Rapidantivirus popups
BleepingComputer.com > Security > Am I infected? What do I do?
bingbong
Hi all.

I'm struggling to get rid of this trojan/spyware.
I get the Rapid Antivirus popups all the time but have searched for and deleted all files with "rapid" in the file name.
When I run the Malwarebytes Anti-Malware program it comes up with trojan.vundo.h and malware.trace, which I delete.
After scanning again it comes up clear, but after rebooting they're back.

I've tried Spybot, SmitFraudFix and also VundoFix.

thanks for your help.
Budapest
Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link). DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
bingbong
Hi and thanks for your help

I've just opened SUPERAntiSpyware after rebooting and unfortunately there doesn't appear to be a log, although the boxes are checked which indicate that a log will be kept! Do I need to be in Safe Mode still to view this log, perhaps?

Also, during the scan I received this error message numerous times:

ERR - could not find "swflash.ocx"

...and several balloons which stated that I had corrupt files and that I needed to run the chkdsk utility.
I've also had annoying advertising popups since the scan/reboot, and Automatic Updates keeps being switched off.

Thanks.
Budapest
I would hold off on running chkdsk for now. Try this scan:

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
bingbong
Dr. Web log:


mljbqhap.dll;c:\windows\system32;Trojan.Virtumod.448;Deleted.;
mlJBQHAP.dll;C:\WINDOWS\system32;Trojan.Virtumod.448;Deleted.;
geBsTlMd.dll;C:\WINDOWS\system32;Trojan.Virtumod.448;Deleted.;
rqRLDUlK.dll;C:\WINDOWS\system32;Trojan.Virtumod.448;Deleted.;
awtrPhIb.dll;C:\WINDOWS\system32;Trojan.Virtumod.448;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
AntiXPVSTFix.exe;C:\WINDOWS\system32;BackDoor.IRC.Dosig.15;Deleted.;
RegUBP2b-Trollope.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Budapest
How's your computer running now?
bingbong
Yeah, I think you've done it. Great work, thank you!

So far no popups or fake virus detections.
I've been refraining from using any sites that need log-in details. Do you think it's safe to start logging in to email/bank accounts etc. again?
Budapest
Update Malwarebytes, run the Full Scan and post the log.
bingbong
Malwarebytes' Anti-Malware 1.28
Database version: 1266
Windows 5.1.2600 Service Pack 2

14/10/2008 10:54:11 AM
mbam-log-2008-10-14 (10-54-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122676
Time elapsed: 38 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\lvmrwe.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{68473cc0-73c3-4b87-9101-aa900ed2b829} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\gs23d1.bho (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\kiolld (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\lpvideo.lpvideoplugin (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\lpvideo.lpvideoplugin.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\lpvideo.xmldomdocumenteventssink (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{8e0bd2f1-9924-4a14-9cf8-51852a6525e8} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4c2979ee-ced2-42bb-ad9c-d815941bb067} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cc6c547a-4ba2-4aa3-a851-339a264bd0cc} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e81f6a44-062b-4e21-8916-53def250b5c4} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\lpvideo.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{419803e0-ebb5-418e-bcdd-8ea63647ec5e} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{1f88a6f5-908c-4c28-9a81-829953c5f5c5} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{10026069-7a5f-4531-811e-c8df20643bee} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{1a00a1a9-31e3-4348-8b2c-492c85d518aa} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f88a6f5-908c-4c28-9a81-829953c5f5c5} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\LPVideoPlugin (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\AppID\LPVideo.DLL (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\LPVideoPlugin (Trojan.FakeAlert) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lvmrwe.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\LPVideo.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\qavjoanw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ptejiebo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\eobvjg.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\LPVideoPlugin\5378.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\s.ico (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\wini104552664.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Trollope\Favorites\Search Online.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\Trollope\Favorites\Cheap Pharmacy Online.url (Rogue.Link) -> No action taken.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> No action taken.
Budapest
Your log shows "No action taken" for the items found. At the end of the scan did you select everything and click "Remove Selected"?

Also, your log shows a Rootkit infection. These can be very nasty and your online passwords may have been compromised.
bingbong
Malwarebytes' Anti-Malware 1.28
Database version: 1266
Windows 5.1.2600 Service Pack 2

14/10/2008 11:00:25 AM
mbam-log-2008-10-14 (11-00-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122676
Time elapsed: 38 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\lvmrwe.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{68473cc0-73c3-4b87-9101-aa900ed2b829} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gs23d1.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\kiolld (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lpvideo.lpvideoplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lpvideo.lpvideoplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lpvideo.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e0bd2f1-9924-4a14-9cf8-51852a6525e8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4c2979ee-ced2-42bb-ad9c-d815941bb067} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cc6c547a-4ba2-4aa3-a851-339a264bd0cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e81f6a44-062b-4e21-8916-53def250b5c4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lpvideo.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{419803e0-ebb5-418e-bcdd-8ea63647ec5e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f88a6f5-908c-4c28-9a81-829953c5f5c5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{10026069-7a5f-4531-811e-c8df20643bee} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{1a00a1a9-31e3-4348-8b2c-492c85d518aa} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f88a6f5-908c-4c28-9a81-829953c5f5c5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\LPVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\LPVideo.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\LPVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lvmrwe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LPVideo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qavjoanw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ptejiebo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eobvjg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\LPVideoPlugin\5378.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\s.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini104552664.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Trollope\Favorites\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Trollope\Favorites\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Budapest
Reboot your computer and run the Full Scan again. Sometimes it takes several scans to remove everything that Malwarebytes finds. Keep rebooting and rescanning until everything is gone. If after three more rescans you are still having problems post back with the last log.
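As an added illustration of the two checks made in this thread (the "No action taken" entries Budapest spotted in the first log, and the advice here to rescan until nothing recurs), the following Python script is not from the thread or from Malwarebytes. It parses lines in the log format posted above and reports detections left in place, items still waiting for a reboot, rootkit-class detections, and which entries reappear between a scan and a rescan. The sample logs are constructed for the example, shortened from the logs in this thread.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes log format posted in this thread.
# Paths and detection names are copied from the first log above; the log is
# shortened so the example stays small.
FIRST_SCAN = r"""Memory Modules Infected: 1
Registry Keys Infected: 2

Memory Modules Infected:
C:\WINDOWS\system32\lvmrwe.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lvmrwe.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> No action taken.
"""

# Constructed rescan: the same two registry keys come back, as they did in
# the thread, and one DLL is still waiting for the reboot.
RESCAN = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lvmrwe.dll (Trojan.Vundo) -> Delete on reboot.
"""

# A section header is "<name> Infected:" with nothing after the colon; the
# summary-count lines ("... Infected: 21") therefore never match it.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# A detection line is "<path> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits in.
    Blank lines and "(No malicious items detected)" match neither pattern and
    are skipped."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def assess(items):
    """What a helper reads off the log: detections left in place, items that
    need the reboot to finish, and rootkit-class detections (a sign that
    credentials used on the machine should be treated as exposed)."""
    return {
        "by_action": dict(Counter(i["action"] for i in items)),
        "unresolved": [i["path"] for i in items if i["action"] == "No action taken"],
        "pending_reboot": [i["path"] for i in items if i["action"] == "Delete on reboot"],
        "rootkits": [i["path"] for i in items if i["threat"].startswith("Rootkit.")],
    }


def recurring(first, later):
    """(section, path) pairs reported both in a scan and in a later rescan:
    anything here is being recreated after removal and needs a different tool."""
    seen = {(i["section"], i["path"]) for i in first}
    return sorted(p for p in {(i["section"], i["path"]) for i in later} if p in seen)


if __name__ == "__main__":
    first, later = parse_mbam_log(FIRST_SCAN), parse_mbam_log(RESCAN)
    print("first scan:", assess(first))
    print("rescan:", assess(later))
    for section, path in recurring(first, later):
        print("recurring:", section, path)
```

Run it on a saved mbam-log-*.txt by reading the file into `parse_mbam_log`; the "recurring" list is the one to watch, since it is exactly the pattern of the MS Juan and MS Track System keys returning after every reboot in this thread.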
bingbong
I've done three scans and reboots.
The first one was clear.
The second and third both came up with the following while Malwarebytes was doing a heuristic scan:

Malwarebytes' Anti-Malware 1.28
Database version: 1266
Windows 5.1.2600 Service Pack 2

14/10/2008 1:38:10 PM
mbam-log-2008-10-14 (13-38-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122540
Time elapsed: 35 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Budapest
Try running this scan:

http://www.bleepingcomputer.com/forums/topic17258.html
bingbong
SmitFraudFix v2.359

Scan done at 14:29:15.82, Tue 14/10/2008
Run from C:\Documents and Settings\Trollope\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 www.bns2.net
127.0.0.1 www.bns1.net
127.0.0.1 www.rgs2.net
127.0.0.1 www.rgs1.net
127.0.0.1 www.cms2.net
127.0.0.1 www.cms1.net
127.0.0.1 cys3.net
127.0.0.1 cys2.net
127.0.0.1 cys1.net
127.0.0.1 www.kapsules.org
127.0.0.1 www.bonzi.com
127.0.0.1 dev.bde.com.au

...and it goes on

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

After the SmitFraudFix scan I ran MBAM and the same two registry entries were found (trojan.vundo.h and malware.trace).
Budapest
Another scan to try:

http://www.bleepingcomputer.com/forums/topic131299.html

Also, do you use a hosts file?
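To make the hosts-file question concrete, here is an added Python example (not from the thread, SmitFraudFix or SDFix) that reads hosts-file lines in the layout the SmitFraudFix log printed above and separates loopback "sinkhole" entries, which are what anti-spyware immunisation writes, from entries that send a hostname to a routable address, which is the hijack pattern a helper looks for. The sample text is constructed: its 127.0.0.1 lines copy the log above, and the 203.0.113.x / 198.51.100.x lines are invented here (documentation address ranges and .example hostnames).

```python
import ipaddress

# Constructed sample in Windows hosts-file layout. The 127.0.0.1 lines are
# taken from the SmitFraudFix log in this thread; the two lines that point
# at routable addresses are made up for this example (reserved documentation
# ranges, .example hostnames).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.bns2.net
127.0.0.1 www.bonzi.com
0.0.0.0 ads.example    # constructed: sinkhole written by a blocklist
203.0.113.7 www.bank.example   # constructed: redirect to a remote address
198.51.100.9 update.antivirus.example  # constructed: redirect to a remote address
"""

# Names a stock hosts file is expected to carry; a restored default file
# (what "Restoring Default Hosts File" above produces) has only these.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, one per hostname on a line.
    Comments (# to end of line), blank lines and lines whose first field is
    not an IP address are skipped, as the resolver would skip them."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def classify(entries):
    """Split entries into the stock local names, sinkholed names (loopback or
    0.0.0.0, i.e. a blocklist/immunisation entry) and names redirected to a
    routable address (the pattern that turns a bank or update site into
    someone else's server)."""
    local, blocked, redirected = [], [], []
    for addr, name in entries:
        if name in LOCAL_NAMES:
            local.append(name)
        elif addr.is_loopback or addr.is_unspecified:
            blocked.append(name)
        else:
            redirected.append((str(addr), name))
    return {"local": local, "blocked": blocked, "redirected": redirected}


def is_default(entries):
    """True when the file maps nothing but the stock local names."""
    return all(name in LOCAL_NAMES for _, name in entries)


if __name__ == "__main__":
    result = classify(parse_hosts(SAMPLE_HOSTS))
    print("stock entries:   ", result["local"])
    print("sinkholed names: ", len(result["blocked"]))
    for addr, name in result["redirected"]:
        print("REVIEW redirect: ", name, "->", addr)
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts. A long list of 127.0.0.1 lines like the one in the SmitFraudFix log is what Spybot's immunisation leaves behind and is harmless; any entry in the "redirected" list deserves a look, and "Restoring Default Hosts File" in the SDFix log means that file was reset to the stock localhost-only contents.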
bingbong
After running SDFix, MBAM has picked up the same files (trojan.vundo.h, malware.trace).

Not sure I know what a hosts file is? Would that be like Spybot?


SDFix: Version 1.235
Run by Administrator on Tue 14/10/2008 at 15:51

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\O.BAT - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 15:59:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = C:\WINDOWS\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d????????F?

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\messenger\\msmsgs.exe"="C:\\Program Files\\messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe:*:Enabled:P2P Networking"
"C:\\Program Files\\Kazaa Lite\\clean.kmd"="C:\\Program Files\\Kazaa Lite\\clean.kmd:*:Enabled:clean"
"C:\\Program Files\\Kazaa Lite\\klrun.exe"="C:\\Program Files\\Kazaa Lite\\klrun.exe:*:Enabled:Kazaa Lite"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 23 Jun 2008 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 14 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\messenger\msmsgs.exe"
Tue 6 Sep 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 30 Jul 2008 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Wed 22 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Sun 14 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 20 Jan 2003 25,088 ...H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\~WRL0003.tmp"
Mon 1 Oct 2007 25,088 ...H. --- "C:\Documents and Settings\Trollope\My Documents\Joan\~WRL2085.tmp"
Sun 22 Jun 2008 25,600 ...H. --- "C:\Documents and Settings\Trollope\My Documents\Joan\~WRL0004.tmp"
Sun 22 Jun 2008 26,624 ...H. --- "C:\Documents and Settings\Trollope\My Documents\Joan\~WRL0965.tmp"
Sun 22 Jun 2008 26,624 ...H. --- "C:\Documents and Settings\Trollope\My Documents\Joan\~WRL0731.tmp"
Fri 26 Sep 2008 204,800 ...H. --- "C:\Documents and Settings\Trollope\Desktop\PLEASE CLEAN UP THESE FILES\~WRL0004.tmp"
Sun 9 May 2004 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Sun 9 May 2004 230,636 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Thu 21 Oct 2004 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Thu 21 Oct 2004 297,486 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Sun 9 May 2004 154,774 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM_old.reg"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Tue 10 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Tue 10 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Mon 10 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Tue 10 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Tue 10 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Tue 10 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Tue 10 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Mon 10 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sun 4 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Wed 11 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Mon 10 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Tue 10 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Tue 10 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Tue 10 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Tue 10 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Tue 10 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Tue 10 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Mon 10 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Mon 20 Jan 2003 25,088 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\~WRL0003.tmp"
Wed 7 Feb 2007 157,184 ...H. --- "C:\Documents and Settings\Trollope\My Documents\Issie\NMIT\~WRL3303.tmp"
Sun 18 Mar 2007 143,360 A.SH. --- "C:\Documents and Settings\Trollope\My Documents\My Pictures\100OLYMP\SIV15.tmp"
Wed 8 Nov 2000 41,984 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Honours\Data\~WRL0457.TMP"
Wed 8 Nov 2000 27,136 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Honours\Data\~WRL0498.TMP"
Wed 8 Nov 2000 39,936 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Honours\Data\~WRL0903.TMP"
Wed 15 Nov 2000 38,912 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Honours\Data\~WRL1937.TMP"
Sun 1 Jun 2003 41,472 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Outdoor Education\~WRL0727.tmp"
Sun 1 Jun 2003 34,816 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Outdoor Education\~WRL0856.tmp"
Thu 12 Jun 2003 127,488 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Professional Issues\~WRL0265.tmp"
Wed 11 Jun 2003 123,392 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Professional Issues\~WRL1646.tmp"
Wed 11 Jun 2003 126,464 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Professional Issues\~WRL2228.tmp"
Thu 12 Jun 2003 126,976 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Professional Issues\~WRL2871.tmp"
Thu 12 Jun 2003 129,024 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Professional Issues\~WRL3374.tmp"
Wed 11 Jun 2003 126,464 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Professional Issues\~WRL3700.tmp"
Wed 11 Jun 2003 48,640 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Dip Ed\Professional Issues\~WRL3972.tmp"
Tue 6 Dec 2005 3,178,496 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\CV & Applications\Moonee Ponds\~WRL0670.tmp"
Sun 1 Jun 2003 41,472 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Outdoor Education\~WRL0727.tmp"
Sun 1 Jun 2003 34,816 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Outdoor Education\~WRL0856.tmp"
Thu 12 Jun 2003 127,488 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Professional Issues\~WRL0265.tmp"
Wed 11 Jun 2003 123,392 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Professional Issues\~WRL1646.tmp"
Wed 11 Jun 2003 126,464 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Professional Issues\~WRL2228.tmp"
Thu 12 Jun 2003 126,976 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Professional Issues\~WRL2871.tmp"
Thu 12 Jun 2003 129,024 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Professional Issues\~WRL3374.tmp"
Wed 11 Jun 2003 126,464 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Professional Issues\~WRL3700.tmp"
Wed 11 Jun 2003 48,640 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Dip Ed\Professional Issues\~WRL3972.tmp"
Wed 8 Nov 2000 41,984 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Honours\Data\~WRL0457.TMP"
Wed 8 Nov 2000 27,136 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Honours\Data\~WRL0498.TMP"
Wed 8 Nov 2000 39,936 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Honours\Data\~WRL0903.TMP"
Wed 15 Nov 2000 38,912 A..H. --- "C:\Documents and Settings\Trollope\My Documents\Millie\Millie\Honours\Data\~WRL1937.TMP"

Finished!

bingbong
Can I use System Restore to remove the infection?
bingbong
I've found a folder in c:/ which had a program called mrtstub.

This is what processlibrary.com said...

Description: mrtstub.exe is a process belonging to an unclassified malware which can download other malicious processes and cause unwanted behavior on your computer. Should be terminated immediately.
Budapest
Please download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • Place a tick in the Scan all Users box
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop, post the OTViewIt.txt and Extras.txt logs in your next post.
bingbong
OTViewIt logfile created on: 14/10/2008 6:23:31 PM - Run
OTViewIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\Trollope\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.25 Gb Total Physical Memory | 0.79 Gb Available Physical Memory | 63.29% Memory free
1.48 Gb Paging File | 1.08 Gb Available in Paging File | 72.91% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 10.60 Gb Free Space | 28.45% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name:
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2007/12/01 13:10:12 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
[2007/12/01 12:46:58 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
[2008/01/16 08:50:36 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[2002/09/27 15:38:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
[2002/10/30 17:40:34 | 00,028,672 | ---- | M] () -- C:\WINDOWS\htpatch.exe
[2002/02/25 01:59:00 | 00,204,800 | ---- | M] (Logitech Inc. ) -- C:\Program Files\Logitech\iTouch\iTouch.exe
[2002/02/08 05:01:24 | 00,040,960 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
[2002/01/28 09:43:00 | 00,035,328 | ---- | M] (Logitech Inc. ) -- C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
[2004/08/04 17:56:56 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\RunDll32.exe
[2004/04/30 20:56:30 | 00,356,352 | ---- | M] (GlobespanVirata, Inc.) -- C:\Program Files\D-Link\DSL-200\dslstat.exe
[2004/04/30 20:56:30 | 00,016,384 | ---- | M] () -- C:\Program Files\D-Link\DSL-200\dslagent.exe
[2008/04/26 08:49:38 | 00,579,584 | ---- | M] (GRISOFT, s.r.o.) -- C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
[2008/07/07 09:42:06 | 02,156,368 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2008/09/03 14:07:12 | 01,576,176 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[2008/07/18 22:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/06/23 19:20:52 | 00,625,664 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2008/10/14 18:23:26 | 00,421,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Trollope\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/12/01 13:10:12 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe -- (Avg7Alrt [Auto | Running])
[2007/12/01 12:46:58 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe -- (Avg7UpdSvc [Auto | Running])
[2008/01/16 08:50:36 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe -- (AVGEMS [Auto | Running])
[2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007/10/09 12:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2007/10/11 09:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2006/11/10 19:18:02 | 00,774,144 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
[2007/10/11 09:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2002/09/27 15:38:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2007/12/01 13:09:54 | 00,821,856 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avg7core.sys -- (Avg7Core [System | Running])
[2007/12/01 12:47:08 | 00,004,224 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avg7rsw.sys -- (Avg7RsW [System | Running])
[2007/12/01 13:09:58 | 00,027,776 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avg7rsxp.sys -- (Avg7RsXP [System | Running])
[2008/01/16 08:50:40 | 00,010,760 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgclean.sys -- (AvgClean [System | Running])
[2007/12/01 12:47:12 | 00,004,960 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdi.sys -- (AvgTdi [Auto | Running])
[2001/08/10 16:33:00 | 00,078,498 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\basic2.sys -- (basic2 [On_Demand | Running])
File not found -- C:\DOCUME~1\Trollope\LOCALS~1\Temp\catchme.sys -- (catchme [On_Demand | Running])
[2002/09/30 20:24:58 | 00,417,999 | ---- | M] (C-Media Inc) -- C:\WINDOWS\system32\drivers\cmuda.sys -- (cmuda [On_Demand | Running])
[2001/07/04 17:42:00 | 00,017,776 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\cnxtdiag.sys -- (Cnxtdiag [Auto | Running])
[2002/03/22 23:08:12 | 00,114,944 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Stopped])
[2002/03/22 23:09:40 | 00,835,636 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Stopped])
[2002/03/22 23:09:54 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Stopped])
[2002/03/22 23:10:10 | 00,211,724 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Stopped])
[2002/03/22 23:10:20 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\emupia2k.sys -- (emupia [On_Demand | Stopped])
[2001/07/13 13:52:00 | 00,310,739 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\fallback.sys -- (Fallback [Auto | Running])
[2001/06/15 18:37:00 | 00,127,405 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\fsksnt.sys -- (Fsks [Auto | Running])
[2004/08/04 16:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
[2002/03/22 23:10:58 | 00,991,656 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Stopped])
[2001/08/17 13:28:10 | 00,542,879 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys -- (hsf_msft [On_Demand | Stopped])
[2002/09/28 12:47:38 | 00,010,496 | ---- | M] (Logitech Inc. ) -- C:\WINDOWS\System32\DRIVERS\itchfltr.sys -- (itchfltr [On_Demand | Running])
[2001/07/23 18:41:00 | 00,427,167 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\k56nt.sys -- (K56 [Auto | Running])
[2002/09/28 12:47:36 | 00,050,994 | ---- | M] (Logitech) -- C:\WINDOWS\System32\DRIVERS\L8042Pr2.sys -- (l8042pr2 [On_Demand | Stopped])
[2002/09/28 12:47:36 | 00,022,210 | ---- | M] (Logitech) -- C:\WINDOWS\System32\DRIVERS\LHidFlt2.sys -- (LHidFlt2 [On_Demand | Running])
[2002/09/28 12:47:36 | 00,005,842 | ---- | M] (Logitech) -- C:\WINDOWS\System32\DRIVERS\LKbdFlt2.sys -- (LKbdFlt2 [On_Demand | Running])
[2002/09/28 12:47:36 | 00,067,698 | ---- | M] (Logitech) -- C:\WINDOWS\System32\DRIVERS\LMouFlt2.sys -- (LMouFlt2 [On_Demand | Running])
[2001/08/17 14:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
[2001/03/15 17:08:54 | 00,042,900 | ---- | M] () -- C:\WINDOWS\System32\drivers\Nbmkmd.sys -- (Nbmkmd [On_Demand | Stopped])
[2004/08/04 15:59:50 | 00,040,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\NMnt.sys -- (nm [On_Demand | Stopped])
[2007/05/16 11:42:02 | 00,013,440 | ---- | M] (NoteBurn Software) -- C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys -- (ntcdrdrv [Boot | Running])
[2002/09/27 15:38:00 | 01,104,282 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
[2002/03/22 23:09:52 | 00,195,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Stopped])
[2003/03/26 12:51:52 | 00,030,336 | ---- | M] (JDSoft Inc.) -- C:\WINDOWS\system32\DRIVERS\pcnat.sys -- (PCNat [On_Demand | Stopped])
[2007/10/01 11:42:06 | 00,035,904 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\Pcouffin.sys -- (Pcouffin [On_Demand | Running])
File not found -- C:\WINDOWS\system32\drivers\PfModNT.sys -- (PfModNT [Auto | Stopped])
[2002/08/29 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
[2005/04/25 19:03:00 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2001/08/10 16:33:00 | 00,068,006 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\rksample.sys -- (Rksample [On_Demand | Running])
[2002/08/29 12:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Stopped])
[2002/04/01 09:47:36 | 00,045,312 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\R8139n51.SYS -- (rtl8139 [On_Demand | Stopped])
[2008/09/03 14:07:14 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
[2008/09/03 14:07:16 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
[2008/09/03 14:07:12 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
[2007/11/13 21:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2003/01/23 18:08:00 | 00,257,408 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisgrp.sys -- (SiS315 [On_Demand | Stopped])
[2002/10/31 11:58:42 | 00,030,848 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (sisagp [Boot | Running])
[2001/06/15 18:36:00 | 00,216,987 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\faxnt.sys -- (SoftFax [Auto | Running])
[2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2001/06/15 18:35:00 | 00,056,639 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\tonesnt.sys -- (Tones [Auto | Running])
[2001/07/23 18:40:00 | 00,534,605 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\v124nt.sys -- (V124 [Auto | Running])
[2004/04/30 20:56:16 | 00,150,369 | ---- | M] (GlobespanVirata Inc.) -- C:\WINDOWS\System32\DRIVERS\gwausb.sys -- (wanusb [On_Demand | Running])
[2001/08/10 16:36:00 | 00,585,152 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=C:\windows\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://www.google.com

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://global.acer.com/

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://global.acer.com/

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://global.acer.com/

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://www.google.com

[HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com

[HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{003F7B66-8E81-4C69-A4C0-8B73609283C0} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{50887A3E-98E4-477F-A03A-B7CD6389BB1C} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{6277CEAA-996A-485E-8245-4A31528803C7} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{6BB4BBB4-9506-4E50-A9EE-89BA967121FD} (HKLM) -- C:\WINDOWS\system32\jkkICtqn.dll File not found
{7611D02D-AD35-46E4-B41E-438C569B3EFD} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{998DAE3E-7D4F-4952-A71F-467D8FE64407} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9C7C1C81-E002-43F3-8182-E9B0B6C59F89} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{F849FE04-066B-406C-9B9A-5701BD1C8A39} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP (GRISOFT, s.r.o.)
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
"DSLAGENTEXE"=C:\Program Files\D-Link\DSL-200\dslagent.exe ()
"DSLSTATEXE"=C:\Program Files\D-Link\DSL-200\dslstat.exe icon (GlobespanVirata, Inc.)
"EM_EXEC"=C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE (Logitech Inc. )
"HTpatch"=C:\WINDOWS\htpatch.exe ()
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"SiS KHooker"=C:\WINDOWS\System32\khooker.exe (Silicon Integrated Systems Corporation)
"SiS Tray"=C:\WINDOWS\System32\sistray.EXE File not found
"UpdReg"=C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
"WINDVDPatch"=CTHELPER.EXE (Creative Technology Ltd)
"zBrowser Launcher"=C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc. )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background File not found
"Symantec Network Driver Update Warning"=C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background File not found
"Symantec Network Driver Update Warning"=C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE File not found

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (GRISOFT, s.r.o.)

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (GRISOFT, s.r.o.)

[HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

========== (O4) Startup Folders ==========

[2001/02/13 01:01:04 | 00,083,360 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [2008/05/15 15:42:26 | 10,354,176 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [2008/05/15 15:42:26 | 10,354,176 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [2008/05/15 15:42:26 | 10,354,176 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [2008/05/15 15:42:26 | 10,354,176 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.5.0_04\bin\npjpi150_04.dll [2005/06/03 04:09:54 | 00,069,746 | ---- | M] (Sun Microsystems, Inc.)
{85d1f590-48f4-11d9-9669-0800200c9a66}: Menu: Uninstall BitDefender Online Scanner v8 -- %SystemRoot%\bdoscandel.exe [2006/05/25 01:22:06 | 00,053,248 | ---- | M] ()
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search && Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/07/07 09:41:58 | 01,562,448 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\Network Diagnostic\xpnetdiag.exe [2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\System32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] -> [2006/05/25 01:22:06 | 00,053,248 | ---- | M] ()
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\System32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] -> [2006/05/25 01:22:06 | 00,053,248 | ---- | M] ()
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery
Extension\.spop: -- C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll [2001/01/30 13:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{0246ECA8-996F-11D1-BE2F-00A0C9037DFE}: http://www.kvali.com/wfplayer/tdserver.cab -- TDServer Control
{04E214E5-63AF-4236-83C6-A7ADCBF9BD02}: http://housecall60.trendmicro.com/housecall/xscan60.cab -- HouseCall Control
{0CCA191D-13A6-4E29-B746-314DEE697D83}: http://upload.facebook.com/controls/Facebo...toUploader5.cab -- Facebook Photo Uploader 5
{1239CC52-59EF-4DFA-8C61-90FFA846DF7E}: http://www.musicnotes.com/download/mnviewer.cab -- Musicnotes Viewer
{166B1BCA-3F9C-11CF-8075-444553540000}: http://fpdownload.macromedia.com/get/shock...director/sw.cab -- Shockwave ActiveX Control
{17492023-C23A-453E-A040-C7C580BBF700}: http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 -- Windows Genuine Advantage Validation Tool
{2646205B-878C-11D1-B07C-0000C040BCDB}: file://D:\HD\nskey.dll -- NSIEMisc Class
{41F17733-B041-4099-A042-B518BB6A408C}: http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe -- Reg Error: Key does not exist or could not be opened.
{556DDE35-E955-11D0-A707-000000521957}: http://www.xblock.com/download/xclean_micro.exe -- Reg Error: Key does not exist or could not be opened.
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}: http://download.bitdefender.com/resources/scan8/oscan8.cab -- BDSCANONLINE Control
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://v5.windowsupdate.microsoft.com/v5co...b?1098516934953 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://www.update.microsoft.com/microsoftu...b?1201510920343 -- MUWebControl Class
{74D05D43-3236-11D4-BDCD-00C04F9A3B61}: http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab -- HouseCall Control
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_04
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/shock...h/ultrashim.cab -- Reg Error: Value does not exist or could not be read.
{A8F2B9BD-A6A0-486A-9744-18920D898429}: http://www.sibelius.com/download/software/...tiveXPlugin.cab -- ScorchPlugin Class
{A90A5822-F108-45AD-8482-9BC8B12DD539}: http://www.crucial.com/controls/cpcScanner.cab -- Crucial cpcScan
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_04
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}: http://download.mcafee.com/molbin/iss-loc/...324/mcfscan.cab -- McFreeScan Class
DirectAnimation Java Classes: file://C:\WINDOWS\Java\classes\dajava.cab -- Reg Error: Key does not exist or could not be opened.
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{050C417B-206B-40B0-9B30-40A4595A0415} (Servers: | Description: 1394 Net Adapter)
{7232C297-3E10-48A6-807C-78FF19F4F8A1} (Servers: | Description: 1394 Net Adapter)
{F14F44A7-7D56-4E33-9F13-0F6710BDFCCC} (Servers: | Description: Realtek RTL8139/810x Family Fast Ethernet NIC)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=notdtc.dll lvmrwe.dll
>[2008/10/11 10:02:36 | 00,107,520 | ---- | M] () -- C:\WINDOWS\system32\notdtc.dll
>File not found --

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
mlJBQHAP: "DllName" = Reg Error: Value DLLName does not exist or could not be read. -- File not found

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ]
[2006/10/21 18:44:26 | 00,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb2a09be-63c1-11da-9072-000f3d300101}\Shell\Auto\command]
""=infrom.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb2a09be-63c1-11da-9072-000f3d300101}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb2a09be-63c1-11da-9072-000f3d300101}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\Shell32.DLL -- [2007/10/26 14:34:02 | 08,460,288 | ---- | M] (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2008/10/14 18:23:15 | 00,421,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Trollope\Desktop\OTViewIt.exe
[2008/10/14 15:39:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2008/10/14 15:34:34 | 00,000,000 | ---D | C] -- C:\SDFix
[2008/10/14 15:33:58 | 01,431,710 | ---- | C] () -- C:\Documents and Settings\Trollope\Desktop\SDFix.exe
[2008/10/14 09:40:26 | 00,000,584 | ---- | C] () -- C:\Documents and Settings\Trollope\Desktop\DrWeb.csv
[2008/10/13 18:38:00 | 11,579,912 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Trollope\Desktop\drweb-cureit.exe
[2008/10/13 16:13:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2008/10/13 16:13:01 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2008/10/13 16:13:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Trollope\Application Data\SUPERAntiSpyware.com
[2008/10/13 16:12:17 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2008/10/13 16:12:11 | 06,637,592 | ---- | C] () -- C:\Documents and Settings\Trollope\Desktop\SUPERAntiSpyware.exe
[2008/10/13 09:52:13 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/10/12 22:46:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/10/12 16:43:13 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2008/10/12 16:32:47 | 00,002,548 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2008/10/12 14:39:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Trollope\Desktop\SmitfraudFix
[2008/10/12 13:06:32 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2008/10/12 13:06:32 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2008/10/12 10:11:14 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2008/10/12 10:10:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2008/10/12 10:10:38 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2008/10/12 10:09:01 | 00,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2008/10/12 10:06:26 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2008/10/11 16:50:22 | 00,000,095 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/11 16:13:26 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008/10/11 16:13:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/10/11 12:22:11 | 00,000,124 | ---- | C] () -- C:\WINDOWS\netdet.ini
[2008/10/11 12:20:54 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\CyberInstallerUninstallerSystem
[2008/10/11 12:20:39 | 00,000,000 | ---D | C] -- C:\Program Files\Guitar Freak Workstation With SightReader
[2008/10/11 12:20:00 | 00,787,696 | ---- | C] (MoonLight Software Inc. 1999-2007) -- C:\WINDOWS\System32\VBOLock.ocx
[2008/10/11 12:19:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Trollope\Application Data\CyberInstaller Studio 2008
[2008/10/11 11:55:11 | 00,107,520 | ---- | C] () -- C:\WINDOWS\System32\yzepzo.dll
[2008/10/11 11:55:02 | 01,088,753 | -HS- | C] () -- C:\WINDOWS\System32\pxpqnoip.ini
[2008/10/11 11:55:02 | 00,107,520 | ---- | C] () -- C:\WINDOWS\System32\gvqrxcph.dll
[2008/10/11 10:34:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Trollope\Application Data\Malwarebytes
[2008/10/11 10:34:13 | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/10/11 10:34:12 | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/10/11 10:34:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/10/11 10:34:10 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/10/11 10:33:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Trollope\Application Data\0000005377
[2008/10/11 10:02:35 | 00,107,520 | ---- | C] () -- C:\WINDOWS\System32\notdtc.dll
[2008/10/11 10:02:28 | 00,107,520 | ---- | C] () -- C:\WINDOWS\System32\rllcmujo.dll
[2008/10/11 09:51:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\obqbwrih
[2008/10/11 09:25:54 | 00,000,000 | ---D | C] -- C:\Program Files\SightReader Master
[2008/10/06 09:06:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Trollope\My Documents\oct 08
[2008/09/19 23:56:06 | 00,000,000 | ---D | C] -- C:\Program Files\7-Zip

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2008/10/14 18:23:26 | 00,421,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Trollope\Desktop\OTViewIt.exe
[2008/10/14 18:21:02 | 00,000,366 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2008/10/14 15:57:06 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/10/14 15:56:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/10/14 15:56:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/10/14 15:34:10 | 01,431,710 | ---- | M] () -- C:\Documents and Settings\Trollope\Desktop\SDFix.exe
[2008/10/14 14:32:16 | 00,002,548 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2008/10/14 08:20:14 | 00,000,584 | ---- | M] () -- C:\Documents and Settings\Trollope\Desktop\DrWeb.csv
[2008/10/13 18:36:56 | 11,579,912 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Trollope\Desktop\drweb-cureit.exe
[2008/10/13 16:10:50 | 06,637,592 | ---- | M] () -- C:\Documents and Settings\Trollope\Desktop\SUPERAntiSpyware.exe
[2008/10/12 22:47:42 | 00,528,784 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/10/12 22:47:42 | 00,445,870 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/10/12 22:47:42 | 00,072,824 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/10/12 22:04:22 | 00,000,124 | ---- | M] () -- C:\WINDOWS\netdet.ini
[2008/10/12 13:06:34 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/10/12 13:06:34 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2008/10/12 12:40:18 | 00,341,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/12 10:18:36 | 00,104,248 | ---- | M] () -- C:\Documents and Settings\Trollope\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/10/11 16:50:24 | 00,000,095 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2008/10/11 13:07:24 | 06,435,398 | -H-- | M] () -- C:\Documents and Settings\Trollope\Local Settings\Application Data\IconCache.db
[2008/10/11 12:33:20 | 00,001,023 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/10/11 11:55:20 | 01,088,753 | -HS- | M] () -- C:\WINDOWS\System32\pxpqnoip.ini
[2008/10/11 11:55:12 | 00,107,520 | ---- | M] () -- C:\WINDOWS\System32\yzepzo.dll
[2008/10/11 11:55:12 | 00,107,520 | ---- | M] () -- C:\WINDOWS\System32\gvqrxcph.dll
[2008/10/11 10:02:36 | 00,107,520 | ---- | M] () -- C:\WINDOWS\System32\rllcmujo.dll
[2008/10/11 10:02:36 | 00,107,520 | ---- | M] () -- C:\WINDOWS\System32\notdtc.dll
[2008/10/03 06:40:54 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/10/02 10:58:28 | 00,151,040 | -HS- | M] () -- C:\Documents and Settings\Trollope\Desktop\Thumbs.db
< End of report >
bingbong
OTViewIt Extras logfile created on: 14/10/2008 6:23:31 PM - Run
OTViewIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\Trollope\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.25 Gb Total Physical Memory | 0.79 Gb Available Physical Memory | 63.29% Memory free
1.48 Gb Paging File | 1.08 Gb Available in Paging File | 72.91% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 10.60 Gb Free Space | 28.45% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name:
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/04 17:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/04 17:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\messenger\msmsgs.exe:*:Enabled:Windows Messenger
File not found -- C:\WINDOWS\System32\P2P Networking\P2P Networking.exe:*:Enabled:P2P Networking
[2003/07/16 19:19:52 | 02,234,368 | ---- | M] () -- C:\Program Files\Kazaa Lite\clean.kmd:*:Enabled:clean
[2003/06/25 19:52:14 | 00,018,944 | ---- | M] (Rocko) -- C:\Program Files\Kazaa Lite\klrun.exe:*:Enabled:Kazaa Lite
File not found -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
File not found -- C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/02/09 16:00:48 | 25,388,584 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
[2008/04/26 08:49:38 | 00,510,976 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe
[2007/12/01 13:10:12 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe
[2008/04/26 08:49:38 | 00,579,584 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe
[2008/01/16 08:50:36 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005/09/20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005/09/20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005/09/20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/01/24 15:22:56 | 07,255,384 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/05/10 13:45:34 | 08,069,464 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/01/12 12:50:48 | 01,828,440 | R--- | M] (Skype Technologies) C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} (HKLM) [IEProtocolHandler Class])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2007/04/19 13:57:40 | 00,046,432 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{036AA4D4-6D32-11D4-9875-00105ACE7734}"=Logitech iTouch Software
"{03F1CC67-5BD8-4C36-8394-76311B2AE69A}"=ArcSoft PhotoStudio 5
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}"=Macromedia Flash Player
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}"=Google Earth
"{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}"=Picture Package
"{2BA00471-0328-3743-93BD-FA813353A783}"=Microsoft .NET Framework 3.0 Service Pack 1
"{2F173C40-563E-11D4-89C5-0010ADDAAC33}"=EA.com Matchup
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}"=Microsoft .NET Framework 3.5
"{3248F0A8-6813-11D6-A77B-00B0D0150030}"=J2SE Runtime Environment 5.0 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0150040}"=J2SE Runtime Environment 5.0 Update 4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}"=Skype Plugin Manager
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}"=Microsoft Windows Journal Viewer
"{4908C75E-E5E2-43F7-B1DF-023CBA831033}"=Nero 7 Ultra Edition
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}"=Windows Live Messenger
"{52E9D791-5A64-474D-A575-20ADC2446B3B}"=TMPGEnc DVD Author 1.6
"{563E2BC8-A0CA-4A81-9DD2-897BB326C679}"=Cheetah DVD Burner
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}"=MouseWare 9.43
"{5D33EB1D-390F-495D-A7B6-848032301E37}"=Before You Know It 3.6
"{6249C22D-E6A8-407B-BA8B-40298848ED94}"=OmniPage SE
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}"=Power Tab Editor 1.7
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{901F0409-6000-11D3-8CFE-0050048383C9}"=Microsoft Office XP Proofing Tools
"{90280409-6000-11D3-8CFE-0050048383C9}"=Microsoft Office XP Professional with FrontPage
"{90300409-6000-11D3-8CFE-0050048383C9}"=Microsoft Office XP Media Content
"{903B0409-6000-11D3-8CFE-0050048383C9}"=Microsoft Project Professional 2002
"{90510409-6D54-11D4-BEE3-00C04F990354}"=Microsoft Visio Professional 2002 [English]
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}"=Sound Blaster Audigy
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}"=QuickTime
"{99755640-9633-11D5-AB3C-0050DAB311CC}"=InterVideo MP3 + DVD XPack
"{9AB97F52-512B-43EF-AAEC-4825C17B32ED}"=EA.com Update
"{9FC7D8E1-F14F-11D4-943A-00E02950B496}"=Microsoft Office XP Pro Step by Step Interactive
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}"=Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}"=Windows Live installer
"{AC5FF188-86D0-4081-9D04-9D32EABC82CD}_is1"=CopyToDVD Suite 3
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}"=Windows Live Sign-in Assistant
"{B360A8E5-C171-4AAE-9777-65B3CDB0072C}"=CanoScan LiDE20,30 Manual
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}"=Microsoft .NET Framework (English)
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{BCE46757-7674-4416-BEDB-68205A60409E}"=Canon CanoScan Toolbox 4.1
"{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}"=ArcSoft PhotoBase 3
"{C8E4455F-0F70-4DA2-A9F9-2D56C80E10AD}"=Sibelius Scorch (ActiveX Only)
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CBE0FCA1-4E95-11D4-9875-00105ACE7734}"=Logitech User's Guide
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}"=SUPERAntiSpyware Free Edition
"{D63691B8-C804-4B19-8CF4-9ACE5B1613A3}"=Guitar and Drum Trainer 2
"{E0BD4CFC-9F57-43DD-8D0E-B66CAC60F9F6}"=mp3 Frame Editor
"{F4BCA241-85DC-11D5-A12B-00E02959CF77}"=East Bay Technologies - LiveWire! Broadcast
"7-Zip"=7-Zip 4.57
"ABest MOV Video Converter_is1"=ABest MOV Video Converter 5.52
"Adobe Acrobat 5.0"=Adobe Acrobat 4.0, 5.0
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe SVG Viewer"=Adobe SVG Viewer 3.0
"Aspire"=Aspire Screen Saver
"AUAU MPEG WMV AVI to MOV Converter_is1"=AUAU MPEG WMV AVI to MOV Converter 4.2
"Audacity_is1"=Audacity 1.2.6
"AudioConverter Studio_is1"=AudioConverter Studio 5.4
"AVG7Uninstall"=AVG Free Edition
"AVI MPEG Video Converter"=AVI MPEG Video Converter
"AVS Video Tools 5.1_is1"=AVS Video Tools 5.1
"AVS VideoConverter 3.1_is1"=AVS VideoConverter 3.1.1.151
"AVSDiscCreator_is1"=AVS Disc Creator version 2.1
"BB_is1"=Band-in-a-Box 2005
"Blaze Audio RipEditBurn PLUS Trial_is1"=Blaze Audio RipEditBurn PLUS Trial
"Bridge_Base_Online"=Bridge Base Online
"CCleaner"=CCleaner (remove only)
"D-Link DSL-200 ADSL Modem"=D-Link DSL-200 ADSL Modem
"DVD Decrypter"=DVD Decrypter (Remove Only)
"DVD Shrink_is1"=DVD Shrink 3.2
"EarMaster Pro 5_is1"=EarMaster Pro 5
"e-tax 2005"=e-tax 2005
"e-tax 2006"=e-tax 2006
"e-tax 2007"=e-tax 2007
"e-tax 2008"=e-tax 2008
"FLVPlayer"=FLV Player 1.3.3
"GoldWave v5.14"=GoldWave v5.14
"Guitar Freak Workstation With SightReader"=Guitar Freak Workstation With SightReader
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"ImTOO MPEG Encoder"=ImTOO MPEG Encoder
"kazaalite202_is1"=Kazaa Lite 2.6.1
"KB870669"=Microsoft Data Access Components KB870669
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5"=Microsoft .NET Framework 3.5
"Microsoft .NET Framework Full v1.0.3705 (1033)"=Microsoft .NET Framework (English) v1.0.3705
"Movavi Video Converter 5.5"=Movavi Video Converter 5.5
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"Multiquence v2.54"=Multiquence v2.54
"Musicnotes Player_is1"=Musicnotes Player V1.22.3
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"Pdf995"=Pdf995
"PE Builder_is1"=PE Builder 3.1.10a
"PG Music DirectX Plugins_is1"=PG Music DirectX Plugins 1.3.3.1
"QuickTime MOV Files Converter_is1"=QuickTime MOV Files Converter 2.2
"RealPlayer 6.0"=RealPlayer
"Shareaza_is1"=Shareaza version 2.2.1.0
"Sibelius 4"=Sibelius 4
"SightReaderMaster_is1"=SightReader Master
"SiS315 V2.04WHQL"=SiS315 V2.04WHQL
"Skype_is1"=Skype 3.0
"ST6UNST #1"=Hazard Perception Test Demo
"ST6UNST #2"=Hazard Perception Test Demo (c:\Program Files\Hazard Perception\)
"ST6UNST #3"=Hazard Perception Test Demo (c:\Program Files\Hazard Perception\) #3
"ST6UNST #4"=Tunchy
"SUPER ©"=SUPER © Version 2007.bld.23 (July 4, 2007)
"UltimateZip 3.0_is1"=UltimateZip 3.0.3
"VLC media player"=VideoLAN VLC media player 0.8.2
"WavePad"=WavePad Uninstall
"WIC"=Windows Imaging Component
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 2
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0
"XviD"=XviD MPEG-4 Codec

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/10/2008 10:23:51 PM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/10/2008 10:24:17 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16705, faulting
module msvcrt.dll, version 7.0.2600.2180, fault address 0x0001a61d.

Error - 11/10/2008 10:24:32 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16705, faulting
module msvcrt.dll, version 7.0.2600.2180, fault address 0x0001a61d.

Error - 11/10/2008 10:24:32 PM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/10/2008 10:28:55 PM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/10/2008 10:37:07 PM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/10/2008 7:07:20 AM | Computer Name = HOME | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office XP Professional with FrontPage -- Error
1706. Setup cannot find the required files. Check your connection to the network,
or CD-ROM drive. For other potential solutions to this problem, see C:\Program
Files\Microsoft Office\Office10\1033\SETUP.HLP.

Error - 12/10/2008 7:07:29 AM | Computer Name = HOME | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office XP Professional with FrontPage - Update
'{DA256408-A2E7-41A5-8AD6-62ACB86A0FD7}' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 13/10/2008 3:04:13 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16705, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x00011e58.

Error - 13/10/2008 3:21:29 AM | Computer Name = HOME | Source = pctsSvc.exe | ID = 0
Description =

[ System Events ]
Error - 14/10/2008 12:38:46 AM | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 14/10/2008 12:38:48 AM | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 14/10/2008 12:38:50 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 14/10/2008 12:38:50 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 14/10/2008 12:38:50 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 14/10/2008 12:38:50 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 14/10/2008 12:38:50 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Avg7Core Avg7RsW Avg7RsXP Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV
SASKUTIL
Tcpip

Error - 14/10/2008 12:56:56 AM | Computer Name = HOME | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 14/10/2008 12:56:58 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The PfModNT service failed to start due to the following error: %%2

Error - 14/10/2008 12:56:58 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >
Budapest
Boot your computer into Safe Mode and delete the following files:

C:\WINDOWS\System32\yzepzo.dll
C:\WINDOWS\System32\pxpqnoip.ini
C:\WINDOWS\System32\gvqrxcph.dll
C:\WINDOWS\System32\notdtc.dll
C:\WINDOWS\System32\rllcmujo.dll

Reboot back into normal mode.

Update your Java. Go Start > Control Panel and double click Java. Select the Update Tab and click Update Now. Then in the Control Panel double click Add or Remove Programs and delete all the Java entries except the latest one. You'll probably see these two entries that need to be removed:

J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4


Please download FileLook by jpshortstuff from one of these mirrors:
Link 1
Link 2
  • Double-click FileLook.exe to run it.
  • Ensure that the BBCode Output checkbox is checked.
  • Copy the content of the following codebox into the main textfield:
    CODE
    C:\WINDOWS\System32\drivers\Nbmkmd.sys
  • Click the FileLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at C:\fl_log.txt


Please download DirLook by jpshortstuff from here.
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the textfield labeled "Directory:":
    CODE
    C:\Documents and Settings\All Users\Application Data\obqbwrih
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.
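A triage pass over the "Files Created Within 30 Days" lines of the OTViewIt log above, added here as an example (it is not OldTimer's tool code nor the helper's own method). It parses the log's line format and applies the heuristic a helper used on this thread: publisher-less executables dropped directly into System32, and hidden+system data files beside them, then groups hits of identical size, which is how the 107,520-byte DLL pairs stand out. The heuristic and the sample lines (copied from the log) are assumptions for illustration.

```python
"""Triage helper for OTViewIt 'Files Created Within 30 Days' lines.

Added example, not part of the original thread or of OldTimer's tool.
The heuristics are assumptions modelled on what the helper flagged in
the log above; they are a starting point for review, not a verdict.
"""
import re
from collections import defaultdict
from datetime import datetime

# One OTViewIt file line: [date time | size | attrs | C/M] (publisher) -- path
# The "(publisher)" field is absent on directory lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<publisher>[^)]*)\) )?-- (?P<path>.+?)(?: -- \[.*\])?$"
)

SYSTEM32 = "c:\\windows\\system32\\"
EXECUTABLE_EXT = (".dll", ".exe", ".sys")

# Constructed sample: a subset of the log lines posted above.
SAMPLE_LOG = """\
========== Files/Folders - Created Within 30 Days ==========

[2 C:\\WINDOWS\\System32\\*.tmp files]
[2008/10/14 15:39:19 | 00,000,000 | ---D | C] -- C:\\WINDOWS\\ERUNT
[2008/10/12 16:32:47 | 00,002,548 | ---- | C] () -- C:\\WINDOWS\\System32\\tmp.reg
[2008/10/12 10:09:01 | 00,014,048 | ---- | C] (Microsoft Corporation) -- C:\\WINDOWS\\System32\\spmsg2.dll
[2008/10/11 11:55:11 | 00,107,520 | ---- | C] () -- C:\\WINDOWS\\System32\\yzepzo.dll
[2008/10/11 11:55:02 | 01,088,753 | -HS- | C] () -- C:\\WINDOWS\\System32\\pxpqnoip.ini
[2008/10/11 11:55:02 | 00,107,520 | ---- | C] () -- C:\\WINDOWS\\System32\\gvqrxcph.dll
[2008/10/11 10:34:13 | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\\WINDOWS\\System32\\drivers\\mbam.sys
[2008/10/11 10:02:35 | 00,107,520 | ---- | C] () -- C:\\WINDOWS\\System32\\notdtc.dll
[2008/10/11 10:02:28 | 00,107,520 | ---- | C] () -- C:\\WINDOWS\\System32\\rllcmujo.dll
"""


def parse_line(line):
    """Return a dict for a file/directory line, or None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
    d["size"] = int(d["size"].replace(",", ""))
    d["publisher"] = (d["publisher"] or "").strip()
    d["is_dir"] = "D" in d["attrs"]
    return d


def directly_in_system32(path):
    """True only for files sitting in System32 itself, not in a subfolder."""
    low = path.lower()
    return low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]


def is_suspicious(entry):
    """Heuristic: a publisher-less executable written straight into System32,
    or any hidden+system file there (the companion .ini pattern in the log)."""
    if entry["is_dir"] or not directly_in_system32(entry["path"]):
        return False
    ext = "." + entry["path"].lower().rsplit(".", 1)[-1]
    hidden_system = "H" in entry["attrs"] and "S" in entry["attrs"]
    no_publisher = entry["publisher"] == ""
    return (no_publisher and ext in EXECUTABLE_EXT) or hidden_system


def triage(log_text):
    """Return (hits, clusters): flagged entries and same-size groups among them."""
    hits = [e for e in map(parse_line, log_text.splitlines())
            if e and is_suspicious(e)]
    by_size = defaultdict(list)
    for e in hits:
        by_size[e["size"]].append(e["path"])
    clusters = {s: p for s, p in by_size.items() if len(p) > 1}
    return hits, clusters


if __name__ == "__main__":
    hits, clusters = triage(SAMPLE_LOG)
    for e in hits:
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S}  {e['size']:>9}  {e['attrs']}  {e['path']}")
    for size, paths in clusters.items():
        print(f"\n{len(paths)} flagged files share size {size} bytes:")
        for p in paths:
            print("   ", p)
```

On the sample it flags exactly the five System32 files the helper asked to be deleted and leaves tmp.reg, the Microsoft-signed spmsg2.dll and the Malwarebytes driver alone.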
bingbong
Here are the logs.

I could not find a file named pxpqnoip.ini anywhere.

Before I looked at your instructions I also scanned with Spydoctor which removed a bunch of stuff. It did however leave behind about 6 strange files located in
local settings\temp\WPDNSE which I can’t find a way to delete. Most of them have strange symbols as their file names.

A strange thing also happens when I open the Local Settings folder. About 4 windows come up saying that the Windows Live ID cannot connect.

FileLook.exe v1.0 by jpshortstuff
Log created at 22:26:14 on 15/10/2008

==============================
FileLook - Nbmkmd.sys

Filename: Nbmkmd.sys
Path: C:\WINDOWS\System32\drivers\
Created: 00:19:45 on 22/01/2004
Modified: 06:08:54 on 15/03/2001
Size: 42900 bytes
Attributes: Archive
-------------------------

==============================

=EOF=

DirLook.exe v2.0 by jpshortstuff
Log created at 09:30 on 16/10/2008
==================================
Contents of "C:\Documents and Settings\All Users\Application Data\obqbwrih"

---FOLDERS---

(none found)

---FILES---

qxulofql.exe (57344 bytes - created on 10/10/2008 at 22:51, modified on 10/10/2008 at 22:51) --a---

==================================
=EOF=


Budapest
Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
bingbong
FSBL did not come up with anything...here's the log

10/16/08 13:39:01 [Info]: BlackLight Engine 2.2.1092 initialized
10/16/08 13:39:01 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/16/08 13:39:01 [Note]: 7019 4
10/16/08 13:39:01 [Note]: 7005 0
10/16/08 13:39:07 [Note]: 7006 0
10/16/08 13:39:07 [Note]: 7022 0
10/16/08 13:39:07 [Note]: 7011 236
10/16/08 13:39:07 [Note]: 7035 0
10/16/08 13:39:08 [Note]: 7026 0
10/16/08 13:39:08 [Note]: 7026 0
10/16/08 13:39:08 [Note]: FSRAW library version 1.7.1024
10/16/08 13:40:03 [Error]: 5001 51989
10/16/08 13:44:28 [Note]: 7007 0
Budapest
Please upload the following file at Jotti for analysis:

C:\Documents and Settings\All Users\Application Data\obqbwrih\qxulofql.exe

Post back the results.

Also, update Malwarebytes and run another full scan.
bingbong
Here are the results from Jotti, will now do the MBAM scan.

Scan taken on 16 Oct 2008 03:02:42 (GMT)
A-Squared Found Virus.Win32.PureMorph!IK
AntiVir Found TR/Dldr.Obfuscated.dtj
ArcaVir Found nothing
Avast Found Win32:PureMorph
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Obfuscated.dtj
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Obfuscated.dtj
G DATA Found Win32:PureMorph
Ikarus Found Virus.Win32.PureMorph
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Obfuscated.dtj
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Obfuscated.dtj
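The multi-engine report above is the kind of output a responder has to read quickly: how many engines flag the sample, whether the names point at one family or several, and what category of threat (here a downloader) they agree on. The following is an added example, not code from the thread or from Jotti; it parses a copy of the report pasted above (constructed here as an inline string), normalises the vendor-specific naming so that "Virus.Win32.PureMorph!IK" and "Win32:PureMorph" count as the same family, and tags the category. The prefix and suffix lists are an assumption based on common vendor naming conventions, not a published standard.

```python
import re
from collections import Counter

# Constructed sample: the Jotti lines from the post above, one engine per line,
# in the form "<engine name> Found <verdict>" where the verdict "nothing" means clean.
JOTTI_REPORT = """\
A-Squared Found Virus.Win32.PureMorph!IK
AntiVir Found TR/Dldr.Obfuscated.dtj
ArcaVir Found nothing
Avast Found Win32:PureMorph
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Obfuscated.dtj
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Obfuscated.dtj
G DATA Found Win32:PureMorph
Ikarus Found Virus.Win32.PureMorph
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Obfuscated.dtj
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Obfuscated.dtj
"""

# Assumed generic tokens: type/platform prefixes that carry no family information.
GENERIC_TOKENS = {
    "virus", "trojan", "troj", "tr", "mal", "malware", "generic",
    "downloader", "dldr", "win32", "w32",
}

# Tokens that indicate a behaviour category rather than a family (assumed mapping).
CATEGORY_TOKENS = {
    "downloader": "downloader", "dldr": "downloader",
    "virus": "file-infector-style naming", "encpk": "packed/encrypted",
}


def parse_jotti(report):
    """Return {engine_name: verdict or None} from a pasted Jotti-style report."""
    results = {}
    for line in report.splitlines():
        line = line.strip()
        # Engine names may contain spaces, so split on the literal " Found " marker.
        engine, sep, verdict = line.partition(" Found ")
        if not sep:
            continue
        verdict = verdict.strip()
        results[engine] = None if verdict.lower() == "nothing" else verdict
    return results


def _tokens(verdict):
    # Split on the separators vendors use between type, platform, family and variant.
    return [t for t in re.split(r"[./:!\\\-\s]+", verdict) if t]


def normalize_family(verdict):
    """Heuristically extract the family name shared across vendor naming schemes."""
    for tok in _tokens(verdict):
        if tok.lower() in GENERIC_TOKENS:
            continue
        # Short all-lower or all-upper tokens such as "dtj", "DG" or "IK" are variant ids.
        if len(tok) <= 3 and (tok.islower() or tok.isupper()):
            continue
        return tok
    return "unknown"


def categories(verdict):
    """Behaviour categories implied by the tokens in a single verdict."""
    return {CATEGORY_TOKENS[t.lower()] for t in _tokens(verdict) if t.lower() in CATEGORY_TOKENS}


def detection_summary(results):
    """Count detections, consolidate family names and collect categories."""
    hits = {engine: v for engine, v in results.items() if v}
    families = Counter(normalize_family(v) for v in hits.values())
    cats = set()
    for v in hits.values():
        cats |= categories(v)
    return {
        "engines": len(results),
        "detections": len(hits),
        "families": families,
        "top_family": families.most_common(1)[0][0] if families else None,
        "categories": cats,
    }


if __name__ == "__main__":
    summary = detection_summary(parse_jotti(JOTTI_REPORT))
    print(f"{summary['detections']}/{summary['engines']} engines flag the file")
    for family, n in summary["families"].most_common():
        print(f"  {family}: {n} engine(s)")
    print("categories:", ", ".join(sorted(summary["categories"])))
```

Run against the pasted report this gives 10 of 20 engines detecting, with "Obfuscated" (5 engines) and "PureMorph" (4 engines) as the two naming clusters and "downloader" among the categories, which is the practical reading of the result: the sample is not a false positive and its job is to fetch further components, so cleaning it alone (as the thread goes on to do) is only the first step.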
Budapest
Delete that file using Malwarebytes FileASSASSIN, which is under the More Tools tab.
bingbong
After deleting that file, MBAM doesn't come up with any infections. No more trojan.vundo.h and malware.trace.

When I run spydoctor, it still finds six files (high risk) in local settings/temp/WPDNSE.
FileASSASSIN can't seem to get rid of them either, even though it says it has removed them successfully.

When right clicking the files and clicking delete, the error message says this:
cannot read from the source file or disk
Budapest
Please go to the Malware Upload Channel and upload the following file by reproducing the below steps:
  • Please enter the link to the topic in the text box next to: Link to topic where this file was requested:
  • Then click "Browse" on the line below and navigate to the following file:

    C:\WINDOWS\System32\drivers\Nbmkmd.sys (the file path should now appear in the text box next to the browse button)

  • In the comment section, please make a note that I asked you to upload the file here: Budapest
  • Click Send File
Please let me know when the submission has finished. Thanks.
bingbong
Done.
Budapest
Can you upload a couple of those problem files in local settings/temp/WPDNSE at Jotti for analysis?
bingbong
Scan says...

the file is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

Budapest
Run FileLook.exe on a couple of those files and post back the logs.
bingbong
It keeps saying 'unable to find file'.