Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

search results redirected


  • This topic is locked This topic is locked
27 replies to this topic

#1 ac87uk

ac87uk

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 10 May 2009 - 03:30 PM

Previously: http://www.bleepingcomputer.com/forums/t/219064/rogue-dlls-wont-delete-mozuvagi-nohosizi-tuzuyege-ganoseho/

I thought we'd gotten rid of everything as the computer appeared to be running fine but now google search results get redirected to random sites. Below is the hijack this logfile.

Cheers



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:23:18, on 10/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5655 bytes

BC AdBot (Login to Remove)

 


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:32 AM

Posted 24 May 2009 - 10:28 AM

Hello ac87uk,

Please advise if you have resolved your issues, or, if you are getting help elsewhere.
If you wish to get guided help here, please start with the following:
Please advise if the browser redirects are still happening, and if so, whether it is in I.E. browser or in Firefox or in other?

Let's have you create a restore point (at this time).
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. If there is a check mark next to "Turn off System Restore on all drives", then click on the line to clear it.
4. If C is your system drive (as it is in most cases) and you see other drives monitored in the list (like D, E, etc) click on the other drives, press Settings button, and get the other drives turned off.
5. we only want to monitor the drive with Windows o.s.
If you are unable to activate System Restore or if the service is disabled, then.....
from the Start button > RUN option .... type in
services.msc

look for System Restore service
If it is listed as off or inactive, press on the link at top left to Start it.

Next, See and do as outlined here http://bertk.mvps.org/html/createrp.html

After that, also do this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

>
Using Internet Explorer browser only, go to ESET Online Scanner website:
Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/onlinescan/cac4.php?page=faq
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
=

Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTListIt2 by clicking the X at top right.
Download Security Check by screen317 and save it to your Desktop: here or here
  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
Posted Image If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):
  • copy of the MBAM scan log,
  • copy of the Eset log.txt
  • the contents of OTListIt.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 24 May 2009 - 10:29 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 28 May 2009 - 09:12 AM

Hi Maurice Nagger,

Thanks for getting back to me. Yes the problem is still happening. I am useing firefox web browser and that is where these redirects happen. I'd still appreciate your help. I will start doing the things you have suggested, and let you know what happens.

Thanks

#4 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 28 May 2009 - 09:35 AM

Hi again,

I'm as far as the ESET online scan but it keeps prompting me to install. I don't remember having to install it previously so I wanted to ask if I install it or not?

AC

#5 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:32 AM

Posted 30 May 2009 - 06:32 AM

Yes, you "do" need to install the control for the scanning to work. Please do so and proceed forward.
Follow the prompts.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 04 June 2009 - 11:05 AM

Malwarebytes' Anti-Malware 1.37
Database version: 2187
Windows 5.1.2600 Service Pack 3

04/06/2009 15:48:07
mbam-log-2009-06-04 (15-48-07).txt

Scan type: Quick Scan
Objects scanned: 82653
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I ran the ESET online scan as requested, but nothing was found nor was a logfile created, for some reason.

