BleepingComputer.com: Infected with "Vista total security" or similar - virus / adware??


Infected with "Vista total security" or similar - virus / adware?? DDS.txt, Attach.txt & Gmer log attached.

#31 dev00790 (Malware Study Hall Senior, 1,204 posts, joined 25-August 08, UK)

Posted 24 April 2011 - 12:47 PM

Hi etavares. Log below. Nothing found. Another friend of victim downloaded idump.exe approx 3 years ago. He doesn't know the source idump is from - could be either torrent or legit site.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6425

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

23/04/2011 16:17:00
mbam-log-2011-04-23 (16-17-00).txt

Scan type: Quick scan
Objects scanned: 187555
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Regards, dev00790
---------------------------------------
Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to PMs asking for assistance - please use the forums instead.

Member of the Bleeping Computer A.I.I. early response team!
If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM.


#32 etavares (Malware Response Team, 10,743 posts, joined 16-August 08)

Posted 24 April 2011 - 03:45 PM

It's looking okay. Please have them post one more OTL Quick Scan or DDS scan for me to take a peek at to ensure it still looks clean. Please also re-run GMER. The antivirus likely caught the issue, but it's better safe than sorry.

Here's a link to the beginning of the thread with my instructions in post 2 in case you need the links to download or the instructions to run them. Thanks!

http://www.bleepingcomputer.com/forums/topic386893.html

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
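etavares asks for one more OTL Quick Scan to confirm the machine is clean; the OTL report that is pasted later in this thread is a one-item-per-line format, and the first pass over such a report is usually a mechanical one: find autostart entries whose file is gone, binaries with no company name, BHOs with no CLSID, and a shell "open" command for .exe/.com files that is no longer the default `"%1" %*`. The script below is an added example, not code from this thread or from OTL's author; the sample lines are constructed here in the OTL format (the last one is an invented hijacked exefile handler so the check has something to catch), and the rule names are my own.

```python
import re

# Constructed sample in the OTL report format. The shapes follow the log pasted in this
# thread, but the lines are hand-written and abbreviated; the final O35 line is an
# invented hijacked exefile handler, included only to exercise the check.
SAMPLE_OTL = r"""
========== Processes (SafeList) ==========
PRC - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
========== Win32 Services (SafeList) ==========
SRV - File not found [Auto | Stopped] -- -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
O4 - HKLM..\Run: [DellSupportCenter] File not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-0-0-0-1000..exefile [open] -- "C:\Users\Example\AppData\Local\example.exe" "%1" %*
"""

# Windows' default shell "open" command for .exe/.com associations.
# Anything else means the association has been redirected through another binary.
DEFAULT_OPEN_CMD = '"%1" %*'

# PRC/MOD/SRV/DRV entry whose company-name field is empty: "()".
FILE_ENTRY = re.compile(r'^(PRC|MOD|SRV|DRV) - \[[^\]]*\] \(\) ')
# O35/O37 association entries; group 2 is the command after " -- ".
ASSOC_ENTRY = re.compile(r'^O3[57] - .*?(exefile|comfile|\.exe|\.com)\b.*? -- (.*)$')
# O2 BHO entry whose CLSID could not be resolved.
BHO_ENTRY = re.compile(r'^O2 - BHO: .*No CLSID value found')


def triage_otl(text):
    """Return (rule, line) pairs for OTL lines that deserve a second look.

    Rules (names are mine, not OTL's):
      missing-file      - an autostart, service or handler whose file is gone
      no-company-name   - a loaded binary with an empty company-name field
      bho-no-clsid      - a browser helper object with no CLSID value
      exefile-hijack    - .exe/.com "open" command differs from "%1" %*
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('='):
            continue  # blank or section header
        if 'File not found' in line:
            findings.append(('missing-file', line))
        if FILE_ENTRY.match(line):
            findings.append(('no-company-name', line))
        if BHO_ENTRY.match(line):
            findings.append(('bho-no-clsid', line))
        m = ASSOC_ENTRY.match(line)
        if m and m.group(2).strip() != DEFAULT_OPEN_CMD:
            findings.append(('exefile-hijack', line))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick overview before reading each line."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == '__main__':
    hits = triage_otl(SAMPLE_OTL)
    for rule, line in hits:
        print(f'[{rule:16}] {line}')
    print(summarize(hits))
```

None of these rules is a verdict on its own: an orphaned `File not found` entry is often just an uninstalled product (the Dell Support Center entries in this thread are a case in point), and an empty company name only means the binary carries no version-info publisher, so the script narrows the log to the lines a reviewer should read rather than declaring them malicious. The exefile check is the one with a direct bearing on a rogue-antivirus cleanup, since a redirected `.exe` association is how such products stay in front of every program launch, and it is the reason OTL reports the O35/O37 lines at all.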


#33 dev00790 (Malware Study Hall Senior, 1,204 posts, joined 25-August 08, UK)

Posted 27 April 2011 - 05:41 AM

Hi etavares.

I've emailed the victim your instructions this afternoon. Hopefully will receive the logs from him soon.

Regards,
dev


#34 dev00790 (Malware Study Hall Senior, 1,204 posts, joined 25-August 08, UK)

Posted 30 April 2011 - 03:15 PM

Hi etavares.

Sorry not to get back to you sooner.

OTL quick scan (with the "show all users" option selected) was done before AVG was removed (again); see below.

AVG then flagged up idump.exe again, so I believe this was quarantined. AVG was uninstalled after this. The AVG user prefs and virus vault contents were deleted.

Finally did GMER scan. Logs below.

OTL quick scan:

OTL logfile created on: 30/04/2011 18:20:23 - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\James Rudland\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 43.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 683.57 Gb Total Space | 182.80 Gb Free Space | 26.74% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 4.84 Gb Free Space | 32.29% Space Free | Partition Type: NTFS

Computer Name: PC-JAMES | User Name: James Rudland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/30 18:03:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
PRC - [2011/03/10 22:17:49 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/02/17 06:21:58 | 002,190,688 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/02/15 05:38:06 | 007,421,280 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2011/02/11 06:25:52 | 001,080,672 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2011/02/08 05:33:20 | 000,658,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2011/02/08 05:32:52 | 001,025,376 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe
PRC - [2011/02/08 05:32:48 | 000,351,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2011/02/08 05:32:46 | 000,656,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2011/01/26 22:55:56 | 000,393,216 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2011/01/26 22:55:26 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010/11/18 16:13:30 | 000,360,264 | ---- | M] (PC-Doctor, Inc.) -- C:\Program Files\Dell Support Center\imstrayicon.exe
PRC - [2010/10/27 22:21:54 | 001,155,072 | ---- | M] (Last.fm) -- C:\Program Files\Last.fm\LastFM.exe
PRC - [2008/10/29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/26 16:14:56 | 000,143,360 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
PRC - [2008/01/11 17:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/10/03 15:45:02 | 000,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/10/03 15:44:58 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/09/12 09:40:46 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/09/12 09:40:44 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/08/23 15:58:58 | 002,070,000 | ---- | M] () -- C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
PRC - [2007/07/31 19:02:22 | 000,151,552 | ---- | M] (Dell, Inc) -- C:\Program Files\Dell\Xcelerator\bin\ehLumaQuarkD.exe
PRC - [2007/05/23 20:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\pmxmiced.exe
PRC - [2007/02/13 11:43:38 | 000,715,568 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/02/13 11:43:36 | 001,600,304 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2006/11/08 15:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\ico.exe


========== Modules (SafeList) ==========

MOD - [2011/04/30 18:03:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
MOD - [2010/08/31 16:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2011/02/15 05:38:06 | 007,421,280 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2011/01/26 22:55:26 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/03/04 12:25:12 | 000,621,056 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/02/17 13:06:14 | 000,077,944 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2008/05/29 15:08:33 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/26 16:14:56 | 000,143,360 | ---- | M] (Affinegy, Inc.) [Auto | Running] -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe -- (AffinegyService)
SRV - [2008/01/19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/11 17:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/14 14:25:22 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2007/12/14 14:25:20 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2007/12/14 14:25:12 | 001,112,560 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2007/10/03 15:45:02 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/09/12 09:40:44 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)


========== Driver Services (SafeList) ==========

DRV - [2011/03/30 17:16:52 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/03/01 14:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/22 08:12:38 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/02/10 07:54:00 | 000,296,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/02/10 07:53:30 | 000,028,624 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/02/10 07:53:28 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/01/26 23:36:16 | 007,566,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2011/01/26 23:36:16 | 007,566,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2011/01/26 23:36:16 | 007,566,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2011/01/26 22:13:12 | 000,238,592 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2011/01/19 04:32:56 | 000,032,464 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/01/07 06:41:46 | 000,248,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2009/12/19 19:22:01 | 000,104,512 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2008/09/26 12:30:54 | 000,651,264 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2008/05/26 16:09:42 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AFGSp50.sys -- (AFGSp50)
DRV - [2008/01/19 06:53:22 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2007/11/20 08:20:32 | 001,034,496 | ---- | M] (Hauppauge Computer Works) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HCW85BDA.sys -- (HCW85BDA)
DRV - [2007/09/12 09:44:34 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2007/09/12 09:40:48 | 000,326,656 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/08/29 10:33:02 | 005,734,400 | ---- | M] (Lumanate Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LazerUsb.sys -- (LazerUsb)
DRV - [2007/06/01 13:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2007/05/24 16:44:00 | 000,019,008 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2005/08/02 16:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rt73.sys -- (RT73)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1080529
IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1319
FF - prefs.js..keyword.URL: "http://uk.search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/04/15 21:09:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/31 21:16:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/14 20:32:32 | 000,000,000 | ---D | M]

[2008/11/13 18:03:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Extensions
[2011/04/30 17:37:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions
[2010/07/18 15:06:53 | 000,000,000 | ---D | M] ("Garmin Communicator") -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/06/27 16:53:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/14 20:32:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/14 20:32:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/04/15 21:09:16 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG10\FIREFOX4
[2011/04/14 20:32:16 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/03/10 22:17:53 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2011/03/10 22:17:53 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2011/03/10 22:17:53 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/11/22 20:32:55 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml
[2011/03/10 22:17:54 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2011/04/04 21:53:54 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Bluetooth HCI Monitor] C:\Windows\System32\HCIMNTR.DLL (Logitech Inc.)
O4 - HKLM..\Run: [DellSupportCenter] File not found
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [PMX Daemon] C:\Windows\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe (Sonic Solutions)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000..\Run: [DellSupportCenter] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\James Rudland\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\James Rudland\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/30 18:03:43 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
[2011/04/16 21:23:03 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/04/15 21:11:12 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\AppData\Roaming\AVG10
[2011/04/15 21:09:55 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/04/15 21:09:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2011
[2011/04/15 21:07:02 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2011/04/15 21:07:02 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
[2011/04/15 21:05:23 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/04/15 20:57:24 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/04/15 20:42:00 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Support Center
[2011/04/15 20:35:31 | 000,000,000 | ---D | C] -- C:\ProgramData\PCDr
[2011/04/15 20:34:52 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\AppData\Roaming\PCDr
[2011/04/14 20:33:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/04/14 20:33:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/04/07 20:43:40 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/06 21:43:39 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\AppData\Roaming\Malwarebytes
[2011/04/06 21:41:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/04/06 21:41:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/06 21:41:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/04/06 21:41:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/04/06 21:41:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/06 21:31:56 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/05 21:57:47 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/04/05 21:57:01 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/04/05 21:46:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/04/04 21:42:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/04/04 21:42:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/04/04 21:42:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/04/04 21:42:20 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/04/04 21:41:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/01 21:24:55 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

========== Files - Modified Within 30 Days ==========

[2011/04/30 18:03:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
[2011/04/30 18:00:37 | 000,000,434 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{86E70E02-FBF7-48A1-85B8-2C9D7705C977}.job
[2011/04/30 17:54:01 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/30 17:45:18 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/04/30 17:29:52 | 113,791,285 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/04/30 17:25:24 | 000,656,548 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/30 17:25:24 | 000,126,870 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/30 17:21:38 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2011/04/30 17:19:31 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/30 17:19:13 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/30 17:19:13 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/30 17:19:10 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/30 17:19:08 | 3487,485,952 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/29 23:32:31 | 000,002,409 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/04/24 09:36:40 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2011/04/17 20:12:15 | 000,108,393 | ---- | M] () -- C:\Users\James Rudland\Desktop\Screenhot_of_Trojan_Generic17.JYL.jpg
[2011/04/15 21:39:25 | 000,499,184 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/04/15 21:09:24 | 000,000,832 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/04/15 21:04:06 | 000,114,688 | ---- | M] () -- C:\Users\James Rudland\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/06 21:41:22 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/04 21:53:54 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/04/01 21:24:55 | 613,674,422 | ---- | M] () -- C:\Windows\MEMORY.DMP

========== Files Created - No Company Name ==========

[2011/04/30 17:29:52 | 113,791,285 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/04/17 20:12:15 | 000,108,393 | ---- | C] () -- C:\Users\James Rudland\Desktop\Screenhot_of_Trojan_Generic17.JYL.jpg
[2011/04/15 21:09:24 | 000,000,832 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/04/15 20:42:20 | 000,000,564 | ---- | C] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2011/04/15 20:42:20 | 000,000,422 | ---- | C] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/04/06 21:41:22 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/04 21:42:22 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/04/04 21:42:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/04/04 21:42:22 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/04/04 21:42:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/04/04 21:42:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/04/01 21:23:56 | 613,674,422 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/01/26 22:12:00 | 000,023,040 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2010/12/21 02:27:22 | 000,003,113 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2010/12/17 16:00:46 | 000,227,587 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2010/10/16 15:09:16 | 000,015,312 | ---- | C] () -- C:\Windows\System32\RaCoInst.dat
[2010/01/14 19:53:10 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/04/02 20:16:36 | 000,168,448 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/04/02 20:16:32 | 000,795,648 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/04/02 20:16:31 | 000,130,048 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/04/02 20:16:31 | 000,067,584 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/02/03 23:18:45 | 000,000,680 | ---- | C] () -- C:\Users\James Rudland\AppData\Local\d3d9caps.dat
[2008/11/19 04:00:53 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2008/11/19 04:00:53 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/08/05 23:02:12 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/08/05 22:58:14 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/07/01 22:34:54 | 000,114,688 | ---- | C] () -- C:\Users\James Rudland\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/29 22:31:29 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/05/29 22:31:27 | 000,066,048 | ---- | C] () -- C:\Windows\System32\hcwxds.dll
[2008/05/29 22:31:23 | 000,876,544 | ---- | C] () -- C:\Windows\System32\TEACico2.dll
[2008/05/29 15:06:59 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2008/05/29 14:55:58 | 000,303,104 | ---- | C] () -- C:\Windows\System32\FontZoom.exe
[2008/05/29 14:55:57 | 000,131,062 | ---- | C] () -- C:\Windows\System32\DellPM.ini
[2008/05/29 14:44:09 | 000,002,409 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2008/05/29 14:36:18 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2007/02/13 11:14:18 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:47:37 | 000,499,184 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:33:01 | 000,656,548 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,126,870 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2010/01/07 22:19:56 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\AnvSoft
[2009/02/17 13:09:04 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Autodesk
[2011/04/15 21:11:12 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\AVG10
[2008/07/20 15:21:39 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\CopyTrans
[2010/04/12 21:34:46 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Facebook
[2010/07/18 15:16:23 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\GARMIN
[2010/02/16 21:31:03 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Nokia
[2010/02/16 21:14:46 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\PC Suite
[2011/04/15 20:36:59 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\PCDr
[2008/08/01 17:38:50 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Sony
[2011/01/25 23:06:32 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Spotify
[2011/03/22 23:13:53 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\TuneUpMedia
[2011/04/24 09:36:40 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2011/04/29 23:32:33 | 000,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/04/30 17:45:18 | 000,000,422 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job
[2011/04/30 18:00:37 | 000,000,434 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{86E70E02-FBF7-48A1-85B8-2C9D7705C977}.job

========== Purity Check ==========



< End of report >

GMER:

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-04-30 19:43:24
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.GK8O
Running: gmer.exe; Driver: C:\Users\JAMESR~1\AppData\Local\Temp\ugddapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F410000, 0x37D761, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2416] ntdll.dll!LdrLoadDll 77DB79B3 5 Bytes JMP 003C13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4900] USER32.dll!TrackPopupMenu 77A81417 5 Bytes JMP 6D632024 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4ce660dd
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4ce660dd@a87b39467e81 0x9A 0x8D 0x15 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e4ce660dd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e4ce660dd@a87b39467e81 0x9A 0x8D 0x15 0x23 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x5A 0x38 0x28 0xDC ...

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57B2.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57B3.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57B4.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57B5.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57B6.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57B7.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57B8.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57B9.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57BA.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57BB.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57BC.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57BD.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57BE.log 0 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57BF.log 0 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57C0.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSA57C1.log 0 bytes

---- EOF - GMER 1.0.15 ----

This post has been edited by dev00790: 30 April 2011 - 03:27 PM

Regards, dev00790
---------------------------------------
Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to PMs asking for assistance - please use the forums instead.

Member of the Bleeping Computer A.I.I. early response team!
If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM.


#35 User is offline   etavares 

  • Bleepin' Remover
  • Group: Malware Response Team
  • Posts: 10,743
  • Joined: 16-August 08
  • Gender:Male

Posted 01 May 2011 - 01:06 PM

Everything seems OK on this end. You can unquarantine iDump if you believe it to be legitimate; if not, that's two things that have quarantined it now, so if you're not sure, I would uninstall iDump.

Did you reinstall another antivirus in place of AVG?

Is everything running OK now? There were some orphaned registry entries we can take care of, but I think we are OK to clean up at this point.

Let me know.

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#36 User is offline   dev00790 

  • Bleeping chocoholic
  • Group: Malware Study Hall Senior
  • Posts: 1,204
  • Joined: 25-August 08
  • Gender:Male
  • Location:UK

Posted 03 May 2011 - 02:43 PM

OK, I'll ask the user to uninstall it.

The PC has no antivirus currently installed; it's disconnected from the internet. I plan to reinstall AVG before the all clean.

PC seems to be running quicker now (probably a faster boot due to temporarily not having AVG on). Yes please help me remove the orphaned reg keys from it.

If the cleanup is the standard one you mentioned earlier, I can just go and reread your one a few posts back. Let me know, ta.

Regards, dev00790


#37 User is offline   etavares 

  • Bleepin' Remover
  • Group: Malware Response Team
  • Posts: 10,743
  • Joined: 16-August 08
  • Gender:Male

Posted 03 May 2011 - 05:20 PM

Hello, dev00790.


Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.


The automatic part won't work with Vista or W7. Please back up manually using ERUNT with the following instructions:
  • Please locate the ERUNT icon on the desktop. If it is not there, click Start and type ERUNT into the search box.
  • Right click the ERUNT icon on the desktop or in the Start menu, and select Run as Administrator.
  • Click OK at the first message box.
  • Ensure the checkboxes for both "system registry" and "current user registry" are checked. Leave the default save location in there.
  • Click OK.
  • Click Yes to create the new folder.
  • You'll get a window saying "registry backup complete" once it's done. Click OK. If you get an error message, please STOP here and let me know. Do not proceed with any additional instructions until you check back with me.




Step 2

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 25.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each of the Java versions shown below:
    Java 6 Update 24
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586-s.exe to install the newest version.





Step 3

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
    O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
    O4 - HKLM..\Run: [DellSupportCenter] File not found
    O4 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000..\Run: [DellSupportCenter] File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    

  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done; please post that in your reply.
  • Then please create a new OTL report.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • A report will open; copy and paste it in a reply here.


etavares

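The entries etavares pastes under :OTL in step 3 are exactly the O-lines that OTL itself marks as pointing nowhere ("File not found", "No CLSID value found", "Reg Error: Key error"). As an added example, not OTL's or the helper's own code, here is a small Python triage script that picks those orphans out of an OTL log, keeps them apart from entries that merely lack a company name (those deserve a manual look, not removal), and assembles the :OTL fix block. The sample lines are copied from the OTL logs in this thread; the classification rules are this example's own assumption.

```python
"""Triage autostart entries (O2/O4/O18/O28 lines) from an OTL log.

Added example, not part of OTL. Sample lines are copied from the OTL logs in
this thread; the orphan/unattributed rules below are this example's assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Phrases OTL prints when an autostart entry's target no longer exists.
# Ordered so the more specific reason wins when a line contains more than one.
ORPHAN_MARKERS = ("No CLSID value found", "Reg Error: Key error", "File not found")

OLINE_RE = re.compile(r"^(O\d+) - (.*)$")             # "O4 - <rest of line>"
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")              # "[DellSupportCenter]"
HANDLER_RE = re.compile(r"Protocol\\Handler\\(\S+)")   # "Protocol\Handler\sacore"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")         # "{B164E929-...}"
EMPTY_COMPANY_RE = re.compile(r"\S \(\)$")             # trailing " ()": no version info

# Sample input: O-lines copied from the OTL logs posted in this thread.
SAMPLE_OTL = r"""
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O4 - HKLM..\Run: [DellSupportCenter] File not found
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
"""


@dataclass(frozen=True)
class Entry:
    section: str   # OTL section code, e.g. "O4"
    ident: str     # run-value name, protocol handler name or CLSID
    verdict: str   # "orphan" (target gone) or "unattributed" (file present, no company name)
    reason: str    # the marker that triggered the verdict
    line: str      # original log line; OTL removes the entry when this line sits under :OTL


def identify(rest: str) -> str:
    """Pick the most readable identifier available on the line."""
    for rx in (RUN_NAME_RE, HANDLER_RE):
        m = rx.search(rest)
        if m:
            return m.group(1)
    m = CLSID_RE.search(rest)
    return m.group(0) if m else rest.split(" - ", 1)[0]


def triage(otl_log: str) -> list[Entry]:
    """Classify O-lines: orphans are safe to remove, unattributed targets need a manual look."""
    entries: list[Entry] = []
    for raw in otl_log.splitlines():
        line = raw.strip()
        m = OLINE_RE.match(line)
        if not m:
            continue                      # not an O-line (file listing, header, blank)
        section, rest = m.groups()
        reason = next((mk for mk in ORPHAN_MARKERS if mk in rest), None)
        if reason is not None:
            entries.append(Entry(section, identify(rest), "orphan", reason, line))
        elif EMPTY_COMPANY_RE.search(rest):
            entries.append(Entry(section, identify(rest), "unattributed",
                                 "no company name in version info", line))
    return entries


def build_otl_fix(entries: list[Entry]) -> str:
    """Assemble the ':OTL' fix block from orphans only; unattributed entries are left out."""
    lines = [":OTL"] + [e.line for e in entries if e.verdict == "orphan"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for e in found:
        print(f"{e.section:<4} {e.verdict:<12} {e.ident}  ({e.reason})")
    print(build_otl_fix(found))
```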


#38 User is offline   dev00790 

  • Bleeping chocoholic
  • Group: Malware Study Hall Senior
  • Posts: 1,204
  • Joined: 25-August 08
  • Gender:Male
  • Location:UK

Posted 05 May 2011 - 03:09 PM

Hi etavares,

After step 2, the victim got an error on Windows starting up, on the desktop, saying "ERUNT could not start." So I started msconfig, and on the "startup" tab unchecked ERUNT from auto-starting. Also unchecked any other services that the victim didn't want auto-starting (all non-Microsoft ones).
Other than that I followed your instructions.

OTLfix log:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DellSupportCenter deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Microsoft\Windows\CurrentVersion\Run\\DellSupportCenter deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\dssrequest\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\ not found.
File {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\sacore\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\ not found.
File {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.

OTL by OldTimer - Version 3.2.22.3 log created on 05052011_203512

OTL full scan:

OTL logfile created on: 05/05/2011 20:48:25 - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\James Rudland\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 683.57 Gb Total Space | 183.87 Gb Free Space | 26.90% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 4.84 Gb Free Space | 32.29% Space Free | Partition Type: NTFS

Computer Name: PC-JAMES | User Name: James Rudland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/30 18:03:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
PRC - [2011/01/26 22:55:56 | 000,393,216 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2011/01/26 22:55:26 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2008/10/29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/26 16:14:56 | 000,143,360 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
PRC - [2008/01/11 17:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/10/03 15:45:02 | 000,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/10/03 15:44:58 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/09/12 09:40:46 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/09/12 09:40:44 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/08/23 15:58:58 | 002,070,000 | ---- | M] () -- C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
PRC - [2007/07/31 19:02:22 | 000,151,552 | ---- | M] (Dell, Inc) -- C:\Program Files\Dell\Xcelerator\bin\ehLumaQuarkD.exe
PRC - [2007/05/23 20:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\pmxmiced.exe
PRC - [2007/02/13 11:43:38 | 000,715,568 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/02/13 11:43:36 | 001,600,304 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2006/11/08 15:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\ico.exe


========== Modules (SafeList) ==========

MOD - [2011/04/30 18:03:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
MOD - [2010/08/31 16:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2011/01/26 22:55:26 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/03/04 12:25:12 | 000,621,056 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/02/17 13:06:14 | 000,077,944 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2008/05/29 15:08:33 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/26 16:14:56 | 000,143,360 | ---- | M] (Affinegy, Inc.) [Auto | Running] -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe -- (AffinegyService)
SRV - [2008/01/19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/11 17:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/14 14:25:22 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2007/12/14 14:25:20 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2007/12/14 14:25:12 | 001,112,560 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2007/10/03 15:45:02 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/09/12 09:40:44 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)


========== Driver Services (SafeList) ==========

DRV - [2011/01/26 23:36:16 | 007,566,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2011/01/26 23:36:16 | 007,566,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2011/01/26 23:36:16 | 007,566,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2011/01/26 22:13:12 | 000,238,592 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/11/18 01:36:02 | 000,021,744 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Stopped] -- c:\Program Files\Dell Support Center\pcdsrvc.pkms -- (PCDSRVC{E9D79540-57D5953E-06020101}_0)
DRV - [2009/12/19 19:22:01 | 000,104,512 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2008/09/26 12:30:54 | 000,651,264 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2008/05/26 16:09:42 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AFGSp50.sys -- (AFGSp50)
DRV - [2008/01/19 06:53:22 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2007/11/20 08:20:32 | 001,034,496 | ---- | M] (Hauppauge Computer Works) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HCW85BDA.sys -- (HCW85BDA)
DRV - [2007/09/12 09:44:34 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2007/09/12 09:40:48 | 000,326,656 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/08/29 10:33:02 | 005,734,400 | ---- | M] (Lumanate Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LazerUsb.sys -- (LazerUsb)
DRV - [2007/06/01 13:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2007/05/24 16:44:00 | 000,019,008 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2005/08/02 16:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rt73.sys -- (RT73)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1080529
IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.2
FF - prefs.js..keyword.URL: "http://uk.search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 18:43:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 18:43:23 | 000,000,000 | ---D | M]

[2008/11/13 18:03:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Extensions
[2011/05/05 20:32:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions
[2010/07/18 15:06:53 | 000,000,000 | ---D | M] ("Garmin Communicator") -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/06/27 16:53:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/05 20:30:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/05/05 20:30:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/05/05 20:29:03 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/03/10 22:17:53 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2011/03/10 22:17:53 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2011/03/10 22:17:53 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/11/22 20:32:55 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml
[2011/03/10 22:17:54 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2011/04/04 21:53:54 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O4 - HKLM..\Run: [Bluetooth HCI Monitor] C:\Windows\System32\HCIMNTR.DLL (Logitech Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [PMX Daemon] C:\Windows\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\James Rudland\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\James Rudland\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/05 20:47:53 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/05/05 20:32:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/05/05 20:30:22 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/05/05 20:30:22 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/05/05 20:30:22 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/05/05 20:12:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/05/05 20:12:10 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/30 18:49:48 | 000,100,480 | ---- | C] (GMER) -- C:\ugddapow.sys
[2011/04/30 18:23:56 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\Desktop\gmer
[2011/04/30 18:03:43 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
[2011/04/30 17:32:40 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2011/04/30 17:32:39 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2011/04/15 21:11:12 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\AppData\Roaming\AVG10
[2011/04/15 21:09:55 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/04/15 21:07:02 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2011/04/15 21:05:23 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/04/15 20:57:24 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/04/15 20:42:00 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Support Center
[2011/04/15 20:36:41 | 000,292,864 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2011/04/15 20:36:41 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2011/04/15 20:36:36 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/04/15 20:36:36 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/04/15 20:36:36 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011/04/15 20:36:36 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/04/15 20:36:36 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/04/15 20:36:36 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/04/15 20:36:36 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/04/15 20:36:36 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/04/15 20:36:36 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/04/15 20:36:36 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/04/15 20:36:36 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/04/15 20:36:36 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/04/15 20:36:36 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/04/15 20:36:36 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/04/15 20:36:36 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/04/15 20:36:36 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/04/15 20:36:36 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/04/15 20:36:09 | 001,136,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42.dll
[2011/04/15 20:36:08 | 001,161,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42u.dll
[2011/04/15 20:35:43 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dnscacheugc.exe
[2011/04/15 20:35:42 | 002,040,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/04/15 20:35:40 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/04/15 20:35:40 | 000,420,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/04/15 20:35:31 | 000,000,000 | ---D | C] -- C:\ProgramData\PCDr
[2011/04/15 20:34:52 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\AppData\Roaming\PCDr
[2011/04/14 20:33:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/04/14 20:32:32 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/04/07 20:43:40 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/06 21:47:04 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2011/04/06 21:43:39 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\AppData\Roaming\Malwarebytes
[2011/04/06 21:41:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/04/06 21:41:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/06 21:41:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/04/06 21:41:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/04/06 21:41:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/06 21:31:56 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/05 21:57:47 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/04/05 21:57:01 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/04/05 21:46:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe

========== Files - Modified Within 30 Days ==========

[2011/05/05 20:47:18 | 000,656,548 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/05/05 20:47:18 | 000,126,870 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/05/05 20:44:21 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2011/05/05 20:42:09 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/05 20:40:57 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/05 20:40:57 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/05 20:40:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/05 20:40:49 | 3487,485,952 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/05 20:36:48 | 000,002,409 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/05/05 20:29:02 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/05/05 20:29:02 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/05/05 20:29:02 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/05/05 20:29:02 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/05/05 20:12:11 | 000,000,735 | ---- | M] () -- C:\Users\James Rudland\Desktop\NTREGOPT.lnk
[2011/05/05 20:12:11 | 000,000,716 | ---- | M] () -- C:\Users\James Rudland\Desktop\ERUNT.lnk
[2011/05/05 20:11:20 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/05/05 19:59:15 | 000,000,434 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{86E70E02-FBF7-48A1-85B8-2C9D7705C977}.job
[2011/05/05 19:54:05 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/30 18:49:48 | 000,100,480 | ---- | M] (GMER) -- C:\ugddapow.sys
[2011/04/30 18:03:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
[2011/04/24 09:36:40 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2011/04/17 20:12:15 | 000,108,393 | ---- | M] () -- C:\Users\James Rudland\Desktop\Screenhot_of_Trojan_Generic17.JYL.jpg
[2011/04/15 21:39:25 | 000,499,184 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/04/15 21:04:06 | 000,114,688 | ---- | M] () -- C:\Users\James Rudland\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/06 21:41:22 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2011/05/05 20:12:11 | 000,000,735 | ---- | C] () -- C:\Users\James Rudland\Desktop\NTREGOPT.lnk
[2011/05/05 20:12:11 | 000,000,716 | ---- | C] () -- C:\Users\James Rudland\Desktop\ERUNT.lnk
[2011/04/17 20:12:15 | 000,108,393 | ---- | C] () -- C:\Users\James Rudland\Desktop\Screenhot_of_Trojan_Generic17.JYL.jpg
[2011/04/15 20:42:20 | 000,000,564 | ---- | C] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2011/04/15 20:42:20 | 000,000,422 | ---- | C] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/04/06 21:41:22 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/04 21:42:22 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/04/04 21:42:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/04/04 21:42:22 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/04/04 21:42:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/04/04 21:42:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/01/26 22:12:00 | 000,023,040 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2010/12/21 02:27:22 | 000,003,113 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2010/12/17 16:00:46 | 000,227,587 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2010/10/16 15:09:16 | 000,015,312 | ---- | C] () -- C:\Windows\System32\RaCoInst.dat
[2010/01/14 19:53:10 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/04/02 20:16:36 | 000,168,448 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/04/02 20:16:32 | 000,795,648 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/04/02 20:16:31 | 000,130,048 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/04/02 20:16:31 | 000,067,584 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/02/03 23:18:45 | 000,000,680 | ---- | C] () -- C:\Users\James Rudland\AppData\Local\d3d9caps.dat
[2008/11/19 04:00:53 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2008/11/19 04:00:53 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/08/05 23:02:12 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/08/05 22:58:14 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/07/01 22:34:54 | 000,114,688 | ---- | C] () -- C:\Users\James Rudland\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/29 22:31:29 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/05/29 22:31:27 | 000,066,048 | ---- | C] () -- C:\Windows\System32\hcwxds.dll
[2008/05/29 22:31:23 | 000,876,544 | ---- | C] () -- C:\Windows\System32\TEACico2.dll
[2008/05/29 15:06:59 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2008/05/29 14:55:58 | 000,303,104 | ---- | C] () -- C:\Windows\System32\FontZoom.exe
[2008/05/29 14:55:57 | 000,131,062 | ---- | C] () -- C:\Windows\System32\DellPM.ini
[2008/05/29 14:44:09 | 000,002,409 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2008/05/29 14:36:18 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2007/02/13 11:14:18 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:47:37 | 000,499,184 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:33:01 | 000,656,548 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,126,870 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

< End of report >
Regards, dev00790
---------------------------------------
Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to PMs asking for assistance - please use the forums instead.

Member of the Bleeping Computer A.I.I. early response team!
If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM.


#39 User is offline   etavares 

  • Bleepin' Remover
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 10,743
  • Joined: 16-August 08
  • Gender:Male

Posted 05 May 2011 - 05:56 PM

Hello, dev00790.

Yup, that's the error you will get by running ERUNT on Vista and/or W7. In XP, it's able to save a backup every boot. With Vista or W7, we have to do the manual backup like we did.

At this point, everything is looking good. If you haven't rebooted yet since running OTL, please do it now.

If you agree everything is OK, please push the clean up button in OTL. Next, feel free to uninstall ERUNT if everything booted fine.

Next, we need to purge system restore points.

We need to purge your system restore so malware is not accidentally restored. First, let's create a new restore point.
  • Go to Start and type in SystemPropertiesProtection and run that program.
  • Select the System Protection tab.
  • Press Create.
  • Give the restore point a name and press create.
  • You'll see it work, then say that it was created successfully.

Now, we need to remove the old, infected points using DiskCleanup.
  • Click on Start --> My Computer
  • Right-click on C: and select Properties.
  • Click on Disk Cleanup.
  • Double-click Files from all users on this computer.
  • Click on More Options tab and press Clean Up... under System Restore and Shadow Copies.
  • Click OK.
  • You'll get a couple of prompts asking if you're sure you want to do this, select Yes for them.
  • Disk cleanup will remove those restore points and close itself.

Now, you should be good to go. Safe surfing!

etavares

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
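The two steps in the post above (create a fresh restore point, then remove the older ones that may contain infected files) as a scripted equivalent. This is an added example, not code from the thread; it assumes an elevated PowerShell prompt on a client Windows build with System Restore enabled on C:, and uses the built-in Checkpoint-Computer and Get-ComputerRestorePoint cmdlets plus vssadmin.exe, which removes the same shadow copies that Disk Cleanup's "System Restore and Shadow Copies" button does.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumption: System Restore is enabled on the volume below.
$Volume = 'C:'

# Step 1: create a known-clean restore point FIRST, so the purge below never
# leaves the machine with nothing to roll back to.
# Caveat: on Windows 8 and later, Checkpoint-Computer silently skips creation
# if another point was made in the last 24 hours (SystemRestorePointCreationFrequency).
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType 'MODIFY_SETTINGS'
$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
Write-Host "Newest restore point #$($newest.SequenceNumber): $($newest.Description)"

# Restore points are stored in Volume Shadow Copies; count them via vssadmin.
function Get-ShadowCopyCount {
    param([string]$Vol)
    $out = & vssadmin.exe list shadows /for=$Vol 2>&1
    return @($out | Where-Object { $_ -match 'Shadow Copy ID:' }).Count
}

$count = Get-ShadowCopyCount -Vol $Volume
Write-Host "Shadow copies on ${Volume}: $count"

# Step 2: delete the oldest copy until only the newest (the one just created)
# remains. Disk Cleanup likewise keeps only the most recent restore point.
while ($count -gt 1) {
    & vssadmin.exe delete shadows /for=$Volume /oldest /quiet | Out-Null
    $count = Get-ShadowCopyCount -Vol $Volume
}

# Verify: only the post-cleanup point should be listed now.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

If the final listing shows more than one point, the volume had shadow copies that vssadmin could not remove (for example while a backup job held them), and the Disk Cleanup route in the post should be used instead.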


#40 User is offline   dev00790 

  • Bleeping chocoholic
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Senior
  • Posts: 1,204
  • Joined: 25-August 08
  • Gender:Male
  • Location:UK

Posted 09 May 2011 - 05:49 PM

Thanks a lot etavares.

dev00790


#41 User is offline   etavares 

  • Bleepin' Remover
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 10,743
  • Joined: 16-August 08
  • Gender:Male

Posted 09 May 2011 - 06:29 PM

No problem. Good luck with your training!



#42 User is offline   etavares 

  • Bleepin' Remover
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 10,743
  • Joined: 16-August 08
  • Gender:Male

Posted 14 May 2011 - 09:03 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


