.ini
2012-01-06 18:51 - 2012-01-06 18:51 - 0000000 ____D C:\Program Files\Reimage
2012-01-06 18:41 - 2010-07-13 03:37 - 0000000 ___RD C:\Documents and Settings\All Users\Start Menu
2012-01-06 18:38 - 2010-07-13 03:40 - 0000159 ____A C:\Windows\wiadebug.log
2012-01-05 20:27 - 2010-07-13 03:38 - 0594696 ____A C:\Windows\System32\PerfStringBackup.INI
2012-01-05 15:38 - 2012-01-05 15:38 - 0000000 ____D C:\Windows\Sun
2012-01-04 20:33 - 2012-01-04 20:33 - 0000782 ____A C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
2012-01-04 20:33 - 2010-07-13 10:47 - 0020999 ____A C:\Windows\wmsetup.log
2012-01-04 20:28 - 2012-01-04 20:28 - 0000000 ____D C:\Documents and Settings\egriffin\Application Data\dvdcss
2012-01-04 20:28 - 2011-06-06 11:18 - 0000000 ____D C:\Documents and Settings\egriffin\Application Data\vlc
2012-01-03 14:57 - 2010-07-13 12:01 - 0000000 ____D C:\Windows\Microsoft.NET
2011-12-31 10:45 - 2011-12-31 10:32 - 0015202 ____A C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
2011-12-31 10:43 - 2011-06-06 11:18 - 0000000 ___RD C:\Documents and Settings\egriffin\My Documents
2011-12-31 08:21 - 2011-12-31 08:21 - 0000000 ____D C:\Documents and Settings\egriffin\Local Settings\Application Data\Help
2011-12-31 08:21 - 2011-12-31 08:21 - 0000000 ____D C:\Documents and Settings\egriffin\Application Data\Help
2011-12-31 08:21 - 2010-07-13 03:30 - 0000000 ____D C:\Windows\Help
2011-12-16 10:56 - 2011-05-16 08:39 - 0003056 ____A C:\Windows\System32\config\netlogon.ftl
2011-12-16 10:50 - 2010-07-13 03:30 - 0000000 ____D C:\Windows\security
2011-12-16 09:30 - 2011-06-15 08:24 - 0002515 ____A C:\Documents and Settings\egriffin\Desktop\Microsoft Office Word 2007.lnk
2011-12-15 14:34 - 2011-12-15 14:34 - 0011928 ____A C:\Documents and Settings\egriffin\My Documents\adam letter.docx
2011-12-15 10:11 - 2010-07-13 03:37 - 0270984 ____A C:\Windows\System32\FNTCACHE.DAT
2011-12-15 10:09 - 2011-12-15 10:09 - 0015717 ____A C:\Windows\KB2618444-IE8.log
2011-12-15 10:09 - 2011-12-15 10:09 - 0000000 ___DC C:\Windows\$NtUninstallKB2639417$
2011-12-15 10:09 - 2011-12-15 10:09 - 0000000 ___DC C:\Windows\$NtUninstallKB2624667$
2011-12-15 10:09 - 2011-12-14 10:00 - 0017733 ____A C:\Windows\KB2639417.log
2011-12-15 10:09 - 2011-12-14 10:00 - 0016766 ____A C:\Windows\KB2624667.log
2011-12-15 10:09 - 2010-07-13 12:53 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2011-12-15 10:09 - 2010-07-13 11:29 - 0074553 ____A C:\Windows\updspapi.log
2011-12-15 10:09 - 2010-07-13 11:22 - 0000000 ____D C:\Windows\$hf_mig$
2011-12-15 10:09 - 2010-07-13 03:38 - 1222839 ____A C:\Windows\iis6.log
2011-12-15 10:09 - 2010-07-13 03:38 - 1067447 ____A C:\Windows\FaxSetup.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0529198 ____A C:\Windows\ocgen.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0498723 ____A C:\Windows\tsoc.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0370469 ____A C:\Windows\comsetup.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0338266 ____A C:\Windows\msmqinst.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0223598 ____A C:\Windows\ntdtcsetup.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0187978 ____A C:\Windows\netfxocm.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0074519 ____A C:\Windows\MedCtrOC.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0059985 ____A C:\Windows\ocmsn.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0054122 ____A C:\Windows\tabletoc.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0053969 ____A C:\Windows\msgsocm.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0001393 ____A C:\Windows\imsins.log
2011-12-15 10:09 - 2010-07-13 03:38 - 0001393 ____A C:\Windows\imsins.BAK
2011-12-15 10:08 - 2010-07-13 11:31 - 52988224 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2011-12-15 10:07 - 2011-12-15 10:07 - 0006644 ____A C:\Windows\KB2618451.log
2011-12-15 10:07 - 2011-12-15 10:07 - 0004043 ____A C:\Windows\KB2633952.log
2011-12-15 10:07 - 2011-12-15 10:07 - 0000000 ___DC C:\Windows\$NtUninstallKB2633952$
2011-12-15 10:07 - 2011-12-15 10:07 - 0000000 ___DC C:\Windows\$NtUninstallKB2619339$
2011-12-15 10:07 - 2011-12-15 10:07 - 0000000 ___DC C:\Windows\$NtUninstallKB2618451$
2011-12-15 10:07 - 2011-12-14 09:58 - 0011157 ____A C:\Windows\KB2619339.log
2011-12-15 10:07 - 2010-07-13 11:35 - 0017596 ____A C:\Windows\System32\TZLog.log
2011-12-15 10:06 - 2011-12-15 10:06 - 0000000 ___DC C:\Windows\$NtUninstallKB2633171$
2011-12-15 10:06 - 2011-12-15 10:06 - 0000000 ___DC C:\Windows\$NtUninstallKB2620712$
2011-12-15 10:06 - 2011-12-14 09:57 - 0014066 ____A C:\Windows\KB2633171.log
2011-12-15 10:06 - 2011-12-14 09:57 - 0011234 ____A C:\Windows\KB2620712.log
2011-12-14 13:27 - 2008-04-14 04:00 - 0000698 ____A C:\Windows\win.ini
2011-12-07 14:16 - 2011-11-30 14:46 - 0042496 ____A C:\Documents and Settings\egriffin\Desktop\final exam_written 2010.doc
2011-12-06 08:42 - 2011-06-14 09:37 - 0070472 ____A C:\Documents and Settings\egriffin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2011-12-06 07:32 - 2011-12-06 07:32 - 0000000 ____A C:\foo.txt
2011-12-06 07:28 - 2011-12-06 07:28 - 0001015 ___RA C:\logFile.xsl
2011-12-06 07:28 - 2011-12-06 07:28 - 0000000 ____D C:\Documents and Settings\egriffin\My Documents\My Videos
2011-12-06 07:28 - 2011-06-16 09:20 - 0003584 ____A C:\Documents and Settings\egriffin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-12-06 07:27 - 2011-12-06 07:27 - 0000000 ____D C:\Program Files\Flip Video
2011-12-06 07:27 - 2011-12-06 07:27 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Flip Video
2011-12-01 10:02 - 2011-08-11 11:08 - 0000178 ___SH C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\ntuser.ini
2011-12-01 09:52 - 2011-10-18 10:54 - 0000000 ____D C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Sp 2 Ch 3
2011-11-29 14:27 - 2010-07-13 12:07 - 0006596 _RASH C:\Documents and Settings\All Users\ntuser.pol
2011-11-29 12:58 - 2011-06-06 11:18 - 0000008 _RASH C:\Documents and Settings\egriffin\ntuser.pol
2011-11-29 12:57 - 2011-11-29 12:55 - 0000178 __ASH C:\Documents and Settings\sobyrne\ntuser.ini
2011-11-29 12:55 - 2011-11-29 12:55 - 0000782 ____A C:\Documents and Settings\sobyrne\Desktop\Windows Media Player.lnk
2011-11-29 12:55 - 2011-11-29 12:55 - 0000062 __ASH C:\Documents and Settings\sobyrne\Local Settings\desktop.ini
2011-11-29 12:55 - 2010-07-13 10:51 - 0002039 ____A C:\Windows\OEWABLog.txt
2011-11-29 12:54 - 2010-07-13 14:41 - 0000178 __ASH C:\Documents and Settings\Administrator\ntuser.ini
2011-11-29 12:44 - 2010-07-13 14:41 - 0000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2011-11-29 12:41 - 2011-11-29 12:41 - 0000104 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Desktop\Shortcut to egriffin on NHS-H-11-LAPTOP.lnk
2011-11-23 05:25 - 2008-04-14 04:00 - 1859584 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\win32k.sys
2011-11-23 05:25 - 2008-04-14 04:00 - 1859584 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-11-18 14:29 - 2011-11-18 14:29 - 0000000 ___DC C:\Windows\$NtUninstallKB2544893-v2$
2011-11-18 14:29 - 2011-11-09 07:59 - 0014486 ____A C:\Windows\KB2544893-v2.log
2011-11-18 14:28 - 2011-11-18 14:28 - 0000000 ___DC C:\Windows\$NtUninstallKB2641690$
2011-11-18 14:28 - 2011-11-11 03:34 - 0011751 ____A C:\Windows\KB2641690.log
2011-11-18 11:36 - 2011-11-17 11:52 - 0000000 ____D C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Application Data\U3
2011-11-18 11:13 - 2011-10-17 10:43 - 0002483 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Desktop\Microsoft Office PowerPoint 2007.lnk
2011-11-18 10:48 - 2011-11-18 10:48 - 0797939 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Desktop\Mi viaje a Tierro Media por lorenzo en la clase de periodo cuatro.pptx
2011-11-18 09:56 - 2011-11-18 09:56 - 0457681 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\jason fehring powerpoint.pptx
2011-11-17 15:11 - 2011-11-17 15:11 - 1066195 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\powerpoint taco y dinero.pptx
2011-11-17 11:09 - 2011-11-17 11:09 - 0708880 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Jefe and Chuy 2.pptx
2011-11-17 10:58 - 2011-11-17 10:58 - 0538410 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Jefe and Chuy.pptx
2011-11-17 10:12 - 2011-11-17 10:12 - 1402751 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\rocio.pptx
2011-11-17 10:04 - 2011-08-11 11:08 - 0000000 ___RD C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\My Pictures
2011-11-17 10:01 - 2011-11-17 10:01 - 0568982 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Paco Kimbrel.pptx
2011-11-16 09:13 - 2011-11-16 09:13 - 0845950 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Mi viaje a Hawai por Marielena Reed.pptx
2011-11-15 15:45 - 2011-11-15 15:45 - 0412160 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Nuestro viaje a Miami.ppt
2011-11-15 15:36 - 2011-11-15 15:36 - 0370206 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Nuestro viaje a Miami.pptx
2011-11-15 15:12 - 2011-11-15 15:09 - 0360960 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\EZzra morgan.ppt
2011-11-15 15:05 - 2011-11-15 15:05 - 0502064 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Nuestro viaje a Hawai.pptx
2011-11-15 14:13 - 2011-10-18 09:49 - 0267776 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\La tarjeta rubric.doc
2011-11-15 14:12 - 2011-06-15 08:24 - 0002515 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Desktop\Microsoft Office Word 2007 (2).lnk
2011-11-15 14:10 - 2010-07-13 10:50 - 0000000 ___SD C:\Windows\Downloaded Program Files
2011-11-15 14:05 - 2011-11-14 14:52 - 0036352 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\chapter 3 quiz_vocab_conj.doc
2011-11-15 13:32 - 2011-11-15 14:11 - 3911939 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\WonderfulThings_jpg.mht
2011-11-15 13:32 - 2011-11-15 13:32 - 3911939 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Desktop\WonderfulThings_jpg.mht
2011-11-15 12:49 - 2011-11-15 12:49 - 0271610 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\chuykorbpp.pptx
2011-11-15 08:40 - 2011-11-15 08:40 - 0049152 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Desktop\Document Scrap '(llegar) a la es...'.shs
2011-11-14 14:42 - 2011-11-14 14:42 - 0010817 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\presentation listening activity.docx
2011-11-14 12:45 - 2011-11-14 12:45 - 2822376 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\carnazpla bennett pp.pptx
2011-11-14 07:59 - 2011-11-14 07:59 - 0000162 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\~$ tarjeta rubric.doc
2011-11-10 15:07 - 2011-11-10 15:02 - 0011423 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Calendario del Español.docx
2011-11-10 14:58 - 2011-11-10 14:56 - 2889518 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Practice oral.pptx
2011-11-09 08:20 - 2011-10-18 12:27 - 0000000 ____D C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Sp 2 Ch 2
2011-11-08 05:46 - 2008-04-14 04:00 - 0046080 ____A (Microsoft Corporation) C:\Windows\System32\tzchange.exe
2011-11-04 11:20 - 2010-07-13 11:32 - 2000384 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\iertutil.dll
2011-11-04 11:20 - 2010-07-13 11:32 - 11081728 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ieframe.dll
2011-11-04 11:20 - 2010-07-13 11:32 - 0743424 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\iedvtool.dll
2011-11-04 11:20 - 2010-07-13 11:32 - 0602112 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msfeeds.dll
2011-11-04 11:20 - 2010-07-13 11:32 - 0247808 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ieproxy.dll
2011-11-04 11:20 - 2010-07-13 11:32 - 0055296 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msfeedsbs.dll
2011-11-04 11:20 - 2010-07-13 11:32 - 0012800 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\xpshims.dll
2011-11-04 11:20 - 2009-03-08 03:39 - 11081728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-11-04 11:20 - 2009-03-08 03:32 - 2000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-11-04 11:20 - 2009-03-08 03:32 - 0602112 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2011-11-04 11:20 - 2009-03-08 03:31 - 0055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 5978112 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 5978112 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 1469440 ____N (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-11-04 11:20 - 2008-04-14 04:00 - 1469440 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\inetcpl.cpl
2011-11-04 11:20 - 2008-04-14 04:00 - 1212416 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\urlmon.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 1212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0916992 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\wininet.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0611840 ____N (Microsoft Corporation) C:\Windows\System32\mstime.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0611840 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mstime.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0387584 ____N (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0387584 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iedkcs32.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0206848 ____N (Microsoft Corporation) C:\Windows\System32\occache.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0206848 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\occache.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0184320 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\iepeers.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0105984 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\url.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0066560 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mshtmled.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0066560 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0043520 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\licmgr10.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0025600 ____N (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-11-04 11:20 - 2008-04-14 04:00 - 0025600 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\jsproxy.dll
2011-11-04 03:24 - 2008-04-14 04:00 - 0174080 ____N (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2011-11-04 03:24 - 2008-04-14 04:00 - 0174080 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\ie4uinit.exe
2011-11-04 03:23 - 2008-04-14 04:00 - 0385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2011-11-03 07:11 - 2011-11-03 07:11 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2011-11-02 08:27 - 2011-11-02 08:26 - 0011638 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Estimado estudiante.docx
2011-11-02 07:10 - 2011-11-01 14:12 - 0011387 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Our daddy is on a hunting trip.docx
2011-11-01 13:28 - 2011-11-01 13:28 - 0011795 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\tener phrases intro.docx
2011-11-01 11:37 - 2011-11-01 11:37 - 0000162 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\~$m letter.docx
2011-11-01 10:59 - 2011-10-20 10:10 - 0020338 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Wedding Rehearsal.docx
2011-11-01 08:07 - 2008-04-14 04:00 - 1288704 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ole32.dll
2011-11-01 08:07 - 2008-04-14 04:00 - 1288704 ____A (Microsoft Corporation) C:\Windows\System32\ole32.dll
2011-10-28 13:40 - 2011-10-28 13:40 - 0014546 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Mexican Día de los Muertos Celebrations.docx
2011-10-28 13:02 - 2011-10-28 13:02 - 0012113 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\calendar.docx
2011-10-27 21:31 - 2008-04-14 04:00 - 0033280 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\csrsrv.dll
2011-10-27 21:31 - 2008-04-14 04:00 - 0033280 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2011-10-25 11:32 - 2011-10-25 11:32 - 0458752 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Academic Team Award.doc
2011-10-25 05:37 - 2010-07-13 11:24 - 2148864 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlmp.exe
2011-10-25 05:37 - 2008-04-14 04:00 - 2148864 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2011-10-25 05:33 - 2010-07-13 11:24 - 2192768 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ntoskrnl.exe
2011-10-25 04:52 - 2010-07-13 11:24 - 2027008 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrpamp.exe
2011-10-25 04:52 - 2009-02-07 18:02 - 2069376 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlpa.exe
2011-10-25 04:52 - 2008-04-13 16:01 - 2027008 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2011-10-20 07:01 - 2011-11-15 14:08 - 0421882 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Los verbos reflexivos explanation.pptx
2011-10-19 14:20 - 2011-10-31 19:06 - 0012573 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\kam letter.docx
2011-10-19 09:20 - 2011-11-15 14:08 - 0710066 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Los verbos reflexivos.pptx
2011-10-19 07:07 - 2011-08-23 06:39 - 0070472 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2011-10-18 12:52 - 2011-06-06 11:05 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2011-10-18 12:50 - 2011-10-18 12:50 - 0010834 ____A C:\Windows\KB2564958.log
2011-10-18 12:50 - 2011-10-18 12:50 - 0000000 ___DC C:\Windows\$NtUninstallKB2564958$
2011-10-18 12:48 - 2011-10-28 07:01 - 0018973 ____A C:\Windows\KB2567053.log
2011-10-18 12:48 - 2011-10-18 12:48 - 0010808 ____A C:\Windows\KB2592799.log
2011-10-18 12:48 - 2011-10-18 12:48 - 0000000 ___DC C:\Windows\$NtUninstallKB2592799$
2011-10-18 12:48 - 2011-10-18 12:48 - 0000000 ___DC C:\Windows\$NtUninstallKB2567053$
2011-10-18 12:47 - 2011-10-18 12:47 - 0014964 ____A C:\Windows\KB2586448-IE8.log
2011-10-18 03:13 - 2008-04-14 04:00 - 0186880 ___AC C:\Windows\System32\dllcache\encdec.dll
2011-10-18 03:13 - 2008-04-14 04:00 - 0186880 ____A C:\Windows\System32\encdec.dll
2011-10-15 11:09 - 2011-10-13 12:42 - 0020306 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\prep test ch 1.docx
2011-10-15 11:09 - 2011-10-13 11:36 - 0020994 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\chapter 1 exam.docx
2011-10-13 12:42 - 2011-10-13 12:42 - 0012558 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\How well do you know your looping teacher.docx
2011-10-12 13:52 - 2011-10-12 13:52 - 0066739 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Please autograph m1.pdf
2011-10-12 13:41 - 2011-10-12 13:41 - 0036160 ____A C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\Please autograph my.pdf

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2008-04-14 04:00] - [2008-04-14 04:00] - 1058816 ____A (Microsoft Corporation) 2f58e8791c7a1f61fd35baeb73b0e9be

C:\Windows\System32\winlogon.exe
[2008-04-14 04:00] - [2008-04-14 04:00] - 0545280 ____A (Microsoft Corporation) b0e1a6d16b717f1d19055d6ec86556a1

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================

RP: -> 2012-01-08 18:53 - 028672 _restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1


========================= Memory info ======================

Percentage of memory in use: 26%
Total physical RAM: 2933.85 MB
Available physical RAM: 2160.52 MB
Total Pagefile: 4819.38 MB
Available Pagefile: 4161.83 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.08 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:149.05 GB) (Free:138.09 GB) NTFS ==>[Drive with boot components]
2 Drive d: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
3 Drive e: (KINGSTON) (Removable) (Total:1.88 GB) (Free:0.08 GB) FAT

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      149 GB   0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           149 GB   32 KB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C                NTFS   Partition   149 GB   Healthy    System
 
svchost.exe analysis

File name: svchost.exe
Submission date: 2012-01-09 04:15:44 (UTC)

Result: 24/ 43 (55.8%)
Antivirus Version Last Update Result
AhnLab-V3 2012.01.08.00 2012.01.08 Trojan/Win32.Patched
AntiVir 7.11.20.196 2012.01.09 TR/Offend.7083917.1
Antiy-AVL 2.0.3.7 2012.01.09 Trojan/Win32.Patched.gen
Avast 6.0.1289.0 2012.01.08 Win32:patched-ADQ [Trj]
AVG 10.0.0.1190 2012.01.09 Win32/Patched
BitDefender 7.2 2012.01.09 Trojan.Generic.7083917
ByteHero 1.0.0.1 2011.12.31 -
CAT-QuickHeal 12.00 2012.01.08 -
ClamAV 0.97.3.0 2012.01.09 -
Commtouch 5.3.2.6 2012.01.07 -
Comodo 11218 2012.01.09 UnclassifiedMalware
DrWeb 5.0.2.03300 2012.01.09 -
Emsisoft 5.1.0.11 2012.01.09 Trojan.Patched!IK
eSafe 7.0.17.0 2012.01.08 Win32.TROffend
eTrust-Vet 37.0.9668 2012.01.06 -
F-Prot 4.6.5.141 2012.01.07 -
F-Secure 9.0.16440.0 2012.01.09 Trojan.Generic.7083917
Fortinet 4.3.388.0 2012.01.09 W32/Patched.A!tr
GData 22 2012.01.09 Trojan.Generic.7083917
Ikarus T3.1.1.109.0 2012.01.09 Trojan.Patched
Jiangmin 13.0.900 2012.01.08 -
K7AntiVirus 9.123.5881 2012.01.06 Trojan
Kaspersky 9.0.0.837 2012.01.09 Trojan.Win32.Patched.nn
McAfee 5.400.0.1158 2012.01.09 Generic.dx!bcl4
McAfee-GW-Edition 2010.1E 2012.01.08 Generic.dx!bcl4
Microsoft 1.7903 2012.01.08 Virus:Win32/Bamital.P
NOD32 6777 2012.01.09 -
Norman 6.07.13 2012.01.08 -
nProtect 2012-01-08.01 2012.01.08 -
Panda 10.0.3.5 2012.01.08 Suspicious file
PCTools 8.0.0.5 2012.01.09 -
Prevx 3.0 2012.01.09 -
Rising 23.91.04.02 2012.01.06 Trojan.Win32.Generic.12AE000C
Sophos 4.73.0 2012.01.09 W32/Footle-A
SUPERAntiSpyware 4.40.0.1006 2012.01.07 -
Symantec 20111.2.0.82 2012.01.09 -
TheHacker 6.7.0.1.373 2012.01.08 -
TrendMicro 9.500.0.1008 2012.01.09 PE_BAMITAL.SME
TrendMicro-HouseCall 9.500.0.1008 2012.01.09 PE_BAMITAL.SME
VBA32 3.12.16.4 2012.01.06 -
VIPRE 11371 2012.01.08 Virus.Win32.Footle.a (v)
ViRobot 2012.1.9.4870 2012.01.09 -
VirusBuster 14.1.157.0 2012.01.08 -
Additional information
MD5 : a3df98e72c2594b60eb9f614cbd2fc63
SHA1 : cb2342a653f2647fbbf36bc25ec64760aeed5e88
SHA256: 49af91e0015ae12ee2cdb387b1debe314d65149f18e1b5b222563cfda835078d
ssdeep: 768:vNcG6xlCRaJLGOA7SYTv2QJmvjCJfPwpmYc3W0YMdRdB62J:VcG6yWzKSQ0+dAmY1QFJ
File size : 39936 bytes
First seen: 2012-01-02 17:21:47
Last seen : 2012-01-09 04:15:44
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Generic Host Process for Win32 Services
original name: svchost.exe
internal name: svchost.exe
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2509
timedatestamp....: 0x48020000 (Sun Apr 13 12:43:44 2008)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x2C00, 0x2C00, 6.29, 51af92d73a9f509f021d2511252eba60
.data, 0x4000, 0x6410, 0x6600, 7.84, 299257620faabf2922824bbd878c4e02
.rsrc, 0xB000, 0x408, 0x600, 2.51, 0ce411030b6d3ec8e6dd25d861233cc9

[[ 4 import(s) ]]
ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 11264
CompanyName: Microsoft Corporation
EntryPoint: 0x2509
FileDescription: Generic Host Process for Win32 Services
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 39 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
FileVersionNumber: 5.1.2600.5512
ImageVersion: 5.1
InitializedDataSize: 2560
InternalName: svchost.exe
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: svchost.exe
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:04:13 14:43:44+02:00
UninitializedDataSize: 0

Symantec reputation:Suspicious.Insight


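The numbers in the two tool reports above (the per-file MD5s in the "Bamital & volsnap Check", and the hashes, per-section sizes, entropy and section MD5s in VirusTotal's PEInfo block for svchost.exe) can be reproduced on a copy of the file taken from the offline boot, which is the check to run before trusting or deleting it. The script below is an added example for this write-up; it is not part of the posted logs, nor code from OTLPE, FRST or VirusTotal, and it uses only the Python standard library. Two details in the pasted svchost.exe report are the ones worth flagging automatically: a .data section at entropy 7.84, meaning near-incompressible content where a stock Microsoft binary holds plain initialised variables, consistent with the "Patched" and Bamital detections; and an optional header still declaring InitializedDataSize 2560 while the section table lists 0x6600 bytes of .data plus 0x600 of .rsrc. The 7.5 threshold, the section characteristics and the in-memory test image are my own constructions, not data from the page.

```python
"""PE section triage: reproduce the hashes and per-section entropy/MD5 that VirusTotal's
PEInfo block reports, plus two consistency checks for a suspected patched system binary.
Standard library only. Added example; the sample image is constructed, not svchost.exe."""
import hashlib
import math
import struct
import sys

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for incompressible data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Walk MZ -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    # SizeOfCode and SizeOfInitializedData sit at +4/+8 in both PE32 and PE32+ headers.
    size_of_code, size_of_init = struct.unpack_from("<II", pe, opt + 4)
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "timestamp": tstamp, "size_of_code": size_of_code,
            "size_of_init_data": size_of_init, "sections": sections,
            "hashes": {a: hashlib.new(a, pe).hexdigest() for a in ("md5", "sha1", "sha256")}}


def high_entropy_sections(info: dict, threshold: float = 7.5) -> list:
    """Sections whose raw bytes are near-incompressible. Stock Microsoft .text/.data sit
    well below this; .rsrc can be high legitimately when it embeds compressed media."""
    return [s["name"] for s in info["sections"] if s["entropy"] >= threshold]


def init_data_mismatch(info: dict) -> int:
    """Raw bytes of initialized-data sections on disk minus SizeOfInitializedData from the
    optional header. The linker normally writes them in step; a section enlarged after
    linking (header 2560 vs 0x6600 + 0x600 in the pasted report) leaves the header behind."""
    actual = sum(s["rawsize"] for s in info["sections"]
                 if s["chars"] & IMAGE_SCN_CNT_INITIALIZED_DATA)
    return actual - info["size_of_init_data"]


def triage(pe: bytes) -> dict:
    info = parse_pe(pe)
    info["high_entropy"] = high_entropy_sections(info)
    info["init_data_mismatch"] = init_data_mismatch(info)
    return info


def _align(n: int, a: int) -> int:
    return -(-n // a) * a


def build_test_pe(sections, declared_init_data: int) -> bytes:
    """Assemble a minimal PE32 image in memory (constructed test data, not a runnable
    program). sections = [(name, raw_bytes, characteristics)]; declared_init_data goes
    into the optional header so the mismatch check has something to measure."""
    e_lfanew, opt_size, file_align = 0x40, 224, 0x200
    hdr_len = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), file_align)
    table, body, rawptr, vaddr = b"", b"", hdr_len, 0x1000
    for name, data, chars in sections:
        rawsize = _align(len(data), file_align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr, vaddr = rawptr + rawsize, vaddr + _align(len(data), 0x1000)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x48020000, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIII", 0x10B, 7, 1, 0, declared_init_data, 0).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body


# Constructed sample: a NOP sled as .text, 2 KiB of SHA-256 output (near-random) as .data,
# and a header that admits to only 512 bytes of initialized data.
SAMPLE_PE = build_test_pe([
    (b".text", b"\x90" * 500 + b"\xC3", 0x60000020),
    (b".data", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)), 0xC0000040),
], declared_init_data=512)

if __name__ == "__main__":
    r = triage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE)
    for alg, digest in r["hashes"].items():
        print(f"{alg:<7}{digest}")
    for s in r["sections"]:
        print(f"{s['name']:<8} vaddr=0x{s['vaddr']:X} vsize=0x{s['vsize']:X} "
              f"raw=0x{s['rawsize']:X} entropy={s['entropy']:.2f} md5={s['md5']}")
    print("high-entropy sections:", r["high_entropy"])
    print("initialized data beyond header claim (bytes):", r["init_data_mismatch"])
```

Run it as `python pe_triage.py C:\Windows\System32\winlogon.exe` from the rescue environment; with no argument it analyses the constructed sample. The md5 line is what to compare against the "Bamital & volsnap Check" entry (for winlogon.exe the log's b0e1a6d16b717f1d19055d6ec86556a1 is the same value VirusTotal computed, so the file the scanner hashed is the file that was submitted). A high-entropy .rsrc on its own is not evidence, since programs embedding compressed images or installers legitimately show it; weigh the section name, the header mismatch and the signature status together.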
 
winlogon.exe analysis

File name: winlogon.exe
Submission date: 2012-01-09 04:38:46 (UTC)

Result: 23/ 43 (53.5%)
Antivirus Version Last Update Result
AhnLab-V3 2012.01.08.00 2012.01.08 -
AntiVir 7.11.20.196 2012.01.09 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2012.01.09 Trojan/Win32.Patched.gen
Avast 6.0.1289.0 2012.01.08 Win32:patched-ADQ [Trj]
AVG 10.0.0.1190 2012.01.09 Win32/Patched
BitDefender 7.2 2012.01.09 Trojan.Generic.7083324
ByteHero 1.0.0.1 2011.12.31 Trojan.Win32.Heur.098
CAT-QuickHeal 12.00 2012.01.08 -
ClamAV 0.97.3.0 2012.01.09 -
Commtouch 5.3.2.6 2012.01.07 -
Comodo 11218 2012.01.09 UnclassifiedMalware
DrWeb 5.0.2.03300 2012.01.09 -
Emsisoft 5.1.0.11 2012.01.09 Trojan.Win32.Patched!IK
eSafe 7.0.17.0 2012.01.08 -
eTrust-Vet 37.0.9668 2012.01.06 -
F-Prot 4.6.5.141 2012.01.07 -
F-Secure 9.0.16440.0 2012.01.09 Trojan.Generic.7083324
Fortinet 4.3.388.0 2012.01.09 W32/Patched.A!tr
GData 22 2012.01.09 Trojan.Generic.7083324
Ikarus T3.1.1.109.0 2012.01.09 Trojan.Win32.Patched
Jiangmin 13.0.900 2012.01.08 -
K7AntiVirus 9.123.5881 2012.01.06 Trojan
Kaspersky 9.0.0.837 2012.01.09 Trojan.Win32.Patched.nn
McAfee 5.400.0.1158 2012.01.09 Generic.dx!bcln
McAfee-GW-Edition 2010.1E 2012.01.08 Generic.dx!bcln
Microsoft 1.7903 2012.01.08 Virus:Win32/Bamital.P
NOD32 6777 2012.01.09 -
Norman 6.07.13 2012.01.08 -
nProtect 2012-01-08.01 2012.01.08 -
Panda 10.0.3.5 2012.01.08 Suspicious file
PCTools 8.0.0.5 2012.01.09 -
Prevx 3.0 2012.01.09 -
Rising 23.91.04.02 2012.01.06 Trojan.Win32.Generic.12ADFFB3
Sophos 4.73.0 2012.01.09 W32/Footle-A
SUPERAntiSpyware 4.40.0.1006 2012.01.07 -
Symantec 20111.2.0.82 2012.01.09 -
TheHacker 6.7.0.1.373 2012.01.08 -
TrendMicro 9.500.0.1008 2012.01.09 PE_BAMITAL.SME
TrendMicro-HouseCall 9.500.0.1008 2012.01.09 PE_BAMITAL.SME
VBA32 3.12.16.4 2012.01.06 -
VIPRE 11372 2012.01.09 Virus.Win32.Footle.a (v)
ViRobot 2012.1.9.4870 2012.01.09 -
VirusBuster 14.1.157.0 2012.01.08 -
Additional information
MD5 : b0e1a6d16b717f1d19055d6ec86556a1
SHA1 : 1aa2df0a4ed608dae420d90b213f919705cd95fe
SHA256: 4568465d9894690d5cd84044c2b7260a9a41a60468997e9186f21fea6b9079ba
ssdeep: 6144:ENZlxEdL5RvGlcHF37newMLao6nTnKHOD13XRnCfOVSePfLtisgZYl50gAI:Ddz+lcDKao6nzKHsRqOMgxZg4
File size : 545280 bytes
First seen: 2012-01-02 17:17:59
Last seen : 2012-01-09 04:38:46
TrID:
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows NT Logon Application
original name: WINLOGON.EXE
internal name: winlogon
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x3E5E1
timedatestamp....: 0x48020000 (Sun Apr 13 12:43:44 2008)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x70991, 0x70A00, 6.82, 5b61e6434706d420a206594d23255eee
.data, 0x72000, 0xB070, 0xB200, 6.26, ecbc8607b9ef94426b4ec608413a45fd
.rsrc, 0x7E000, 0x9020, 0x9200, 3.62, 2125d2aebebda4c2fcf377ebf03d5275

[[ 20 import(s) ]]
ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
GDI32.dll: RemoveFontResourceW, AddFontResourceW
KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, 
InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
NDdeApi.dll: -, -, -, -
ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
WS2_32.dll: -, -, getaddrinfo

ExifTool file metadata:
CharacterSet: Unicode
CodeSize: 461312
CompanyName: Microsoft Corporation
EntryPoint: 0x3e5e1
FileDescription: Windows NT Logon Application
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 532 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
FileVersionNumber: 5.1.2600.5512
ImageVersion: 21315.20512
InitializedDataSize: 57856
InternalName: winlogon
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: WINLOGON.EXE
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:04:13 14:43:44+02:00
UninitializedDataSize: 0

Symantec reputation: Suspicious.Insight


Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
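The VirusTotal report above carries two things worth reading together: an import table and a Symantec "Suspicious.Insight" verdict. Insight is a prevalence-based reputation score rather than a signature match, so on its own it says little about a core OS binary. The import list, by contrast, is informative: a file named winlogon.exe should import the logon-role APIs only the real logon process needs (RegisterLogonProcess, SetLogonNotifyWindow, LsaRegisterLogonProcess, WinVerifyTrust), and in that context APIs that would look alarming in an unknown binary (CreateRemoteThread, SetWindowsHookW, OpenProcess, VirtualProtect) are expected. The following Python is an added example, not part of the original post and not VirusTotal's or Microsoft's code; it parses the "DLL: func, func" lines in the format shown above and runs that two-sided check. The sample listing is a constructed subset of the lines above, and both API lists are this example's own assumptions, not an authoritative baseline.

```python
"""Import-table triage for a file claiming to be winlogon.exe.

Added example; not part of the original post and not VirusTotal's or
Microsoft's code. Reads 'DLL: func, func, ...' lines in the format
VirusTotal prints and checks two things: which imports would look
alarming in an unknown binary, and whether the logon-role imports only
a genuine winlogon.exe has a reason to use are present. Both API lists
are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines in the listing above.
SAMPLE_LISTING = """\
KERNEL32.dll: OpenProcess, CreateRemoteThread, VirtualProtect, CreateNamedPipeW
Secur32.dll: LsaCallAuthenticationPackage, LsaRegisterLogonProcess
USER32.dll: RegisterLogonProcess, SetWindowsHookW, SetLogonNotifyWindow, SwitchDesktop
WINTRUST.dll: WinVerifyTrust, CryptCATAdminCalcHashFromFileHandle
WS2_32.dll: -, -, getaddrinfo
"""

# Imports that usually deserve a second look in an unknown binary
# (assumption: this example's own list, trimmed for illustration).
WATCHLIST = {
    "CreateRemoteThread": "thread injection into another process",
    "SetWindowsHookW": "system-wide message hook (keylogging, injection)",
    "OpenProcess": "opens other processes",
    "VirtualProtect": "changes page protections (unpacking, patching)",
}

# Imports the genuine logon process needs for its job; a file carrying the
# winlogon name but lacking these is the suspicious case (assumption).
WINLOGON_BASELINE = {
    "user32.dll": {"RegisterLogonProcess", "SetLogonNotifyWindow"},
    "secur32.dll": {"LsaRegisterLogonProcess"},
    "wintrust.dll": {"WinVerifyTrust"},
}


def parse_imports(listing):
    """Map lower-cased DLL name -> set of imported function names.

    A bare '-' is VirusTotal's marker for an import by ordinal (no name),
    so it is skipped rather than kept as a name.
    """
    imports = defaultdict(set)
    for line in listing.splitlines():
        m = re.match(r"^\s*([^:\s]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        dll, names = m.group(1).lower(), m.group(2)
        for name in names.split(","):
            name = name.strip()
            if name and name != "-":
                imports[dll].add(name)
    return dict(imports)


def triage(imports, baseline=WINLOGON_BASELINE, watchlist=WATCHLIST):
    """Return (flagged, missing).

    flagged: watchlisted API -> reason, for every watchlisted API imported.
    missing: baseline APIs the file should import for the winlogon role
             but does not.
    """
    present = set().union(*imports.values())
    flagged = {api: why for api, why in watchlist.items() if api in present}
    missing = set()
    for dll, needed in baseline.items():
        missing |= needed - imports.get(dll, set())
    return flagged, missing


def verdict(imports):
    """One-line reading of the triage result for a file named winlogon.exe."""
    flagged, missing = triage(imports)
    if missing:
        return ("does NOT look like winlogon: missing logon-role imports "
                + ", ".join(sorted(missing)))
    if flagged:
        note = ("watchlisted APIs (%s) are expected in a genuine winlogon, "
                "not evidence of tampering" % ", ".join(sorted(flagged)))
    else:
        note = "no watchlisted APIs"
    return "import table is consistent with the logon process; " + note


if __name__ == "__main__":
    imps = parse_imports(SAMPLE_LISTING)
    for api, why in sorted(triage(imps)[0].items()):
        print("%-20s %s" % (api, why))
    print(verdict(imps))
```

Treat this as a consistency check, not authentication: a trojan that replaces winlogon.exe can import the same names. The checks that actually settle the question for a file like this are catalog/Authenticode signature verification and comparing its hash with a known-good copy of the same build (5.1.2600.5512 here), which import triage does not replace.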
 