#7 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 04 June 2009 - 11:10 AM

OTListIt logfile created on: 04/06/2009 17:07:15 - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Barbara\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 65.87% Memory free
3.84 Gb Paging File | 3.33 Gb Available in Paging File | 86.80% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.65 Gb Total Space | 39.81 Gb Free Space | 27.34% Space Free | Partition Type: NTFS
Drive D: | 2.37 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF1.02
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GISELA
Current User Name: Barbara
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2007/07/25 16:29:38 | 00,987,136 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/02/21 14:24:56 | 00,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/02/21 17:06:20 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2008/02/21 17:06:24 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/02/21 17:06:34 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/02/21 14:24:54 | 00,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/02/21 14:21:56 | 16,855,552 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2007/07/25 16:32:50 | 00,823,296 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
PRC - [2007/07/25 16:30:36 | 00,974,848 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
PRC - [2008/02/21 14:25:06 | 00,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\HidFind.exe
PRC - [2009/05/04 00:23:05 | 01,947,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2008/02/21 14:24:54 | 00,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apntex.exe
PRC - [2009/03/09 05:19:17 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2006/09/11 04:40:32 | 00,218,032 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2009/05/04 00:22:45 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2007/07/25 16:41:42 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2007/07/25 16:22:44 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2009/05/18 20:36:14 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2007/07/25 16:26:14 | 00,491,520 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2009/05/04 00:23:01 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/05/28 15:25:54 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Barbara\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/04 00:22:45 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/07/25 16:41:42 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
SRV - [2008/11/19 23:40:41 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [Disabled | Stopped])
SRV - [2008/06/01 17:39:39 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-010708-104812 [On_Demand | Stopped])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/11/14 02:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/04/23 11:22:14 | 03,068,352 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe -- (KService [Disabled | Stopped])
SRV - [2007/07/25 16:22:44 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2007/07/25 16:29:38 | 00,987,136 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2007/02/05 11:11:16 | 00,112,184 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe -- (SonicStage Back-End Service [On_Demand | Stopped])
SRV - [2007/02/05 11:11:18 | 00,075,320 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV [On_Demand | Stopped])
SRV - [2007/07/11 09:33:28 | 00,069,632 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [Disabled | Stopped])
SRV - [2007/10/18 12:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [Disabled | Stopped])
SRV - [2007/07/25 16:32:34 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- (WLANKEEPER [Disabled | Stopped])
SRV - [2007/10/25 16:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/08/14 08:57:42 | 00,074,720 | ---- | M] (Adobe Systems, Inc.) -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs [Auto | Running])
DRV - [2008/06/01 17:38:11 | 00,021,393 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2008/04/13 19:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2008/02/21 14:24:52 | 00,155,136 | ---- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\system32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2005/08/12 16:50:46 | 00,016,128 | ---- | M] (Dell Inc) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV [System | Running])
DRV - [2001/08/17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2009/05/04 00:23:11 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/04 00:23:11 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/04 00:23:04 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2001/08/17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2007/07/23 15:04:58 | 00,037,360 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLABMFSM.SYS -- (DLABMFSM [Auto | Running])
DRV - [2007/07/23 15:04:52 | 00,032,848 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
DRV - [2007/07/23 14:49:44 | 00,014,576 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [Boot | Running])
DRV - [2007/07/23 15:05:20 | 00,009,104 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLADResM.SYS -- (DLADResM [Auto | Running])
DRV - [2007/07/23 15:04:50 | 00,108,752 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
DRV - [2007/07/23 15:04:54 | 00,027,216 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
DRV - [2007/07/23 15:04:52 | 00,016,304 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
DRV - [2007/07/23 14:49:44 | 00,030,064 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLARTL_M.SYS -- (DLARTL_M [System | Running])
DRV - [2007/07/23 15:04:56 | 00,093,552 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
DRV - [2007/07/23 15:04:56 | 00,098,448 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
DRV - [2007/07/23 14:55:44 | 00,099,808 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2007/07/23 14:43:42 | 00,052,000 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
DRV - [2001/08/17 12:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2008/04/13 17:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2008/02/21 17:06:38 | 05,776,928 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2008/03/17 14:54:30 | 00,305,176 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2008/02/21 14:21:58 | 04,625,408 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2001/08/17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2007/08/12 18:05:34 | 02,211,456 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\NETw4x32.sys -- (NETw4x32 [On_Demand | Running])
DRV - [2004/08/03 22:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2008/04/13 19:56:06 | 00,088,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys -- (NwlnkIpx [Auto | Running])
DRV - [2004/08/04 05:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\nwlnknb.sys -- (NwlnkNb [Auto | Running])
DRV - [2004/08/04 05:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys -- (NwlnkSpx [Auto | Running])
DRV - [2008/02/21 14:38:24 | 00,048,472 | ---- | M] (O2Micro ) -- C:\WINDOWS\system32\DRIVERS\o2media.sys -- (O2MDRDR [On_Demand | Running])
DRV - [2008/02/21 14:38:30 | 00,043,480 | ---- | M] (O2Micro ) -- C:\WINDOWS\system32\DRIVERS\o2sd.sys -- (O2SDRDR [On_Demand | Running])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/07/26 03:00:00 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2008/02/21 17:28:14 | 00,105,856 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
DRV - [2007/05/29 15:29:30 | 00,012,416 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
DRV - [2009/04/18 11:59:54 | 00,163,644 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Running])
DRV - [2008/04/13 19:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
DRV - [2001/08/17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2008/09/12 20:05:29 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2001/08/17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=4080602

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {d75de36c-af0d-4dc2-b63a-0d482d4b9815}:1.5.4
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.87
FF - prefs.js..extensions.enabledItems: {E4E52058-653F-4ACD-9814-95A4FFF8F64C}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/05/04 00:25:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2008/12/12 18:50:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/28 20:28:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/28 20:28:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/04/12 20:03:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS

