Solved Trojan Horse Crypt.AQLW

is this not a problem?:

C:\Windows\System32\drivers\dfsc.sys a variant of Win32/Rootkit.Kryptik.JV trojan unable to clean
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ed
->Temp folder emptied: 161841 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 7530047 bytes
->Flash cache emptied: 0 bytes

User: Jan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 23016 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 7.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Ed
->Flash cache emptied: 0 bytes

User: Jan
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Ed
->Java cache emptied: 0 bytes

User: Jan

User: Public

Total Java Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.34.0 log created on 03012012_221007

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Good eye :)

Open Windows Explorer. Go to Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders, and un-check Hide protected operating system files.
NOTE: Make sure to reverse the above changes when done with this step.
Upload the following files to http://www.virustotal.com/ for a security check:
- C:\Windows\System32\drivers\dfsc.sys
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
SHA256: 991902675cce7263777e105a4097236f2ce5f8560cdc441b59b0f6078b58b2bb
SHA1: f2ada5a90add677b2ab871c75159e3fa43175753
MD5: 8a317bad308374d417220eb687f3afba
File size: 76.5 KB ( 78336 bytes )
File name: dfsc.sys
File type: Win32 DLL
Detection ratio: 9 / 43
Analysis date: 2012-03-01 22:31:13 UTC ( 2 minutes ago )
Antivirus Result Update
AhnLab-V3 - 20120301
AntiVir TR/Rootkit.Gen2 20120301
Antiy-AVL - 20120301
Avast Win32:Alureon-AQW [Rtk] 20120301
AVG - 20120301
BitDefender - 20120301
ByteHero - 20120225
CAT-QuickHeal - 20120301
ClamAV - 20120301
Commtouch - 20120301
Comodo TrojWare.Win32.Rootkit.ZAcces.HL 20120301
DrWeb - 20120301
Emsisoft Rootkit.Win32.ZAccess!IK 20120301
eSafe - 20120229
eTrust-Vet - 20120301
F-Prot - 20120301
F-Secure - 20120301
Fortinet - 20120301
GData Win32:Alureon-AQW 20120301
Ikarus Rootkit.Win32.ZAccess 20120301
Jiangmin - 20120301
K7AntiVirus - 20120301
Kaspersky HEUR:Trojan.Win32.Generic 20120301
McAfee - 20120301
McAfee-GW-Edition - 20120301
Microsoft - 20120301
NOD32 a variant of Win32/Rootkit.Kryptik.JV 20120301
Norman - 20120229
nProtect - 20120301
Panda - 20120301
PCTools - 20120228
Prevx - 20120301
Rising - 20120301
Sophos - 20120301
SUPERAntiSpyware Trojan.Agent/Gen-Sirefef 20120301
Symantec - 20120301
TheHacker - 20120301
TrendMicro - 20120301
TrendMicro-HouseCall - 20120301
VBA32 - 20120301
VIPRE - 20120301
ViRobot - 20120301
VirusBuster - 20120301
 
Re-run OTL.

Make sure all other windows are closed and let it run uninterrupted.

Use the following settings:

  • Check Scan All Users.
  • For Processes choose none.
  • For Modules choose none.
  • For Services choose none.
  • For Drivers choose none.
  • For Standard Registry choose none.
  • For Extra Registry choose none.
  • For Files Created Within choose none.
  • For Files Modified Within choose none.
  • Under Custom Scans/Fixes paste:
Code:
/md5start
dfsc.sys
/md5stop
  • Finally hit Run Scan and wait for the log to open.
  • Please post the content of the log into your next reply.
 
OTL logfile created on: 01/03/2012 22:48:50 - Run 1
OTL by OldTimer - Version 3.2.34.0 Folder = C:\Users\Ed\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.75 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 57.20% Memory free
5.49 Gb Paging File | 4.08 Gb Available in Paging File | 74.26% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 114.40 Gb Total Space | 62.05 Gb Free Space | 54.24% Space Free | Partition Type: NTFS

Computer Name: ED-PC | User Name: Ed | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Custom Scans ==========



< MD5 for: DFSC.SYS >
[2011/04/27 02:33:46 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=83D1ECEA8FAAE75604C0FA49AC7AD996 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys
[2011/04/27 02:24:42 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=886E8C1608146CC355DDD455F5C8DD87 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.20953_none_8818997a6076855b\dfsc.sys
[2010/11/20 08:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- C:\Windows\System32\drivers\dfsc.sys
[2010/11/20 08:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys
[2009/07/13 23:14:17 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=8E09E52EE2E3CEB199EF3DD99CF9E3FB -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16385_none_87708401476f7a4f\dfsc.sys

< End of report >
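As an added illustration (not part of this thread, and not OTL's own code), the reasoning the helper applies to the "< MD5 for: DFSC.SYS >" listing above can be written down as a script: parse the OTL lines, treat any hash that also appears on a copy with no company name as untrusted, pick an attributed component-store copy as the donor, and emit the same "target|donor /replace" lines an OTL :Files fix takes. Function names are mine; the preference for the GDR servicing branch (revision below 20000) over the LDR branch is an assumption based on Windows 7 version numbering and reproduces the helper's choice of 6.1.7600.16804.

```python
import re

# Constructed sample input: the MD5 block as posted in the OTL custom-scan
# log above (same lines, same hashes). Two copies have no company name and
# share one MD5; three are attributed to Microsoft Corporation.
OTL_MD5_REPORT = r"""
< MD5 for: DFSC.SYS >
[2011/04/27 02:33:46 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=83D1ECEA8FAAE75604C0FA49AC7AD996 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys
[2011/04/27 02:24:42 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=886E8C1608146CC355DDD455F5C8DD87 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.20953_none_8818997a6076855b\dfsc.sys
[2010/11/20 08:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- C:\Windows\System32\drivers\dfsc.sys
[2010/11/20 08:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys
[2009/07/13 23:14:17 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=8E09E52EE2E3CEB199EF3DD99CF9E3FB -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16385_none_87708401476f7a4f\dfsc.sys
< End of report >
"""

# One OTL file line: [mtime | size | attrs | M] (Company) MD5=... -- path
LINE_RE = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| \S+ \| M\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
# Version embedded in a WinSxS component directory name, e.g. _6.1.7600.16804_none_
VERSION_RE = re.compile(r"_(\d+)\.(\d+)\.(\d+)\.(\d+)_none_")


def parse_md5_report(text):
    """Return one dict per file line of an OTL '< MD5 for: ... >' block."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header, footer and blank lines
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"].replace(",", ""))
        rec["md5"] = rec["md5"].upper()
        rec["company"] = rec["company"].strip()
        v = VERSION_RE.search(rec["path"])
        rec["version"] = tuple(int(x) for x in v.groups()) if v else None
        records.append(rec)
    return records


def untrusted_hashes(records):
    """Hashes seen on any copy OTL could not attribute to a company: an empty
    '()' means the version resource was missing or unreadable."""
    return {r["md5"] for r in records if not r["company"]}


def pick_donor(records):
    """Attributed copy whose hash no unattributed copy shares. Assumption:
    prefer the GDR branch (revision < 20000) over LDR, then highest version."""
    bad = untrusted_hashes(records)
    candidates = [r for r in records
                  if r["company"] and r["md5"] not in bad and r["version"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["version"][3] < 20000, r["version"]))


def triage(records):
    """Decide whether the live driver is trustworthy, list every copy that
    shares its hash, and name the copy to restore from."""
    live = [r for r in records if "\\system32\\drivers\\" in r["path"].lower()]
    if len(live) != 1:
        raise ValueError("expected exactly one copy under System32\\drivers")
    live = live[0]
    bad = untrusted_hashes(records)
    attributed = {r["md5"] for r in records if r["company"]}
    # The live file should be byte-identical to an attributed store copy.
    live_trusted = live["md5"] in attributed and live["md5"] not in bad
    tainted = [] if live_trusted else [r["path"] for r in records if r["md5"] == live["md5"]]
    donor = pick_donor(records)
    return {
        "live_path": live["path"],
        "live_md5": live["md5"],
        "live_trusted": live_trusted,
        "tainted_paths": tainted,
        "donor_path": donor["path"] if donor else None,
    }


def otl_replace_lines(result):
    """':Files' lines for an OTL fix, 'target|donor /replace', one per tainted copy."""
    if result["live_trusted"] or not result["donor_path"]:
        return []
    return [f"{p}|{result['donor_path']} /replace" for p in result["tainted_paths"]]


if __name__ == "__main__":
    result = triage(parse_md5_report(OTL_MD5_REPORT))
    print("live copy trusted:", result["live_trusted"])
    for fix_line in otl_replace_lines(result):
        print(fix_line)
```

Note that the 6.1.7601.17514 component-store copy carries the same untrusted hash as the live driver, which is why restoring from the store through normal servicing would not help here and an older attributed copy is chosen instead.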
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\drivers\dfsc.sys|C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys /replace
    C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys|C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys /replace
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

Then...

Re-run OTL with the same settings as in my reply #30.
 
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
Unable to replace file: C:\Windows\System32\drivers\dfsc.sys with C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys without a reboot.
Unable to replace file: C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys with C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys without a reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ed
->Temp folder emptied: 157799 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 85988530 bytes
->Flash cache emptied: 670 bytes

User: Jan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 46032 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 82.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Ed
->Java cache emptied: 0 bytes

User: Jan

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Ed
->Flash cache emptied: 0 bytes

User: Jan
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.34.0 log created on 03012012_230010

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
OTL logfile created on: 01/03/2012 23:06:04 - Run 2
OTL by OldTimer - Version 3.2.34.0 Folder = C:\Users\Ed\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.75 Gb Total Physical Memory | 1.54 Gb Available Physical Memory | 56.23% Memory free
5.49 Gb Paging File | 4.07 Gb Available in Paging File | 74.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 114.40 Gb Total Space | 62.06 Gb Free Space | 54.25% Space Free | Partition Type: NTFS

Computer Name: ED-PC | User Name: Ed | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Custom Scans ==========



< MD5 for: DFSC.SYS >
[2011/04/27 02:33:46 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=83D1ECEA8FAAE75604C0FA49AC7AD996 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys
[2011/04/27 02:24:42 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=886E8C1608146CC355DDD455F5C8DD87 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.20953_none_8818997a6076855b\dfsc.sys
[2010/11/20 08:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- C:\Windows\System32\drivers\dfsc.sys
[2010/11/20 08:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys
[2009/07/13 23:14:17 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=8E09E52EE2E3CEB199EF3DD99CF9E3FB -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16385_none_87708401476f7a4f\dfsc.sys

< End of report >
 
OK, that didn't work.

Download BlitzBlank and save it to your desktop.
Double click on Blitzblank.exe

  • Click OK at the warning.
  • Click the Script tab and copy/paste the following text there:
Code:
CopyFile:
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys C:\Windows\System32\drivers\dfsc.sys
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by Blitzblank.
    You can find it in the root of the drive, normally C:\

Post new OTL log as well (same settings as before).
 
BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\windows\system32\w2ww4sh.com__", destinationFile = "(null)", replaceWithDummy = 0


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys", destinationFile = "\??\c:\windows\system32\drivers\dfsc.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
CopyFile: ZwCreateFile failed: status = c0000022
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys", destinationFile = "\??\c:\windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
CopyFile: ZwCreateFile failed: status = c0000022
 
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
Unable to replace file: C:\Windows\System32\drivers\dfsc.sys with C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys without a reboot.
Unable to replace file: C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys with C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys without a reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ed
->Temp folder emptied: 206747 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 28623848 bytes
->Flash cache emptied: 0 bytes

User: Jan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 46032 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 28.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Ed
->Java cache emptied: 0 bytes

User: Jan

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Ed
->Flash cache emptied: 0 bytes

User: Jan
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.34.0 log created on 03012012_235032

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
It looks like we'll have to do it in a different way.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Under the Custom Scan box paste this in:

    /md5start
    dfsc.sys
    /md5stop

  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have an internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
OTL logfile created on: 3/2/2012 12:34:55 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Windows 7 Ultimate Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 89.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\Windows | %ProgramFiles% = E:\Program Files
Drive C: | 100.00 Mb Total Space | 65.48 Mb Free Space | 65.49% Space Free | Partition Type: NTFS
Drive E: | 114.40 Gb Total Space | 61.94 Gb Free Space | 54.14% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (z800mdfl)
SRV - File not found [Auto] -- -- (X10UIF)
SRV - File not found [Auto] -- -- (WmVirHid)
SRV - File not found [Auto] -- -- (wdm_au8820)
SRV - File not found [Auto] -- -- (W8100PCI)
SRV - File not found [Auto] -- -- (w800mdfl)
SRV - File not found [Auto] -- -- (vzupsvc)
SRV - File not found [Auto] -- -- (vet-filt)
SRV - File not found [Auto] -- -- (vetefile)
SRV - File not found [Auto] -- -- (VCAM)
SRV - File not found [Auto] -- -- (VAIOMediaPlatform-VideoServer-UPnP)
SRV - File not found [Auto] -- -- (uphclean)
SRV - File not found [Auto] -- -- (umpusbxp)
SRV - File not found [Auto] -- -- (tvichw32)
SRV - File not found [Auto] -- -- (transactional)
SRV - File not found [Auto] -- -- (thotkey)
SRV - File not found [Auto] -- -- (SymIM)
SRV - File not found [Auto] -- -- (sis162u)
SRV - File not found [Auto] -- -- (Si3132)
SRV - File not found [Auto] -- -- (se59mgmt)
SRV - File not found [Auto] -- -- (SE2Bmdfl)
SRV - File not found [Auto] -- -- (SE27mdm)
SRV - File not found [Auto] -- -- (se26nd5)
SRV - File not found [Auto] -- -- (SaiMini)
SRV - File not found [Auto] -- -- (s117obex)
SRV - File not found [Auto] -- -- (rslinx)
SRV - File not found [Auto] -- -- (roxwatch9)
SRV - File not found [Auto] -- -- (roxupnpserver)
SRV - File not found [Auto] -- -- (PGPsdkDriver)
SRV - File not found [Auto] -- -- (pdlndldl)
SRV - File not found [Auto] -- -- (pctfw1)
SRV - File not found [Auto] -- -- (PciBus)
SRV - File not found [Auto] -- -- (ooclevercacheagent)
SRV - File not found [Auto] -- -- (NWSNS)
SRV - File not found [Auto] -- -- (NsTrcNT)
SRV - File not found [Auto] -- -- (npfmntor)
SRV - File not found [Auto] -- -- (nHancer)
SRV - File not found [Auto] -- -- (NeroMediaHomeService.4)
SRV - File not found [Auto] -- -- (mssql$soshome22)
SRV - File not found [Auto] -- -- (MSICPL)
SRV - File not found [Auto] -- -- (mlkkbdntdriver)
SRV - File not found [Auto] -- -- (mcafeeframework)
SRV - File not found [Auto] -- -- (licenseservice)
SRV - File not found [Auto] -- -- (inotask)
SRV - File not found [Auto] -- -- (ibmsmbus)
SRV - File not found [Auto] -- -- (hsfhwbs2)
SRV - File not found [Auto] -- -- (HSFHWALI)
SRV - File not found [Auto] -- -- (hpqddsvc)
SRV - File not found [Auto] -- -- (hpdskflt)
SRV - File not found [Auto] -- -- (fsma)
SRV - File not found [Auto] -- -- (epstnt01)
SRV - File not found [Auto] -- -- (Eplpdx02)
SRV - File not found [Auto] -- -- (enxpsvc)
SRV - File not found [Auto] -- -- (DSDrv4)
SRV - File not found [Auto] -- -- (dpti2o)
SRV - File not found [Auto] -- -- (dlcf_device)
SRV - File not found [Auto] -- -- (dbmanagerscheduler)
SRV - File not found [Auto] -- -- (cm102u32)
SRV - File not found [Auto] -- -- (cdvp)
SRV - File not found [Auto] -- -- (cdr4_2k)
SRV - File not found [Auto] -- -- (bwsvc)
SRV - File not found [Auto] -- -- (bcm4sbxp)
SRV - File not found [Auto] -- -- (avgtdi)
SRV - File not found [Auto] -- -- (atmarpc)
SRV - File not found [Auto] -- -- (AtiHdmiService)
SRV - File not found [Auto] -- -- (aswrdr)
SRV - File not found [Auto] -- -- (adobeversioncue)
SRV - [2012/01/13 09:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto] -- E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/01/07 07:21:24 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2012/01/04 08:32:36 | 000,718,888 | ---- | M] (Nokia) [On_Demand] -- E:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2011/08/02 01:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- E:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2011/06/12 06:15:00 | 031,125,880 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2011/04/19 21:04:08 | 000,176,128 | ---- | M] (AMD) [Auto] -- E:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/04/16 11:10:58 | 000,036,864 | ---- | M] (Realtek) [Auto] -- E:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe -- (Realtek11nCU)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/10/30 15:51:44 | 000,492,720 | ---- | M] () [Auto] -- E:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 15:07:38 | 000,427,288 | ---- | M] (Acronis) [Auto] -- E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (VGPU)
DRV - File not found [Kernel | On_Demand] -- -- (tsusbhub)
DRV - File not found [Kernel | On_Demand] -- -- (Synth3dVsc)
DRV - [2012/02/04 07:59:55 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot] -- E:\Windows\System32\drivers\timntr.sys -- (timounter)
DRV - [2012/02/04 07:59:55 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto] -- E:\Windows\System32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2012/02/04 07:59:19 | 000,129,248 | ---- | M] (Acronis) [Kernel | Boot] -- E:\Windows\System32\drivers\snapman.sys -- (snapman)
DRV - [2012/02/04 07:59:01 | 000,368,544 | ---- | M] (Acronis) [Kernel | Boot] -- E:\Windows\System32\drivers\tdrpman.sys -- (tdrpman)
DRV - [2012/01/07 12:23:59 | 000,231,376 | ---- | M] (TrueCrypt Foundation) [Kernel | System] -- E:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2011/12/19 09:12:00 | 000,104,752 | ---- | M] (Oracle Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV - [2011/12/19 09:11:58 | 000,158,512 | ---- | M] (Oracle Corporation) [Kernel | System] -- E:\Windows\System32\drivers\VBoxDrv.sys -- (VBoxDrv)
DRV - [2011/12/19 09:11:58 | 000,116,016 | ---- | M] (Oracle Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\VBoxNetFlt.sys -- (VBoxNetFlt)
DRV - [2011/12/19 09:11:58 | 000,091,440 | ---- | M] (Oracle Corporation) [Kernel | System] -- E:\Windows\System32\drivers\VBoxUSBMon.sys -- (VBoxUSBMon)
DRV - [2011/12/10 10:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- E:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/11/01 05:07:26 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2011/11/01 05:07:26 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand] -- E:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2011/11/01 05:07:24 | 000,023,168 | ---- | M] (Nokia) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2011/10/07 01:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- E:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/09/13 01:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot] -- E:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 01:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- E:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/10 20:14:12 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot] -- E:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/04/19 21:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2011/04/19 20:22:10 | 000,243,712 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2011/02/10 20:35:44 | 000,728,064 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- E:\Windows\System32\drivers\RTL8192cu.sys -- (RTL8192cu)
DRV - [2010/11/20 07:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- E:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 07:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- E:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 07:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 04:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 04:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/11/20 03:42:32 | 000,078,336 | ---- | M] () [File_System | System] -- E:\Windows\System32\drivers\dfsc.sys -- (DfsC)
DRV - [2009/10/20 15:23:24 | 000,047,104 | ---- | M] (Texas Instruments Inc) [Kernel | On_Demand] -- E:\Windows\System32\drivers\umpusbvista.sys -- (umpusbvista)
DRV - [2008/08/26 04:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand] -- E:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Ed_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\Ed_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 8C 34 32 F3 59 F5 CC 01 [binary data]
IE - HKU\Ed_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Ed_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\Jan_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\Jan_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\Jan_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A 23 E0 58 E3 F2 CC 01 [binary data]
IE - HKU\Jan_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf: E:\Program Files\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: E:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: E:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: E:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: E:\Program Files\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: E:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: E:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: E:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\virtualKeyboard@kaspersky.ru
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\KavAntiBanner@Kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\KavAntiBanner@kaspersky.ru
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\linkfilter@kaspersky.ru
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fe_9.0@nokia.com: C:\Program Files\Nokia\Nokia Suite\Connectors\Bookmarks Connector\FirefoxExtension_9.0 [2012/02/24 17:49:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/07 05:52:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/01 14:27:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/01/07 12:41:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2012/01/07 05:53:00 | 000,000,000 | ---D | M] (No name found) -- E:\Users\Ed\AppData\Roaming\Mozilla\Extensions
[2012/02/15 12:00:14 | 000,000,000 | ---D | M] (No name found) -- E:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\x7uoiu9s.default\extensions
[2012/02/15 12:00:14 | 000,000,000 | ---D | M] (HP Detect) -- E:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\x7uoiu9s.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
[2012/03/01 17:04:03 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files\Mozilla Firefox\extensions
[2012/03/01 14:27:55 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- E:\USERS\ED\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X7UOIU9S.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- E:\USERS\ED\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X7UOIU9S.DEFAULT\EXTENSIONS\{E0204BD5-9D31-402B-A99D-A6AA8FFEBDCA}.XPI
[2011/12/21 02:47:04 | 000,121,816 | ---- | M] (Mozilla Foundation) -- E:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/03/01 14:27:43 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/07/29 08:33:40 | 000,108,480 | ---- | M] ( ) -- E:\Program Files\mozilla firefox\plugins\npwangwang.dll
[2011/12/21 00:14:26 | 000,001,538 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/12/21 00:02:40 | 000,002,252 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/21 00:14:26 | 000,000,947 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/12/21 00:14:26 | 000,001,180 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/12/21 00:14:26 | 000,001,135 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/02/29 17:10:02 | 000,000,027 | ---- | M]) - E:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - E:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [APSDaemon] E:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] E:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCSSync] E:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] E:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [TrueImageMonitor.exe] E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\Ed_ON_E..\Run: [NokiaSuite.exe] E:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe (Nokia)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Ed_ON_E\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Ed_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\Jan_ON_E\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_E\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_E\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\systemprofile_ON_E\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - E:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - E:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - E:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - E:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - E:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - E:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - E:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - E:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - E:\Windows\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart) - E:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/01 19:12:58 | 127,231,689 | ---- | C] (Igor Pavlov) -- E:\Users\Ed\Desktop\OTLPENet.exe
[2012/03/01 18:42:41 | 001,153,912 | ---- | C] (Emsi Software GmbH) -- E:\Users\Ed\Desktop\BlitzBlank.exe
[2012/03/01 18:00:10 | 000,000,000 | ---D | C] -- E:\_OTL
[2012/03/01 17:40:21 | 000,584,704 | ---- | C] (OldTimer Tools) -- E:\Users\Ed\Desktop\OTL.exe
[2012/03/01 14:36:03 | 000,000,000 | ---D | C] -- E:\Program Files\ESET
[2012/03/01 14:34:17 | 000,446,464 | ---- | C] (OldTimer Tools) -- E:\Users\Ed\Desktop\TFC.exe
[2012/03/01 14:30:12 | 000,000,000 | ---D | C] -- E:\Users\Ed\Desktop\JavaRa-1.16-16-12-11
[2012/03/01 14:28:16 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Java
[2012/03/01 14:27:52 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- E:\Windows\System32\javaws.exe
[2012/03/01 14:27:52 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- E:\Windows\System32\javaw.exe
[2012/03/01 14:27:52 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- E:\Windows\System32\java.exe
[2012/03/01 14:22:32 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\AVG2012
[2012/03/01 14:21:51 | 000,000,000 | ---D | C] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2012
[2012/03/01 14:21:18 | 000,000,000 | ---D | C] -- E:\ProgramData\AVG2012
[2012/03/01 14:21:18 | 000,000,000 | ---D | C] -- E:\Windows\System32\drivers\AVG
[2012/03/01 13:17:53 | 000,000,000 | ---D | C] -- E:\Windows\temp
[2012/03/01 12:47:33 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Local\temp
[2012/03/01 12:46:52 | 000,000,000 | -HSD | C] -- E:\$RECYCLE.BIN
[2012/02/29 15:24:02 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\temp
[2012/02/29 14:38:45 | 000,000,000 | ---D | C] -- E:\Windows\ERDNT
[2012/02/29 13:17:06 | 000,000,000 | ---D | C] -- E:\Users\Ed\Desktop\RK_Quarantine
[2012/02/29 06:02:24 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Malwarebytes
[2012/02/29 06:02:06 | 000,000,000 | ---D | C] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/29 06:02:05 | 000,000,000 | ---D | C] -- E:\ProgramData\Malwarebytes
[2012/02/29 06:02:04 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- E:\Windows\System32\drivers\mbam.sys
[2012/02/29 06:02:03 | 000,000,000 | ---D | C] -- E:\Program Files\Malwarebytes' Anti-Malware
[2012/02/28 15:21:02 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ReliefJet Essentials
[2012/02/28 15:21:00 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\ReliefJet Essentials
[2012/02/28 15:01:22 | 000,581,632 | ---- | C] (Joshua F. Madison) -- E:\Users\Ed\Desktop\CONVERT.EXE
[2012/02/28 14:47:03 | 000,000,000 | -H-D | C] -- E:\ProgramData\Common Files
[2012/02/28 14:43:53 | 000,000,000 | ---D | C] -- E:\Program Files\AVG
[2012/02/28 14:36:43 | 000,000,000 | ---D | C] -- E:\ProgramData\MFAData
[2012/02/28 13:07:01 | 000,000,000 | ---D | C] -- E:\Users\Ed\Desktop\email
[2012/02/28 05:23:19 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\{928C28D1-CF31-40B0-80C6-40ED46AAD963}
[2012/02/28 05:23:07 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\{59D9C12F-AE5C-45A0-B534-62DAC15E1F5E}
[2012/02/27 11:49:36 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\{306C849C-CB13-48A1-863E-C353BF9A5A5C}
[2012/02/27 11:49:24 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\{1EEB30EC-52DA-4E18-A50C-AF2326DB4178}
[2012/02/27 11:49:12 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Windows Live Writer
[2012/02/27 11:49:12 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\Windows Live Writer
[2012/02/27 11:43:42 | 000,000,000 | ---D | C] -- E:\Program Files\Windows Live
[2012/02/27 11:38:08 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\Windows Live
[2012/02/27 11:38:00 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Windows Live
[2012/02/26 10:30:20 | 000,000,000 | ---D | C] -- E:\Jan
[2012/02/26 08:51:56 | 000,000,000 | ---D | C] -- E:\Program Files\MSXML 4.0
[2012/02/24 18:01:36 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Nokia Suite
[2012/02/24 17:59:00 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\NokiaAccount
[2012/02/24 17:50:02 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Nokia
[2012/02/24 17:50:02 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\Nokia
[2012/02/24 17:49:57 | 000,000,000 | ---D | C] -- E:\ProgramData\PC Suite
[2012/02/24 17:49:55 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\PC Suite
[2012/02/24 17:49:07 | 000,000,000 | ---D | C] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nokia
[2012/02/24 17:49:00 | 000,000,000 | ---D | C] -- E:\ProgramData\Nokia
[2012/02/24 17:49:00 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Nokia
[2012/02/24 17:48:03 | 000,000,000 | ---D | C] -- E:\Program Files\DIFX
[2012/02/24 17:48:01 | 000,018,816 | ---- | C] (Nokia) -- E:\Windows\System32\drivers\pccsmcfd.sys
[2012/02/24 17:47:40 | 000,000,000 | ---D | C] -- E:\Program Files\PC Connectivity Solution
[2012/02/24 17:47:20 | 000,075,264 | ---- | C] (Nokia) -- E:\Windows\System32\nmwcdcls.dll
[2012/02/24 17:46:44 | 000,000,000 | ---D | C] -- E:\ProgramData\NokiaInstallerCache
[2012/02/24 17:46:44 | 000,000,000 | ---D | C] -- E:\Program Files\Nokia
[2012/02/24 17:17:10 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Blackberry Desktop
[2012/02/24 17:12:26 | 000,000,000 | ---D | C] -- E:\Users\Ed\Documents\BlackBerry
[2012/02/24 17:05:47 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\Research In Motion
[2012/02/24 17:05:46 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Research In Motion
[2012/02/24 17:03:37 | 000,000,000 | ---D | C] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\BlackBerry
[2012/02/24 17:03:33 | 000,000,000 | ---D | C] -- E:\ProgramData\Research In Motion
[2012/02/24 17:03:20 | 000,000,000 | ---D | C] -- E:\Program Files\Research In Motion
[2012/02/24 17:03:20 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Research In Motion
[2012/02/24 12:20:47 | 000,000,000 | ---D | C] -- E:\Windows\System32\aliedit
[2012/02/24 12:20:39 | 000,000,000 | ---D | C] -- E:\Program Files\Trademanager
[2012/02/24 12:17:47 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\Alibaba
[2012/02/24 05:59:18 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Roaming\Adobe
[2012/02/18 06:19:03 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Scooter Software
[2012/02/18 06:18:57 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Beyond Compare 3
[2012/02/18 06:18:56 | 000,000,000 | ---D | C] -- E:\Program Files\Beyond Compare 3
[2012/02/17 13:41:55 | 000,000,000 | ---D | C] -- E:\Users\Ed\Documents\Outlook Files
[2012/02/17 13:05:07 | 000,000,000 | ---D | C] -- E:\Users\Ed\Documents\thunderbird emails for import
[2012/02/17 12:57:03 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMAPSize
[2012/02/17 12:57:03 | 000,000,000 | ---D | C] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\IMAPSize
[2012/02/17 12:57:03 | 000,000,000 | ---D | C] -- E:\Program Files\IMAPSize
[2012/02/17 12:09:45 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Helios
[2012/02/17 12:09:08 | 000,000,000 | ---D | C] -- E:\Program Files\TextPad 5
[2012/02/15 12:21:11 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Local\ElevatedDiagnostics
[2012/02/15 12:02:43 | 000,000,000 | ---D | C] -- E:\Program Files\Hewlett-Packard
[2012/02/15 12:02:07 | 000,000,000 | ---D | C] -- E:\Program Files\HP
[2012/02/15 11:32:45 | 002,382,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mshtml.tlb
[2012/02/15 11:32:44 | 001,798,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\jscript9.dll
[2012/02/15 11:32:44 | 000,716,800 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\jscript.dll
[2012/02/15 11:32:43 | 000,065,024 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\jsproxy.dll
[2012/02/15 11:32:42 | 000,231,936 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\url.dll
[2012/02/15 11:32:42 | 000,176,640 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ieui.dll
[2012/02/15 11:32:39 | 001,427,456 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\inetcpl.cpl
[2012/02/15 10:16:33 | 002,343,424 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\win32k.sys
[2012/02/12 08:38:02 | 000,000,000 | ---D | C] -- E:\Users\Ed\Documents\Building Regulations
[2012/02/12 06:37:55 | 000,000,000 | ---D | C] -- E:\Users\Ed\Documents\MS Project
[2012/02/07 03:07:38 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Roaming\Apple Computer
[2012/02/07 03:07:25 | 000,000,000 | R--D | C] -- E:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/02/07 03:07:25 | 000,000,000 | R--D | C] -- E:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/02/07 03:07:25 | 000,000,000 | -H-D | C] -- E:\Users\Jan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/02/07 03:07:17 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Roaming\Identities
[2012/02/07 03:06:47 | 000,000,000 | -HSD | C] -- E:\Users\Jan\AppData\Local\Temporary Internet Files
[2012/02/07 03:06:47 | 000,000,000 | -HSD | C] -- E:\Users\Jan\Documents\My Videos
[2012/02/07 03:06:47 | 000,000,000 | -HSD | C] -- E:\Users\Jan\Documents\My Pictures
[2012/02/07 03:06:47 | 000,000,000 | -HSD | C] -- E:\Users\Jan\Documents\My Music
[2012/02/07 03:06:47 | 000,000,000 | -HSD | C] -- E:\Users\Jan\AppData\Local\History
[2012/02/07 03:06:47 | 000,000,000 | -HSD | C] -- E:\Users\Jan\AppData\Local\Application Data
[2012/02/07 03:06:47 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\LocalLow
[2012/02/07 03:06:46 | 000,000,000 | --SD | C] -- E:\Users\Jan\AppData\Roaming\Microsoft
[2012/02/07 03:06:46 | 000,000,000 | R--D | C] -- E:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012/02/07 03:06:46 | 000,000,000 | R--D | C] -- E:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/02/07 03:06:46 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Roaming
[2012/02/07 03:06:46 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Local\Microsoft
[2012/02/07 03:06:46 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Roaming\Media Center Programs
[2012/02/07 03:06:46 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Roaming\Macromedia
[2012/02/07 03:06:46 | 000,000,000 | ---D | C] -- E:\Users\Jan\AppData\Local
[2012/02/07 03:06:46 | 000,000,000 | ---D | C] -- E:\Users\Jan
[2012/02/04 08:00:23 | 000,000,000 | ---D | C] -- E:\ProgramData\Acronis
[2012/02/04 07:59:55 | 000,441,760 | ---- | C] (Acronis) -- E:\Windows\System32\drivers\timntr.sys
[2012/02/04 07:59:55 | 000,044,384 | ---- | C] (Acronis) -- E:\Windows\System32\drivers\tifsfilt.sys
[2012/02/04 07:59:19 | 000,129,248 | ---- | C] (Acronis) -- E:\Windows\System32\drivers\snapman.sys
[2012/02/04 07:59:01 | 000,368,544 | ---- | C] (Acronis) -- E:\Windows\System32\drivers\tdrpman.sys
[2012/02/04 07:58:52 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Acronis
[2012/02/04 07:58:41 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Acronis
[2012/02/04 07:58:41 | 000,000,000 | ---D | C] -- E:\Program Files\Acronis
[2012/02/01 17:42:55 | 000,000,000 | ---D | C] -- E:\Users\Ed\AppData\Roaming\River Past G2
[2012/02/01 16:25:28 | 000,000,000 | ---D | C] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2012/02/01 16:25:28 | 000,000,000 | ---D | C] -- E:\Program Files\7-Zip
[2012/02/01 15:13:51 | 000,000,000 | ---D | C] -- E:\Windows\Sun
[2012/01/28 14:37:18 | 000,047,360 | ---- | C] (VSO Software) -- E:\Users\Ed\AppData\Roaming\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2012/03/01 19:25:58 | 000,067,584 | --S- | M] () -- E:\Windows\bootstat.dat
[2012/03/01 19:25:51 | 000,010,320 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/01 19:25:51 | 000,010,320 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/01 19:20:00 | 000,000,878 | ---- | M] () -- E:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/01 19:16:04 | 127,231,689 | ---- | M] (Igor Pavlov) -- E:\Users\Ed\Desktop\OTLPENet.exe
[2012/03/01 18:51:54 | 000,000,874 | ---- | M] () -- E:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/01 18:51:25 | 2212,306,944 | -HS- | M] () -- E:\hiberfil.sys
[2012/03/01 18:42:42 | 001,153,912 | ---- | M] (Emsi Software GmbH) -- E:\Users\Ed\Desktop\BlitzBlank.exe
[2012/03/01 17:53:57 | 000,007,600 | ---- | M] () -- E:\Users\Ed\AppData\Local\Resmon.ResmonCfg
[2012/03/01 17:40:22 | 000,584,704 | ---- | M] (OldTimer Tools) -- E:\Users\Ed\Desktop\OTL.exe
[2012/03/01 14:34:18 | 000,446,464 | ---- | M] (OldTimer Tools) -- E:\Users\Ed\Desktop\TFC.exe
[2012/03/01 14:33:30 | 000,337,137 | ---- | M] () -- E:\Users\Ed\Desktop\FSS.exe
[2012/03/01 14:31:41 | 000,869,194 | ---- | M] () -- E:\Users\Ed\Desktop\SecurityCheck.exe
[2012/03/01 14:29:58 | 000,160,639 | ---- | M] () -- E:\Users\Ed\Desktop\JavaRa-1.16-16-12-11.zip
[2012/03/01 14:27:43 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- E:\Windows\System32\deployJava1.dll
[2012/03/01 14:27:43 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- E:\Windows\System32\javaws.exe
[2012/03/01 14:27:43 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- E:\Windows\System32\javaw.exe
[2012/03/01 14:27:43 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- E:\Windows\System32\java.exe
[2012/03/01 14:23:47 | 058,399,941 | ---- | M] () -- E:\Windows\System32\drivers\AVG\incavi.avm
[2012/03/01 14:21:52 | 000,000,935 | ---- | M] () -- E:\Users\Public\Desktop\AVG 2012.lnk
[2012/03/01 14:21:52 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2012
[2012/02/29 17:10:02 | 000,000,027 | ---- | M] () -- E:\Windows\System32\drivers\etc\hosts
[2012/02/29 16:38:24 | 000,015,535 | ---- | M] () -- E:\Users\Ed\Desktop\34119_WMT0920_IMG_01_0000.JPG
[2012/02/29 13:16:18 | 000,000,512 | ---- | M] () -- E:\Users\Ed\Desktop\MBR.dat
[2012/02/29 07:32:14 | 000,302,592 | ---- | M] () -- E:\Users\Ed\Desktop\p5vthjdp.exe
[2012/02/29 06:02:12 | 000,001,067 | ---- | M] () -- E:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/29 06:02:12 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/29 02:45:22 | 281,060,764 | ---- | M] () -- E:\Windows\MEMORY.DMP
[2012/02/29 02:43:38 | 000,000,112 | ---- | M] () -- E:\ProgramData\aSShX6D.dat
[2012/02/28 19:13:21 | 000,709,350 | ---- | M] () -- E:\Windows\System32\perfh00C.dat
[2012/02/28 19:13:21 | 000,704,028 | ---- | M] () -- E:\Windows\System32\perfh010.dat
[2012/02/28 19:13:21 | 000,658,756 | ---- | M] () -- E:\Windows\System32\perfh007.dat
[2012/02/28 19:13:21 | 000,638,064 | ---- | M] () -- E:\Windows\System32\perfh005.dat
[2012/02/28 19:13:21 | 000,630,928 | ---- | M] () -- E:\Windows\System32\perfh009.dat
[2012/02/28 19:13:21 | 000,463,506 | ---- | M] () -- E:\Windows\System32\perfh014.dat
[2012/02/28 19:13:21 | 000,448,308 | ---- | M] () -- E:\Windows\System32\perfh00B.dat
[2012/02/28 19:13:21 | 000,414,656 | ---- | M] () -- E:\Windows\System32\perfh012.dat
[2012/02/28 19:13:21 | 000,392,790 | ---- | M] () -- E:\Windows\System32\prfh0404.dat
[2012/02/28 19:13:21 | 000,376,688 | ---- | M] () -- E:\Windows\System32\prfh0804.dat
[2012/02/28 19:13:21 | 000,134,804 | ---- | M] () -- E:\Windows\System32\perfc00C.dat
[2012/02/28 19:13:21 | 000,134,204 | ---- | M] () -- E:\Windows\System32\perfc007.dat
[2012/02/28 19:13:21 | 000,131,808 | ---- | M] () -- E:\Windows\System32\perfc010.dat
[2012/02/28 19:13:21 | 000,126,452 | ---- | M] () -- E:\Windows\System32\perfc005.dat
[2012/02/28 19:13:21 | 000,111,052 | ---- | M] () -- E:\Windows\System32\perfc009.dat
[2012/02/28 19:13:21 | 000,109,340 | ---- | M] () -- E:\Windows\System32\perfc012.dat
[2012/02/28 19:13:21 | 000,108,912 | ---- | M] () -- E:\Windows\System32\prfc0804.dat
[2012/02/28 19:13:21 | 000,103,998 | ---- | M] () -- E:\Windows\System32\prfc0404.dat
[2012/02/28 19:13:21 | 000,086,812 | ---- | M] () -- E:\Windows\System32\perfc00B.dat
[2012/02/28 19:13:21 | 000,081,760 | ---- | M] () -- E:\Windows\System32\perfc014.dat
[2012/02/27 11:46:02 | 000,001,404 | ---- | M] () -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
[2012/02/27 09:31:59 | 000,006,907 | ---- | M] () -- E:\Users\Ed\AppData\Roaming\Comma Separated Values (Windows).EML
[2012/02/27 09:07:26 | 000,000,948 | ---- | M] () -- E:\Windows\Active Setup Log.BAK
[2012/02/24 17:57:34 | 000,000,000 | -H-- | M] () -- E:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf
[2012/02/24 17:57:19 | 000,000,000 | -H-- | M] () -- E:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
[2012/02/24 17:49:08 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nokia
[2012/02/24 17:49:07 | 000,002,047 | ---- | M] () -- E:\Users\Public\Desktop\Nokia Suite.lnk
[2012/02/24 17:12:24 | 000,000,000 | -H-- | M] () -- E:\Windows\System32\drivers\Msft_Kernel_RimUsb_01007.Wdf
[2012/02/24 17:04:14 | 000,000,000 | -H-- | M] () -- E:\Windows\System32\drivers\Msft_Kernel_RimSerial_01007.Wdf
[2012/02/24 17:03:38 | 000,002,189 | ---- | M] () -- E:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
[2012/02/24 17:03:37 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\BlackBerry
[2012/02/24 05:59:12 | 000,001,407 | ---- | M] () -- E:\Users\Jan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/02/18 06:18:57 | 000,000,953 | ---- | M] () -- E:\Users\Ed\Desktop\Beyond Compare 3.lnk
[2012/02/17 14:51:25 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pool-Mate Pro
[2012/02/17 14:51:03 | 000,286,720 | ---- | M] (Microsoft Corporation) -- E:\Windows\Setup1.exe
[2012/02/17 14:50:59 | 000,073,216 | ---- | M] (Microsoft Corporation) -- E:\Windows\ST6UNST.EXE
[2012/02/17 13:42:01 | 000,001,101 | ---- | M] () -- E:\Users\Ed\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2012/02/17 12:57:04 | 000,000,913 | ---- | M] () -- E:\Users\Jan\Desktop\IMAPSize.lnk
[2012/02/17 12:57:04 | 000,000,913 | ---- | M] () -- E:\Users\Ed\Desktop\IMAPSize.lnk
[2012/02/17 12:57:04 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\IMAPSize
[2012/02/17 05:58:27 | 000,024,099 | ---- | M] () -- E:\Users\Ed\Desktop\Public-Swimming-Pool-Timetable-November-2011.pdf
[2012/02/17 05:55:39 | 003,465,897 | ---- | M] () -- E:\Users\Ed\Desktop\flcpooltimetablejanuary2012.pdf
[2012/02/15 11:47:29 | 000,408,048 | ---- | M] () -- E:\Windows\System32\FNTCACHE.DAT
[2012/02/14 08:36:49 | 000,227,764 | ---- | M] () -- E:\enters sink waste here.jpg
[2012/02/14 08:36:19 | 000,218,793 | ---- | M] () -- E:\spaghetti.jpg
[2012/02/14 08:35:43 | 000,225,357 | ---- | M] () -- E:\drains enter here.jpg
[2012/02/14 08:27:46 | 002,346,306 | ---- | M] () -- E:\CIMG5848.JPG
[2012/02/14 08:27:42 | 002,288,281 | ---- | M] () -- E:\CIMG5847.JPG
[2012/02/14 08:27:24 | 002,312,729 | ---- | M] () -- E:\CIMG5846.JPG
[2012/02/12 06:36:05 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2012/02/04 07:59:55 | 000,441,760 | ---- | M] (Acronis) -- E:\Windows\System32\drivers\timntr.sys
[2012/02/04 07:59:55 | 000,044,384 | ---- | M] (Acronis) -- E:\Windows\System32\drivers\tifsfilt.sys
[2012/02/04 07:59:19 | 000,129,248 | ---- | M] (Acronis) -- E:\Windows\System32\drivers\snapman.sys
[2012/02/04 07:59:01 | 000,368,544 | ---- | M] (Acronis) -- E:\Windows\System32\drivers\tdrpman.sys
[2012/02/04 07:58:59 | 000,001,129 | ---- | M] () -- E:\Users\Ed\Desktop\Acronis*True*Image*Home 11.0.lnk
[2012/02/02 16:31:32 | 000,000,073 | ---- | M] () -- E:\Windows\cdplayer.ini
[2012/02/02 16:31:17 | 000,001,534 | ---- | M] () -- E:\ProgramData\ss.ini
[2012/02/01 16:25:28 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip

========== Files Created - No Company Name ==========

[2012/03/01 14:33:30 | 000,337,137 | ---- | C] () -- E:\Users\Ed\Desktop\FSS.exe
[2012/03/01 14:31:41 | 000,869,194 | ---- | C] () -- E:\Users\Ed\Desktop\SecurityCheck.exe
[2012/03/01 14:29:58 | 000,160,639 | ---- | C] () -- E:\Users\Ed\Desktop\JavaRa-1.16-16-12-11.zip
[2012/03/01 14:23:47 | 058,399,941 | ---- | C] () -- E:\Windows\System32\drivers\AVG\incavi.avm
[2012/03/01 14:21:52 | 000,000,935 | ---- | C] () -- E:\Users\Public\Desktop\AVG 2012.lnk
[2012/02/29 16:38:21 | 000,015,535 | ---- | C] () -- E:\Users\Ed\Desktop\34119_WMT0920_IMG_01_0000.JPG
[2012/02/29 13:16:18 | 000,000,512 | ---- | C] () -- E:\Users\Ed\Desktop\MBR.dat
[2012/02/29 07:32:04 | 000,302,592 | ---- | C] () -- E:\Users\Ed\Desktop\p5vthjdp.exe
[2012/02/29 06:02:12 | 000,001,067 | ---- | C] () -- E:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/28 20:02:32 | 000,000,112 | ---- | C] () -- E:\ProgramData\aSShX6D.dat
[2012/02/27 11:45:45 | 000,001,404 | ---- | C] () -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
[2012/02/27 09:31:59 | 000,006,907 | ---- | C] () -- E:\Users\Ed\AppData\Roaming\Comma Separated Values (Windows).EML
[2012/02/27 09:07:15 | 000,000,948 | ---- | C] () -- E:\Windows\Active Setup Log.BAK
[2012/02/24 17:57:34 | 000,000,000 | -H-- | C] () -- E:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf
[2012/02/24 17:57:19 | 000,000,000 | -H-- | C] () -- E:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
[2012/02/24 17:49:05 | 000,002,047 | ---- | C] () -- E:\Users\Public\Desktop\Nokia Suite.lnk
[2012/02/24 17:12:24 | 000,000,000 | -H-- | C] () -- E:\Windows\System32\drivers\Msft_Kernel_RimUsb_01007.Wdf
[2012/02/24 17:04:14 | 000,000,000 | -H-- | C] () -- E:\Windows\System32\drivers\Msft_Kernel_RimSerial_01007.Wdf
[2012/02/24 17:03:38 | 000,002,189 | ---- | C] () -- E:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
[2012/02/24 05:59:11 | 000,001,407 | ---- | C] () -- E:\Users\Jan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/02/18 06:18:57 | 000,000,953 | ---- | C] () -- E:\Users\Ed\Desktop\Beyond Compare 3.lnk
[2012/02/17 13:42:01 | 000,001,101 | ---- | C] () -- E:\Users\Ed\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2012/02/17 12:57:04 | 000,000,913 | ---- | C] () -- E:\Users\Jan\Desktop\IMAPSize.lnk
[2012/02/17 12:57:04 | 000,000,913 | ---- | C] () -- E:\Users\Ed\Desktop\IMAPSize.lnk
[2012/02/17 12:09:12 | 000,000,957 | ---- | C] () -- E:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TextPad.lnk
[2012/02/17 05:58:59 | 000,024,099 | ---- | C] () -- E:\Users\Ed\Desktop\Public-Swimming-Pool-Timetable-November-2011.pdf
[2012/02/17 05:57:12 | 003,465,897 | ---- | C] () -- E:\Users\Ed\Desktop\flcpooltimetablejanuary2012.pdf
[2012/02/14 08:36:48 | 000,227,764 | ---- | C] () -- E:\enters sink waste here.jpg
[2012/02/14 08:36:19 | 000,218,793 | ---- | C] () -- E:\spaghetti.jpg
[2012/02/14 08:35:43 | 000,225,357 | ---- | C] () -- E:\drains enter here.jpg
[2012/02/14 08:32:35 | 002,346,306 | ---- | C] () -- E:\CIMG5848.JPG
[2012/02/14 08:32:35 | 002,312,729 | ---- | C] () -- E:\CIMG5846.JPG
[2012/02/14 08:32:35 | 002,288,281 | ---- | C] () -- E:\CIMG5847.JPG
[2012/02/07 03:07:26 | 000,001,413 | ---- | C] () -- E:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/02/07 03:06:46 | 000,000,290 | ---- | C] () -- E:\Users\Jan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2012/02/07 03:06:46 | 000,000,272 | ---- | C] () -- E:\Users\Jan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2012/02/04 07:58:59 | 000,001,129 | ---- | C] () -- E:\Users\Ed\Desktop\Acronis*True*Image*Home 11.0.lnk
[2012/02/01 17:42:56 | 000,000,073 | ---- | C] () -- E:\Windows\cdplayer.ini
[2012/02/01 17:39:45 | 000,001,534 | ---- | C] () -- E:\ProgramData\ss.ini
[2012/01/28 14:37:18 | 000,007,887 | ---- | C] () -- E:\Users\Ed\AppData\Roaming\pcouffin.cat
[2012/01/28 14:37:18 | 000,001,144 | ---- | C] () -- E:\Users\Ed\AppData\Roaming\pcouffin.inf
[2012/01/24 16:31:31 | 000,003,584 | ---- | C] () -- E:\Users\Ed\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/22 15:27:00 | 000,175,616 | ---- | C] () -- E:\Windows\System32\unrar.dll
[2012/01/22 15:26:56 | 000,650,752 | ---- | C] () -- E:\Windows\System32\xvidcore.dll
[2012/01/22 15:26:56 | 000,243,200 | ---- | C] () -- E:\Windows\System32\xvidvfw.dll
[2012/01/22 15:26:55 | 000,079,360 | ---- | C] () -- E:\Windows\System32\ff_vfw.dll
[2012/01/08 11:56:06 | 000,007,600 | ---- | C] () -- E:\Users\Ed\AppData\Local\Resmon.ResmonCfg
 
[2012/01/07 07:14:05 | 000,080,896 | ---- | C] () -- E:\Windows\System32\RDVGHelper.exe
[2012/01/07 07:13:33 | 000,252,928 | ---- | C] () -- E:\Windows\System32\DShowRdpFilter.dll
[2012/01/07 07:12:22 | 000,066,048 | ---- | C] () -- E:\Windows\System32\PrintBrmUi.exe
[2012/01/07 07:12:18 | 000,078,336 | ---- | C] () -- E:\Windows\System32\drivers\dfsc.sys
[2012/01/07 05:34:13 | 000,448,308 | ---- | C] () -- E:\Windows\System32\perfh00B.dat
[2012/01/07 05:34:13 | 000,279,790 | ---- | C] () -- E:\Windows\System32\perfi00B.dat
[2012/01/07 05:34:13 | 000,086,812 | ---- | C] () -- E:\Windows\System32\perfc00B.dat
[2012/01/07 05:34:13 | 000,038,258 | ---- | C] () -- E:\Windows\System32\perfd00B.dat
[2012/01/07 05:34:12 | 000,463,506 | ---- | C] () -- E:\Windows\System32\perfh014.dat
[2012/01/07 05:34:12 | 000,392,790 | ---- | C] () -- E:\Windows\System32\prfh0404.dat
[2012/01/07 05:34:12 | 000,376,688 | ---- | C] () -- E:\Windows\System32\prfh0804.dat
[2012/01/07 05:34:12 | 000,298,300 | ---- | C] () -- E:\Windows\System32\perfi014.dat
[2012/01/07 05:34:12 | 000,117,840 | ---- | C] () -- E:\Windows\System32\prfi0404.dat
[2012/01/07 05:34:12 | 000,111,310 | ---- | C] () -- E:\Windows\System32\prfi0804.dat
[2012/01/07 05:34:12 | 000,103,998 | ---- | C] () -- E:\Windows\System32\prfc0404.dat
[2012/01/07 05:34:12 | 000,081,760 | ---- | C] () -- E:\Windows\System32\perfc014.dat
[2012/01/07 05:34:12 | 000,036,156 | ---- | C] () -- E:\Windows\System32\perfd014.dat
[2012/01/07 05:34:12 | 000,031,548 | ---- | C] () -- E:\Windows\System32\prfd0804.dat
[2012/01/07 05:34:12 | 000,031,548 | ---- | C] () -- E:\Windows\System32\prfd0404.dat
[2012/01/07 05:34:11 | 000,704,028 | ---- | C] () -- E:\Windows\System32\perfh010.dat
[2012/01/07 05:34:11 | 000,658,756 | ---- | C] () -- E:\Windows\System32\perfh007.dat
[2012/01/07 05:34:11 | 000,638,064 | ---- | C] () -- E:\Windows\System32\perfh005.dat
[2012/01/07 05:34:11 | 000,335,478 | ---- | C] () -- E:\Windows\System32\perfi010.dat
[2012/01/07 05:34:11 | 000,295,922 | ---- | C] () -- E:\Windows\System32\perfi007.dat
[2012/01/07 05:34:11 | 000,292,004 | ---- | C] () -- E:\Windows\System32\perfi005.dat
[2012/01/07 05:34:11 | 000,134,204 | ---- | C] () -- E:\Windows\System32\perfc007.dat
[2012/01/07 05:34:11 | 000,126,452 | ---- | C] () -- E:\Windows\System32\perfc005.dat
[2012/01/07 05:34:11 | 000,108,912 | ---- | C] () -- E:\Windows\System32\prfc0804.dat
[2012/01/07 05:34:11 | 000,038,104 | ---- | C] () -- E:\Windows\System32\perfd007.dat
[2012/01/07 05:34:11 | 000,037,534 | ---- | C] () -- E:\Windows\System32\perfd010.dat
[2012/01/07 05:34:11 | 000,036,232 | ---- | C] () -- E:\Windows\System32\perfd005.dat
[2012/01/07 05:34:10 | 000,709,350 | ---- | C] () -- E:\Windows\System32\perfh00C.dat
[2012/01/07 05:34:10 | 000,414,656 | ---- | C] () -- E:\Windows\System32\perfh012.dat
[2012/01/07 05:34:10 | 000,344,522 | ---- | C] () -- E:\Windows\System32\perfi00C.dat
[2012/01/07 05:34:10 | 000,157,694 | ---- | C] () -- E:\Windows\System32\perfi012.dat
[2012/01/07 05:34:10 | 000,134,804 | ---- | C] () -- E:\Windows\System32\perfc00C.dat
[2012/01/07 05:34:10 | 000,131,808 | ---- | C] () -- E:\Windows\System32\perfc010.dat
[2012/01/07 05:34:10 | 000,109,340 | ---- | C] () -- E:\Windows\System32\perfc012.dat
[2012/01/07 05:34:10 | 000,038,160 | ---- | C] () -- E:\Windows\System32\perfd00C.dat
[2012/01/07 05:34:10 | 000,031,548 | ---- | C] () -- E:\Windows\System32\perfd012.dat
[2012/01/07 05:01:56 | 000,000,000 | ---- | C] () -- E:\Windows\ativpsrm.bin
[2012/01/06 14:20:36 | 000,451,072 | ---- | C] () -- E:\Windows\System32\ISSRemoveSP.exe
[2011/04/19 20:21:02 | 000,037,376 | ---- | C] () -- E:\Windows\System32\atitmpxx.dll
[2011/03/17 12:51:46 | 000,003,929 | ---- | C] () -- E:\Windows\System32\atipblag.dat
[2011/02/28 16:30:06 | 000,233,012 | ---- | C] () -- E:\Windows\System32\atiicdxx.dat
[2009/07/13 23:57:37 | 000,067,584 | --S- | C] () -- E:\Windows\bootstat.dat
[2009/07/13 23:33:53 | 000,408,048 | ---- | C] () -- E:\Windows\System32\FNTCACHE.DAT
[2009/07/13 21:05:48 | 000,630,928 | ---- | C] () -- E:\Windows\System32\perfh009.dat
[2009/07/13 21:05:48 | 000,291,294 | ---- | C] () -- E:\Windows\System32\perfi009.dat
[2009/07/13 21:05:48 | 000,111,052 | ---- | C] () -- E:\Windows\System32\perfc009.dat
[2009/07/13 21:05:48 | 000,031,548 | ---- | C] () -- E:\Windows\System32\perfd009.dat
[2009/07/13 21:05:05 | 000,000,741 | ---- | C] () -- E:\Windows\System32\NOISE.DAT
[2009/07/13 21:04:11 | 000,215,943 | ---- | C] () -- E:\Windows\System32\dssec.dat
[2009/07/13 18:55:01 | 000,043,131 | ---- | C] () -- E:\Windows\mib.bin
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- E:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- E:\Windows\System32\BWContextHandler.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- E:\Windows\System32\mlang.dat

========== LOP Check ==========

[2012/01/29 11:04:59 | 000,000,000 | ---D | M] -- E:\ProgramData\5Spice Analysis
[2012/02/07 14:35:06 | 000,000,000 | ---D | M] -- E:\ProgramData\Acronis
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Application Data
[2012/03/01 14:25:00 | 000,000,000 | ---D | M] -- E:\ProgramData\AVG2012
[2012/02/28 14:47:03 | 000,000,000 | -H-D | M] -- E:\ProgramData\Common Files
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Desktop
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Documents
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Favorites
[2012/03/01 14:24:02 | 000,000,000 | ---D | M] -- E:\ProgramData\MFAData
[2012/02/24 17:49:00 | 000,000,000 | ---D | M] -- E:\ProgramData\Nokia
[2012/02/24 17:46:44 | 000,000,000 | ---D | M] -- E:\ProgramData\NokiaInstallerCache
[2012/02/24 17:57:29 | 000,000,000 | ---D | M] -- E:\ProgramData\PC Suite
[2012/02/24 17:03:33 | 000,000,000 | ---D | M] -- E:\ProgramData\Research In Motion
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Start Menu
[2012/01/29 13:40:24 | 000,000,000 | ---D | M] -- E:\ProgramData\TEMP
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- E:\ProgramData\Templates
[2012/01/28 15:55:19 | 000,000,000 | ---D | M] -- E:\ProgramData\vsosdk
[2012/01/08 17:40:01 | 000,000,000 | ---D | M] -- E:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/07/13 23:53:46 | 000,027,892 | ---- | M] () -- E:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: DFSC.SYS >
[2011/04/26 21:33:46 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=83D1ECEA8FAAE75604C0FA49AC7AD996 -- E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys
[2011/04/26 21:24:42 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=886E8C1608146CC355DDD455F5C8DD87 -- E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.20953_none_8818997a6076855b\dfsc.sys
[2010/11/20 03:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- E:\Windows\System32\drivers\dfsc.sys
[2010/11/20 03:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys
[2009/07/13 18:14:17 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=8E09E52EE2E3CEB199EF3DD99CF9E3FB -- E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16385_none_87708401476f7a4f\dfsc.sys

========== Files - Unicode (All) ==========
[2012/02/24 12:28:53 | 000,000,142 | ---- | M] ()(E:\Users\Jan\Desktop\???????????.lnk) -- E:\Users\Jan\Desktop\欢迎光临阿里巴巴国际站.lnk
[2012/02/24 12:28:53 | 000,000,142 | ---- | C] ()(E:\Users\Jan\Desktop\???????????.lnk) -- E:\Users\Jan\Desktop\欢迎光临阿里巴巴国际站.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> E:\ProgramData\TEMP:7BB5E748
< End of report >
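The MD5 custom scan above is the key evidence in this thread: the live copy under System32\drivers and one WinSxS copy carry no publisher string and share a hash that none of the Microsoft-signed copies have. The following Python script is an added example (not part of the thread, of OTL or of VirusTotal) that automates that comparison over the scan lines copied from the report above, and adds a hashing helper a responder can reuse after a replacement to confirm the live driver now matches the reference copy. The function names and the sample text are the example's own.

```python
"""Triage an OTL '< MD5 for: ... >' custom scan for outlier driver copies.

Two checks a responder makes by hand on such a scan:
  1. a copy with no publisher string is an outlier worth looking at, and
  2. its MD5 should match at least one publisher-carrying copy in WinSxS.
A copy failing both is flagged. MD5 is used here only because that is the
hash OTL reports; it is a triage aid, not proof of authenticity.
"""
import hashlib
import re

# One OTL custom-scan line looks like:
#   [date time | size | attrs | M] (Publisher) MD5=HASH -- path
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^\]]+)\]\s+\((?P<publisher>[^)]*)\)\s+"
    r"MD5=(?P<md5>[0-9A-Fa-f]{32})\s+--\s+(?P<path>.+)$"
)

# Sample input: the scan lines as they appear in the report above (constructed
# here as a string so the example runs offline).
SAMPLE_SCAN = r"""
< MD5 for: DFSC.SYS >
[2011/04/26 21:33:46 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=83D1ECEA8FAAE75604C0FA49AC7AD996 -- E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys
[2011/04/26 21:24:42 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=886E8C1608146CC355DDD455F5C8DD87 -- E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.20953_none_8818997a6076855b\dfsc.sys
[2010/11/20 03:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- E:\Windows\System32\drivers\dfsc.sys
[2010/11/20 03:42:32 | 000,078,336 | ---- | M] () MD5=8A317BAD308374D417220EB687F3AFBA -- E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys
[2009/07/13 18:14:17 | 000,078,336 | ---- | M] (Microsoft Corporation) MD5=8E09E52EE2E3CEB199EF3DD99CF9E3FB -- E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16385_none_87708401476f7a4f\dfsc.sys
"""


def parse_md5_scan(text):
    """Return one dict per scan line (publisher, md5, path); other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "publisher": m["publisher"],
                "md5": m["md5"].upper(),
                "path": m["path"],
            })
    return entries


def flag_suspicious(entries):
    """Paths of copies with no publisher whose hash matches no publisher-carrying copy."""
    trusted_hashes = {e["md5"] for e in entries if e["publisher"]}
    return [
        e["path"]
        for e in entries
        if not e["publisher"] and e["md5"] not in trusted_hashes
    ]


def md5_of_bytes(data):
    """Uppercase hex MD5, in the same form OTL prints it."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk=1 << 16):
    """Stream a file through MD5 so large drivers are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def verify_replacement(live_path, reference_path):
    """True when the live driver is byte-identical (by MD5) to the reference copy.

    Intended for use after a replacement like the one in this thread: the live
    System32\\drivers copy should then hash the same as the signed WinSxS copy.
    """
    return md5_of_file(live_path) == md5_of_file(reference_path)


if __name__ == "__main__":
    scan = parse_md5_scan(SAMPLE_SCAN)
    for path in flag_suspicious(scan):
        print("outlier copy:", path)
```

Run against the report's own lines it prints the two paths the helper's fix script targets (the System32\drivers copy and the 6.1.7601.17514 WinSxS copy); `verify_replacement()` is for the on-disk check afterwards and needs real file paths.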
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL

:Services

:Reg

:Files
E:\Windows\System32\drivers\dfsc.sys|E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys /replace
E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys|E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys /replace

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive


On the infected computer, do the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Remove the CD and shut down computer manually.
  • Reboot normally into Windows.

Re-run OTL following instructions from my reply #30.
 
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys not found.
File E:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys not found.
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 03022012_012535
 
I think OTLPE sees your drive's letter differently.

Let's try this adjusted code....

Code:
:OTL

:Services

:Reg

:Files
c:\Windows\System32\drivers\dfsc.sys|c:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys /replace
c:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys|c:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys /replace

:Commands
[purity]
 
That gave the same result, i.e. could not find file.

The Windows drive is e: so I then changed the 3 references to c: in the above script and tried again. This time it ran and said it needed a reboot. When I rebooted with the boot disc nothing happened, i.e. I wasn't presented with a log file.

I then booted into Windows normally and there are no log files that I can find.
 
I tried step 43 again.

This time after rebooting into PE I ran OTLPE and was presented with a log file:

========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
Unable to replace file: e:\Windows\System32\drivers\dfsc.sys with e:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys without a reboot.
Unable to replace file: e:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys with e:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys without a reboot.
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 03022012_183416

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
I then repeated step 28. The results are:

VirusTotal
SHA256: 991902675cce7263777e105a4097236f2ce5f8560cdc441b59b0f6078b58b2bb
File name: dfsc.sys
Detection ratio: 16 / 43
Analysis date: 2012-03-02 19:09:40 UTC ( 0 minutes ago )
Antivirus Result Update
AhnLab-V3 - 20120302
AntiVir TR/Rootkit.Gen2 20120302
Antiy-AVL - 20120302
Avast Win32:Alureon-AQW [Rtk] 20120302
AVG Agent_r.BCA 20120302
BitDefender Trojan.Generic.7260932 20120302
ByteHero - None
CAT-QuickHeal - 20120302
ClamAV - 20120302
Commtouch - 20120302
Comodo TrojWare.Win32.Rootkit.ZAcces.HL 20120302
DrWeb - 20120302
Emsisoft Rootkit.Win32.ZAccess!IK 20120302
eSafe - 20120229
eTrust-Vet - 20120302
F-Prot - 20120302
F-Secure Trojan.Generic.7260932 20120302
Fortinet - 20120302
GData Trojan.Generic.7260932 20120302
Ikarus Rootkit.Win32.ZAccess 20120302
Jiangmin - 20120301
K7AntiVirus Riskware 20120302
Kaspersky HEUR:Trojan.Win32.Generic 20120302
McAfee Artemis!8A317BAD3083 20120301
McAfee-GW-Edition Artemis!8A317BAD3083 20120302
Microsoft - 20120302
NOD32 a variant of Win32/Rootkit.Kryptik.JV 20120302
Norman - 20120302
nProtect - 20120302
Panda - 20120302
PCTools - 20120228
Prevx - 20120302
Rising - 20120302
Sophos - 20120302
SUPERAntiSpyware Trojan.Agent/Gen-Sirefef 20120301
Symantec - 20120302
TheHacker - 20120302
TrendMicro - 20120302
TrendMicro-HouseCall - 20120302
VBA32 - 20120302
VIPRE Trojan.Win32.Generic!BT 20120302
ViRobot - 20120302
VirusBuster - 20120302

 
Re your post 38.

"When asked Do you wish to load the remote registry, select Yes"

I am not asked this question in OTLPE.
 
I was thinking a reinstall was the only solution so tried something using the info found at http://www.howtogeek.com/howto/windows-vista/how-to-delete-a-system-file-in-windows-vista/

I replaced these two files:

c:\Windows\System32\drivers\dfsc.sys
c:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys

with

c:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys

I then rebooted and retested all three dfsc.sys files listed above using VirusTotal and it tells me all is clean.
 
You did perfectly fine :)
I'm not sure why my script didn't want to work.

You should be good to go :)
 
I hope so. Thanks ever so much for your help.

Can you recommend some checks now to be certain that this is cleared up?
 