
Trojan.Win32.TDSS.aegg


This topic is locked
17 replies to this topic

#1 seniab

Posted 15 June 2009 - 03:48 PM

Hi,
First post here, so I hope I provide the correct information - I have read the guidelines.

I've ended up with numerous problems on my computer - it started running very slowly and freezing after about 5 minutes of being logged on. I found that I had the Internet Antivirus Pro malware, and this was stopping me accessing Google searches and installing bits and pieces (like Java updates or online scanners). The problem has got worse and now I am unable to log on to any account when the computer is not started in Safe Mode. I followed removal instructions found on the web and managed to get rid of AntivirusPro, and so can run a Google search, but I cannot install Malwarebytes Anti-Malware. I have installed a version of Kaspersky and on scanning it finds Trojan Program Trojan.Win32.TDSS.aegg in file globalroot\system32\UACxbrqrhxejhemtif.dll. When I try to get Kaspersky to neutralise the infection, it comes back "file not found". I've now exhausted my very limited knowledge and seem to be getting nowhere. I hope someone can help me please - I trust that the above is not too long-winded an explanation of what the problem is.

DDS log follows below, and the other log is attached as a .zip as instructed in the guidelines. Thanks in advance.

DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Administrator at 21:28:12.34 on 15/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1.#QNAN.80 [GMT 1:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.pcservicecall.co.uk
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfinds.com/pubac/ac.php?aid=151&sid=v5
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {39fc2065-c9c7-49cd-8942-44cc2dedc844} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe" /Startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...00001f.0000005d
mRun: [AOL_Demo] c:\applications\tool\aol demo\DSGDemo.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1.you\startm~1\programs\startup\is-1hu9h.lnk - c:\documents and settings\administrator.your-cf7519f72b\desktop\virus removal tool\is-1hu9h\startup.exe
StartupFolder: c:\docume~1\admini~1.you\startm~1\programs\startup\is-ff7k4.lnk - c:\documents and settings\administrator.your-cf7519f72b\desktop\virus removal tool1\is-ff7k4\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {61900274-3323-4446-BDCD-91548D32AF1B} - hxxp://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-5 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-5 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-6-5 1095560]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-4-28 112144]
S1 is-1HU9Hdrv;is-1HU9Hdrv;c:\windows\system32\drivers\32404269.sys [2009-6-6 148496]
S1 is-FF7K4drv;is-FF7K4drv;c:\windows\system32\drivers\61881138.sys [2009-6-6 148496]
S1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-5-18 194320]
S2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2007-6-26 218376]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-3-13 24576]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]

=============== Created Last 30 ================

2009-06-09 21:05 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 21:05 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 21:05 <DIR> --d----- c:\program files\dreft
2009-06-09 14:58 <DIR> --d----- c:\documents and settings\administrator.your-cf7519f72b\.housecall6.6
2009-06-09 12:45 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-06-09 12:45 <DIR> --d----- c:\program files\Norton Security Scan
2009-06-09 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-06-09 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-06-09 12:45 <DIR> --d----- c:\program files\NortonInstaller
2009-06-07 12:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-06-07 11:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-06 21:58 148,496 a------- c:\windows\system32\drivers\61881138.sys
2009-06-06 21:32 148,496 a------- c:\windows\system32\drivers\32404269.sys
2009-06-05 23:29 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-05 23:29 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-05 23:29 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-05 23:28 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-05 23:28 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-05 23:28 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-05 23:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-05 23:28 <DIR> --d----- c:\docume~1\admini~1.you\applic~1\PC Tools
2009-06-05 21:15 <DIR> --d----- c:\documents and settings\administrator.your-cf7519f72b\WINDOWS
2009-06-05 21:15 <DIR> --d----- c:\documents and settings\Administrator.YOUR-CF7519F72B
2009-06-05 18:22 52,000 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-05 18:22 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-05 18:22 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-05 18:22 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-31 20:57 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-31 20:57 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-31 20:51 <DIR> --d----- c:\program files\Kaspersky Lab
2009-05-31 20:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-05-28 20:56 <DIR> --d----- c:\program files\Sky Broadband

==================== Find3M ====================

2009-06-06 00:48 112,144 a------- c:\windows\system32\drivers\kl1.sys
2008-10-27 19:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat

============= FINISH: 21:30:19.35 ===============


#2 Buckeye_Sam
Malware Expert

Posted 16 June 2009 - 09:54 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 seniab
Topic Starter

Posted 16 June 2009 - 10:42 AM

Hi,

Thank you for taking the time to help me. I greatly appreciate it.

I have followed the steps you posted, and downloaded Combofix, saved it to my desktop, double-clicked it and pressed 'Run'. At this point the combofix button takes on a grey haze, and the little sand-timer comes up next to the cursor. After 30 or so seconds the Combofix shortcut returns to its normal colour, the sand-timer disappears, and nothing else happens. I have waited for 5 or 10 minutes, just in case something was happening in the background, but nothing changes.

I opened up Windows Task Manager, and the only item listed under the Applications tab is Internet Explorer. Under the Processes tab ComboFix.exe is listed using 0% CPU and a memory usage of 2,420. After 10 minutes or so this too disappears. I have tried this three times, and the same thing happens every time.

Thanks.

PS I am running in Safe Mode as that seems to be the only way to get the computer to operate.

Edited by seniab, 16 June 2009 - 10:44 AM.


#4 Buckeye_Sam
Malware Expert

Posted 16 June 2009 - 04:52 PM

Let's try something different.
Delete combofix.exe off your desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



========================================================

#5 seniab
Topic Starter

Posted 17 June 2009 - 09:09 AM

Hi,

Managed finally to get Combofix to run in Safe Mode - followed the on-screen prompts and let the computer re-boot without touching anything (as advised in the prompt boxes), but of course it re-booted normally and once logged on the machine crashed. I ran the scan again in Safe Mode, and this time the machine did not re-boot. Below is the generated Combofix log:

ComboFix 09-06-16.05 - Administrator 17/06/2009 14:50.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.246.127 [GMT 1:00]
Running from: c:\documents and settings\Administrator.YOUR-CF7519F72B\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACD.SYS
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-16 20:21 . 2009-06-16 20:23 -------- d-----w- c:\documents and settings\Julie\Application Data\MSNInstaller
2009-06-16 20:05 . 2009-06-16 20:05 -------- d-----w- c:\documents and settings\Julie\Application Data\Malwarebytes
2009-06-16 16:55 . 2009-06-16 16:55 -------- d-----w- c:\program files\Alwil Software
2009-06-13 22:15 . 2009-06-13 22:15 152576 ----a-w- c:\documents and settings\Julie\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-09 20:05 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 20:05 . 2009-06-16 20:05 -------- d-----w- c:\program files\dreft
2009-06-09 20:05 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 13:58 . 2009-06-09 13:58 -------- d-----w- c:\documents and settings\Administrator.YOUR-CF7519F72B\.housecall6.6
2009-06-09 11:45 . 2009-06-16 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-09 11:45 . 2009-06-09 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-09 11:43 . 2009-06-09 11:44 -------- d-----w- c:\documents and settings\Administrator.YOUR-CF7519F72B\Local Settings\Application Data\Deployment
2009-06-07 11:36 . 2009-06-07 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-07 10:57 . 2009-06-07 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-07 10:18 . 2009-06-07 10:18 -------- d-----w- c:\documents and settings\Administrator.YOUR-CF7519F72B\Application Data\AdobeUM
2009-06-07 10:17 . 2009-06-07 10:18 -------- d-----w- c:\documents and settings\Administrator.YOUR-CF7519F72B\Local Settings\Application Data\Adobe
2009-06-06 20:58 . 2008-07-08 13:54 148496 ----a-w- c:\windows\system32\drivers\61881138.sys
2009-06-06 20:32 . 2008-07-08 13:54 148496 ----a-w- c:\windows\system32\drivers\32404269.sys
2009-06-05 23:48 . 2009-06-05 23:48 112144 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\X86\kl1.sys
2009-06-05 23:48 . 2009-06-05 23:48 682512 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\updater.dll
2009-06-05 23:48 . 2009-06-05 23:48 194320 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\klif.sys
2009-06-05 23:47 . 2009-06-05 23:47 342544 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\ckahum.dll
2009-06-05 23:47 . 2009-06-05 23:47 150032 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\diffs.dll
2009-06-05 22:29 . 2009-06-16 20:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-05 17:42 . 2009-06-13 18:51 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-05 17:22 . 2009-06-17 13:35 553760 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-05 17:22 . 2009-06-17 13:31 17952 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-31 19:57 . 2009-06-05 23:48 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-31 19:57 . 2009-06-05 23:48 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-31 19:51 . 2009-06-17 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-05-31 19:51 . 2009-05-31 19:51 -------- d-----w- c:\program files\Kaspersky Lab
2009-05-28 19:56 . 2009-05-28 19:56 -------- d-----w- c:\program files\Sky Broadband
2009-05-25 10:48 . 2009-05-25 10:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 22:28 . 2009-06-05 17:22 8180 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-16 22:28 . 2009-06-05 17:22 2636 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-16 20:42 . 2008-11-29 11:53 -------- d-----w- c:\program files\Windows Live
2009-06-16 20:38 . 2005-12-05 14:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 20:28 . 2008-10-27 17:00 -------- d-----w- c:\documents and settings\Julie\Application Data\SAMSUNG
2009-06-16 20:24 . 2007-06-16 18:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-16 20:19 . 2009-01-08 19:18 -------- d-----w- c:\program files\Hazard Perception 2003
2009-06-16 20:19 . 2008-10-13 15:14 -------- d-----w- c:\program files\Google
2009-06-16 20:18 . 2009-01-08 19:09 -------- d-----w- c:\program files\Driving Test Success Plus 2003
2009-06-09 11:44 . 2009-06-05 20:15 66360 ----a-w- c:\documents and settings\Administrator.YOUR-CF7519F72B\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-05 23:48 . 2007-04-28 15:51 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-05-10 19:58 . 2007-06-22 11:18 158 ----a-w- c:\documents and settings\Julie\Application Data\wklnhst.dat
2009-04-12 20:45 . 2007-06-16 18:46 66360 ----a-w- c:\documents and settings\Julie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-07-08 1953887]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-02-28 636072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL_Demo"="c:\applications\Tool\AOL Demo\DSGDemo.exe" [2005-12-01 177178]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-12-08 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-12-08 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-12-08 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-12-08 16270848]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-12-08 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2006-12-19 593920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [04/04/2007 14:58 24344]
S1 is-1HU9Hdrv;is-1HU9Hdrv;c:\windows\system32\drivers\32404269.sys [06/06/2009 21:32 148496]
S1 is-FF7K4drv;is-FF7K4drv;c:\windows\system32\drivers\61881138.sys [06/06/2009 21:58 148496]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
.
Contents of the 'Scheduled Tasks' folder

2009-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-06-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pcservicecall.co.uk
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfinds.com/pubac/ac.php?aid=151&sid=v5
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\klogon.dll
.
Completion time: 2009-06-17 14:59
ComboFix-quarantined-files.txt 2009-06-17 13:59

Pre-Run: 19,406,516,224 bytes free
Post-Run: 19,387,453,440 bytes free

142 --- E O F --- 2009-05-13 21:03


Thanks.
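The two logs in this thread tell the story only when read together: DDS (post #1) never listed a UACd service, yet ComboFix (above) removed Service_UACd.sys and its Legacy_ entry, and Kaspersky had reported a UAC-named DLL under globalroot that it then could not find. The script below is an added triage example, not part of the thread or of the DDS/ComboFix tools: it parses the DDS SERVICES / DRIVERS lines and the ComboFix Drivers/Services deletions and reports services that were removed but never visible to DDS, plus file names following the UAC* pattern seen here. The reading of the R/S prefix and the UAC naming check are assumptions based on the lines shown.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS "SERVICES / DRIVERS" lines posted in this thread.
DDS_SERVICES = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-5 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-5 348752]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S1 is-1HU9Hdrv;is-1HU9Hdrv;c:\windows\system32\drivers\32404269.sys [2009-6-6 148496]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]
"""

# Constructed sample: the "Drivers/Services" deletions from the ComboFix log above.
COMBOFIX_REMOVED = r"""
-------\Legacy_UACD.SYS
-------\Service_UACd.sys
"""

# Path Kaspersky reported in post #1 (it could not find the file afterwards).
KASPERSKY_DETECTION = r"globalroot\system32\UACxbrqrhxejhemtif.dll"

# One DDS line: "<R|S><start type> <name>;<display>;<image path> [<date> <size>]"
# R = running, S = stopped; the digit is the service start type (0 boot, 1 system,
# 2 automatic, 3 on demand, 4 disabled). This reading of the prefix is an assumption.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);"
    r"(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+"
    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)

# ComboFix lists a removed service key as "-------\Service_<name>" and the matching
# Plug and Play root entry as "-------\Legacy_<NAME>"; both map to one service name.
REMOVED_RE = re.compile(r"^-+\\(?:Legacy_|Service_)(?P<name>.+)$")

# File names of the UAC* form seen in this thread (UACd.sys, UACxbrqrhxejhemtif.dll).
UAC_NAME_RE = re.compile(r"(?:^|\\)uac[a-z0-9]+\.(?:sys|dll)$", re.IGNORECASE)


@dataclass(frozen=True)
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    date: str
    size: int


def parse_dds_services(text: str) -> list:
    """Parse DDS SERVICES / DRIVERS lines; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(ServiceEntry(
            running=m["state"] == "R",
            start_type=int(m["start"]),
            name=m["name"],
            display=m["display"],
            path=m["path"],
            date=m["date"],
            size=int(m["size"]),
        ))
    return entries


def parse_combofix_removed(text: str) -> set:
    """Return the lower-cased service names ComboFix reported removing."""
    names = set()
    for line in text.splitlines():
        m = REMOVED_RE.match(line.strip())
        if m is not None:
            names.add(m["name"].lower())
    return names


def is_uac_named(path: str) -> bool:
    """True when the file name follows the UAC* naming seen in this thread."""
    return UAC_NAME_RE.search(path) is not None


def triage(dds_entries, removed, detections=()) -> list:
    findings = []
    visible = {e.name.lower() for e in dds_entries}
    # A service ComboFix removed but DDS never enumerated was not visible to the
    # earlier user-mode scan, which is what a rootkit hiding its own service looks like.
    for name in sorted(removed - visible):
        findings.append(f"{name}: removed by ComboFix, never listed by DDS")
    # Any listed driver, or reported detection path, with a UAC-style file name.
    for e in dds_entries:
        if is_uac_named(e.path):
            findings.append(f"{e.name}: UAC-style driver file {e.path}")
    for path in detections:
        if is_uac_named(path):
            findings.append(f"detection path uses UAC-style file name: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_dds_services(DDS_SERVICES),
                          parse_combofix_removed(COMBOFIX_REMOVED),
                          [KASPERSKY_DETECTION]):
        print(finding)
```

Note that the two numerically named drivers in the DDS listing (32404269.sys, 61881138.sys) belong to the is-1HU9Hdrv/is-FF7K4drv services the removal tool in the Startup folder created, so the script deliberately does not flag them.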

#6 Buckeye_Sam
Malware Expert

Posted 17 June 2009 - 11:02 AM

It looks like combofix may have been able to remove the rootkit. If so, we should be able to run Malwarebytes now.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


========================================================

#7 seniab
Topic Starter

Posted 17 June 2009 - 02:45 PM

Hi,

I did exactly as instructed and Malwarebytes found 4 infections and deleted these. Unfortunately it has not saved a copy of the report under the 'Logs' tab, so I am unable to post it here.

Whilst I can now run the computer in normal mode, it is extremely slow - from powering on to opening this website, doing nothing else, took over half an hour. The CPU usage is 0% most of the time, but in Task Manager PF Usage is not less than 7 bars, and usually 8. If it is useful I will re-run Malwarebytes and try to post the resulting log.

#8 Buckeye_Sam

Buckeye_Sam

  • Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 June 2009 - 10:00 AM

We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



========================================================

#9 seniab

seniab
  • Topic Starter

  • Members
  • 10 posts

Posted 19 June 2009 - 12:33 PM

Hi, below follows the OTL report. Cheers.

OTL logfile created on: 19/06/2009 18:28:40 - Run 1
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Documents and Settings\Andrew\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

246.11 Mb Total Physical Memory | 21.62 Mb Available Physical Memory | 8.78% Memory free
601.83 Mb Paging File | 141.11 Mb Available in Paging File | 23.45% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.95 Gb Total Space | 17.99 Gb Free Space | 54.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-CF7519F72B
Current User Name: Andrew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2003/02/25 05:52:00 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2003/02/25 05:50:00 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/12/08 09:04:21 | 00,077,824 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2006/12/08 09:05:26 | 00,118,784 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2006/12/08 04:12:03 | 16,270,848 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2005/01/12 04:01:32 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2008/11/20 14:20:54 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/06/26 16:53:12 | 00,218,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
PRC - [2005/07/08 17:01:56 | 01,953,887 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
PRC - [2006/03/15 10:30:24 | 00,593,920 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\RALINK\Common\RaUI.exe
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/06/26 16:53:12 | 00,218,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2005/01/14 09:32:38 | 00,053,248 | ---- | M] () -- C:\WINDOWS\System32\PAStiSvc.exe
PRC - [2004/08/11 02:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2009/04/25 06:27:50 | 00,636,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/06/19 18:28:06 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andrew\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/06/26 16:53:12 | 00,218,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe -- (AVP [Auto | Running])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/04/23 07:19:11 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2003/02/25 05:52:00 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2005/01/14 09:32:38 | 00,053,248 | ---- | M] () -- C:\WINDOWS\System32\PAStiSvc.exe -- (STI Simulator [Auto | Running])
SRV - [2004/08/11 02:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2007/10/25 16:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/12/19 12:15:42 | 00,020,747 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2004/08/04 13:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2008/04/13 19:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Boot | Running])
DRV - [2004/04/03 07:35:08 | 00,043,392 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
DRV - [2004/04/03 07:32:20 | 00,024,576 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2004/08/04 13:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Boot | Running])
DRV - [2008/04/17 14:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 17:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2008/03/07 13:46:38 | 00,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys -- (hwdatacard [On_Demand | Stopped])
DRV - [2006/12/08 09:04:39 | 01,166,972 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2006/12/08 04:08:20 | 04,225,920 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/07/08 14:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\32404269.sys -- (is-1HU9Hdrv [System | Stopped])
DRV - [2008/07/08 14:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\61881138.sys -- (is-FF7K4drv [System | Stopped])
DRV - [2009/06/06 00:48:10 | 00,112,144 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Running])
DRV - [2009/06/06 00:48:09 | 00,194,320 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klif.sys -- (klif [System | Running])
DRV - [2007/04/04 14:58:26 | 00,024,344 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\klim5.sys -- (klim5 [On_Demand | Running])
DRV - [2004/08/04 13:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Boot | Running])
DRV - [2001/08/17 15:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Stopped])
DRV - [2005/02/24 12:29:14 | 00,162,176 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\pfc027.sys -- (PAC207 [On_Demand | Stopped])
DRV - [2003/09/19 15:45:48 | 00,021,248 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2004/08/04 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/08/04 13:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Boot | Running])
DRV - [2006/03/08 18:28:00 | 00,255,232 | ---- | M] (Ralink Technology, Corp.) -- C:\WINDOWS\system32\DRIVERS\rt73.sys -- (RT73 [On_Demand | Running])
DRV - [2006/12/08 04:22:43 | 00,081,408 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Stopped])
DRV - [2004/08/04 07:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/13 19:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Boot | Running])
DRV - [2006/07/24 17:05:00 | 00,005,632 | ---- | M] () -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen [System | Running])
DRV - [2004/08/04 13:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Boot | Running])
DRV - [2008/10/01 14:01:28 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pcservicecall.co.uk

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pcservicecall.co.uk

IE - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pcservicecall.co.uk
IE - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\S-1-5-21-2151255587-3780539979-1519646943-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" (Kaspersky Lab)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup (Cyberlink)
O4 - Startup: C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Start Menu\Programs\Startup\is-1HU9H.lnk = C:\Documents and Settings\Andrew\Desktop\Virus Removal Tool\is-1HU9H\startup.exe File not found
O4 - Startup: C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Start Menu\Programs\Startup\is-FF7K4.lnk = C:\Documents and Settings\Andrew\Desktop\Virus Removal Tool1\is-FF7K4\startup.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm (Microsoft Corporation)
O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - File not found
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} http://www.worldwinner.com/games/v56/spide...ersolitaire.cab (SpiderSolitaire Control)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/05 13:56:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a2044a21-6549-11da-a5a1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{a2044a21-6549-11da-a5a1-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a2044a21-6549-11da-a5a1-806d6172696f}\Shell\AutoRun\command - "" = E:\Launch.exe -- File not found
O33 - MountPoints2\Z\Shell - "" = AutoRun
O33 - MountPoints2\Z\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/19 18:28:06 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/06/19 18:27:53 | 00,501,760 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Andrew\Desktop\OTL.exe
[2009/06/17 22:29:22 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/06/17 22:27:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/06/17 18:49:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Macromedia
[2009/06/17 18:41:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Adobe
[2009/06/17 18:30:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
[2009/06/17 18:13:42 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/17 18:13:39 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 18:13:38 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/17 18:13:38 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/17 15:44:40 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Andrew\Application Data\desktop.ini
[2009/06/17 15:44:39 | 00,001,805 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\Digital Download Centre.lnk
[2009/06/17 15:44:39 | 00,001,657 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\Norton Internet Security 2006.lnk
[2009/06/17 15:44:39 | 00,001,276 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\Manual.lnk
[2009/06/17 15:44:39 | 00,001,011 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\mypixmania Photo Storage.lnk
[2009/06/17 15:44:39 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\Windows Media Player.lnk
[2009/06/17 15:44:38 | 00,000,077 | -HS- | C] () -- C:\Documents and Settings\Andrew\My Documents\desktop.ini
[2009/06/17 15:44:38 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Andrew\Local Settings\desktop.ini
[2009/06/17 15:44:37 | 00,000,084 | -HS- | C] () -- C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\desktop.ini
[2009/06/17 15:44:37 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Andrew\Application Data\Microsoft
[2009/06/17 15:44:37 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Andrew\My Documents\My Pictures
[2009/06/17 15:44:37 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Andrew\My Documents\My Music
[2009/06/17 15:44:37 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files
[2009/06/17 15:44:37 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andrew\Local Settings\History
[2009/06/17 15:44:37 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\Andrew\Local Settings\Application Data
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\My Documents\CyberLink
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Local Settings\Temp
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\SampleView
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Identities
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\CyberLink
[2009/06/17 14:59:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/06/17 14:06:48 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/06/17 14:06:44 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/06/17 14:06:42 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/06/17 14:01:38 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/06/17 14:01:38 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/06/17 14:01:38 | 00,155,136 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/06/17 14:01:38 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/06/17 14:01:38 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/06/17 14:01:38 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/06/17 14:01:38 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/06/17 14:01:38 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/06/17 14:01:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/06/17 13:55:56 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/06/16 17:55:27 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/06/09 21:05:04 | 00,000,000 | ---D | C] -- C:\Program Files\dreft
[2009/06/09 12:45:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/06/09 12:45:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/06/07 12:36:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/06/07 11:57:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/06 21:58:27 | 00,148,496 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\61881138.sys
[2009/06/06 21:32:46 | 00,148,496 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\32404269.sys
[2009/06/05 23:29:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/06/05 18:42:29 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/06/05 18:22:40 | 02,336,800 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/06/05 18:22:40 | 00,030,496 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/06/05 18:22:40 | 00,026,780 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/06/05 18:22:40 | 00,003,860 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/05/31 20:57:05 | 00,105,395 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/05/31 20:57:04 | 00,094,643 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/05/31 20:51:28 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2009/05/31 20:51:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2009/05/31 14:02:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/05/28 20:56:49 | 00,000,000 | ---D | C] -- C:\Program Files\Sky Broadband
[2008/10/27 17:56:06 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2007/06/22 12:23:57 | 00,000,276 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2007/06/16 22:00:27 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/12/19 12:16:14 | 00,290,918 | ---- | C] () -- C:\WINDOWS\System32\Install7x.dll
[2005/12/06 12:16:48 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/05 12:42:07 | 00,001,454 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/12/05 12:41:46 | 00,000,881 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/12/05 12:41:43 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/09/02 00:39:24 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/09/02 00:39:24 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/09/02 00:39:00 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/02/24 12:29:14 | 00,162,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\PFC027.sys
[2005/01/25 15:15:42 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\PA207USD.DLL
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/06/19 18:30:10 | 00,000,254 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/06/19 18:28:06 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andrew\Desktop\OTL.exe
[2009/06/19 18:22:14 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/19 18:19:05 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Andrew\Local Settings\desktop.ini
[2009/06/19 18:19:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/19 18:18:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/18 12:44:15 | 02,336,800 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/06/18 12:44:15 | 00,030,496 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/06/18 12:44:15 | 00,026,780 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/06/18 12:44:15 | 00,003,860 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/06/17 22:35:23 | 00,000,881 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/06/17 22:35:23 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/06/17 22:35:23 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/06/17 21:35:17 | 00,250,288 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/17 21:02:29 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/06/17 18:13:42 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/17 15:45:47 | 00,000,077 | -HS- | M] () -- C:\Documents and Settings\Andrew\My Documents\desktop.ini
[2009/06/17 15:45:13 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\Andrew\Desktop\Windows Media Player.lnk
[2009/06/17 14:48:18 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/06/17 14:19:17 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 11:27:44 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/16 21:19:49 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/06/16 21:19:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/06/13 22:45:45 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/06/13 22:45:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/06/13 21:51:35 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/06/13 21:51:35 | 00,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/06/08 08:10:10 | 00,155,136 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/06/06 00:48:10 | 00,112,144 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\kl1.sys
[2009/06/06 00:48:09 | 00,194,320 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/06/06 00:48:05 | 00,105,395 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/06/06 00:48:05 | 00,094,643 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/06/01 17:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/31 17:01:48 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/05/31 17:01:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/05/31 13:47:24 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/05/31 13:47:23 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/05/27 20:07:27 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/05/25 11:48:13 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/05/23 20:19:05 | 00,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/05/23 20:19:05 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/05/23 18:26:27 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/05/23 18:26:27 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/05/23 17:09:42 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/05/23 17:09:42 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/05/23 05:42:29 | 00,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/05/23 05:42:29 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/05/22 18:40:15 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/05/22 18:40:15 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/05/22 16:21:59 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/05/22 16:21:59 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/05/22 14:30:40 | 00,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/05/22 14:30:39 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/05/21 19:22:22 | 00,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/05/21 19:22:21 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/05/21 17:29:55 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/05/21 17:29:55 | 00,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/05/21 17:28:05 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/05/21 17:28:05 | 00,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/05/21 17:25:15 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/05/21 17:25:15 | 00,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/05/20 22:36:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/05/20 22:36:04 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/05/20 21:33:40 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/05/20 21:33:40 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/05/20 18:41:33 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/05/20 18:41:33 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#10 seniab

seniab
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 19 June 2009 - 12:35 PM

There was also a second report. In the message above is OTL.txt; below is Extras.txt:

OTL Extras logfile created on: 19/06/2009 18:28:40 - Run 1
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Documents and Settings\Andrew\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

246.11 Mb Total Physical Memory | 21.62 Mb Available Physical Memory | 8.78% Memory free
601.83 Mb Paging File | 141.11 Mb Available in Paging File | 23.45% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.95 Gb Total Space | 17.99 Gb Free Space | 54.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-CF7519F72B
Current User Name: Andrew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
File not found -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/11/20 14:20:48 | 14,294,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2003/02/25 05:50:00 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{14C35072-D7D0-4B29-B5BF-C94E426D77E9}" = Sky Broadband
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}" = Kaspersky Anti-Virus 7.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7585478E9D9B42108671C12F8714CEFE}" = DivX Converter
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Roxio Burn Engine
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{C36C3F84-E04B-44E3-9D7B-ABBCC6BE94F5}" = PC Camer@
"{C765D9FF-4A34-4BF1-9F91-E9A3C60C86FC}" = ArcSoft VideoImpression 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{E91E8912-769D-42F0-8408-0E329443BABC}" = Ralink Wireless LAN Card
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{C36C3F84-E04B-44E3-9D7B-ABBCC6BE94F5}" = PC Camer@
"InstallWIX_{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}" = Kaspersky Anti-Virus 7.0
"Lexmark Z600 Series" = Lexmark Z600 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OcaHistoryUpd" = OCA Client history tool install
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 14/06/2009 18:26:42 | Computer Name = YOUR-CF7519F72B | Source = Application Error | ID = 1000
Description = Faulting application sort.exe, version 5.1.2600.5512, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x0000a378.

Error - 15/06/2009 16:03:03 | Computer Name = YOUR-CF7519F72B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 15/06/2009 16:30:31 | Computer Name = YOUR-CF7519F72B | Source = Application Error | ID = 1000
Description = Faulting application sort.exe, version 5.1.2600.5512, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x0000a378.

Error - 16/06/2009 14:53:40 | Computer Name = YOUR-CF7519F72B | Source = ESENT | ID = 490
Description = wuauclt (3256) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 16/06/2009 14:53:40 | Computer Name = YOUR-CF7519F72B | Source = ESENT | ID = 439
Description = wuauclt (3256) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb.
Error -1032.

Error - 16/06/2009 14:53:51 | Computer Name = YOUR-CF7519F72B | Source = ESENT | ID = 473
Description = wuauclt (3256) Database C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
was partially detached. Error -1032 encountered updating database headers.

Error - 16/06/2009 16:13:22 | Computer Name = YOUR-CF7519F72B | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 16/06/2009 16:17:54 | Computer Name = YOUR-CF7519F72B | Source = MsiInstaller | ID = 11704
Description = Product: Driving Test Success 2002-2003 -- Error 1704.An installation
for Kaspersky Anti-Virus 7.0 is currently suspended. You must undo the changes
made by that installation to continue. Do you want to undo those changes?

Error - 16/06/2009 16:54:17 | Computer Name = YOUR-CF7519F72B | Source = pctsSvc.exe | ID = 0
Description =

Error - 17/06/2009 13:46:06 | Computer Name = YOUR-CF7519F72B | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 17/06/2009 13:25:33 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p
asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde is-FF7K4drv
mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi
sym_u3 TosIde ultra viaagp ViaIde

Error - 17/06/2009 16:37:04 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm is-FF7K4drv kl1 klif StarOpen

Error - 17/06/2009 17:19:38 | Computer Name = YOUR-CF7519F72B | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 17/06/2009 17:29:04 | Computer Name = YOUR-CF7519F72B | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 17/06/2009 17:35:26 | Computer Name = YOUR-CF7519F72B | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 17/06/2009 17:37:52 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is-FF7K4drv

Error - 17/06/2009 19:38:43 | Computer Name = YOUR-CF7519F72B | Source = PSched | ID = 14103
Description = QoS [Adapter {9940FAA7-2171-42C1-8F70-0E3284B43D5D}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 18/06/2009 05:18:47 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is-FF7K4drv

Error - 18/06/2009 08:16:52 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is-FF7K4drv

Error - 19/06/2009 13:20:13 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is-FF7K4drv


< End of report >

Edited by seniab, 19 June 2009 - 12:35 PM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:13 PM

Posted 20 June 2009 - 07:52 AM

What are these?

O4 - Startup: C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Start Menu\Programs\Startup\is-1HU9H.lnk = C:\Documents and Settings\Andrew\Desktop\Virus Removal Tool\is-1HU9H\startup.exe File not found
O4 - Startup: C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Start Menu\Programs\Startup\is-FF7K4.lnk = C:\Documents and Settings\Andrew\Desktop\Virus Removal Tool1\is-FF7K4\startup.exe File not found
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 seniab

seniab
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 20 June 2009 - 08:47 AM

Hi,

I think they are the things I downloaded from the Kaspersky website when I first discovered I had a problem with the machine. They are not on the machine anymore as the tool kept crashing half-way through (once it had identified the Trojan mentioned in the topic header) and so I deleted them. Is it possible that they have caused the other problems? I'm pretty sure I downloaded them directly from the Kaspersky website.

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:13 PM

Posted 21 June 2009 - 09:35 AM

They just seemed unusual to see in your log, that's all. I could tell it was something that you had downloaded. I don't see any signs of malware in your log, but we'll clean it up a bit. It looks like the main issue is several services that are not starting up as they should.


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
    O4 - Startup: C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Start Menu\Programs\Startup\is-1HU9H.lnk = C:\Documents and Settings\Andrew\Desktop\Virus Removal Tool\is-1HU9H\startup.exe File not found
    O4 - Startup: C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Start Menu\Programs\Startup\is-FF7K4.lnk = C:\Documents and Settings\Andrew\Desktop\Virus Removal Tool1\is-FF7K4\startup.exe File not found
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

Let me know if there is any difference.
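An added example, not from this thread, from OTL or from its author: a small Python triage helper that parses the O4 startup lines and the Extras.txt event-log errors quoted above, counts the drivers that Service Control Manager event 7026 reports as failing to load, and cross-references them with startup shortcuts whose target is "File not found". The sample lines are excerpted from this thread; the name-prefix matching between a shortcut (is-FF7K4) and a driver (is-FF7K4drv) is this helper's own heuristic, not something OTL does.

```python
"""Triage helper for OTL logs: orphaned O4 startup shortcuts versus
Service Control Manager 7026 'driver failed to load' events."""
import re
from collections import Counter
from dataclasses import dataclass

# O4 line: "O4 - Startup: <path>.lnk = <target> File not found"
O4_RE = re.compile(
    r"^O4 - Startup: (?P<lnk>.+?\.lnk) = (?P<target>.+?)( (?P<status>File not found))?$"
)
# Extras.txt event header; the description follows on the next line(s).
EVENT_RE = re.compile(
    r"^Error - (?P<when>\S+ \S+) \| Computer Name = (?P<host>\S+) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<event_id>\d+)$"
)


@dataclass
class StartupEntry:
    lnk: str
    target: str
    missing: bool  # True when OTL reported the target as "File not found"


@dataclass
class EventError:
    when: str
    host: str
    source: str
    event_id: int
    description: str


def parse_o4_startup(text):
    """Return every O4 startup-shortcut entry found in an OTL.txt excerpt."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(StartupEntry(m["lnk"], m["target"], m["status"] is not None))
    return entries


def parse_event_errors(text):
    """Parse the 'Last 10 Event Log Errors' block; a blank line ends each event."""
    events, desc = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT_RE.match(line)
        if m:
            desc = []
            events.append(EventError(m["when"], m["host"], m["source"],
                                     int(m["event_id"]), ""))
            continue
        if not line:
            desc = None
            continue
        if desc is not None:  # continuation of the current description
            desc.append(line.removeprefix("Description = "))
            events[-1].description = " ".join(desc)
    return events


def failed_boot_drivers(events):
    """Count driver names listed by Service Control Manager event 7026."""
    counts = Counter()
    for ev in events:
        if ev.source == "Service Control Manager" and ev.event_id == 7026:
            _, _, names = ev.description.partition("failed to load:")
            counts.update(names.split())
    return counts


def orphan_shortcut_id(entry):
    """'...\\Startup\\is-FF7K4.lnk' -> 'is-FF7K4'."""
    name = entry.lnk.rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith(".lnk") else name


def correlate(entries, driver_counts):
    """Heuristic (this helper's assumption): a failing driver whose name starts
    with an orphaned shortcut's id probably came from the same removed tool."""
    hits = []
    for e in entries:
        if not e.missing:
            continue
        sid = orphan_shortcut_id(e)
        for drv, n in driver_counts.items():
            if drv.lower().startswith(sid.lower()):
                hits.append((sid, drv, n))
    return hits


# Constructed sample input, excerpted from the OTL logs in this thread.
SAMPLE_OTL = """
O4 - Startup: C:\\Documents and Settings\\Administrator.YOUR-CF7519F72B\\Start Menu\\Programs\\Startup\\is-1HU9H.lnk = C:\\Documents and Settings\\Andrew\\Desktop\\Virus Removal Tool\\is-1HU9H\\startup.exe File not found
O4 - Startup: C:\\Documents and Settings\\Administrator.YOUR-CF7519F72B\\Start Menu\\Programs\\Startup\\is-FF7K4.lnk = C:\\Documents and Settings\\Andrew\\Desktop\\Virus Removal Tool1\\is-FF7K4\\startup.exe File not found
"""
SAMPLE_EXTRAS = """
Error - 17/06/2009 13:25:33 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agp440 is-FF7K4drv mraid35x ViaIde

Error - 17/06/2009 16:37:04 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm is-FF7K4drv kl1 klif StarOpen

Error - 17/06/2009 17:19:38 | Computer Name = YOUR-CF7519F72B | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 19/06/2009 13:20:13 | Computer Name = YOUR-CF7519F72B | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is-FF7K4drv
"""

if __name__ == "__main__":
    drivers = failed_boot_drivers(parse_event_errors(SAMPLE_EXTRAS))
    for sid, drv, n in correlate(parse_o4_startup(SAMPLE_OTL), drivers):
        print(f"orphaned shortcut {sid} <-> driver {drv} failed to load {n} times")
```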

#14 seniab

seniab
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 25 June 2009 - 04:15 PM

Hi,

Apologies for the length of time taken to reply - my Broadband connection went down and needed the service engineer to come out and fix it - I'm not having much luck with technology at the moment!

Below is the transcript from OTL - the actions you suggested don't seem to have had a great impact on the speed of the system - maybe I need to invest in a RAM upgrade?

========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Start Menu\Programs\Startup\is-1HU9H.lnk moved successfully.
C:\Documents and Settings\Administrator.YOUR-CF7519F72B\Start Menu\Programs\Startup\is-FF7K4.lnk moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.

OTL by OldTimer - Version 2.1.1.0 log created on 06252009_212056

Files moved on Reboot...

Registry entries deleted on Reboot...


I'll reboot and run the full scan and post results shortly.

Thank you for your continued help with this.

#15 seniab

seniab
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 25 June 2009 - 05:43 PM

OTL REPORT:

OTL logfile created on: 25/06/2009 22:16:53 - Run 2
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Documents and Settings\Andrew\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

246.11 Mb Total Physical Memory | 46.87 Mb Available Physical Memory | 19.04% Memory free
813.83 Mb Paging File | 321.89 Mb Available in Paging File | 39.55% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.95 Gb Total Space | 17.55 Gb Free Space | 53.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-CF7519F72B
Current User Name: Andrew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2003/02/25 05:52:00 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2003/02/25 05:50:00 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/06/26 16:53:12 | 00,218,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2005/01/14 09:32:38 | 00,053,248 | ---- | M] () -- C:\WINDOWS\System32\PAStiSvc.exe
PRC - [2004/08/11 02:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/12/08 09:04:21 | 00,077,824 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2006/12/08 09:05:26 | 00,118,784 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2006/12/08 04:12:03 | 16,270,848 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2005/01/12 04:01:32 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2007/06/26 16:53:12 | 00,218,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
PRC - [2005/07/08 17:01:56 | 01,953,887 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
PRC - [2009/06/02 11:56:00 | 24,264,488 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2006/03/15 10:30:24 | 00,593,920 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\RALINK\Common\RaUI.exe
PRC - [2009/04/25 06:27:50 | 00,636,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\internet explorer\iexplore.exe
PRC - [2009/06/19 18:28:06 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andrew\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/06/26 16:53:12 | 00,218,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe -- (AVP [Auto | Running])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/04/23 07:19:11 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2003/02/25 05:52:00 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2005/01/14 09:32:38 | 00,053,248 | ---- | M] () -- C:\WINDOWS\System32\PAStiSvc.exe -- (STI Simulator [Auto | Running])
SRV - [2004/08/11 02:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2007/10/25 16:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/12/19 12:15:42 | 00,020,747 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2004/08/04 13:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2008/04/13 19:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Boot | Running])
DRV - [2004/04/03 07:35:08 | 00,043,392 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
DRV - [2004/04/03 07:32:20 | 00,024,576 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2004/08/04 13:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Boot | Running])
DRV - [2008/04/17 14:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 17:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2008/03/07 13:46:38 | 00,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys -- (hwdatacard [On_Demand | Stopped])
DRV - [2006/12/08 09:04:39 | 01,166,972 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2006/12/08 04:08:20 | 04,225,920 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/07/08 14:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\32404269.sys -- (is-1HU9Hdrv [System | Stopped])
DRV - [2008/07/08 14:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\61881138.sys -- (is-FF7K4drv [System | Stopped])
DRV - [2009/06/06 00:48:10 | 00,112,144 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Running])
DRV - [2009/06/06 00:48:09 | 00,194,320 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klif.sys -- (klif [System | Running])
DRV - [2007/04/04 14:58:26 | 00,024,344 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\klim5.sys -- (klim5 [On_Demand | Running])
DRV - [2004/08/04 13:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Boot | Running])
DRV - [2001/08/17 15:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Stopped])
DRV - [2005/02/24 12:29:14 | 00,162,176 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\pfc027.sys -- (PAC207 [On_Demand | Stopped])
DRV - [2003/09/19 15:45:48 | 00,021,248 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2004/08/04 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/08/04 13:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Boot | Running])
DRV - [2006/03/08 18:28:00 | 00,255,232 | ---- | M] (Ralink Technology, Corp.) -- C:\WINDOWS\system32\DRIVERS\rt73.sys -- (RT73 [On_Demand | Running])
DRV - [2006/12/08 04:22:43 | 00,081,408 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Stopped])
DRV - [2004/08/04 07:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/13 19:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Boot | Running])
DRV - [2006/07/24 17:05:00 | 00,005,632 | ---- | M] () -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen [System | Running])
DRV - [2004/08/04 13:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Boot | Running])
DRV - [2004/08/04 13:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Boot | Running])
DRV - [2008/10/01 14:01:28 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pcservicecall.co.uk

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pcservicecall.co.uk

IE - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pcservicecall.co.uk
IE - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\S-1-5-21-2151255587-3780539979-1519646943-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" (Kaspersky Lab)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup (Cyberlink)
O4 - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (Skype Technologies S.A.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2151255587-3780539979-1519646943-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - File not found
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} http://www.worldwinner.com/games/v56/spide...ersolitaire.cab (SpiderSolitaire Control)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/05 13:56:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{931925ae-5d84-11de-b20f-0019db04087b}\Shell - "" = AutoRun
O33 - MountPoints2\{931925ae-5d84-11de-b20f-0019db04087b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{931925ae-5d84-11de-b20f-0019db04087b}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{a2044a21-6549-11da-a5a1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{a2044a21-6549-11da-a5a1-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a2044a21-6549-11da-a5a1-806d6172696f}\Shell\AutoRun\command - "" = E:\Launch.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\Z\Shell - "" = AutoRun
O33 - MountPoints2\Z\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/25 21:11:22 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/06/25 21:20:56 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/06/20 17:42:22 | 00,000,048 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/06/20 17:42:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\skypePM
[2009/06/20 17:40:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Skype
[2009/06/20 17:38:28 | 00,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/06/20 17:38:25 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2009/06/20 17:38:20 | 00,000,000 | R--D | C] -- C:\Program Files\Skype
[2009/06/20 17:36:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/06/19 18:27:53 | 00,501,760 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Andrew\Desktop\OTL.exe
[2009/06/17 22:29:22 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/06/17 22:27:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/06/17 18:49:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Macromedia
[2009/06/17 18:41:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Adobe
[2009/06/17 18:30:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
[2009/06/17 18:13:42 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/17 18:13:39 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 18:13:38 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/17 18:13:38 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/17 15:44:40 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Andrew\Application Data\desktop.ini
[2009/06/17 15:44:39 | 00,001,805 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\Digital Download Centre.lnk
[2009/06/17 15:44:39 | 00,001,657 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\Norton Internet Security 2006.lnk
[2009/06/17 15:44:39 | 00,001,276 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\Manual.lnk
[2009/06/17 15:44:39 | 00,001,011 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\mypixmania Photo Storage.lnk
[2009/06/17 15:44:39 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\Andrew\Desktop\Windows Media Player.lnk
[2009/06/17 15:44:38 | 00,000,077 | -HS- | C] () -- C:\Documents and Settings\Andrew\My Documents\desktop.ini
[2009/06/17 15:44:38 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Andrew\Local Settings\desktop.ini
[2009/06/17 15:44:37 | 00,000,084 | -HS- | C] () -- C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\desktop.ini
[2009/06/17 15:44:37 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Andrew\Application Data\Microsoft
[2009/06/17 15:44:37 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Andrew\My Documents\My Pictures
[2009/06/17 15:44:37 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Andrew\My Documents\My Music
[2009/06/17 15:44:37 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files
[2009/06/17 15:44:37 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Andrew\Local Settings\History
[2009/06/17 15:44:37 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\Andrew\Local Settings\Application Data
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\My Documents\CyberLink
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Local Settings\Temp
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\SampleView
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\Identities
[2009/06/17 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andrew\Application Data\CyberLink
[2009/06/17 14:59:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/06/17 14:06:48 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/06/17 14:06:44 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/06/17 14:06:42 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/06/17 14:01:38 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/06/17 14:01:38 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/06/17 14:01:38 | 00,155,136 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/06/17 14:01:38 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/06/17 14:01:38 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/06/17 14:01:38 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/06/17 14:01:38 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/06/17 14:01:38 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/06/17 14:01:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/06/17 13:55:56 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/06/16 17:55:27 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/06/09 21:05:04 | 00,000,000 | ---D | C] -- C:\Program Files\dreft
[2009/06/09 12:45:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/06/09 12:45:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/06/07 12:36:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/06/07 11:57:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/06 21:58:27 | 00,148,496 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\61881138.sys
[2009/06/06 21:32:46 | 00,148,496 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\32404269.sys
[2009/06/05 23:29:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/06/05 18:42:29 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/06/05 18:22:40 | 02,336,800 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/06/05 18:22:40 | 00,040,480 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/06/05 18:22:40 | 00,029,276 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/06/05 18:22:40 | 00,004,772 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/05/31 20:57:05 | 00,105,395 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/05/31 20:57:04 | 00,094,643 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/05/31 20:51:28 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2009/05/31 20:51:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2009/05/31 14:02:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/05/28 20:56:49 | 00,000,000 | ---D | C] -- C:\Program Files\Sky Broadband
[2008/10/27 17:56:06 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2007/06/22 12:23:57 | 00,000,276 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2007/06/16 22:00:27 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/12/19 12:16:14 | 00,290,918 | ---- | C] () -- C:\WINDOWS\System32\Install7x.dll
[2005/12/06 12:16:48 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/05 12:42:07 | 00,001,454 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/12/05 12:41:46 | 00,000,881 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/12/05 12:41:43 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/09/02 00:39:24 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/09/02 00:39:24 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/09/02 00:39:00 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/02/24 12:29:14 | 00,162,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\PFC027.sys
[2005/01/25 15:15:42 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\PA207USD.DLL
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/06/25 21:38:47 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/25 21:36:54 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Andrew\Local Settings\desktop.ini
[2009/06/25 21:30:29 | 00,000,254 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/06/25 21:29:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/25 21:28:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/25 21:28:02 | 00,040,480 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/06/25 21:28:02 | 00,004,772 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/06/25 21:28:01 | 02,336,800 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/06/25 21:28:01 | 00,029,276 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/06/20 17:42:22 | 00,000,048 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/06/20 17:38:28 | 00,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/06/19 23:12:02 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2009/06/19 18:28:06 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andrew\Desktop\OTL.exe
[2009/06/17 22:35:23 | 00,000,881 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/06/17 22:35:23 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/06/17 22:35:23 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/06/17 21:35:17 | 00,250,288 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/17 21:02:29 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/06/17 18:13:42 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/17 15:45:47 | 00,000,077 | -HS- | M] () -- C:\Documents and Settings\Andrew\My Documents\desktop.ini
[2009/06/17 15:45:13 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\Andrew\Desktop\Windows Media Player.lnk
[2009/06/17 14:48:18 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/06/17 14:19:17 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 11:27:44 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/16 21:19:49 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/06/16 21:19:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/06/13 22:45:45 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/06/13 22:45:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/06/13 21:51:35 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/06/13 21:51:35 | 00,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/06/08 08:10:10 | 00,155,136 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/06/06 00:48:10 | 00,112,144 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\kl1.sys
[2009/06/06 00:48:09 | 00,194,320 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/06/06 00:48:05 | 00,105,395 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/06/06 00:48:05 | 00,094,643 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/06/01 17:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/31 17:01:48 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/05/31 17:01:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/05/31 13:47:24 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/05/31 13:47:23 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/05/27 20:07:27 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