[2008/12/16 10:33:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\mozilla\Extensions
[2008/12/16 10:33:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/02 17:15:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\mozilla\Firefox\Profiles\qccluqg1.default\extensions
[2008/11/16 23:33:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\mozilla\Firefox\Profiles\qccluqg1.default\extensions\{d75de36c-af0d-4dc2-b63a-0d482d4b9815}
[2009/06/04 15:49:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/28 20:28:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/06/12 14:21:11 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2009/02/07 19:45:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/12/12 18:50:57 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/25 11:17:17 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/12 17:34:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{E4E52058-653F-4ACD-9814-95A4FFF8F64C}
[2009/04/28 20:28:07 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/28 20:28:07 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/04 16:52:08 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2009/04/04 16:52:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/04 16:52:08 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2009/04/04 16:52:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/04 16:52:08 | 00,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2009/04/04 16:52:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/04 16:52:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/04 16:52:08 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (Macrovision Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/09/19 00:21:52 | 00,000,000 | R--D | M] - D:\Autorun -- [ UDF1.02 ]
O32 - AutoRun File - [2007/09/17 19:48:04 | 00,263,744 | R--- | M] (Firaxis Games) - D:\autorun.exe -- [ UDF1.02 ]
O32 - AutoRun File - [2007/09/20 03:18:35 | 00,006,276 | R--- | M] () - D:\autorun.inf -- [ UDF1.02 ]
O33 - MountPoints2\{5f745214-2f57-11de-8e2e-9719cbcb33d3}\Shell - "" = AutoRun
O33 - MountPoints2\{5f745214-2f57-11de-8e2e-9719cbcb33d3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f745214-2f57-11de-8e2e-9719cbcb33d3}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{dbe34f27-3232-11dd-9d92-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{dbe34f27-3232-11dd-9d92-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dbe34f27-3232-11dd-9d92-806d6172696f}\Shell\AutoRun\command - "" = D:\autorun.exe -- [2007/09/17 19:48:04 | 00,263,744 | R--- | M] (Firaxis Games)
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/04 11:33:39 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/06/04 15:50:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/06/04 15:50:53 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/05/28 15:26:09 | 00,532,626 | ---- | C] () -- C:\Documents and Settings\Barbara\Desktop\SecurityCheck.exe
[2009/05/28 15:25:49 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Barbara\Desktop\OTListIt2.exe
[2009/05/28 15:17:24 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Barbara\Desktop\NTREGOPT.lnk
[2009/05/28 15:17:23 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Barbara\Desktop\ERUNT.lnk
[2009/05/28 15:17:21 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/21 20:51:36 | 00,023,550 | ---- | C] () -- C:\Documents and Settings\Barbara\My Documents\food.ods
[2009/05/07 20:22:58 | 09,459,820 | ---- | C] () -- C:\Documents and Settings\Barbara\Desktop\b.tif
[2009/05/07 19:23:47 | 09,438,180 | ---- | C] () -- C:\Documents and Settings\Barbara\Desktop\BF_T7_A10_0279.tif
[2009/05/07 19:02:54 | 00,267,132 | ---- | C] () -- C:\Documents and Settings\Barbara\Desktop\a.jpg
[2009/04/23 02:06:07 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/09/12 20:05:29 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/06/11 00:20:09 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2008/06/01 17:45:03 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/06/01 17:39:28 | 00,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/06/01 17:14:29 | 01,174,000 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/06/01 17:14:29 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2008/06/01 17:14:29 | 00,104,636 | ---- | C] () -- C:\WINDOWS\System32\igmedcompkrn.dll
[2008/06/01 17:13:03 | 00,001,202 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/05/13 02:53:16 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/05/13 02:50:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/05/13 02:50:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/05/13 02:50:08 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\divx_xx0a.dll
[2008/05/13 02:49:02 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/02/11 09:39:26 | 00,253,952 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLA.dll
[2008/02/11 09:39:18 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLW.dll
[2008/02/08 13:53:46 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerLang.dll
[2007/07/27 14:49:02 | 00,225,355 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiW.dll
[2007/07/27 14:49:02 | 00,196,683 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiA.dll
[2005/12/05 19:25:22 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\lnod32umc.dll
[2005/12/05 12:37:10 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\lnod32upd.dll
[2005/11/02 13:55:16 | 00,532,480 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2004/08/11 17:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 17:00:37 | 00,000,538 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/11 17:00:35 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1998/10/11 00:07:38 | 00,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/06/04 10:15:31 | 00,473,400 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/06/04 10:15:31 | 00,402,974 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/06/04 10:15:31 | 00,063,418 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/06/04 10:12:47 | 36,794,937 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/06/04 10:12:47 | 00,064,911 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/06/04 10:11:30 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/04 10:11:00 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Barbara\Local Settings\desktop.ini
[2009/06/04 10:11:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/04 10:10:59 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/04 10:10:57 | 21,374,44352 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/28 15:26:14 | 00,532,626 | ---- | M] () -- C:\Documents and Settings\Barbara\Desktop\SecurityCheck.exe
[2009/05/28 15:25:54 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Barbara\Desktop\OTListIt2.exe
[2009/05/28 15:17:24 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Barbara\Desktop\NTREGOPT.lnk
[2009/05/28 15:17:23 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Barbara\Desktop\ERUNT.lnk
[2009/05/26 13:20:08 | 00,040,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/26 13:19:56 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/21 20:51:36 | 00,023,550 | ---- | M] () -- C:\Documents and Settings\Barbara\My Documents\food.ods
[2009/05/21 19:49:34 | 00,017,233 | ---- | M] () -- C:\Documents and Settings\Barbara\My Documents\Money.ods
[2009/05/08 19:10:30 | 00,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/05/07 20:23:00 | 09,459,820 | ---- | M] () -- C:\Documents and Settings\Barbara\Desktop\b.tif
[2009/05/07 19:24:11 | 09,438,180 | ---- | M] () -- C:\Documents and Settings\Barbara\Desktop\BF_T7_A10_0279.tif
[2009/05/07 19:02:57 | 00,267,132 | ---- | M] () -- C:\Documents and Settings\Barbara\Desktop\a.jpg
[2009/05/07 08:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== LOP Check ==========

[2009/04/22 23:28:50 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/11/23 16:22:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/04/12 20:02:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/04/21 22:12:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg8
[2008/06/17 23:08:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
[2008/06/11 00:18:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2008/06/01 17:43:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2008/11/19 23:50:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2008/06/04 13:43:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2008/06/01 17:39:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2008/06/01 17:37:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intel
[2008/12/15 00:25:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
[2009/04/22 17:20:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/16 00:10:05 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2004/08/11 17:25:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2008/06/12 14:21:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2008/06/01 17:38:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic
[2009/01/14 01:10:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony Corporation
[2009/04/23 14:06:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/06/01 17:42:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/04/22 17:07:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\U3
[2008/06/17 23:12:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/11/22 13:53:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/04/27 13:33:33 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Barbara\Application Data
[2008/11/20 00:08:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Adobe
[2008/06/04 14:49:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\CyberLink
[2008/09/02 14:51:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\DAEMON Tools
[2008/06/04 13:41:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Dell
[2008/06/09 22:50:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\DivX
[2009/05/07 22:36:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\dvdcss
[2008/12/31 13:59:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Flickr
[2008/06/04 13:43:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Google
[2008/12/07 23:13:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\ICAClient
[2004/08/11 17:20:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Identities
[2008/06/01 17:38:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\InstallShield
[2008/06/01 17:38:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Intel
[2008/06/04 13:44:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Macromedia
[2009/04/22 17:21:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Malwarebytes
[2009/04/22 17:07:33 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Barbara\Application Data\Microsoft
[2009/02/16 12:36:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Mozilla
[2009/02/07 19:47:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\OpenOffice.org
[2008/09/02 14:59:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Roxio
[2008/09/12 18:30:21 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Barbara\Application Data\SecuROM
[2009/05/08 20:22:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Skype
[2009/05/08 19:10:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\skypePM
[2009/01/14 01:14:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Sony Corporation
[2008/12/29 12:00:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\SPORE
[2008/06/01 17:32:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Sun
[2009/02/16 12:36:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Talkback
[2009/02/16 12:36:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\Thunderbird
[2009/04/22 17:11:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\U3
[2009/05/29 16:32:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\uTorrent
[2008/06/11 00:23:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Barbara\Application Data\vlc
[2004/08/04 05:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/06/04 10:11:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

< End of report >



OTListIt Extras logfile created on: 04/06/2009 17:07:15 - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Barbara\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 65.87% Memory free
3.84 Gb Paging File | 3.33 Gb Available in Paging File | 86.80% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.65 Gb Total Space | 39.81 Gb Free Space | 27.34% Space Free | Partition Type: NTFS
Drive D: | 2.37 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF1.02
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GISELA
Current User Name: Barbara
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/02/26 10:57:28 | 00,063,600 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX
[2008/02/26 10:57:28 | 00,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 12:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 18:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/02/26 10:57:28 | 00,063,600 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX
[2008/02/26 10:57:28 | 00,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program
[2009/05/04 00:21:55 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2007/04/23 11:22:14 | 03,068,352 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service
[2008/06/04 18:03:06 | 13,994,408 | ---- | M] (Firaxis Games) -- C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4: Beyond the Sword
[2008/07/21 14:07:44 | 02,752,512 | ---- | M] (Electronic Arts) -- C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/11/02 17:27:53 | 00,270,128 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
[2007/10/18 12:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 18:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
[2008/08/14 08:58:34 | 00,611,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4
[2009/04/28 20:28:07 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
[2000/08/31 22:38:50 | 02,555,949 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Barbara\Desktop\A0EII\empires2.EXE:*:Enabled:Age of Empires II
[2000/08/08 03:13:34 | 02,695,213 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Barbara\Desktop\A0EII\age2_x1.exe:*:Enabled:Age of Empires II Expansion
[2008/04/14 01:12:17 | 00,029,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper
[2008/01/08 20:57:46 | 00,131,072 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Flickr Uploadr\Flickr Uploadr.exe:*:Enabled:Flickr Uploadr
[2009/03/25 22:57:13 | 08,500,328 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe:*:Enabled:Mozilla Thunderbird
File not found -- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player
[2009/05/04 00:23:01 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
[2007/07/25 16:41:42 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe:*:Enabled:EvtEng
[2007/07/25 16:32:34 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe:*:Enabled:WLKeeper
[2007/07/25 16:22:44 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe:*:Enabled:RegSrvc
[2007/07/25 16:29:38 | 00,987,136 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe:*:Enabled:S24EvMon
[2008/05/30 15:54:14 | 21,718,312 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{30D1F3D2-54CF-481D-A005-F94B0E98FEEC}" = Sid Meier's Civilization 4 Complete
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{8B7443F5-E141-42A0-AB61-ED2331AAD606}" = 4oD
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 4.3
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BF2F7927-92AF-4F5D-8B93-658F63DF8727}" = PDF Manual NW-A10003000
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}" = U3Launcher
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only
"{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"4oD" = 4oD
"7-Zip" = 7-Zip 4.60 beta
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"AVG8Uninstall" = AVG 8.5
"BAT Mod" = BAT Mod
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"EsetOnlineScanner" = ESET Online Scanner
"Fallout2" = Fallout2
"Flickr Uploadr" = Flickr Uploadr 3.0.5
"Google Desktop" = Google Desktop
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"InstallShield_{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"Mozilla Thunderbird (2.0.0.21)" = Mozilla Thunderbird (2.0.0.21)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PCFriendly" = PCFriendly
"ProInst" = Intel® PROSet/Wireless Software
"SearchAssist" = SearchAssist
"VLC media player" = VideoLAN VLC media player 0.8.6h
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BUG Mod 3.6" = BUG Mod 3.6
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 29/01/2009 19:37:46 | Computer Name = GISELA | Source = Application Error | ID = 1000
Description = Faulting application photoshop.exe, version 11.0.0.0, faulting module
kernel32.dll, version 5.1.2600.5512, fault address 0x00012aeb.

Error - 06/02/2009 17:58:37 | Computer Name = GISELA | Source = Application Error | ID = 1000
Description = Faulting application civ4beyondsword.exe, version 3.0.0.1, faulting
module cvgamecoredll.dll, version 3.1.3.0, fault address 0x0017a973.

Error - 06/02/2009 18:14:42 | Computer Name = GISELA | Source = Application Error | ID = 1000
Description = Faulting application civ4beyondsword.exe, version 3.0.0.1, faulting
module cvgamecoredll.dll, version 3.1.3.0, fault address 0x0017a973.

Error - 17/02/2009 19:28:00 | Computer Name = GISELA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3306, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 17/02/2009 19:28:00 | Computer Name = GISELA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3306, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 18/02/2009 15:43:05 | Computer Name = GISELA | Source = Application Error | ID = 1000
Description = Faulting application civ4beyondsword.exe, version 3.0.0.1, faulting
module cvgamecoredll.dll, version 3.1.7.0, fault address 0x0010e820.

Error - 18/02/2009 15:43:43 | Computer Name = GISELA | Source = Application Error | ID = 1000
Description = Faulting application civ4beyondsword.exe, version 3.0.0.1, faulting
module cvgamecoredll.dll, version 3.1.7.0, fault address 0x0010e820.

Error - 18/02/2009 17:30:59 | Computer Name = GISELA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3306, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 18/02/2009 17:54:37 | Computer Name = GISELA | Source = Application Error | ID = 1000
Description = Faulting application civ4beyondsword.exe, version 3.0.0.1, faulting
module cvgamecoredll.dll, version 3.1.7.0, fault address 0x0010e820.

Error - 22/02/2009 13:25:05 | Computer Name = GISELA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 10/05/2009 18:58:16 | Computer Name = GISELA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service usnjsvc with
arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 10/05/2009 18:58:27 | Computer Name = GISELA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service usnjsvc with
arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 10/05/2009 18:58:38 | Computer Name = GISELA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service usnjsvc with
arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 10/05/2009 18:58:48 | Computer Name = GISELA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service usnjsvc with
arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 21/05/2009 18:40:57 | Computer Name = GISELA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service usnjsvc with
arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 21/05/2009 18:41:07 | Computer Name = GISELA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service usnjsvc with
arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 21/05/2009 18:41:18 | Computer Name = GISELA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service usnjsvc with
arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 21/05/2009 18:41:29 | Computer Name = GISELA | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service usnjsvc with
arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 27/05/2009 10:38:40 | Computer Name = GISELA | Source = DCOM | ID = 10010
Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
with DCOM within the required timeout.

Error - 29/05/2009 10:31:10 | Computer Name = GISELA | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the avg8wd service.


< End of report >

#8 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 04 June 2009 - 11:12 AM

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
ESETOnlineScannerv3
ESETOnlineScanner
AVG8.5
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 13
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took -61910 seconds.
`````````End of Log```````````

#9 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:32 AM

Posted 05 June 2009 - 05:40 AM

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTLisIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
=

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Reply with copy of the OTListIt2 MOvedFiles log from above
and Goored.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 10 June 2009 - 11:13 AM

========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_734.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.8 log created on 06102009_170905

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_734.dat not found!

Registry entries deleted on Reboot...





GooredFix v1.92 by jpshortstuff
Log created at 17:12 on 10/06/2009 running Option #1 (Barbara)
Firefox version 3.0.10 (en-GB)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{E4E52058-653F-4ACD-9814-95A4FFF8F64C}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:32 AM

Posted 11 June 2009 - 10:21 AM

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6


uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp
> In top of the page (second in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 14
> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.
  • Tip: Choose Custom install to select only the part(s) you need/want.
Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_14 from Sun Microsystems Inc.
=

Now, please tell me if the search / redirect issues are still around ?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#12 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 13 June 2009 - 10:55 AM

Hi,

I did everything you said about updating JAVA. Unfortunately the redirects are still happening. What next?

Thanks for everything so far,
Ac

#13 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:32 AM

Posted 14 June 2009 - 11:09 AM

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
Posted Image
If you are a casual viewer, do NOT try this on your system!
If you are not ac87uk and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Posted Image Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image
then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Next, Close all non-essential programs & windows that you have open.
Go here and download & SAVE Silent Runners.vbs (use IE to download it) to a new folder on your drive and run it. It generates a log too {name will start with "Startup Programs". It takes a minute or two and it will notify you with a popup when your log is ready (it will be in the new folder you created). Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious. It simply generates a report on your system, and does not do any cleanup.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt
the Silent Runners log
and tell me, How is your system now ?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 24 June 2009 - 08:14 AM

ComboFix 09-06-23.01 - Barbara 24/06/2009 14:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1542 [GMT 1:00]
Running from: c:\documents and settings\Barbara\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-22 00:08 . 2009-06-22 00:08 -------- d--h--w- c:\windows\PIF
2009-06-21 11:53 . 2009-06-22 00:09 -------- d-----w- C:\HOSPITAL
2009-06-20 20:06 . 2009-06-20 20:06 4096 ----a-w- c:\windows\d3dx.dat
2009-06-20 20:04 . 2009-06-21 00:19 -------- d-----w- c:\program files\Airport Mania
2009-06-20 20:03 . 2009-06-20 20:03 -------- d-----w- c:\program files\ReflexiveArcade
2009-06-17 08:54 . 2009-06-12 09:44 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-17 08:54 . 2009-06-12 09:44 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-13 15:51 . 2009-06-13 15:51 -------- d-----w- c:\program files\Java
2009-06-12 09:45 . 2009-06-12 09:44 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-12 09:44 . 2009-06-12 09:43 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-10 16:09 . 2009-06-10 16:09 -------- d-----w- C:\_OTListIt
2009-06-07 01:15 . 2009-06-07 01:15 -------- d-----w- c:\program files\JRE
2009-06-07 01:15 . 2009-06-07 11:48 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-07 00:24 . 2009-06-07 00:24 655872 ----a-w- c:\documents and settings\Barbara\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\5D.tmp_\sun-presenter-screen.oxt\msvcr90.dll
2009-06-07 00:24 . 2009-06-07 00:24 601088 ----a-w- c:\documents and settings\Barbara\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\5D.tmp_\sun-presenter-screen.oxt\PresenterScreen.uno.dll
2009-06-07 00:24 . 2009-06-07 00:24 568832 ----a-w- c:\documents and settings\Barbara\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\5D.tmp_\sun-presenter-screen.oxt\msvcp90.dll
2009-06-07 00:24 . 2009-06-07 00:24 224768 ----a-w- c:\documents and settings\Barbara\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\5D.tmp_\sun-presenter-screen.oxt\msvcm90.dll
2009-06-04 14:50 . 2009-06-04 14:50 -------- d-----w- c:\program files\ESET
2009-05-28 14:22 . 2009-06-21 11:33 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-28 14:17 . 2009-05-28 14:17 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 23:17 . 2009-02-16 11:36 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-22 00:36 . 2008-11-02 16:27 -------- d-----w- c:\documents and settings\Barbara\Application Data\uTorrent
2009-06-22 00:17 . 2008-06-12 13:21 -------- d-----w- c:\documents and settings\Barbara\Application Data\Skype
2009-06-21 16:14 . 2008-06-12 13:22 -------- d-----w- c:\documents and settings\Barbara\Application Data\skypePM
2009-06-21 11:34 . 2009-04-22 16:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 10:27 . 2009-04-22 16:20 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2009-04-22 16:20 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 08:54 . 2008-06-04 13:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-13 15:51 . 2008-12-12 17:50 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-13 15:23 . 2009-02-07 18:48 1 ----a-w- c:\documents and settings\Barbara\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-12 09:44 . 2008-06-04 13:51 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 00:24 . 2008-06-01 16:42 -------- d-----w- c:\program files\Microsoft Works
2009-06-10 01:29 . 2008-06-10 23:23 -------- d-----w- c:\documents and settings\Barbara\Application Data\dvdcss
2009-06-07 19:54 . 2008-06-01 16:44 38368 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 01:15 . 2009-02-07 18:45 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-07 15:32 . 2004-08-11 16:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 21:22 . 2008-09-28 13:23 -------- d-----w- c:\program files\Sony
2009-05-03 23:23 . 2008-06-04 13:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-03 23:23 . 2008-06-04 13:51 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:46 . 2004-08-11 16:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-11 16:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 10:14 . 2009-04-25 10:14 152576 ----a-w- c:\documents and settings\Barbara\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-22 16:07 . 2009-04-22 16:07 1078 ----a-r- c:\documents and settings\Barbara\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe
2009-04-18 10:59 . 2004-08-11 16:00 163644 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-04-17 12:26 . 2004-08-11 16:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-11 16:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-02-07 21:46 . 2008-02-07 21:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-07 21:46 . 2008-02-07 21:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-07 21:46 . 2008-02-07 21:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-07 21:46 . 2008-02-07 21:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-07 21:46 . 2008-02-07 21:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-07 21:46 . 2008-02-07 21:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-07 21:46 . 2008-02-07 21:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 17:27 . 2007-03-16 17:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 17:27 . 2007-03-16 17:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 17:27 . 2007-03-16 17:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 12:47 . 2007-07-20 12:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-07 21:46 . 2008-02-07 21:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-21 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-21 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-13 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-02-21 16855552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 23:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Barbara^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\Barbara\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"SPTISRV"=3 (0x3)
"Sony SCSI Helper Service"=3 (0x3)
"stllssvr"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"KService"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"WLANKEEPER"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Barbara\\Desktop\\A0EII\\empires2.EXE"=
"c:\\Documents and Settings\\Barbara\\Desktop\\A0EII\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\WLKEEPER.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\S24EvMon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/06/2008 14:51 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/06/2008 14:51 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/09/2008 19:26 298776]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [01/06/2008 17:14 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [01/06/2008 17:14 43480]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 14:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1338439940-579728122-3991270112-1005\Software\SecuROM\License information*]
"datasecu"=hex:0b,27,25,86,3d,90,5d,0d,20,d9,c9,53,bf,0a,49,4c,2c,53,88,77,09,
f8,25,8e,4d,61,43,fe,1f,53,e7,d9,22,ed,14,e6,08,70,7e,c4,7d,70,26,e5,f0,fb,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(700)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-24 14:10
ComboFix-quarantined-files.txt 2009-06-24 13:10

Pre-Run: 40,649,936,896 bytes free
Post-Run: 40,676,282,368 bytes free

178 --- E O F --- 2009-06-12 00:24






"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ISUSPM" = ""C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler" ["Macrovision Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\DellTPad\Apoint.exe" ["Alps Electric Co., Ltd."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"IntelZeroConfig" = ""C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"IntelWireless" = ""C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"dscactivate" = ""C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"" [null data]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java™ Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
{C95FFEAE-A32E-4122-A5C4-49B5BFB69795}\(Default) = "{C95FFEAE-A32E-4122-A5C4-49B5BFB69795}"
-> {HKLM...CLSID} = "Adobe Drive CS4"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Adobe Drive CS4\ADFSMenu.dll" ["Adobe Systems Incorporated"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BridgeCS4ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS4"
"InvokeProgID" = "Adobe.adobebridgeCS4"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS4\shell\launch\command\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS4\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

BridgeCS4NonVolumeHandler\
"Provider" = "Adobe Bridge CS4"
"ProgID" = "Adobe.adobebridgeMTP_1"
HKLM\SOFTWARE\Classes\Adobe.adobebridgeMTP_1\CLSID\(Default) = "{1E6C711B-6D70-4a65-8AB6-745DC19BE2A6}"
-> {HKLM...CLSID} = "Adobe Bridge CS4"
\LocalServer32\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS4\bridgeproxy.exe -m" ["Adobe Systems, Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

PDVDDXPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPDVDDX"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

PDVDDXPlayVideoCDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPDVDDX"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

RoxioSCAudioCDTask33\
"Provider" = "Roxio Creator Audio"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}" [null data]

RoxioSCCopyCD33\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCCopyDisc33\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCDataProject33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch Data" [null data]

RoxioSCDataTask33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}" [null data]

SonyPlayCDAudioSonicStage\
"Provider" = "@C:\Program Files\Sony\SonicStage\OmgjboxRes.dll,-57344"
"InvokeProgID" = "SonyAudioCDSonicStage"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\SonyAudioCDSonicStage\shell\play\command\(Default) = "C:\Program Files\Sony\SonicStage\Omgjbox.exe /cdplay -"%L"" ["Sony Corporation"]

SonyRecCDAudioSonicStage\
"Provider" = "@C:\Program Files\Sony\SonicStage\OmgjboxRes.dll,-57344"
"InvokeProgID" = "SonyAudioCDRecSonicStage"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\SonyAudioCDRecSonicStage\shell\play\command\(Default) = "C:\Program Files\Sony\SonicStage\Omgjbox.exe /cdrecord -"%L"" ["Sony Corporation"]

SonySonicStageBurnCDOnArrival\
"Provider" = "@C:\Program Files\Sony\SonicStage\OmgjboxRes.dll,-57344"
"InvokeProgID" = "SonyBurnCDSonicStage"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\SonyBurnCDSonicStage\shell\open\command\(Default) = "C:\Program Files\Sony\SonicStage\Omgjbox.exe" ["Sony Corporation"]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2009-06-24 14:12:42)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 36 seconds, including 16 seconds for message boxes)

#15 ac87uk

ac87uk
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 24 June 2009 - 08:17 AM

The first search I tried after running ComboFix redirected to some Firefox Update which I promptly had to CtrlAltDelete to get out of... but every search I tried after went straight to the intended page. So, whilst I hope it's all fixed, I'm not so sure it is....




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users