
XP SP2 mozilla/ecata redirect =PITA problem?


  • This topic is locked
14 replies to this topic

#1 nic-303

nic-303

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:53 PM

Posted 14 January 2009 - 03:54 PM

I was told to post here by garmanma (thanx dude) in another forum.
When using Mozilla, it gets Google results from ecata.info (takes ages).
Then, any link I click will open an adware site.
Also, when clicking on pages like MySpace, adware opens repeatedly in new windows.
The only way to browse is to repeatedly copy and paste new addresses into the address bar.

I've read a solution on another thread and ran ComboFix, but to no avail; I thinks I needs some advice!
All will be greatly received!

Have run HJT as requested, results...

Thanks in advance for your assistance
:D


DDS (Ver_09-01-07.01) - NTFSx86
Run by NIC PERSONAL at 20:44:03.73 on 14/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1450 [GMT 0:00]

AV: avast! antivirus 4.8.1296 [VPS 090114-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\WLTRAY.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\stsystra.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Documents and Settings\NIC PERSONAL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.iesearch.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxserv2.paisley.ac.uk:8080
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - d:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - d:\program files\msn toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
uRun: [CTFMON.EXE] d:\windows\system32\ctfmon.exe
mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Broadcom Wireless Manager UI] d:\windows\system32\WLTRAY.exe
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
mRun: [TkBellExe] "d:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] d:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "d:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "d:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [WinampAgent] "d:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
uPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - d:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - d:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\nicper~1\applic~1\mozilla\firefox\profiles\98bspfq9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: d:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: d:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2008-4-2 111184]
R3 avast! Mail Scanner;avast! Mail Scanner;d:\program files\alwil software\avast4\ashMaiSv.exe [2008-3-22 254040]
R3 avast! Web Scanner;avast! Web Scanner;d:\program files\alwil software\avast4\ashWebSv.exe [2008-3-22 352920]
R4 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2008-4-2 20560]
R4 avast! Antivirus;avast! Antivirus;d:\program files\alwil software\avast4\ashServ.exe [2008-3-22 155160]
S3 Ndisprot;ArcNet NDIS Protocol Driver;d:\windows\system32\drivers\ndisprot.sys [2008-11-17 27904]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;d:\windows\system32\drivers\usbscan.sys [2008-9-27 15104]
S4 gupdate1c96fa3795166a0;Google Update Service (gupdate1c96fa3795166a0);d:\program files\google\update\GoogleUpdate.exe [2009-1-6 133104]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-01-12 16:43 <DIR> -cd----- d:\program files\MSN Toolbar
2009-01-12 14:44 <DIR> -cd----- d:\program files\CCleaner
2009-01-07 20:10 16,384 ac------ d:\documents and settings\nic personal\svc012.exe
2009-01-06 03:41 <DIR> -cd----- d:\program files\common files\Common Share
2009-01-06 03:41 <DIR> -cd----- d:\program files\OJOsoft
2009-01-06 02:39 <DIR> -cd----- d:\docume~1\nicper~1\applic~1\AVS4YOU
2009-01-06 02:39 <DIR> -cd----- d:\docume~1\alluse~1\applic~1\AVS4YOU
2009-01-06 02:37 <DIR> -cd----- d:\program files\common files\AVSMedia
2009-01-06 02:37 974,848 ac------ d:\windows\system32\mfc70.dll
2009-01-06 02:37 24,576 ac------ d:\windows\system32\msxml3a.dll
2009-01-06 02:37 <DIR> -cd----- d:\program files\AVS4YOU
2009-01-03 21:31 <DIR> -cd----- d:\program files\common files\Macrovision Shared
2008-12-17 16:01 <DIR> -cd----- d:\docume~1\alluse~1\applic~1\Soulseek

==================== Find3M ====================

2008-11-18 21:06 4,212 -c--h--- d:\windows\system32\zllictbl.dat
2008-11-17 19:10 27,904 ac------ d:\windows\system32\drivers\ndisprot.sys
2008-10-22 22:54 293,248 ac------ d:\program files\ImportContacts.exe
2008-03-24 15:37 0 ac------ d:\docume~1\nicper~1\applic~1\wklnhst.dat

============= FINISH: 20:44:18.31 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 22/03/2008 16:51:44
System Uptime: 14/01/2009 17:32:18 (3 hours ago)

Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel® CPU T2130 @ 1.86GHz | Microprocessor | 782/133mhz
Processor: Genuine Intel® CPU T2130 @ 1.86GHz | Microprocessor | 1061/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 20 GiB total, 1.981 GiB free.
D: is FIXED (NTFS) - 20 GiB total, 1.393 GiB free.
E: is FIXED (NTFS) - 110 GiB total, 7.481 GiB free.
F: is CDROM (UDF)
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
Service:

==== System Restore Points ===================

RP218: 14/01/2009 17:55:52 - System Checkpoint
RP219: 14/01/2009 17:56:31 - post combo fix

==== Installed Programs ======================

Ableton Live v7.0.1
Adobe Acrobat 5.0
Adobe Anchor Service CS3
Adobe Director 11
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Premiere Pro CS3
Adobe Setup
ASIO4ALL
avast! Antivirus
BitLord 1.1
Broadcom 440x 10/100 Integrated Controller
CCleaner (remove only)
Creative ASR
Creative Jukebox Driver
Creative NOMAD II Driver
Dell Resource CD
Dell Wireless WLAN Card
FreeKapture 2.00 - Freeware
Google Earth
Google Gears
Google Update
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 5
LimeWire 4.18.8
MagicDisc 2.6.93
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSN Toolbar
MSXML 6.0 Parser (KB933579)
OJOsoft Total Video Converter
PeerGuardian 2.0
QuickSet
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
SigmaTel Audio
Sonic Activation Module
Sound Blaster ADVANCED MB Drivers
Sound Blaster Extigy
VLC media player 0.9.8a
WebFldrs XP
Winamp
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
XviD MPEG-4 Codec

==== End Of File ===========================


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:53 PM

Posted 24 January 2009 - 11:45 PM

Hello, nic-303
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 nic-303

nic-303
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:53 PM

Posted 25 January 2009 - 12:02 PM

Hiya Billy, thanks for getting back to me, your assistance is greatly appreciated.
Here's the first set of logs:

OTViewIt logfile created on: 25/01/2009 16:57:37 - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = D:\Documents and Settings\NIC PERSONAL\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 75.00% Memory free
3.84 Gb Paging File | 3.42 Gb Available in Paging File | 89.08% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 19.53 Gb Total Space | 1.97 Gb Free Space | 10.09% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 2.73 Gb Free Space | 13.98% Space Free | Partition Type: NTFS
Drive E: | 109.97 Gb Total Space | 8.00 Gb Free Space | 7.27% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NIC-PERSONAL
Current User Name: NIC PERSONAL
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2007/03/16 18:10:46 | 00,020,480 | ---- | M] () -- D:\WINDOWS\system32\WLTRYSVC.EXE
[2007/03/16 18:10:42 | 01,253,376 | ---- | M] (Dell Inc.) -- D:\WINDOWS\system32\BCMWLTRY.EXE
[2008/11/26 17:12:08 | 00,018,752 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[2008/11/26 17:18:46 | 00,155,160 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashServ.exe
[2008/11/26 17:18:51 | 00,081,000 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashDisp.exe
[2007/03/16 18:10:46 | 01,392,640 | ---- | M] (Dell Inc.) -- D:\WINDOWS\system32\WLTRAY.EXE
[2005/12/13 17:41:08 | 00,077,824 | ---- | M] (Intel Corporation) -- D:\WINDOWS\system32\hkcmd.exe
[2005/12/13 17:45:00 | 00,118,784 | ---- | M] (Intel Corporation) -- D:\WINDOWS\system32\igfxpers.exe
[2006/02/28 12:00:00 | 00,033,280 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\rundll32.exe
[2008/03/24 23:43:27 | 00,185,896 | ---- | M] (RealNetworks, Inc.) -- D:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2005/12/13 17:41:00 | 00,159,744 | ---- | M] (Intel Corporation) -- D:\WINDOWS\system32\igfxsrvc.exe
[2006/10/27 00:47:42 | 00,031,016 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[2006/03/24 16:30:44 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- D:\WINDOWS\stsystra.exe
[2006/10/03 10:37:04 | 00,081,920 | ---- | M] (Macrovision Corporation) -- D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[2006/11/05 10:22:16 | 00,221,184 | ---- | M] (Sonic Solutions) -- D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[2008/03/27 06:35:38 | 00,036,352 | ---- | M] () -- D:\Program Files\Winamp\winampa.exe
[1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\system32\CTSVCCDA.EXE
[2006/08/03 17:50:46 | 00,380,928 | ---- | M] (Dell Inc.) -- D:\Program Files\Dell\QuickSet\NicConfigSvc.exe
[2009/01/06 02:06:45 | 00,133,104 | ---- | M] (Google Inc.) -- D:\Program Files\Google\Update\GoogleUpdate.exe
[2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\MsPMSPSv.exe
[2008/11/26 17:18:32 | 00,254,040 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[2008/11/26 17:16:23 | 00,352,920 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[2006/02/28 12:00:00 | 00,218,112 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wbem\wmiprvse.exe
[2006/02/28 12:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscntfy.exe
[2006/11/05 09:55:48 | 00,010,752 | ---- | M] (Sonic Solutions) -- D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wuauclt.exe
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Live\Messenger\msnmsgr.exe
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Live\Messenger\usnsvc.exe
[2006/02/28 12:00:00 | 00,093,184 | -HS- | M] (Microsoft Corporation) -- D:\Program Files\Internet Explorer\IEXPLORE.EXE
[2007/09/20 10:35:36 | 00,118,336 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
[2006/02/28 12:00:00 | 00,135,680 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\taskmgr.exe
[2008/03/27 06:36:26 | 01,307,136 | ---- | M] (Nullsoft) -- D:\Program Files\Winamp\winamp.exe
[2009/01/25 16:56:19 | 00,422,912 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\NIC PERSONAL\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/11/26 17:12:08 | 00,018,752 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
[2008/11/26 17:18:46 | 00,155,160 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
[2008/11/26 17:18:32 | 00,254,040 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
[2008/11/26 17:16:23 | 00,352,920 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
[2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access [Auto | Running])
[2009/01/03 21:31:41 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
[2007/10/09 11:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2009/01/06 02:06:45 | 00,133,104 | ---- | M] (Google Inc.) -- D:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c96fa3795166a0 [Auto | Stopped])
[2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- D:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2007/10/11 08:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2006/10/27 00:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
[2007/10/11 08:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2006/08/03 17:50:46 | 00,380,928 | ---- | M] (Dell Inc.) -- D:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC [Auto | Running])
[2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2006/11/05 10:15:12 | 00,880,640 | ---- | M] (Sonic Solutions) -- D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
[2006/11/05 10:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Stopped])
[2006/09/14 13:54:34 | 00,073,728 | ---- | M] (MicroVision Development, Inc.) -- D:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Running])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2007/03/16 18:10:46 | 00,020,480 | ---- | M] () -- D:\WINDOWS\system32\WLTRYSVC.EXE -- (wltrysvc [Auto | Running])
[2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2008/11/26 17:15:35 | 00,026,944 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
[2005/08/12 16:50:46 | 00,016,128 | ---- | M] (Dell Inc) -- D:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV [System | Running])
[2008/11/26 17:17:25 | 00,020,560 | ---- | M] (ALWIL Software) -- D:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
[2008/11/26 17:18:18 | 00,094,032 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
[2008/11/26 17:16:29 | 00,023,152 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
[2008/11/26 17:17:36 | 00,111,184 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
[2008/11/26 17:16:38 | 00,050,864 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
[2007/03/16 18:10:46 | 00,604,928 | ---- | M] (Broadcom Corporation) -- D:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX [On_Demand | Running])
[2006/08/17 08:55:16 | 00,044,544 | R--- | M] (Broadcom Corporation) -- D:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
[2005/01/10 17:15:00 | 00,138,752 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2005/05/25 16:34:00 | 00,158,464 | ---- | M] (Creative Technology Ltd.) -- D:\WINDOWS\system32\drivers\ctusfsyn.sys -- (CTUSFSYN [On_Demand | Running])
[2006/10/26 15:21:34 | 00,035,096 | ---- | M] (Roxio) -- D:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM [Auto | Running])
[2006/10/26 15:21:28 | 00,032,472 | ---- | M] (Roxio) -- D:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
[2007/02/08 19:05:30 | 00,012,856 | ---- | M] (Roxio) -- D:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
[2006/10/26 15:22:02 | 00,009,400 | ---- | M] (Roxio) -- D:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM [Auto | Running])
[2006/10/26 15:21:24 | 00,104,536 | ---- | M] (Roxio) -- D:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
[2006/10/26 15:21:30 | 00,026,296 | ---- | M] (Roxio) -- D:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
[2006/10/26 15:21:26 | 00,014,520 | ---- | M] (Roxio) -- D:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
[2007/02/08 19:05:30 | 00,028,120 | ---- | M] (Roxio) -- D:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M [System | Running])
[2006/10/26 15:21:34 | 00,094,648 | ---- | M] (Roxio) -- D:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
[2006/10/26 15:21:32 | 00,097,848 | ---- | M] (Roxio) -- D:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
[2006/07/21 10:21:26 | 00,099,176 | ---- | M] (Sonic Solutions) -- D:\WINDOWS\system32\drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
[2007/02/09 11:34:16 | 00,051,768 | ---- | M] (Roxio) -- D:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
[2004/08/12 17:45:54 | 00,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) -- D:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2005/12/13 18:09:34 | 01,364,574 | ---- | M] (Intel Corporation) -- D:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2008/02/18 16:29:16 | 00,096,256 | ---- | M] (MagicISO, Inc.) -- D:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus [On_Demand | Running])
[2006/01/04 14:41:48 | 01,389,056 | ---- | M] (Creative Technology Ltd.) -- D:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt [On_Demand | Running])
[2008/11/17 19:10:37 | 00,027,904 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- D:\WINDOWS\system32\drivers\ndisprot.sys -- (Ndisprot [On_Demand | Stopped])
[2005/01/10 17:15:00 | 00,106,496 | ---- | M] (Creative Technology Ltd.) -- D:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[2001/09/17 18:07:54 | 00,006,752 | ---- | M] (Creative Technology Ltd.) -- D:\WINDOWS\system32\PfModNT.sys -- (PfModNT [Auto | Running])
[2005/09/18 18:02:52 | 00,005,632 | ---- | M] () -- D:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter [On_Demand | Stopped])
[2006/02/28 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/07 23:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- D:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2006/11/15 00:16:24 | 00,032,256 | ---- | M] (REDC) -- D:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk [Auto | Running])
[2006/11/14 19:42:46 | 00,043,520 | ---- | M] (REDC) -- D:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk [Auto | Running])
[2006/11/14 17:35:20 | 00,037,376 | ---- | M] (REDC) -- D:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp [Auto | Running])
[2004/08/03 21:59:58 | 00,043,136 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\sbp2port.sys -- (sbp2port [Boot | Running])
[2006/02/28 12:00:00 | 00,067,584 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\sdbus.sys -- (sdbus [On_Demand | Running])
[2006/02/28 12:00:00 | 00,027,440 | ---- | M] () -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2006/03/24 16:34:30 | 01,156,648 | ---- | M] (SigmaTel, Inc.) -- D:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
[2004/08/03 23:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])
[2004/08/03 23:07:42 | 00,008,832 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Local Page"=http://www.iesearch.com/
"Local Page Restore"=
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.co.uk/
"Start Page Restore"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.co.uk/
"Start Page Restore"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (HKLM) -- D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} (HKLM) -- D:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll (Google Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- D:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- D:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- D:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll (Microsoft Corporation)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudCtrl"=RunDll32 AudCtrl.dll,RCMonitor ()
"avast!"=D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
"Broadcom Wireless Manager UI"=D:\WINDOWS\system32\WLTRAY.exe (Dell Inc.)
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
"igfxhkcmd"=D:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"igfxpers"=D:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"igfxtray"=D:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"ISUSPM Startup"=D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (Macrovision Corporation)
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (Macrovision Corporation)
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
"RoxWatchTray"="D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" (Sonic Solutions)
"SigmatelSysTrayApp"=stsystra.exe (SigmaTel, Inc.)
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" ()

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
""=
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
""=
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2006/10/27 15:07:36 | 17,891,112 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2006/10/27 15:07:36 | 17,891,112 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [2008/02/22 03:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5}: Menu: &Gears Settings -- %ProgramFiles%\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll [2008/11/29 16:27:46 | 01,667,072 | ---- | M] (Google Inc.)
{2670000A-7350-4f3c-8081-5663EE0C6C49}: Button: Send to OneNote -- %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [2006/10/26 20:32:42 | 00,604,000 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}: Menu: S&end to OneNote -- %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [2006/10/26 20:32:42 | 00,604,000 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | -HS- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 03:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} [HKLM] -> %ProgramFiles%\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll [&Gears Settings] -> [2008/11/29 16:27:46 | 01,667,072 | ---- | M] (Google Inc.)
CmdMapping\\{2670000A-7350-4f3c-8081-5663EE0C6C49} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2006/10/26 20:32:42 | 00,604,000 | ---- | M] (Microsoft Corporation)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | -HS- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | -HS- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | -HS- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1292428093-1935655697-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 03:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} [HKLM] -> %ProgramFiles%\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll [&Gears Settings] -> [2008/11/29 16:27:46 | 01,667,072 | ---- | M] (Google Inc.)
CmdMapping\\{2670000A-7350-4f3c-8081-5663EE0C6C49} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2006/10/26 20:32:42 | 00,604,000 | ---- | M] (Microsoft Corporation)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | -HS- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery
Extension\.spop: -- D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll [2001/01/30 13:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{48DD0448-9209-4F81-9F6D-D83562940134}: http://lads.myspace.com/upload/MySpaceUploader1006.cab -- MySpace Uploader Control
{4F1E5B1A-2A80-42CA-8532-2D05CB959537}: http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab -- MSN Photo Upload Tool
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/shockwa...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{6F1B337F-1B04-4B04-8333-D4D6F8C21C81} (Servers: | Description: Broadcom 440x 10/100 Integrated Controller)
{E4E97D08-1167-4BF4-A530-13E76D425066} (Servers: | Description: 1394 Net Adapter)
{FAFF642D-3FE9-4238-A8D4-135E27CE26B2} (Servers: | Description: Dell Wireless 1390 WLAN Mini-Card)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- D:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" (HKLM) -- D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/03/22 17:38:51 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e14c4fa-55cc-11dd-acc0-001d09be23b3}\Shell\Auto\command]
""=msnmsgr_plus.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e14c4fa-55cc-11dd-acc0-001d09be23b3}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e14c4fa-55cc-11dd-acc0-001d09be23b3}\Shell\AutoRun\command]
""=D:\WINDOWS\system32\shell32.dll -- [2006/02/28 12:00:00 | 08,384,000 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{60480a06-2661-11dd-ac42-001d09be23b3}\Shell\AutoRun\command]
""=RavMon.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{60480a06-2661-11dd-ac42-001d09be23b3}\Shell\explore\Command]
""=RavMon.exe -e


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{60480a06-2661-11dd-ac42-001d09be23b3}\Shell\open\Command]
""=RavMon.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{94f39e26-7ea0-11dd-ad0e-001d09be23b3}\Shell\AutoRun\command]
""=RavMon.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{94f39e26-7ea0-11dd-ad0e-001d09be23b3}\Shell\explore\Command]
""=RavMon.exe -e


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{94f39e26-7ea0-11dd-ad0e-001d09be23b3}\Shell\open\Command]
""=RavMon.exe

========== Files/Folders - Created Within 30 Days ==========

[4 D:\WINDOWS\*.tmp files]
[2009/01/25 16:56:42 | 00,000,000 | ---D | C] -- D:\Documents and Settings\NIC PERSONAL\Desktop\bleeping1
[2009/01/25 16:56:16 | 00,422,912 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\NIC PERSONAL\Desktop\OTViewIt.exe
[2009/01/23 12:50:23 | 00,010,572 | ---- | C] () -- D:\Documents and Settings\NIC PERSONAL\My Documents\virgin termination lett.docx
[2009/01/19 20:58:33 | 00,000,000 | -HSD | C] -- D:\RECYCLER
[2009/01/15 16:54:06 | 00,986,533 | ---- | C] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\02_Heartsrevolution_-_Ultraviolence_Chateau_Marmont_remix_Mastered_11-12.mp3
[2009/01/15 10:17:43 | 03,377,636 | ---- | C] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\Hostage - The New Gun.mp3
[2009/01/14 17:42:11 | 00,000,000 | ---D | C] -- D:\WINDOWS\ERDNT
[2009/01/12 16:47:46 | 00,001,848 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Windows Live Messenger .lnk
[2009/01/12 16:47:01 | 00,000,000 | ---D | C] -- D:\Program Files\Windows Live
[2009/01/12 16:43:10 | 00,000,000 | ---D | C] -- D:\Program Files\MSN Toolbar
[2009/01/12 14:52:34 | 00,000,000 | ---D | C] -- D:\Documents and Settings\NIC PERSONAL\My Documents\ccleaner backup
[2009/01/12 14:44:29 | 00,001,569 | ---- | C] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\CCleaner.lnk
[2009/01/12 14:44:29 | 00,000,000 | ---D | C] -- D:\Program Files\CCleaner
[2009/01/09 19:03:04 | 00,000,000 | ---D | C] -- D:\Documents and Settings\NIC PERSONAL\Desktop\MMD
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\NIC PERSONAL\Desktop\MMD:Roxio EMC Stream
[2009/01/06 03:41:58 | 00,001,951 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\OJOsoft Total Video Converter.lnk
[2009/01/06 03:41:50 | 00,000,000 | ---D | C] -- D:\Program Files\Common Files\Common Share
[2009/01/06 03:41:48 | 00,000,000 | ---D | C] -- D:\Program Files\OJOsoft
[2009/01/06 03:16:29 | 00,000,000 | ---D | C] -- D:\Documents and Settings\NIC PERSONAL\Desktop\progs for back up disk
[2009/01/06 02:39:08 | 00,000,000 | ---D | C] -- D:\Documents and Settings\NIC PERSONAL\Application Data\AVS4YOU
[2009/01/06 02:39:02 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\AVS4YOU
[2009/01/06 02:37:35 | 00,000,000 | ---D | C] -- D:\Program Files\Common Files\AVSMedia
[2009/01/06 02:37:11 | 00,974,848 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\mfc70.dll
[2009/01/06 02:37:10 | 00,024,576 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\msxml3a.dll
[2009/01/06 02:37:10 | 00,000,000 | ---D | C] -- D:\Program Files\AVS4YOU
[2009/01/06 02:23:50 | 00,001,625 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/01/06 02:23:30 | 00,000,000 | ---D | C] -- D:\Program Files\Common Files\Apple
[2009/01/06 02:23:24 | 00,000,000 | ---D | C] -- D:\Program Files\QuickTime
[2009/01/04 16:11:12 | 00,000,858 | ---- | C] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\Adobe Director 11.lnk
[2009/01/03 21:52:49 | 00,000,000 | ---D | C] -- D:\Documents and Settings\NIC PERSONAL\Desktop\harry potter
[2009/01/03 21:35:27 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/01/03 21:31:41 | 00,000,000 | ---D | C] -- D:\Program Files\Common Files\Macrovision Shared
[2009/01/03 20:33:19 | 00,000,000 | ---D | C] -- D:\Documents and Settings\NIC PERSONAL\Application Data\vlc
[2009/01/03 19:48:47 | 00,000,740 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\VLC media player.lnk

========== Files - Modified Within 30 Days ==========

[6 D:\WINDOWS\System32\*.tmp files]
[4 D:\WINDOWS\*.tmp files]
[2009/01/25 16:56:19 | 00,422,912 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\NIC PERSONAL\Desktop\OTViewIt.exe
[2009/01/25 16:40:50 | 00,000,602 | ---- | M] () -- D:\Documents and Settings\NIC PERSONAL\My Documents\My Sharing Folders.lnk
[2009/01/25 16:38:45 | 00,513,724 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2009/01/25 16:38:45 | 00,436,328 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2009/01/25 16:38:45 | 00,068,806 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2009/01/25 16:35:48 | 00,002,626 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2009/01/25 16:34:38 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2009/01/25 16:34:35 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2009/01/25 16:34:33 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2009/01/23 12:50:23 | 00,010,572 | ---- | M] () -- D:\Documents and Settings\NIC PERSONAL\My Documents\virgin termination lett.docx
[2009/01/23 12:39:57 | 00,002,515 | ---- | M] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\WORD.lnk
[2009/01/19 21:04:59 | 00,017,408 | ---- | M] () -- D:\Documents and Settings\NIC PERSONAL\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/19 03:30:00 | 00,000,416 | ---- | M] () -- D:\WINDOWS\tasks\ErrorSmart Scheduled Scan.job
[2009/01/15 16:54:06 | 00,986,533 | ---- | M] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\02_Heartsrevolution_-_Ultraviolence_Chateau_Marmont_remix_Mastered_11-12.mp3
[2009/01/15 10:47:46 | 03,377,636 | ---- | M] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\Hostage - The New Gun.mp3
[2009/01/14 17:46:03 | 00,000,227 | ---- | M] () -- D:\WINDOWS\system.ini
[2009/01/12 16:47:46 | 00,001,848 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Windows Live Messenger .lnk
[2009/01/12 14:44:29 | 00,001,569 | ---- | M] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\CCleaner.lnk
[2009/01/06 03:41:58 | 00,001,951 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\OJOsoft Total Video Converter.lnk
[2009/01/06 02:23:50 | 00,001,625 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/01/06 00:13:41 | 00,054,156 | -H-- | M] () -- D:\WINDOWS\QTFont.qfn
[2009/01/04 16:11:12 | 00,000,858 | ---- | M] () -- D:\Documents and Settings\NIC PERSONAL\Desktop\Adobe Director 11.lnk
[2009/01/03 19:48:47 | 00,000,740 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\VLC media player.lnk
< End of report >



OTViewIt Extras logfile created on: 25/01/2009 16:57:37 - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = D:\Documents and Settings\NIC PERSONAL\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 75.00% Memory free
3.84 Gb Paging File | 3.42 Gb Available in Paging File | 89.08% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 19.53 Gb Total Space | 1.97 Gb Free Space | 10.09% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 2.73 Gb Free Space | 13.98% Space Free | Partition Type: NTFS
Drive E: | 109.97 Gb Total Space | 8.00 Gb Free Space | 7.27% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NIC-PERSONAL
Current User Name: NIC PERSONAL
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- Reg Error: Key does not exist or could not be opened. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2006/02/28 12:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2006/02/28 12:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2004/08/04 01:06:34 | 01,667,584 | -HS- | M] (Microsoft Corporation) -- D:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2005/05/07 00:47:08 | 02,224,128 | ---- | M] (www.BitLord.com) -- D:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord
[2006/10/27 15:16:48 | 12,813,096 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
[2006/10/27 15:37:44 | 00,338,216 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove
[2006/10/27 15:03:04 | 01,018,664 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
[2008/09/18 18:50:21 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- D:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2006/02/28 12:00:00 | 00,083,456 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test
[2008/12/17 17:06:29 | 00,307,704 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006/10/27 00:48:02 | 00,222,512 | ---- | M] (Microsoft Corporation) D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (grooveLocalGWS:{88FED34C-F0CA-4636-A375-3CB6248B04CD} (HKLM) [Local Groove Web Services Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006/10/26 19:49:48 | 01,011,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006/10/26 19:49:48 | 01,011,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006/10/26 19:49:48 | 01,011,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006/10/26 13:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/10/26 21:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}"=Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}"=Roxio Creator Data
"{2A9C3F41-DACA-37AB-84FB-2E6193C42151}"=Google Gears
"{2BA00471-0328-3743-93BD-FA813353A783}"=Microsoft .NET Framework 3.0 Service Pack 1
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}"=Roxio Drag-to-Disc
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}"=Microsoft .NET Framework 3.5
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}"=Sonic Activation Module
"{3B45D262-3BEE-477F-8652-EC24950D3F65}"=Adobe Director 11
"{42929F0F-CE14-47AF-9FC7-FF297A603021}"=Dell Resource CD
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}"=Windows Live Messenger
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}"=Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}"=Roxio Express Labeler
"{6CDE6C4F-6FD7-4F24-A116-F0D173432FFC}"=Adobe Setup
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{83FFCFC7-88C6-41c6-8752-958A45325C82}"=Roxio Creator Audio
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® Graphics Media Accelerator Driver
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}"=Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}"=Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}"=Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}"=Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}"=Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}"=Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}"=Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}"=Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}"=Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}"=Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}"=Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}"=Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}"=Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}"=Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}"=Microsoft Office Access Setup Metadata MUI (English) 2007
"{90176341-0A8B-4CCC-A78D-F862228A6B95}"=Adobe Anchor Service CS3
"{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}"=Google Earth
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}"=Broadcom 440x 10/100 Integrated Controller
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}"=SigmaTel Audio
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}"=Windows Live installer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}"=Google Update
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}"=Windows Live Sign-in Assistant
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{BB81360F-041C-4CF7-B15E-71380D154244}"=Adobe Setup
"{C5074CC4-0E26-4716-A307-960272A90040}"=QuickSet
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}"=Roxio Creator DE
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}"=Roxio MyDVD DE
"4569969E1360D2854474C661EF9B4D54F143EB16"=Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"Ableton Live_is1"=Ableton Live v7.0.1
"Adobe Acrobat 5.0"=Adobe Acrobat 5.0
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Adobe_2755fefb5e3352ee2921713793bdbf8"=Adobe Director 11
"Adobe_8e01ce24e400b32648659751aec668e"=Adobe Premiere Pro CS3
"ASIO4ALL"=ASIO4ALL
"Audio Stream Recorder"=Creative ASR
"avast!"=avast! Antivirus
"BitLord"=BitLord 1.1
"Broadcom 802.11b Network Adapter"=Dell Wireless WLAN Card
"CCleaner"=CCleaner (remove only)
"Creative Jukebox Driver"=Creative Jukebox Driver
"Creative NOMAD II Driver"=Creative NOMAD II Driver
"ENTERPRISE"=Microsoft Office Enterprise 2007
"FreeKapture 2.00 - Freeware_is1"=FreeKapture 2.00 - Freeware
"LimeWire"=LimeWire 4.18.8
"MagicDisc 2.6.93"=MagicDisc 2.6.93
"Microsoft .NET Framework 3.5"=Microsoft .NET Framework 3.5
"Mozilla Firefox (3.0.5)"=Mozilla Firefox (3.0.5)
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Toolbar"=MSN Toolbar
"OJOsoft Total Video Converter2.5.1.1121"=OJOsoft Total Video Converter
"PeerGuardian_is1"=PeerGuardian 2.0
"RealPlayer 6.0"=RealPlayer
"SAMB_ADVMB_FILTER_DRV"=Sound Blaster ADVANCED MB Drivers
"Sound Blaster Extigy"=Sound Blaster Extigy
"VLC media player"=VLC media player 0.9.8a
"WIC"=Windows Imaging Component
"Winamp"=Winamp
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"WinRAR archiver"=WinRAR archiver
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"XviD"=XviD MPEG-4 Codec

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 02/09/2008 06:23:38 | Computer Name = NIC-PERSONAL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
H:\ADOBER.EXE failed, 0000A420.

Error - 02/09/2008 06:26:50 | Computer Name = NIC-PERSONAL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
H:\ADOBER.EXE failed, 0000A420.

Error - 15/11/2008 11:13:01 | Computer Name = NIC-PERSONAL | Source = avast! | ID = 33554522
Description = Error in aswChestS: chest s_NewFile Error 112.

Error - 15/11/2008 11:13:01 | Computer Name = NIC-PERSONAL | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 112.

Error - 14/01/2009 09:43:16 | Computer Name = NIC-PERSONAL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
D:\Program Files\BitLord\Downloads\80's Night (DJ Collections)\Covers\03-4_BACK.jpg
failed, 0000A420.

Error - 19/01/2009 18:31:13 | Computer Name = NIC-PERSONAL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.darwinawards.com/darwin/darwin2008.html failed, 0000A413.

[ Application Events ]
Error - 18/01/2009 17:27:52 | Computer Name = NIC-PERSONAL | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 19/01/2009 14:32:47 | Computer Name = NIC-PERSONAL | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3257, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 19/01/2009 21:13:26 | Computer Name = NIC-PERSONAL | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3257, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 19/01/2009 21:19:40 | Computer Name = NIC-PERSONAL | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3257, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 19/01/2009 21:24:09 | Computer Name = NIC-PERSONAL | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3257, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 19/01/2009 21:32:44 | Computer Name = NIC-PERSONAL | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3257, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 19/01/2009 21:43:07 | Computer Name = NIC-PERSONAL | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3257, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 20/01/2009 17:08:02 | Computer Name = NIC-PERSONAL | Source = Google Update | ID = 20
Description =

Error - 20/01/2009 18:08:02 | Computer Name = NIC-PERSONAL | Source = Google Update | ID = 20
Description =

Error - 24/01/2009 09:51:25 | Computer Name = NIC-PERSONAL | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3257, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 27/12/2008 05:16:28 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 29/12/2008 11:40:08 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 31/12/2008 14:05:35 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 03/01/2009 15:31:32 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 03/01/2009 15:41:01 | Computer Name = NIC-PERSONAL | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.2 for the Network Card with network
address 001F3A19437C has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 05/01/2009 15:31:33 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 07/01/2009 15:56:36 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/01/2009 03:39:28 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/01/2009 09:40:02 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 14/01/2009 09:40:03 | Computer Name = NIC-PERSONAL | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >



will post the others in a min.... :thumbsup:

#4 nic-303

nic-303
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:53 PM

Posted 25 January 2009 - 12:26 PM

here we go, the final log...
eagerly awaiting your reply, thanks again for the help sir :thumbsup:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-25 17:24:26
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA8345576]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA8345432]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA8345910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA834500A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA834550C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA8344F4A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA8344FAE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA834562C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA83455EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA834576C]

---- User code sections - GMER 1.0.14 ----

.text D:\Program Files\Windows Live\Messenger\msnmsgr.exe[3824] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 0056DBBD D:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT D:\WINDOWS\system32\services.exe[940] @ D:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT D:\WINDOWS\system32\services.exe[940] @ D:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxrqjgtqgw.sys
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxrqjgtqgw.sys
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxygbrjuun.dll

---- EOF - GMER 1.0.14 ----

#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:53 PM

Posted 25 January 2009 - 04:12 PM

Hello, nic-303
We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :services
    msqpdxserv.sys
    :reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

In your next reply, please include the following:
  • OTMoveIt3's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#6 nic-303

nic-303
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:53 PM

Posted 26 January 2009 - 07:56 AM

hello again, thanks for the speedy reply.
I've run those two apps as directed, here are the logs,
cheers,
nic
:thumbsup:

========== SERVICES/DRIVERS ==========
Unable to stop service msqpdxserv.sys .
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys\\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01262009_125201


GooredFix v1.83 by jpshortstuff
Log created at 12:53 on 26/01/2009 running Option #1 (NIC PERSONAL)
Firefox version 3.0.5 (en-GB)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="D:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="D:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="D:\Program Files\Google\Google Gears\Firefox\"

#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:53 PM

Posted 26 January 2009 - 03:56 PM

Hello, nic-303
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#8 nic-303

nic-303
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:53 PM

Posted 26 January 2009 - 04:43 PM

thanks yet again.
ran ComboFix whilst offline
have now restarted avast, it does all my firewall/virus stuff, do recon its adequate btw?
here's the log....
cheers,
nic

ComboFix 09-01-21.04 - NIC PERSONAL 2009-01-26 21:27:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1613 [GMT 0:00]
Running from: d:\documents and settings\NIC PERSONAL\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090126-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
.

2009-01-26 12:52 . 2009-01-26 12:52 <DIR> d----c--- D:\_OTMoveIt
2009-01-25 17:10 . 2009-01-25 17:10 250 --a--c--- d:\windows\gmer.ini
2009-01-16 17:01 . 2003-05-22 16:31 55,808 --a--c--- d:\windows\system32\lfpsd13n.dll
2009-01-12 16:47 . 2009-01-12 16:47 <DIR> d----c--- d:\program files\Windows Live
2009-01-12 16:43 . 2009-01-12 16:43 <DIR> d----c--- d:\program files\MSN Toolbar
2009-01-12 14:44 . 2009-01-12 14:44 <DIR> d----c--- d:\program files\CCleaner
2009-01-07 20:10 . 2009-01-08 07:30 16,384 --a--c--- d:\documents and settings\NIC PERSONAL\svc012.exe
2009-01-06 03:42 . 2009-01-06 03:42 <DIR> d----c--- d:\documents and settings\My Documents\OJOsoft Corporation
2009-01-06 03:42 . 2009-01-06 03:42 <DIR> d----c--- d:\documents and settings\My Documents
2009-01-06 03:41 . 2009-01-06 03:41 <DIR> d----c--- d:\program files\OJOsoft
2009-01-06 03:41 . 2009-01-06 03:41 <DIR> d----c--- d:\program files\Common Files\Common Share
2009-01-06 02:39 . 2009-01-06 02:39 <DIR> d----c--- d:\documents and settings\NIC PERSONAL\Application Data\AVS4YOU
2009-01-06 02:39 . 2009-01-06 02:39 <DIR> d----c--- d:\documents and settings\All Users\Application Data\AVS4YOU
2009-01-06 02:37 . 2009-01-06 03:16 <DIR> d----c--- d:\program files\Common Files\AVSMedia
2009-01-06 02:37 . 2009-01-06 03:17 <DIR> d----c--- d:\program files\AVS4YOU
2009-01-06 02:37 . 2007-02-27 18:36 974,848 --a--c--- d:\windows\system32\mfc70.dll
2009-01-06 02:37 . 2007-02-27 18:36 24,576 --a--c--- d:\windows\system32\msxml3a.dll
2009-01-06 02:23 . 2009-01-06 02:24 <DIR> d----c--- d:\program files\QuickTime
2009-01-06 02:23 . 2009-01-06 02:23 <DIR> d----c--- d:\program files\Common Files\Apple
2009-01-03 21:35 . 2009-01-03 21:35 <DIR> d----c--- d:\documents and settings\All Users\Application Data\FLEXnet
2009-01-03 21:31 . 2009-01-03 21:31 <DIR> d----c--- d:\program files\Common Files\Macrovision Shared
2009-01-03 20:33 . 2009-01-03 20:41 <DIR> d----c--- d:\documents and settings\NIC PERSONAL\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 20:48 --------- dc----w d:\documents and settings\NIC PERSONAL\Application Data\dvdcss
2009-01-16 19:52 --------- dc----w d:\documents and settings\NIC PERSONAL\Application Data\LimeWire
2009-01-12 14:24 --------- dc----w d:\documents and settings\All Users\Application Data\iolo
2009-01-12 13:55 --------- dc----w d:\program files\FriendBlasterPro
2009-01-06 02:23 --------- dc----w d:\documents and settings\All Users\Application Data\Apple Computer
2009-01-06 02:07 --------- dc----w d:\program files\Google
2009-01-03 21:31 --------- dc----w d:\program files\Common Files\Adobe
2009-01-03 19:48 --------- dc----w d:\program files\VideoLAN
2008-12-18 13:41 --------- dc----w d:\program files\PeerGuardian2
2008-12-17 16:01 --------- dc----w d:\documents and settings\All Users\Application Data\Soulseek
2008-11-27 17:26 --------- dc----w d:\program files\Windows Live(2)
2008-11-27 17:20 --------- dc----w d:\documents and settings\All Users\Application Data\WLInstaller
2008-10-22 22:54 293,248 -c--a-w d:\program files\ImportContacts.exe
2008-03-24 15:37 0 -c--a-w d:\documents and settings\NIC PERSONAL\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"igfxtray"="d:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="d:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="d:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-24 185896]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ISUSPM Startup"="d:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="d:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-03-27 36352]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AudCtrl"="AudCtrl.dll" [2001-12-20 d:\windows\system32\AudCtrl.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 d:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= d:\windows\system32\ctmp3.acm
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf d:\documents and settings\NIC PERSONAL\Application Data\iolo\

[HKLM\~\startupfolder\D:^Documents and Settings^NIC PERSONAL^Start Menu^Programs^Startup^MagicDisc.lnk]
path=d:\documents and settings\NIC PERSONAL\Start Menu\Programs\Startup\MagicDisc.lnk
backup=d:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\BitLord\\BitLord.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18722:TCP"= 18722:TCP:NortonAV
"12429:TCP"= 12429:TCP:NortonAV
"16279:TCP"= 16279:TCP:NortonAV

R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2008-04-02 111184]
R4 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2008-04-02 20560]
S3 Ndisprot;ArcNet NDIS Protocol Driver;d:\windows\system32\drivers\ndisprot.sys [2008-11-17 27904]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;d:\windows\system32\drivers\usbscan.sys [2008-09-27 15104]
S4 gupdate1c96fa3795166a0;Google Update Service (gupdate1c96fa3795166a0);d:\program files\Google\Update\GoogleUpdate.exe [2009-01-06 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e14c4fa-55cc-11dd-acc0-001d09be23b3}]
\Shell\Auto\command - msnmsgr_plus.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msnmsgr_plus.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60480a06-2661-11dd-ac42-001d09be23b3}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94f39e26-7ea0-11dd-ad0e-001d09be23b3}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-26 d:\windows\Tasks\ErrorSmart Scheduled Scan.job
- d:\program files\ErrorSmart\ErrorSmart.exe []

2009-01-26 d:\windows\Tasks\ErrorSmart Scheduled Scan.job
- d:\program files\ErrorSmart []

2009-01-26 d:\windows\Tasks\GoogleUpdateTaskMachine.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-01-06 02:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxserv2.paisley.ac.uk:8080
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\NIC PERSONAL\Application Data\Mozilla\Firefox\Profiles\98bspfq9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: d:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: d:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 21:28:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
d:\windows\System32\BCMLogon.dll
.
Completion time: 2009-01-26 21:30:26
ComboFix-quarantined-files.txt 2009-01-26 21:30:24
ComboFix2.txt 2009-01-14 17:47:19

Pre-Run: 2,482,651,136 bytes free
Post-Run: 2,475,343,872 bytes free

160 --- E O F --- 2008-04-01 00:58:01

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:53 PM

Posted 26 January 2009 - 05:09 PM

Hello, nic-303

do recon its adequate btw?

I'm sorry... I don't understand what you mean here.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    file::
    d:\documents and settings\NIC PERSONAL\svc012.exe
    d:\windows\Tasks\ErrorSmart Scheduled Scan.job
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e14c4fa-55cc-11dd-acc0-001d09be23b3}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60480a06-2661-11dd-ac42-001d09be23b3}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94f39e26-7ea0-11dd-ad0e-001d09be23b3}]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "18722:TCP"=-
    "12429:TCP"=-
    "16279:TCP"=
    folder::
    d:\program files\ErrorSmart
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image
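The CFScript above restores BootExecute with a raw hex(7) value and removes three kinds of entry that appear in the ComboFix log posted earlier in the thread: the extra BootExecute string, the mountpoints2 autorun commands, and the "NortonAV" globally open firewall ports. The following Python is an added example, not code from the thread, from ComboFix or from its author: it decodes the hex(7) value to show that it is exactly the Windows XP default `autocheck autochk *`, and it runs a small audit over an excerpt of the log (sample lines copied from the thread) that flags the same three things the script targets. The regedit-export (UTF-16LE) branch of the decoder and the `DEFAULT_BOOTEXECUTE` constant are this example's own assumptions.

```python
"""
Added example (not from the thread, ComboFix, or OTMoveIt3): decode a
.reg-style hex(7) REG_MULTI_SZ value and audit a ComboFix "Reg Loading
Points" excerpt for the entries the CFScript in the thread removes.
"""
import re
from typing import Dict, List, Tuple

# Windows XP default BootExecute: a REG_MULTI_SZ holding this single string.
# (Assumption of this example; the CFScript's hex(7) value decodes to it.)
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]


def decode_reg_multi_sz_hex7(value: str) -> List[str]:
    """Decode a hex(7) byte list ("61,75,...") into its list of strings.

    The CFScript in the thread writes one byte per character with a NUL after
    the string and a final NUL closing the list. A regedit .reg export writes
    the same value as UTF-16LE; that case is detected by the NUL in the second
    byte position and handled too.
    """
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    if len(raw) >= 2 and raw[0] != 0 and raw[1] == 0:
        text = raw.decode("utf-16-le")      # regedit export encoding
    else:
        text = raw.decode("latin-1")        # one byte per character
    return [s for s in text.split("\0") if s]


# Constructed excerpt of the thread's ComboFix "Reg Loading Points" section.
# ComboFix prints the REG_MULTI_SZ separator as the literal two characters "\0".
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf d:\documents and settings\NIC PERSONAL\Application Data\iolo\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18722:TCP"= 18722:TCP:NortonAV
"12429:TCP"= 12429:TCP:NortonAV

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60480a06-2661-11dd-ac42-001d09be23b3}]
\Shell\AutoRun\command - RavMon.exe
\Shell\open\Command - RavMon.exe
"""

PORT_RE = re.compile(r'"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(.+)$')
AUTORUN_RE = re.compile(r'\\Shell\\(\w+)\\[Cc]ommand - (.+)$')


def audit_reg_loading_points(log: str) -> Dict[str, list]:
    """Flag the three entry classes the thread's CFScript removes.

    Returns BootExecute strings beyond the default, every globally open
    firewall port with its label, and every mountpoints2 autorun command.
    """
    findings: Dict[str, list] = {
        "bootexecute_extra": [],
        "open_ports": [],        # (port spec, label)
        "autorun_commands": [],  # (volume GUID, verb, command)
    }
    current_key = ""
    for line in log.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if line.startswith("BootExecute REG_MULTI_SZ "):
            entries = line[len("BootExecute REG_MULTI_SZ "):].split("\\0")
            findings["bootexecute_extra"] = [
                e for e in entries if e not in DEFAULT_BOOTEXECUTE
            ]
        elif "globallyopenports" in current_key:
            m = PORT_RE.match(line)
            if m:
                findings["open_ports"].append((m.group(1), m.group(2)))
        elif "mountpoints2" in current_key:
            m = AUTORUN_RE.match(line)
            if m:
                volume = current_key.rsplit("\\", 1)[1]
                findings["autorun_commands"].append((volume, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    script_value = "61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00"
    print("CFScript BootExecute decodes to:", decode_reg_multi_sz_hex7(script_value))
    for name, items in audit_reg_loading_points(SAMPLE_LOG).items():
        print(name)
        for item in items:
            print("   ", item)
```

The decoder shows why the script's hex(7) line is safe to apply: it writes back only the default string, dropping the `smrgdf ...\iolo\` entry that the audit flags. The audit itself is deliberately a plain log-line parser rather than a registry query, so it can be run against a pasted ComboFix report on any machine; the firewall-port check reports every entry and leaves it to the reader to confirm whether the labelled product is actually installed (the thread's log lists no Norton product).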

#10 nic-303

nic-303
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:53 PM

Posted 27 January 2009 - 06:11 PM

hi again, followed the ComboFix steps as directed.
what i was asking before was, do you think avast is adequate anti virus/firewall protection?
here's the log, and thanks yet again for your help.
cheers,
nic.

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:53 PM

Posted 27 January 2009 - 07:26 PM

Yes, avast is fine :thumbsup:

You forgot the log though...

Billy3

#12 nic-303 (Topic Starter; Members, 9 posts)

Posted 27 January 2009 - 10:02 PM

Arrrg!
Sorry, I just forgot to paste; here you go......
:thumbsup:

ComboFix 09-01-21.04 - NIC PERSONAL 2009-01-27 23:03:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1520 [GMT 0:00]
Running from: d:\documents and settings\NIC PERSONAL\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\NIC PERSONAL\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090127-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
d:\documents and settings\NIC PERSONAL\svc012.exe
d:\windows\Tasks\ErrorSmart Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\NIC PERSONAL\svc012.exe
d:\windows\Tasks\ErrorSmart Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-26 12:52 . 2009-01-26 12:52 <DIR> d----c--- D:\_OTMoveIt
2009-01-25 17:10 . 2009-01-25 17:10 250 --a--c--- d:\windows\gmer.ini
2009-01-16 17:01 . 2003-05-22 16:31 55,808 --a--c--- d:\windows\system32\lfpsd13n.dll
2009-01-12 16:47 . 2009-01-12 16:47 <DIR> d----c--- d:\program files\Windows Live
2009-01-12 16:43 . 2009-01-12 16:43 <DIR> d----c--- d:\program files\MSN Toolbar
2009-01-12 14:44 . 2009-01-12 14:44 <DIR> d----c--- d:\program files\CCleaner
2009-01-06 03:42 . 2009-01-06 03:42 <DIR> d----c--- d:\documents and settings\My Documents\OJOsoft Corporation
2009-01-06 03:42 . 2009-01-06 03:42 <DIR> d----c--- d:\documents and settings\My Documents
2009-01-06 03:41 . 2009-01-06 03:41 <DIR> d----c--- d:\program files\OJOsoft
2009-01-06 03:41 . 2009-01-06 03:41 <DIR> d----c--- d:\program files\Common Files\Common Share
2009-01-06 02:39 . 2009-01-06 02:39 <DIR> d----c--- d:\documents and settings\NIC PERSONAL\Application Data\AVS4YOU
2009-01-06 02:39 . 2009-01-06 02:39 <DIR> d----c--- d:\documents and settings\All Users\Application Data\AVS4YOU
2009-01-06 02:37 . 2009-01-06 03:16 <DIR> d----c--- d:\program files\Common Files\AVSMedia
2009-01-06 02:37 . 2009-01-06 03:17 <DIR> d----c--- d:\program files\AVS4YOU
2009-01-06 02:37 . 2007-02-27 18:36 974,848 --a--c--- d:\windows\system32\mfc70.dll
2009-01-06 02:37 . 2007-02-27 18:36 24,576 --a--c--- d:\windows\system32\msxml3a.dll
2009-01-06 02:23 . 2009-01-06 02:24 <DIR> d----c--- d:\program files\QuickTime
2009-01-06 02:23 . 2009-01-06 02:23 <DIR> d----c--- d:\program files\Common Files\Apple
2009-01-03 21:35 . 2009-01-03 21:35 <DIR> d----c--- d:\documents and settings\All Users\Application Data\FLEXnet
2009-01-03 21:31 . 2009-01-03 21:31 <DIR> d----c--- d:\program files\Common Files\Macrovision Shared
2009-01-03 20:33 . 2009-01-03 20:41 <DIR> d----c--- d:\documents and settings\NIC PERSONAL\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 20:48 --------- dc----w d:\documents and settings\NIC PERSONAL\Application Data\dvdcss
2009-01-16 19:52 --------- dc----w d:\documents and settings\NIC PERSONAL\Application Data\LimeWire
2009-01-12 14:24 --------- dc----w d:\documents and settings\All Users\Application Data\iolo
2009-01-12 13:55 --------- dc----w d:\program files\FriendBlasterPro
2009-01-06 02:23 --------- dc----w d:\documents and settings\All Users\Application Data\Apple Computer
2009-01-06 02:07 --------- dc----w d:\program files\Google
2009-01-03 21:31 --------- dc----w d:\program files\Common Files\Adobe
2009-01-03 19:48 --------- dc----w d:\program files\VideoLAN
2008-12-18 13:41 --------- dc----w d:\program files\PeerGuardian2
2008-12-17 16:01 --------- dc----w d:\documents and settings\All Users\Application Data\Soulseek
2008-11-27 17:26 --------- dc----w d:\program files\Windows Live(2)
2008-11-27 17:20 --------- dc----w d:\documents and settings\All Users\Application Data\WLInstaller
2008-10-22 22:54 293,248 -c--a-w d:\program files\ImportContacts.exe
2008-03-24 15:37 0 -c--a-w d:\documents and settings\NIC PERSONAL\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-26_21.29.24.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-26 17:00:40 68,806 ----a-w d:\windows\system32\perfc009.dat
+ 2009-01-27 22:26:55 68,806 ----a-w d:\windows\system32\perfc009.dat
- 2009-01-26 17:00:40 436,328 ----a-w d:\windows\system32\perfh009.dat
+ 2009-01-27 22:26:55 436,328 ----a-w d:\windows\system32\perfh009.dat
+ 2009-01-27 22:22:44 16,384 -c--atw d:\windows\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"igfxtray"="d:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="d:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="d:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-24 185896]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ISUSPM Startup"="d:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="d:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-03-27 36352]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AudCtrl"="AudCtrl.dll" [2001-12-20 d:\windows\system32\AudCtrl.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 d:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= d:\windows\system32\ctmp3.acm
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\D:^Documents and Settings^NIC PERSONAL^Start Menu^Programs^Startup^MagicDisc.lnk]
path=d:\documents and settings\NIC PERSONAL\Start Menu\Programs\Startup\MagicDisc.lnk
backup=d:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\BitLord\\BitLord.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16279:TCP"= 16279:TCP:NortonAV

R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2008-04-02 111184]
R4 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2008-04-02 20560]
S3 Ndisprot;ArcNet NDIS Protocol Driver;d:\windows\system32\drivers\ndisprot.sys [2008-11-17 27904]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;d:\windows\system32\drivers\usbscan.sys [2008-09-27 15104]
S4 gupdate1c96fa3795166a0;Google Update Service (gupdate1c96fa3795166a0);d:\program files\Google\Update\GoogleUpdate.exe [2009-01-06 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 d:\windows\Tasks\GoogleUpdateTaskMachine.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-01-06 02:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1233071794&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D381052701&id=64855
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxserv2.paisley.ac.uk:8080
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\NIC PERSONAL\Application Data\Mozilla\Firefox\Profiles\98bspfq9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: d:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: d:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 23:04:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
d:\windows\System32\BCMLogon.dll
.
Completion time: 2009-01-27 23:06:20
ComboFix-quarantined-files.txt 2009-01-27 23:06:18
ComboFix2.txt 2009-01-26 21:30:28
ComboFix3.txt 2009-01-14 17:47:19

Pre-Run: 2,626,416,640 bytes free
Post-Run: 2,611,347,456 bytes free

151 --- E O F --- 2008-04-01 00:58:01

#13 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team, 12,304 posts; Redmond, Washington)

Posted 28 January 2009 - 06:24 AM

Hello, nic-303
Things are looking better.... are you still having redirects? How are things running?

I'm sorry... I made a typo in the script that caused it to miss one of the entries :thumbsup:

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code into the text area shown in the image. Do not include the word "Code".
    :reg
    [HKEY_LOCAL_MACHINE\System\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "16279:TCP"=-
    :commands
    [EmptyTemp]
  • Push the large button shown in the image.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the results line (shown in the image) here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software; just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • OTMoveIt3's Log
  • ESET OnlineScan's Log

BillyIII
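The entry the OTMoveIt3 script above deletes is a Windows Firewall "globally open port" exception (16279/TCP, labelled NortonAV on a machine that runs avast), which ComboFix lists under Reg Loading Points next to the AuthorizedApplications list. As an added example, not code from this thread, from ComboFix or from OTMoveIt3, the Python below parses those two firewall-policy sections out of a ComboFix log and produces review findings: every globally open port, and any authorized application whose path sits in a user-writable directory. The sample log is constructed in the same REGEDIT4 shape ComboFix prints; the 16279 entry and the Program Files paths are copied from the log in this thread, while the svc012.exe exception and the 3389 entry are made up to exercise the checks. The USER_WRITABLE_DIRS heuristic is an assumption of this example, not a ComboFix rule.

```python
import re
from typing import List, NamedTuple, Tuple


class OpenPort(NamedTuple):
    port: int
    proto: str
    label: str   # whatever follows "port:proto:" in the value (name, scope, state ...)


class AuthorizedApp(NamedTuple):
    path: str    # REGEDIT4 doubled backslashes collapsed to single ones


# ComboFix prints these keys with "HKLM\~\" shorthand; match either profile and either list.
FIREWALL_SECTION = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\"
    r"(?P<profile>\w+)\\(?P<list>AuthorizedApplications|GloballyOpenPorts)\\List\]$",
    re.IGNORECASE,
)
SECTION_HEADER = re.compile(r"^\[.*\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')

# Assumption of this example: executables living here rarely need an inbound exception.
USER_WRITABLE_DIRS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_firewall_policy(log_text: str) -> Tuple[List[AuthorizedApp], List[OpenPort]]:
    """Walk the REGEDIT4-style dump and collect both firewall exception lists."""
    apps: List[AuthorizedApp] = []
    ports: List[OpenPort] = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_HEADER.match(line):
            m = FIREWALL_SECTION.match(line)
            current = m.group("list").lower() if m else None
            continue
        m = VALUE_LINE.match(line) if current else None
        if not m:
            continue
        name, data = m.group("name"), m.group("data").strip()
        if current == "authorizedapplications":
            apps.append(AuthorizedApp(name.replace("\\\\", "\\")))
        else:
            port, proto = name.split(":", 1)
            # The value repeats "port:proto" and then appends the entry's label.
            label = data[len(name) + 1:] if data.startswith(name + ":") else data
            ports.append(OpenPort(int(port), proto.upper(), label))
    return apps, ports


def review_exceptions(apps: List[AuthorizedApp], ports: List[OpenPort]) -> List[str]:
    """Reviewer findings: every globally open port, plus exceptions for user-writable paths."""
    findings = []
    for p in ports:
        findings.append(
            f"port {p.port}/{p.proto} is open to all sources (label: {p.label or 'none'}); "
            "confirm a legitimate service actually listens on it"
        )
    for a in apps:
        if any(d in a.path.lower() for d in USER_WRITABLE_DIRS):
            findings.append(f"firewall exception for an executable in a user-writable location: {a.path}")
    return findings


# Constructed sample in the shape ComboFix prints under "Reg Loading Points".
# The first port entry and the Program Files paths are copied from the thread's log;
# the svc012.exe exception and the 3389 entry are made up to exercise the checks.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\BitLord\\BitLord.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Documents and Settings\\NIC PERSONAL\\svc012.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16279:TCP"= 16279:TCP:NortonAV
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"""

if __name__ == "__main__":
    found_apps, found_ports = parse_firewall_policy(SAMPLE_LOG)
    for finding in review_exceptions(found_apps, found_ports):
        print("-", finding)
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; an open port whose label names a product that is not installed (here "NortonAV" on an avast machine) is exactly the kind of finding the script flags for a human to check against the running services.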

#14 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team, 12,304 posts; Redmond, Washington)

Posted 03 February 2009 - 08:35 PM

Hello, nic-303
Are you still here?

BillyIII

#15 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team, 12,304 posts; Redmond, Washington)

Posted 06 February 2009 - 07:52 PM

Hello, nic-303
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII