
Browser redirection - STOPzilla, bragster


  • This topic is locked
19 replies to this topic

#1 martindale66


  • Members
  • 46 posts
  • OFFLINE
  • Gender:Male
  • Location:Sheffield UK

Posted 15 September 2009 - 09:18 AM

Hi,
I appear to have picked up some adware, malware or something.
When I click on a search engine result up to 3 new windows open and I get redirected to one of the following:

http://www.stopzilla.com/products/stopzilla/spywareremover-mov.do?aid=10192&cid=spyware
http://www.bragster.com/main/home?v=a
http://media2.tmlatn.com/images/defaults41/approved/404.html
http://best-scanpc.net/disk/?code=934
http://www.pcsecurityshield.com/lp/shield-deluxe-5.aspx?trk=WTK&affid=541

Also the odd advert opens intermittently.

I've run A-squared, Spybot and attempted to run Ad-Aware but this keeps closing down.

I've run DDS (which is listed below) and RootRepeal, but RootRepeal displays an error message;
"Could not read system registry!
Please contact the author!"

Any help would be appreciated.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Paul at 13:40:58.31 on 15/09/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1014.271 [GMT 1:00]

AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: PCguard Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\RPS.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AlbumPlayer\RemoteControl\AP_RemoteControl.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WEQ92EIV\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uWinlogon: Shell=c:\program files\pcenter\pc.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
uRun: [Center Agent] c:\program files\kworld multimedia\hypermediacenter\dtvr\Scheduled.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [IndexCleaner] "c:\program files\virgin broadband\pcguard\IdxClnR.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Tour]
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [CCUTRAYICON] FactoryMode
mRun: [Apanel] c:\acersw\config\NewSetApanel.cmd
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [Setresolution] c:\acersw\config\1440x900.cmd
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\virgin broadband\pcguard\ZkRunOnceR.exe"
mRunOnce: [IndexCleaner] "c:\program files\virgin broadband\pcguard\IdxClnR.exe"
StartupFolder: c:\users\paul\appdata\roaming\micros~1\windows\startm~1\programs\startup\albump~1.lnk - c:\program files\albumplayer\remotecontrol\AP_RemoteControl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {84A31672-371A-4CBF-8785-DCE55CDC7370} - hxxp://192.168.1.100/ocxfile/DownLoad.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\dpnhpast32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\paul\appdata\roaming\mozilla\firefox\profiles\0wmeujt7.default\
FF - plugin: c:\program files\virgin broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-15 64160]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2007-2-12 208896]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2007-2-19 5376]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-12-29 5504]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [2007-8-16 221184]
S2 CTpvr Recorder;CTpvr Recorder;c:\program files\ctpvr\ctpvrrecorder.exe --> c:\program files\ctpvr\CTpvrRecorder.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 AVerAF15;AVerMedia BDA Digital Tuner;c:\windows\system32\drivers\AVerAF15.sys [2009-2-18 264320]
S3 AVerM115S;AVerM115S service;c:\windows\system32\drivers\AVerM115S.sys [2007-8-16 856832]
S3 DHTRACE;Intel® DHTrace Controller;c:\program files\common files\intel\inteldh\bin\DHTraceController.exe [2007-4-6 39896]
S3 IntelDHSvcConf;IntelDHSvcConf;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2007-4-6 36312]
S3 NMSCore;Intel® NMSCore;c:\program files\common files\intel\inteldh\nms\nmscore\NMSCore.exe [2007-4-6 313816]
S3 QualityManager;Intel® Quality Manager;c:\program files\intel\inteldh\intel media server\media server\bin\QualityManager.exe [2007-4-6 272856]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2006-11-2 7168]

=============== Created Last 30 ================

2009-09-15 10:15 <DIR> --d----- c:\program files\a-squared Free
2009-09-15 09:18 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-15 09:13 <DIR> -cd-h--- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-15 09:13 <DIR> -cd-h--- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-15 09:13 <DIR> --d----- c:\program files\Lavasoft
2009-09-14 18:05 <DIR> --d----- c:\programdata\Lavasoft
2009-09-14 16:50 0 a------- c:\windows\system32\GroupPolicy000.dat
2009-09-14 15:45 17,851 a------- c:\windows\GnuHashes.ini
2009-09-14 15:37 <DIR> --dsh--- c:\windows\system32\LocalService
2009-09-14 15:37 523,264 a--sh--- c:\windows\system32\3091.tmp
2009-09-14 14:13 1,372 a------- c:\windows\system32\rnhdf.vbs
2009-09-14 14:12 1,372 a------- c:\windows\system32\LNIGRktEF1azz.vbs
2009-09-14 14:12 1,372 a------- c:\windows\system32\18OyNBQj5TPwzFw.vbs
2009-09-14 14:12 1,372 a------- c:\windows\system32\cxWgYGjk2HGf3Em.vbs
2009-09-14 13:49 122,880 a------- c:\windows\system32\dpnhpast32.dll
2009-09-14 13:49 1,372 a------- c:\windows\system32\4nasfZz.vbs
2009-09-14 13:25 25,244 a------- c:\windows\system32\drivers\ASPI32.SYS
2009-09-14 13:25 45,056 a------- c:\windows\system32\WNASPI32.DLL
2009-09-14 13:25 5,600 a------- c:\windows\system\WINASPI.DLL
2009-09-14 13:25 4,672 a------- c:\windows\system\WOWPOST.EXE
2009-09-14 12:45 87,608 a------- c:\users\paul\appdata\roaming\inst.exe
2009-09-14 12:45 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-09-14 12:45 47,360 a------- c:\users\paul\appdata\roaming\pcouffin.sys
2009-09-02 21:55 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 21:55 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 13:54 <DIR> --d----- c:\users\paul\Office Genuine Advantage
2009-08-30 12:22 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-08-30 12:11 <DIR> --d----- c:\windows\system32\eu-ES
2009-08-30 12:11 <DIR> --d----- c:\windows\system32\ca-ES
2009-08-30 12:11 <DIR> --d----- c:\windows\system32\vi-VN
2009-08-30 11:43 <DIR> --d----- c:\windows\system32\EventProviders
2009-08-30 11:39 777,216 a------- c:\windows\system32\slcc.dll
2009-08-26 15:34 2,048 a------- c:\windows\system32\tzres.dll
2009-08-26 11:12 1,696,768 a------- c:\windows\system32\gameux.dll

==================== Find3M ====================

2009-09-14 12:46 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-14 12:46 51,200 a------- c:\windows\inf\infpub.dat
2009-09-14 12:46 86,016 a------- c:\windows\inf\infstor.dat
2009-08-30 12:11 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-29 03:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-29 03:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-29 03:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-29 03:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-14 17:27 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 14:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 14:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 14:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 14:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 14:48 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 14:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-31 15:30 82 a------- c:\users\paul\appdata\roaming\wklnhst.dat
2009-07-21 22:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 22:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 22:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 21:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 21:00 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-07-17 14:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 13:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 13:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 13:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 13:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-11 20:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 20:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 20:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 20:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 18:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-02-22 17:29 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-06-14 14:35 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-06-14 14:35 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-06-14 14:35 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-06-14 14:35 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-14 14:35 245,760 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 13:47:23.91 ===============


Edited by Orange Blossom, 18 September 2009 - 10:37 PM.
Deactivate links. ~ OB
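The DDS log above contains the entries that explain the redirects: the Winlogon Shell value points at pcenter\pc.exe instead of explorer.exe, AppInit_DLLs loads dpnhpast32.dll into every process, UAC is switched off (EnableLUA = 0), and the "Created Last 30" section shows a run of same-sized .vbs scripts and a hidden .tmp dropped into system32. The script below is an added triage example and is not code from DDS, BleepingComputer or this thread. It parses those two DDS sections and flags exactly those conditions. The rules rest on known Windows defaults (Winlogon Shell is explorer.exe, AppInit_DLLs is empty on a clean machine, EnableLUA = 0 disables UAC) plus two file heuristics; SAMPLE_LOG is a subset of lines copied from the first log in this post, and treating an "h" in the DDS attribute column as "hidden" is an assumption about DDS's output format.

```python
"""Triage pass over the DDS 'Pseudo HJT Report' and 'Created Last 30'
sections.  Added example (not DDS's or the forum's own code).  Rules encode
Windows defaults: Winlogon Shell is explorer.exe, AppInit_DLLs is normally
empty, EnableLUA=0 turns UAC off; plus two heuristics for script files and
hidden files newly created under the Windows system directories."""
import re
from dataclasses import dataclass

# Subset of lines copied from the first DDS log in this thread.
# "hxxp" is DDS's own link defanging.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uWinlogon: Shell=c:\program files\pcenter\pc.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
AppInit_DLLs: c:\windows\system32\dpnhpast32.dll
=============== Created Last 30 ================
2009-09-15 10:15 <DIR> --d----- c:\program files\a-squared Free
2009-09-14 15:37 523,264 a--sh--- c:\windows\system32\3091.tmp
2009-09-14 14:13 1,372 a------- c:\windows\system32\rnhdf.vbs
2009-09-14 14:12 1,372 a------- c:\windows\system32\LNIGRktEF1azz.vbs
2009-09-14 13:49 122,880 a------- c:\windows\system32\dpnhpast32.dll
2009-08-30 11:39 777,216 a------- c:\windows\system32\slcc.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule identifier
    line: str   # the DDS line that triggered the rule


SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "Created Last 30" rows: date time, size or <DIR>, 8-char attribute field, path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$"
)
SCRIPT_EXTENSIONS = (".vbs", ".js", ".bat", ".cmd", ".scr", ".pif")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")


def check_hjt_line(line: str) -> list:
    """Flag autostart/policy entries that should not look like this by default."""
    key, _, value = line.partition(":")
    key, value = key.strip().lower(), value.strip()
    out = []
    if key in ("uwinlogon", "mwinlogon"):
        name, _, target = value.partition("=")
        # Shell should be explorer.exe; anything else replaces the desktop shell.
        if name.strip().lower() == "shell" and target.strip().lower() != "explorer.exe":
            out.append(Finding("winlogon-shell-replaced", line))
    elif key == "appinit_dlls" and value:
        # Any DLL here is injected into every process that loads user32.dll.
        out.append(Finding("appinit-dll-present", line))
    elif key == "mpolicies-system":
        setting, _, val = value.partition("=")
        if setting.strip().lower() == "enablelua" and val.strip().startswith("0"):
            out.append(Finding("uac-disabled", line))
    return out


def check_created_line(line: str) -> list:
    """Flag script files and hidden files newly created in system directories."""
    m = CREATED_RE.match(line)
    if not m:
        return []
    size, attrs, path = m.group(2), m.group(3), m.group(4).lower()
    in_system_dir = path.startswith(SYSTEM_DIRS)
    out = []
    if in_system_dir and path.endswith(SCRIPT_EXTENSIONS):
        out.append(Finding("script-in-system-dir", line))
    # Assumption: an 'h' in the DDS attribute column means the hidden attribute.
    if in_system_dir and size != "<DIR>" and "h" in attrs:
        out.append(Finding("hidden-file-in-system-dir", line))
    return out


def triage_dds(text: str) -> list:
    """Walk a DDS log, dispatching each line to the checker for its section."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if section.startswith("pseudo hjt"):
            findings.extend(check_hjt_line(line))
        elif section.startswith("created last"):
            findings.extend(check_created_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"{f.rule:28} {f.line}")
```

Run against the sample it reports six findings: the replaced Winlogon shell, the AppInit DLL, UAC disabled, the two .vbs files and the hidden 3091.tmp, while the benign BHO, a-squared directory and slcc.dll lines pass. The heuristics are deliberately narrow so that an analyst still reads the rest of the log; they are a first pass, not a verdict.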



#2 schrauber


    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany

Posted 30 September 2009 - 12:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 martindale66

  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Gender:Male
  • Location:Sheffield UK

Posted 30 September 2009 - 02:40 PM

Hi, first let me update you on my situation

When I ran A-Squared several infections were found. I was not able to delete these, and when I attempted to quarantine these files my computer shut down, the offending items still being there.
When I ran Ad-Aware, after several seconds Ad-Aware shut down.

After reading several posts in your forums I downloaded and ran Malwarebytes. Malwarebytes found the items and was able to delete them; as a consequence both A-Squared and Ad-Aware now run fine, finding only the odd cookie. Also my browser appears to be working fine, I am no longer being redirected to sites trying to sell me their anti-spyware programs and the opening of new windows has also stopped.

Everything seems to be OK - but,

I have a CPU meter on my desktop which from starting my computer, seems to take 3 maybe 5 times longer than previous to settle down.

Also I have noticed that when I visit a website, the status bar (I think it's called the status bar, it's the bar at the bottom of the page that tells you if you're waiting, downloading or done) occasionally states "About Blank" and then the page loads - is this something I should be concerned about? Am I just being paranoid?

Anyway, below is a current DDS scan - Maybe everything is OK!




DDS (Ver_09-09-29.01) - NTFSx86
Run by Paul at 20:26:24.44 on 30/09/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1014.226 [GMT 1:00]

AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: PCguard Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Virgin Broadband\PCguard\rps.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\AlbumPlayer\RemoteControl\AP_RemoteControl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Virgin Broadband\PCguard\Kav\Bin\ScanningProcess.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AlbumPlayer\AlbumPlayer.exe
C:\Program Files\AlbumPlayer\AP_Extensions\AP_Extensions.exe
C:\Program Files\AlbumPlayer\MiniWindow\AlbumPlayerMiniWindow.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Paul\Desktop\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
uRun: [Center Agent] c:\program files\kworld multimedia\hypermediacenter\dtvr\Scheduled.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Tour]
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [CCUTRAYICON] FactoryMode
mRun: [Apanel] c:\acersw\config\NewSetApanel.cmd
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [Setresolution] c:\acersw\config\1440x900.cmd
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\paul\appdata\roaming\micros~1\windows\startm~1\programs\startup\albump~1.lnk - c:\program files\albumplayer\remotecontrol\AP_RemoteControl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {84A31672-371A-4CBF-8785-DCE55CDC7370} - hxxp://192.168.1.100/ocxfile/DownLoad.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\paul\appdata\roaming\mozilla\firefox\profiles\0wmeujt7.default\
FF - plugin: c:\program files\virgin broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-27 64160]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2007-2-12 208896]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2007-2-19 5376]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-12-29 5504]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [2007-8-16 221184]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_vista\SafeConnectDriver.sys [2008-11-14 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_vista\SafeConnectFilter.sys [2008-11-14 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_vista\SafeConnectShim.sys [2008-11-14 29248]
S2 CTpvr Recorder;CTpvr Recorder;c:\program files\ctpvr\ctpvrrecorder.exe --> c:\program files\ctpvr\CTpvrRecorder.exe [?]
S3 AVerAF15;AVerMedia BDA Digital Tuner;c:\windows\system32\drivers\AVerAF15.sys [2009-2-18 264320]
S3 AVerM115S;AVerM115S service;c:\windows\system32\drivers\AVerM115S.sys [2007-8-16 856832]
S3 DHTRACE;Intel® DHTrace Controller;c:\program files\common files\intel\inteldh\bin\DHTraceController.exe [2007-4-6 39896]
S3 IntelDHSvcConf;IntelDHSvcConf;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2007-4-6 36312]

=============== Created Last 30 ================

2009-09-27 14:41 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-27 14:07 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-27 14:05 <DIR> -cd-h--- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-27 14:05 <DIR> -cd-h--- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-27 14:05 <DIR> --d----- c:\program files\Lavasoft
2009-09-27 12:50 <DIR> --d----- c:\users\paul\appdata\roaming\Malwarebytes
2009-09-27 12:50 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 12:50 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-27 12:50 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-27 12:50 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-27 12:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 19:58 737,280 a------- c:\windows\iun6002.exe
2009-09-22 19:58 <DIR> --d----- c:\program files\The Extractor
2009-09-18 10:45 84,056 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-09-18 10:45 6,229,024 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-18 10:41 36 a------- c:\windows\system32\????????????????????????????????????g
2009-09-18 10:38 71,184 a------- c:\windows\system32\drivers\DefragFS.sys
2009-09-18 10:38 <DIR> --d----- c:\programdata\Raxco
2009-09-18 10:37 <DIR> --d----- c:\program files\Raxco
2009-09-15 10:15 <DIR> --d----- c:\program files\a-squared Free
2009-09-14 18:05 <DIR> --d----- c:\programdata\Lavasoft
2009-09-14 14:13 1,372 a------- c:\windows\system32\rnhdf.vbs
2009-09-14 14:12 1,372 a------- c:\windows\system32\LNIGRktEF1azz.vbs
2009-09-14 14:12 1,372 a------- c:\windows\system32\18OyNBQj5TPwzFw.vbs
2009-09-14 14:12 1,372 a------- c:\windows\system32\cxWgYGjk2HGf3Em.vbs
2009-09-14 13:49 1,372 a------- c:\windows\system32\4nasfZz.vbs
2009-09-14 13:25 25,244 a------- c:\windows\system32\drivers\ASPI32.SYS
2009-09-14 13:25 45,056 a------- c:\windows\system32\WNASPI32.DLL
2009-09-14 13:25 5,600 a------- c:\windows\system\WINASPI.DLL
2009-09-14 13:25 4,672 a------- c:\windows\system\WOWPOST.EXE
2009-09-14 12:45 87,608 a------- c:\users\paul\appdata\roaming\inst.exe
2009-09-14 12:45 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-09-14 12:45 47,360 a------- c:\users\paul\appdata\roaming\pcouffin.sys
2009-09-02 21:55 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 21:55 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 13:54 <DIR> --d----- c:\users\paul\Office Genuine Advantage

==================== Find3M ====================

2009-09-18 10:40 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-18 10:40 86,016 a------- c:\windows\inf\infstor.dat
2009-09-18 10:40 51,200 a------- c:\windows\inf\infpub.dat
2009-08-30 12:11 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-29 03:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-29 03:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-29 03:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-29 03:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-14 17:27 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 14:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 14:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 14:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 14:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 14:48 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 14:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-31 15:30 82 a------- c:\users\paul\appdata\roaming\wklnhst.dat
2009-07-21 22:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 22:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 22:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 21:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 14:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 13:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 13:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 13:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 13:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-11 20:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 20:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 20:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 20:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 18:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-02-22 17:29 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-06-14 14:35 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-06-14 14:35 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-06-14 14:35 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-06-14 14:35 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-14 14:35 245,760 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 20:29:34.09 ===============

#4 schrauber (Mr.Mechanic)
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich, Germany

Posted 01 October 2009 - 04:21 PM

Hello martindale66, and again, welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please plug in all external drives you have and leave them plugged in.

Step 1

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Step 2

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Step 3

Please post the content of the Malwarebytes-Logfile where the baddies were found. You can find it in the Log tab.

Please post back with:
  • Gmer-Logfile
  • Malwarebytes-Logfile

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
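
As an added example (not part of this thread and not code from Flash_Disinfector), the following PowerShell function reports, for every file-system drive root, whether autorun.inf is absent, is the hidden placeholder folder that Step 1 describes, or is an actual autorun.inf file, which is the case worth reviewing. It assumes Windows PowerShell on the machine being checked; the function name is my own.

```powershell
# Added example, not code from the thread or from Flash_Disinfector.
# For each file-system drive, classify what sits at <root>\autorun.inf:
#   'absent'             - nothing there
#   'placeholder folder' - the hidden folder Flash_Disinfector leaves behind,
#                          which blocks a real autorun.inf from being created
#   'FILE - review'      - a genuine autorun.inf file, which older Windows
#                          versions honour on insert and which should be read
function Get-AutorunInfStatus {
    # Get-PSDrive works on Windows PowerShell 2.0 and later, so no WMI is needed.
    # Mapped network drives are included; skip them if that is not wanted.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $path = Join-Path -Path $drive.Root -ChildPath 'autorun.inf'

        # -Force is required because the placeholder is created as a hidden item
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

        if (-not $item) {
            $status = 'absent'
        } elseif ($item.PSIsContainer) {
            $status = 'placeholder folder'
        } else {
            $status = 'FILE - review'
        }

        $hidden   = $false
        $modified = $null
        if ($item) {
            $hidden   = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            $modified = $item.LastWriteTime
        }

        New-Object PSObject -Property @{
            Drive    = $drive.Root
            Status   = $status
            Hidden   = $hidden
            Modified = $modified
        }
    }
}

# Print one row per drive; rows marked 'FILE - review' deserve a closer look
Get-AutorunInfStatus | Format-Table Drive, Status, Hidden, Modified -AutoSize
```

Run it from an elevated PowerShell prompt on Vista, since the root of the system drive may otherwise not be readable with -Force.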

#5 martindale66
  • Topic Starter
  • Members
  • 46 posts
  • Gender:Male
  • Location:Sheffield UK

Posted 02 October 2009 - 07:43 AM

Hi Tom, Nice to hear from you.

I downloaded Flash Disinfector, but when I tried to run it, nothing happened.

I then downloaded GMER. When I opened the application it ran a scan on its own (details below, GMER1.log); when I tried to run my own scan I got the following message: "GMER has stopped working and needs to close".

I then started my computer in Safe Mode. When I opened the application (GMER) it ran a scan on its own (details below, GMER2.log); when I tried to run my own scan I got the following message: "GMER has stopped working and needs to close".

Also listed below is the Malwarebytes-Logfile.

GMER1.log

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-10-02 13:03:34
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Paul\AppData\Local\Temp\kwrcypod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat SafeConnectFilter.sys
AttachedDevice \Driver\tdx \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

---- EOF - GMER 1.0.15 ----


GMER2.log

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-10-02 13:15:53
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Paul\AppData\Local\Temp\kwrcypod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Malwarebytes-Logfile

Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 6.0.6002 Service Pack 2

27/09/2009 12:58:28
mbam-log-2009-09-27 (12-58-28).txt

Scan type: Quick Scan
Objects scanned: 96570
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\dpnhpast32.dll (Trojan.Tracur) -> Delete on reboot.
C:\Windows\System32\3091.tmp (Worm.P2P) -> Delete on reboot.
C:\Users\Paul\AppData\Local\Temp\74C2.tmp (Trojan.Dropper) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\dpnhpast32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\dpnhpast32.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\PCenter\pc.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\LocalService (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\dpnhpast32.dll (Trojan.Tracur) -> Delete on reboot.
C:\Windows\System32\3091.tmp (Worm.P2P) -> Delete on reboot.
C:\Users\Paul\AppData\Local\Temp\74C2.tmp (Trojan.Dropper) -> Delete on reboot.
C:\Users\Paul\AppData\Local\Temp\FA07.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\305.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\305.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\306.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\306.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\307.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\307.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\308.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\308.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\309.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\309.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\310.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\310.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\311.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\311.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\312.music4.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\312.music4.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Users\IUSR_NMPR\Desktop\PCenter.lnk (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Windows\System32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.

#6 schrauber (Mr.Mechanic)
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich, Germany

Posted 02 October 2009 - 11:44 AM

Hi,

Please try the above steps again, but this time please take note of the following:

On Vista systems, you have to run our tools by right-clicking them and choosing "run as admin" from the context menu.

Please try again and post back with the content of the Gmer-Logfile.
regards,
schrauber

#7 martindale66
  • Topic Starter
  • Members
  • 46 posts
  • Gender:Male
  • Location:Sheffield UK

Posted 02 October 2009 - 12:52 PM

Hi,

I ran the extracted zip file in both normal and safe mode (right-clicking and choosing "run as admin"); in both instances I got the message "The program has encountered a problem and needs to close."

I ran the "main mirror version" in both normal and safe mode (right-clicking and choosing "run as admin"); in both instances the computer shut down and rebooted with the message "windows shut down unexpectedly, how do you want to start; normal, safe, etc".

#8 martindale66
  • Topic Starter
  • Members
  • 46 posts
  • Gender:Male
  • Location:Sheffield UK

Posted 02 October 2009 - 02:14 PM

Hi,

I ran GMER again with other programs running, all protection turned on and connected to the internet; below is the report (GMER3).


GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-02 20:00:00
Windows 6.0.6002 Service Pack 2
Running: w48tp79f.exe; Driver: C:\Users\Paul\AppData\Local\Temp\kwrcypod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\a-squared Free\a2service.exe[496] kernel32.dll!CreateThread + 1A 770DC928 4 Bytes CALL 00454DF5 C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SetWindowsHookExW 760287AD 5 Bytes JMP 6F029521 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CallNextHookEx 76028E3B 5 Bytes JMP 6F01CB69 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!UnhookWindowsHookEx 760298DB 5 Bytes JMP 6EF943F6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateWindowExW 76031305 5 Bytes JMP 6F02D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxParamW 760510B0 5 Bytes JMP 6EF551FD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxIndirectParamW 76052EF5 5 Bytes JMP 6F123C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxParamA 76068152 5 Bytes JMP 6F123BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxIndirectParamA 7606847D 5 Bytes JMP 6F123C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxIndirectA 7607D4D9 5 Bytes JMP 6F123B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxIndirectW 7607D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxIndirectW 7607D5D3 5 Bytes JMP 6F123AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxExA 7607D639 5 Bytes JMP 6F123A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxExW 7607D65D 5 Bytes JMP 6F123A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ole32.dll!OleLoadFromStream 762F1E12 5 Bytes JMP 6F123F78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ole32.dll!CoCreateInstance 76329EA6 5 Bytes JMP 6F02D408 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!CreateWindowExW 76031305 5 Bytes JMP 6F02D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!DialogBoxParamW 760510B0 5 Bytes JMP 6EF551FD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!DialogBoxIndirectParamW 76052EF5 5 Bytes JMP 6F123C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!DialogBoxParamA 76068152 5 Bytes JMP 6F123BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!DialogBoxIndirectParamA 7606847D 5 Bytes JMP 6F123C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!MessageBoxIndirectA 7607D4D9 5 Bytes JMP 6F123B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!MessageBoxIndirectW 7607D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!MessageBoxIndirectW 7607D5D3 5 Bytes JMP 6F123AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!MessageBoxExA 7607D639 5 Bytes JMP 6F123A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4332] USER32.dll!MessageBoxExW 7607D65D 5 Bytes JMP 6F123A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\a-squared Free\a2service.exe[496] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [00454F4C] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[496] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [00454F4C] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B87817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73BDA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B8BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B7F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B7E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73BB8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73B8DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B7FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B7FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73C0CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73BAC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B7D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B76853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B7687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B82AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys
AttachedDevice \Driver\tdx \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x56 0x82 0xC5 0x1C ...

---- EOF - GMER 1.0.15 ----

Edited by martindale66, 02 October 2009 - 02:17 PM.


#9 schrauber

schrauber
    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location: Munich, Germany

Posted 02 October 2009 - 02:38 PM

Hi,

Let's have a deeper look.

Step 1

Please download Sysprot Antirootkit from here

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items and check Hidden Objects Only at the bottom of the window.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.

Step 2

Download and run Win32kDiag:

Step 3
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please post back with:
  • SysProt-Logfile
  • Win32kDiag-Logfile
  • Both OTL-Logfiles

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
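Step 1 asks for a SysProt log, and its "Kernel Modules" section is the part a reviewer reads first. As an added example that is not part of this thread, of SysProt or of BleepingComputer's instructions, the script below parses that section and flags hidden modules loaded from outside the system driver directories; the sample log is constructed to mirror the tool's output format, and the whitelist prefixes are an assumption about a standard Windows install.

```python
"""Triage the 'Kernel Modules' section of a SysProt AntiRootkit log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample that mirrors the SysProt output format, not a real log.
SAMPLE_LOG = r"""******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8C3CF000
Module End: 8C3DA000
Hidden: Yes

Module Name: \??\C:\Users\Paul\AppData\Local\Temp\kwrcypod.sys
Service Name: kwrcypod
Module Base: AD48F000
Module End: AD4A4000
Hidden: Yes

******************************************************************************************
No SSDT Hooks found
"""

# Hidden modules under these prefixes are usually benign: the crash-dump drivers
# (dump_*.sys) are mapped without a service entry, so SysProt reports them as
# hidden even on a clean machine. The path, not the Hidden flag, is the signal.
EXPECTED_PREFIXES = ("\\systemroot\\system32\\", "c:\\windows\\system32\\")

_FIELD = re.compile(r"^(Module Name|Service Name|Module Base|Module End|Hidden):\s*(.*)$")


@dataclass
class KernelModule:
    name: str
    service: str
    base: int
    end: int
    hidden: bool


def _to_record(fields: dict) -> KernelModule:
    return KernelModule(
        name=fields.get("Module Name", ""),
        service=fields.get("Service Name", "---"),
        base=int(fields.get("Module Base", "0"), 16),
        end=int(fields.get("Module End", "0"), 16),
        hidden=fields.get("Hidden", "No").lower() == "yes",
    )


def parse_kernel_modules(text: str) -> list:
    """Return the records listed between 'Kernel Modules:' and the next separator."""
    modules, fields, in_section = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Kernel Modules:":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("*****"):  # a separator line closes the section
            break
        if not line:  # a blank line ends one record
            if fields:
                modules.append(_to_record(fields))
                fields = {}
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    if fields:  # section ended without a trailing blank line
        modules.append(_to_record(fields))
    return modules


def suspicious_modules(modules) -> list:
    """Return (module, reason) pairs for hidden modules loaded from unexpected paths."""
    findings = []
    for mod in modules:
        if not mod.hidden:
            continue
        path = mod.name.lower()
        if path.startswith("\\??\\"):  # strip the NT object-manager prefix
            path = path[4:]
        reasons = []
        if not path.startswith(EXPECTED_PREFIXES):
            reasons.append("hidden module outside the system driver directories")
        if "\\appdata\\" in path or "\\temp\\" in path:
            reasons.append("loaded from a user-writable profile or temp directory")
        if reasons:
            findings.append((mod, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    mods = parse_kernel_modules(SAMPLE_LOG)
    print(f"{len(mods)} kernel modules parsed")
    for mod, why in suspicious_modules(mods):
        print(f"SUSPICIOUS {mod.name} (service={mod.service}, size=0x{mod.end - mod.base:X}): {why}")
```

Run it against a saved SysProt log by passing the file contents to parse_kernel_modules; a hidden driver sitting in a user's Temp folder is worth a closer look regardless of whether SSDT or IRP hooks were reported.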

#10 martindale66

martindale66
  • Topic Starter
  • Members
  • 46 posts
  • Gender:Male
  • Location: Sheffield UK

Posted 02 October 2009 - 04:14 PM

Hi,

Logs as requested:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8C3CF000
Module End: 8C3DA000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 8C3DA000
Module End: 8C3E2000
Hidden: Yes

Module Name: \??\C:\Users\Paul\AppData\Local\Temp\kwrcypod.sys
Service Name: kwrcypod
Module Base: AD48F000
Module End: AD4A4000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: MEDIA-PC:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: MEDIA-PC:10615
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Virgin Broadband\PCguard\RPS.exe
State: LISTENING

Local Address: MEDIA-PC:10614
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Virgin Broadband\PCguard\RPS.exe
State: LISTENING

Local Address: MEDIA-PC:10613
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Virgin Broadband\PCguard\RPS.exe
State: LISTENING

Local Address: MEDIA-PC:10612
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Virgin Broadband\PCguard\RPS.exe
State: LISTENING

Local Address: MEDIA-PC:10611
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Virgin Broadband\PCguard\RPS.exe
State: LISTENING

Local Address: MEDIA-PC:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING

Local Address: MEDIA-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: MEDIA-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING

Local Address: MEDIA-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: MEDIA-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: MEDIA-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING

Local Address: MEDIA-PC:10243
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: MEDIA-PC:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: MEDIA-PC:ICSLAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: MEDIA-PC:RTSP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: LISTENING

Local Address: MEDIA-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: MEDIA-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: MEDIA-PC:63186
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: MEDIA-PC:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: MEDIA-PC:68
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:64157
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: MEDIA-PC:63187
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:63182
Remote Address: NA
Type: UDP
Process: C:\Windows\ehome\ehrecvr.exe
State: NA

Local Address: MEDIA-PC:59874
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: NA

Local Address: MEDIA-PC:53088
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: MEDIA-PC:49157
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmplayer.exe
State: NA

Local Address: MEDIA-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:49152
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:5005
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: NA

Local Address: MEDIA-PC:5004
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: NA

Local Address: MEDIA-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: MEDIA-PC:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\SPP
Status: Access denied

Object: C:\System Volume Information\SystemRestore
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\Windows Backup
Status: Access denied

Object: C:\System Volume Information\{0e9d83b5-a690-11de-8a1c-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{13053f94-a106-11de-8e74-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{13053fa2-a106-11de-8e74-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{1e2367d5-a1c4-11de-b82d-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{1fba28a8-9dd2-11de-a3af-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3124f893-9c4b-11de-8f90-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3dfb7e5c-a2df-11de-afab-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{551dcc93-9921-11de-bc6a-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{5e49fff5-9ac5-11de-9914-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{76f837d5-a432-11de-af3a-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{76f8385e-a432-11de-af3a-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{76f83862-a432-11de-af3a-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{76f83866-a432-11de-af3a-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{796749d9-a9b5-11de-96fe-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{843fbb13-9e98-11de-b2db-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{844cfa5f-9d7c-11de-a4ca-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{8d28481a-9b8b-11de-9830-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{9f600e49-ac4e-11de-9c81-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{bc166d93-a1cc-11de-bd2e-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{be447402-a75c-11de-a58b-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{deabf0a5-97a7-11de-bb74-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{e5103794-9889-11de-839b-001c25527bb0}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied

Running from: C:\Users\Paul\Desktop\Win32kDiag.exe

Log file at : C:\Users\Paul\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-02 18:26:07 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-10-02 18:25:56 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-02 18:26:05 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-10-02 18:26:04 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-10-02 18:27:01 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()





Finished!

OTL logfile created on: 02/10/2009 21:54:40 - Run 1
OTL by OldTimer - Version 3.0.18.0 Folder = C:\Users\Paul\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.57 Mb Total Physical Memory | 224.82 Mb Available Physical Memory | 22.18% Memory free
2.24 Gb Paging File | 0.56 Gb Available in Paging File | 24.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.69 Gb Total Space | 34.63 Gb Free Space | 31.00% Space Free | Partition Type: NTFS
Drive D: | 111.43 Gb Total Space | 63.37 Gb Free Space | 56.87% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MEDIA-PC
Current User Name: Paul
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/05/27 13:10:02 | 00,371,440 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe
PRC - [2009/04/11 07:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE
PRC - [2009/05/27 13:10:54 | 00,388,336 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\rps.exe
PRC - [2009/09/15 10:19:37 | 01,852,488 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2007/04/17 02:48:12 | 00,028,672 | ---- | M] () -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
PRC - [2008/01/19 08:38:38 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/06/20 09:56:16 | 04,493,312 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/08/01 00:25:48 | 00,326,176 | ---- | M] () -- C:\Acer\Empowering Technology\SysMonitor.exe
PRC - [2007/04/26 00:33:36 | 00,457,216 | ---- | M] (HiTRUST) -- C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
PRC - [2007/04/06 23:07:42 | 00,439,768 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
PRC - [2007/04/06 23:10:56 | 00,223,704 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
PRC - [2008/02/11 21:13:12 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxtray.exe
PRC - [2008/02/11 21:13:02 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2008/02/11 21:13:08 | 00,133,656 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2007/02/12 19:46:34 | 00,208,896 | ---- | M] () -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
PRC - [2007/04/26 00:34:30 | 00,457,512 | ---- | M] (HiTRSUT) -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
PRC - [2009/03/09 06:19:17 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/03/28 14:03:16 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/05/27 12:20:30 | 02,303,216 | ---- | M] (Virgin Broadband) -- C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
PRC - [2009/04/11 07:28:03 | 01,233,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Sidebar\sidebar.exe
PRC - [2008/01/19 08:33:09 | 00,125,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehtray.exe
PRC - [2008/01/19 08:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2009/02/19 00:33:08 | 00,809,488 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/03/02 20:11:18 | 00,159,744 | ---- | M] (Albumon) -- C:\Program Files\AlbumPlayer\RemoteControl\AP_RemoteControl.exe
PRC - [2008/02/11 21:13:10 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2007/01/17 19:20:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/09/22 16:58:44 | 00,693,512 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
PRC - [2007/07/03 19:40:10 | 00,053,248 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
PRC - [2008/01/19 08:33:40 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2008/11/14 18:28:10 | 04,937,752 | R--- | M] (Sana Security) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
PRC - [2009/07/15 13:39:31 | 00,168,960 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmplayer.exe
PRC - [2007/08/01 00:25:50 | 00,323,584 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
PRC - [2007/02/09 15:35:54 | 00,397,312 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
PRC - [2008/01/19 08:33:09 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehmsas.exe
PRC - [2009/09/18 15:32:35 | 00,175,184 | ---- | M] (Radialpoint SafeCare Inc.) -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
PRC - [2008/01/19 08:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
PRC - [2006/11/02 13:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe
PRC - [2008/09/22 16:58:46 | 00,066,824 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
PRC - [2008/09/22 16:58:46 | 00,066,824 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
PRC - [2008/09/22 16:58:46 | 00,066,824 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
PRC - [2008/09/22 16:58:46 | 00,066,824 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
PRC - [2008/09/22 16:58:46 | 00,066,824 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
PRC - [2008/09/22 16:58:46 | 00,066,824 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
PRC - [2009/04/11 07:28:03 | 01,233,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Sidebar\sidebar.exe
PRC - [2009/02/19 00:28:52 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
PRC - [2008/01/19 08:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe
PRC - [2009/05/27 12:20:32 | 00,308,464 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
PRC - [2009/04/03 14:51:32 | 00,143,360 | ---- | M] (Kaspersky Lab.) -- C:\Program Files\Virgin Broadband\PCguard\Kav\Bin\ScanningProcess.exe
PRC - [2009/08/20 22:03:26 | 04,803,584 | ---- | M] (Albumon) -- C:\Program Files\AlbumPlayer\AlbumPlayer.exe
PRC - [2009/08/20 19:48:44 | 00,016,384 | ---- | M] () -- C:\Program Files\AlbumPlayer\AP_Extensions\AP_Extensions.exe
PRC - [2009/05/11 21:32:16 | 01,319,936 | ---- | M] () -- C:\Program Files\AlbumPlayer\MiniWindow\AlbumPlayerMiniWindow.exe
PRC - [2009/07/21 22:53:43 | 00,638,216 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/07/21 22:53:43 | 00,638,216 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/07/21 22:53:43 | 00,638,216 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/10/02 21:53:50 | 00,518,656 | ---- | M] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/09/15 10:19:37 | 01,852,488 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe -- (a2free [Auto | Running])
SRV - [2007/04/17 02:48:12 | 00,028,672 | ---- | M] () -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe -- (AcerMemUsageCheckService [Auto | Running])
SRV - [2007/04/06 23:10:56 | 00,223,704 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe -- (AlertService [Auto | Running])
SRV - [2009/03/30 05:42:14 | 00,066,368 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - File not found -- -- (CLTNetCnService [Auto | Stopped])
SRV - File not found -- -- (CTpvr Recorder [Auto | Stopped])
SRV - [2007/04/06 23:08:24 | 00,039,896 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe -- (DHTRACE [On_Demand | Stopped])
SRV - [2007/02/12 19:46:34 | 00,208,896 | ---- | M] () -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe -- (DQLWinService [Auto | Running])
SRV - [2007/04/26 00:34:30 | 00,457,512 | ---- | M] (HiTRSUT) -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe -- (eDataSecurity Service [Auto | Running])
SRV - [2008/01/19 08:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Running])
SRV - [2006/11/02 13:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Running])
SRV - [2006/11/02 13:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2007/07/03 19:40:10 | 00,053,248 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService [Auto | Running])
SRV - [2009/04/11 07:28:25 | 01,017,856 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])
SRV - [2009/02/18 19:39:20 | 00,043,904 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/02/18 19:38:42 | 00,879,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2007/04/06 23:08:36 | 00,036,312 | R--- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe -- (IntelDHSvcConf [On_Demand | Stopped])
SRV - [2007/04/06 23:08:14 | 00,059,352 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe -- (ISSM [On_Demand | Stopped])
SRV - [2009/09/27 14:06:59 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [On_Demand | Stopped])
SRV - [2009/02/19 00:30:20 | 00,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ [On_Demand | Stopped])
SRV - [2007/01/17 19:20:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2007/04/06 23:06:48 | 00,256,472 | ---- | M] () -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe -- (M1 Server [On_Demand | Stopped])
SRV - [2007/04/06 23:08:58 | 00,158,168 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe -- (MCLServiceATL [On_Demand | Stopped])
SRV - [2009/02/18 19:38:43 | 00,129,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/04/06 23:07:46 | 00,313,816 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe -- (NMSCore [On_Demand | Stopped])
SRV - [2008/09/22 16:58:44 | 00,693,512 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent [Auto | Running])
SRV - [2008/09/22 16:58:48 | 00,910,600 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine [On_Demand | Stopped])
SRV - [2007/04/06 23:10:22 | 00,272,856 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe -- (QualityManager [On_Demand | Stopped])
SRV - [2009/09/18 15:32:35 | 00,175,184 | ---- | M] (Radialpoint SafeCare Inc.) -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe -- (Radialpoint Security Services [On_Demand | Running])
SRV - [2008/11/14 18:28:10 | 04,937,752 | R--- | M] (Sana Security) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe -- (RadialpointSafeConnectAgent [Auto | Running])
SRV - [2007/04/06 23:10:08 | 00,449,496 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe -- (Remote UI Service [On_Demand | Stopped])
SRV - [2009/05/27 13:10:02 | 00,371,440 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe -- (RP_FWS [Auto | Running])
SRV - [2008/01/19 08:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV - [2008/01/19 08:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Running])

========== Driver Services (SafeList) ==========

DRV - [2006/11/02 10:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx [Disabled | Stopped])
DRV - [2006/11/02 10:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci [Disabled | Stopped])
DRV - [2006/11/02 10:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m [Disabled | Stopped])
DRV - [2006/11/02 10:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])
DRV - [2009/02/22 17:47:19 | 00,449,408 | ---- | M] (AfaTech ) -- C:\Windows\System32\DRIVERS\AF15BDA.sys -- (AF15BDA [On_Demand | Stopped])
DRV - [2006/11/02 10:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx [Disabled | Stopped])
DRV - [2006/11/02 10:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide [Disabled | Stopped])
DRV - [2006/11/02 10:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc [Disabled | Stopped])
DRV - [2006/11/02 10:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas [Disabled | Stopped])
DRV - [1999/09/10 12:06:00 | 00,025,244 | ---- | M] (Adaptec) -- C:\Windows\System32\drivers\ASPI32.SYS -- (ASPI32 [System | Running])
DRV - [2007/03/22 03:08:36 | 00,264,320 | ---- | M] (AVerMedia TECHNOLOGIES, Inc.) -- C:\Windows\System32\Drivers\AVerAF15.sys -- (AVerAF15 [On_Demand | Stopped])
DRV - [2006/08/03 07:30:48 | 00,856,832 | ---- | M] (AVerMedia TECHNOLOGIES, Inc.) -- C:\Windows\System32\DRIVERS\AVerM115S.sys -- (AVerM115S [On_Demand | Stopped])
DRV - [2006/11/02 09:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo [On_Demand | Stopped])
DRV - [2006/11/02 09:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp [On_Demand | Stopped])
DRV - [2006/11/02 09:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid [Disabled | Stopped])
DRV - [2006/11/02 09:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm [Disabled | Stopped])
DRV - [2006/11/02 09:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm [Disabled | Stopped])
DRV - [2006/11/02 09:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer [On_Demand | Stopped])
DRV - [2006/11/02 10:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide [Disabled | Stopped])
DRV - [2008/08/28 13:16:40 | 00,071,184 | ---- | M] (Raxco Software, Inc.) -- C:\Windows\System32\drivers\DefragFS.sys -- (DefragFS [Auto | Running])
DRV - [2007/04/13 06:22:56 | 00,228,224 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\e1e6032.sys -- (e1express [On_Demand | Running])
DRV - [2006/11/02 08:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])
DRV - [2006/11/02 10:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor [Disabled | Stopped])
DRV - [2006/11/02 10:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs [Disabled | Stopped])
DRV - [2006/11/02 10:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV [Disabled | Stopped])
DRV - [2008/02/11 20:36:10 | 02,302,976 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\igdkmd32.sys -- (igfx [On_Demand | Running])
DRV - [2006/11/02 10:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp [Disabled | Stopped])
DRV - [2007/07/03 03:05:20 | 00,015,392 | ---- | M] (Acer, Inc.) -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15 [Auto | Running])
DRV - [2007/06/22 10:34:12 | 01,788,056 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2007/12/29 00:02:02 | 00,005,504 | ---- | M] (Intel Corporation) -- C:\Windows\System32\Drivers\IntelDH.sys -- (IntelDH [On_Demand | Running])
DRV - [2006/11/02 10:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi [Disabled | Stopped])
DRV - [2006/11/02 10:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid [Disabled | Stopped])
DRV - [2009/04/03 14:51:34 | 00,120,336 | ---- | M] (Kaspersky Lab) -- C:\Windows\System32\DRIVERS\klif.sys -- (KLIF [System | Running])
DRV - [2009/07/03 15:49:08 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2008/12/19 00:43:40 | 00,035,472 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\DRIVERS\LHidFilt.Sys -- (LHidFilt [On_Demand | Running])
DRV - [2008/12/19 00:43:48 | 00,037,392 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\DRIVERS\LMouFilt.Sys -- (LMouFilt [On_Demand | Running])
DRV - [2006/11/02 10:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])
DRV - [2006/11/02 10:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])
DRV - [2006/11/02 10:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])
DRV - [2008/12/19 00:44:00 | 00,028,816 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\Drivers\LUsbFilt.Sys -- (LUsbFilt [On_Demand | Running])
DRV - [2006/11/02 10:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas [Disabled | Stopped])
DRV - [2006/11/02 10:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x [Disabled | Stopped])
DRV - [2006/11/02 10:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960 [Disabled | Stopped])
DRV - [2007/02/19 05:34:50 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\Windows\System32\DRIVERS\nmsunidr.sys -- (nmsunidr [Auto | Running])
DRV - [2007/08/16 02:40:05 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Windows\System32\DRIVERS\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
DRV - [2006/11/02 08:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi [Disabled | Stopped])
DRV - [2006/11/02 10:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid [Disabled | Stopped])
DRV - [2006/11/02 10:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor [Disabled | Stopped])
DRV - [2007/04/25 16:25:34 | 00,221,184 | ---- | M] (YUAN High-Tech Development Co. Ltd.) -- C:\Windows\System32\DRIVERS\OmniTV.sys -- (OmniTV [On_Demand | Running])
DRV - [2009/09/14 12:45:44 | 00,047,360 | ---- | M] (VSO Software) -- C:\Windows\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Stopped])
DRV - [2007/04/26 00:34:38 | 00,020,776 | ---- | M] (HiTRUST) -- C:\Windows\system32\DRIVERS\psdfilter.sys -- (PSDFilter [Boot | Running])
DRV - [2007/04/26 00:34:44 | 00,016,680 | ---- | M] (HiTRUST) -- C:\Windows\system32\drivers\PSDNServ.sys -- (PSDNServ [Boot | Running])
DRV - [2007/04/26 00:34:40 | 00,060,712 | ---- | M] (HiTRUST) -- C:\Windows\system32\drivers\psdvdisk.sys -- (psdvdisk [Boot | Running])
DRV - [2006/11/02 10:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300 [Disabled | Stopped])
DRV - [2006/11/02 10:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx [Disabled | Stopped])
DRV - [2008/11/14 18:28:36 | 00,161,304 | R--- | M] (Sana Security, Inc. ) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectDriver.sys -- (RadialpointSafeConnectDriver [On_Demand | Running])
DRV - [2008/11/14 18:28:36 | 00,029,720 | R--- | M] (Sana Security, Inc. ) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectFilter.sys -- (RadialpointSafeConnectFilter [On_Demand | Running])
DRV - [2008/11/14 18:28:36 | 00,029,248 | ---- | M] (Sana Security, Inc. ) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectShim.sys -- (RadialpointSafeConnectShim [On_Demand | Running])
DRV - [2008/08/06 21:20:06 | 00,048,384 | ---- | M] (Radialpoint, Inc.) -- C:\Windows\System32\DRIVERS\rp_pkt32.sys -- (RPPKT [On_Demand | Running])
DRV - [2008/11/26 15:19:56 | 00,053,192 | ---- | M] (Radialpoint Inc.) -- C:\Windows\System32\DRIVERS\rp_skt32.sys -- (RPSKT [Auto | Running])
DRV - [2006/11/02 07:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Running])
DRV - [2006/11/02 10:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2 [Disabled | Stopped])
DRV - [2006/11/02 10:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])
DRV - [2006/11/02 10:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx [Disabled | Stopped])
DRV - [2006/11/02 10:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi [Disabled | Stopped])
DRV - [2006/11/02 10:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3 [Disabled | Stopped])
DRV - [2007/04/06 23:10:40 | 00,014,808 | ---- | M] () -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys -- (TSHWMDTCP [On_Demand | Stopped])
DRV - [2006/11/02 10:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci [Disabled | Stopped])
DRV - [2006/11/02 10:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata [Disabled | Stopped])
DRV - [2006/11/02 10:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2 [Disabled | Stopped])
DRV - [2006/11/02 10:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide [Disabled | Stopped])
DRV - [2006/11/02 10:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid [Disabled | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\SOFTWARE\Microsoft\Internet Explorer\Main,SEARCH PAGE = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
IE - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\S-1-5-21-1106646625-2381546590-4196474004-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/30 11:08:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/03/28 14:03:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/29 18:23:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/29 18:23:34 | 00,000,000 | ---D | M]

[2009/06/14 15:22:21 | 00,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\mozilla\Extensions
[2009/06/14 15:22:21 | 00,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/06 17:57:47 | 00,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org
[2009/09/27 11:42:01 | 00,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\mozilla\Firefox\Profiles\0wmeujt7.default\extensions
[2009/09/10 21:55:58 | 00,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\mozilla\Firefox\Profiles\0wmeujt7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/29 18:23:35 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/29 18:23:35 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/31 00:39:43 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/31 00:39:43 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/31 00:39:43 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/07/30 23:24:36 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2009/07/31 00:39:40 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/30 23:24:36 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2009/07/31 00:39:40 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 23:24:36 | 00,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2009/07/31 00:39:40 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/31 00:39:40 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 23:24:36 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (PopKill Class) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll (Virgin Media)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O3 - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O3 - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001\..\Toolbar\WebBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O4 - HKLM..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe ()
O4 - HKLM..\Run: [Acer Tour] File not found
O4 - HKLM..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (Acer Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apanel] C:\ACERSW\config\NewSetApanel.cmd File not found
O4 - HKLM..\Run: [Broadbandadvisor.exe] C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe (Virgin Broadband)
O4 - HKLM..\Run: [CCUTRAYICON] File not found
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe (HiTRUST)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.EXE (Logitech, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NMSSupport] C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Setresolution] C:\ACERSW\config\1440x900.cmd File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe (Acer Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (Acer Inc.)
O4 - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001..\Run: [Center Agent] C:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe File not found
O4 - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AlbumPlayer Remote Control.lnk = C:\Program Files\AlbumPlayer\RemoteControl\AP_RemoteControl.exe (Albumon)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {84A31672-371A-4CBF-8785-DCE55CDC7370} http://192.168.1.100/ocxfile/DownLoad.ocx (DownLoad Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1106646625-2381546590-4196474004-1001 Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2006/09/18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{2490c674-30b9-11de-aa91-001c25527bb0}\Shell\AutoRun\command - "" = G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe -- File not found
O34 - HKLM BootExecute: (PDBoot.exe) - C:\Windows\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/09/27 14:05:44 | 00,000,000 | -H-D | C] -- C:\ProgramData\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/09/14 18:05:39 | 00,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2009/09/27 12:50:28 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/09/18 10:38:00 | 00,000,000 | ---D | C] -- C:\ProgramData\Raxco
[2009/09/14 13:17:09 | 00,000,000 | ---D | C] -- C:\Users\Paul\AppData\Roaming\dvdcss
[2009/09/27 12:50:46 | 00,000,000 | ---D | C] -- C:\Users\Paul\AppData\Roaming\Malwarebytes
[2009/09/14 12:45:43 | 00,000,000 | ---D | C] -- C:\Users\Paul\AppData\Roaming\Vso
[2009/09/22 20:01:20 | 00,000,000 | ---D | C] -- C:\Users\Paul\AppData\Roaming\WinRAR
[2009/09/14 18:23:04 | 00,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\Apple
[2009/09/15 10:15:48 | 00,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2009/09/27 14:05:08 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/09/27 12:50:27 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/18 10:37:59 | 00,000,000 | ---D | C] -- C:\Program Files\Raxco
[2009/09/22 19:58:14 | 00,000,000 | ---D | C] -- C:\Program Files\The Extractor
[2009/10/02 21:52:51 | 00,518,656 | ---- | C] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe
[2009/10/02 20:44:39 | 00,000,000 | ---D | C] -- C:\Users\Paul\Desktop\SysProt
[2009/10/02 12:59:52 | 00,000,000 | ---D | C] -- C:\Users\Paul\Desktop\gmer
[2009/09/27 14:07:29 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2009/09/27 12:50:31 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/09/27 12:50:28 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/09/22 19:58:15 | 00,737,280 | ---- | C] (Indigo Rose Corporation) -- C:\Windows\iun6002.exe
[2009/09/18 10:38:05 | 00,071,184 | ---- | C] (Raxco Software, Inc.) -- C:\Windows\System32\drivers\DefragFS.sys
[2009/09/15 10:15:48 | 00,000,000 | ---D | C] -- C:\Users\Paul\Documents\a-squared Free
[2009/09/14 13:25:21 | 00,025,244 | ---- | C] (Adaptec) -- C:\Windows\System32\drivers\ASPI32.SYS
[2009/09/14 13:25:20 | 00,045,056 | ---- | C] (Adaptec) -- C:\Windows\System32\WNASPI32.DLL
[2009/09/14 13:25:20 | 00,005,600 | ---- | C] (Adaptec) -- C:\Windows\System\WINASPI.DLL
[2009/09/14 13:25:20 | 00,004,672 | ---- | C] (Adaptec) -- C:\Windows\System\WOWPOST.EXE
[2009/09/14 12:45:44 | 00,047,360 | ---- | C] (VSO Software) -- C:\Windows\System32\drivers\pcouffin.sys
[2009/09/14 12:45:44 | 00,047,360 | ---- | C] (VSO Software) -- C:\Users\Paul\AppData\Roaming\pcouffin.sys
[2009/09/14 12:45:43 | 00,000,000 | ---D | C] -- C:\Users\Paul\Documents\PcSetup
[2009/09/09 21:16:31 | 00,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2009/09/09 21:16:26 | 00,904,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpip.sys
[2009/09/09 21:16:26 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netiohlp.dll
[2009/09/09 21:16:25 | 00,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpipreg.sys
[2009/09/09 21:16:25 | 00,027,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\NETSTAT.EXE
[2009/09/09 21:16:25 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ARP.EXE
[2009/09/09 21:16:25 | 00,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ROUTE.EXE
[2009/09/09 21:16:25 | 00,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netevent.dll
[2009/09/09 21:16:25 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MRINFO.EXE
[2009/09/09 21:16:25 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\finger.exe
[2009/09/09 21:16:25 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\TCPSVCS.EXE
[2009/09/09 21:16:25 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\HOSTNAME.EXE
[2009/09/09 21:16:15 | 00,302,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wlansec.dll
[2009/09/09 21:16:15 | 00,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wlanmsm.dll
[2009/09/09 21:16:15 | 00,127,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\L2SecHC.dll
[2009/09/09 21:16:14 | 00,513,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wlansvc.dll
[2009/09/09 21:16:14 | 00,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wlanapi.dll
[2009/09/09 21:16:11 | 02,386,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMVCORE.DLL
[2009/09/09 21:16:10 | 02,868,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mf.dll
[2009/09/02 21:55:35 | 00,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2007/08/16 02:50:06 | 00,053,248 | ---- | C] ( ) -- C:\Windows\System32\Interop.Shell32.dll

========== Files - Modified Within 30 Days ==========

[1 C:\Windows\*.tmp files]
[2009/10/02 21:54:22 | 06,888,480 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.dat
[2009/10/02 21:53:50 | 00,518,656 | ---- | M] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe
[2009/10/02 20:51:38 | 00,047,616 | ---- | M] () -- C:\Users\Paul\Desktop\Win32kDiag.exe
[2009/10/02 20:44:12 | 00,354,396 | ---- | M] () -- C:\Users\Paul\Desktop\SysProt.zip
[2009/10/02 20:25:59 | 00,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/10/02 20:25:59 | 00,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/10/02 19:15:25 | 00,288,768 | ---- | M] () -- C:\Users\Paul\Desktop\itxfief1.exe
[2009/10/02 18:34:59 | 00,000,390 | ---- | M] () -- C:\Users\Paul\Desktop\Local Area Connection - Shortcut.lnk
[2009/10/02 18:26:03 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/10/02 18:25:57 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/10/02 18:25:56 | 10,635,75552 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/02 18:25:55 | 12,047,4846 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/10/02 18:17:24 | 00,288,768 | ---- | M] () -- C:\Users\Paul\Desktop\w48tp79f.exe
[2009/10/02 15:46:39 | 00,092,936 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.idx
[2009/10/02 15:45:10 | 01,662,408 | -H-- | M] () -- C:\Users\Paul\AppData\Local\IconCache.db
[2009/10/02 12:59:32 | 00,280,419 | ---- | M] () -- C:\Users\Paul\Desktop\gmer.zip
[2009/10/02 12:51:03 | 00,014,336 | ---- | M] () -- C:\Users\Paul\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/02 12:22:15 | 00,132,597 | ---- | M] () -- C:\Users\Paul\Desktop\Flash_Disinfector.exe
[2009/09/30 20:25:50 | 00,361,355 | ---- | M] () -- C:\Users\Paul\Desktop\dds.pif
[2009/09/27 14:10:41 | 00,000,472 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2009/09/27 14:07:15 | 00,015,688 | ---- | M] () -- C:\Windows\System32\lsdelete.exe
[2009/09/27 14:05:42 | 00,000,971 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2009/09/27 12:59:27 | 00,005,556 | -HS- | M] () -- C:\Users\Paul\AppData\Roaming\02000000c1f4700a669C.manifest
[2009/09/27 12:59:27 | 00,003,015 | -HS- | M] () -- C:\Users\Paul\AppData\Roaming\02000000c1f4700a669P.manifest
[2009/09/27 12:59:27 | 00,000,516 | -HS- | M] () -- C:\Users\Paul\AppData\Roaming\02000000c1f4700a669O.manifest
[2009/09/27 12:59:27 | 00,000,011 | -HS- | M] () -- C:\Users\Paul\AppData\Roaming\02000000c1f4700a669S.manifest
[2009/09/27 12:50:37 | 00,000,782 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/25 19:42:21 | 00,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/09/25 19:42:21 | 00,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/09/25 19:42:20 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/09/22 19:58:21 | 00,001,707 | ---- | M] () -- C:\Users\Paul\Desktop\The Extractor.lnk
[2009/09/22 19:57:53 | 00,737,280 | ---- | M] (Indigo Rose Corporation) -- C:\Windows\iun6002.exe
[2009/09/22 17:27:12 | 07,197,714 | ---- | M] () -- C:\Users\Paul\Desktop\Johnson3.pdf
[2009/09/18 10:37:42 | 00,001,925 | ---- | M] () -- C:\Users\Public\Desktop\Virgin Broadband PCguard.lnk
[2009/09/15 10:16:05 | 00,000,734 | ---- | M] () -- C:\Users\Public\Desktop\a-squared Free.lnk
[2009/09/15 08:58:07 | 00,087,608 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\inst.exe
[2009/09/15 08:58:07 | 00,047,360 | ---- | M] (VSO Software) -- C:\Users\Paul\AppData\Roaming\pcouffin.sys
[2009/09/15 08:58:07 | 00,007,887 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\pcouffin.cat
[2009/09/15 08:58:07 | 00,001,144 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\pcouffin.inf
[2009/09/14 14:13:30 | 00,001,372 | ---- | M] () -- C:\Windows\System32\rnhdf.vbs
[2009/09/14 14:12:53 | 00,001,372 | ---- | M] () -- C:\Windows\System32\LNIGRktEF1azz.vbs
[2009/09/14 14:12:47 | 00,001,372 | ---- | M] () -- C:\Windows\System32\18OyNBQj5TPwzFw.vbs
[2009/09/14 14:12:27 | 00,001,372 | ---- | M] () -- C:\Windows\System32\cxWgYGjk2HGf3Em.vbs
[2009/09/14 13:49:32 | 00,001,372 | ---- | M] () -- C:\Windows\System32\4nasfZz.vbs
[2009/09/14 12:45:44 | 00,047,360 | ---- | M] (VSO Software) -- C:\Windows\System32\drivers\pcouffin.sys
[2009/09/14 12:42:03 | 00,033,060 | ---- | M] () -- C:\Windows\cdplayer.ini
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/09/09 11:32:34 | 00,001,114 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
[2009/09/09 09:33:44 | 00,001,666 | ---- | M] () -- C:\Users\Paul\Desktop\LimeWire 5.2.13.lnk

========== Files - No Company Name ==========
[2009/10/02 20:51:37 | 00,047,616 | ---- | C] () -- C:\Users\Paul\Desktop\Win32kDiag.exe
[2009/10/02 20:44:06 | 00,354,396 | ---- | C] () -- C:\Users\Paul\Desktop\SysProt.zip
[2009/10/02 19:15:22 | 00,288,768 | ---- | C] () -- C:\Users\Paul\Desktop\itxfief1.exe
[2009/10/02 18:34:59 | 00,000,390 | ---- | C] () -- C:\Users\Paul\Desktop\Local Area Connection - Shortcut.lnk
[2009/10/02 18:25:56 | 10,635,75552 | -HS- | C] () -- C:\hiberfil.sys
[2009/10/02 18:17:15 | 00,288,768 | ---- | C] () -- C:\Users\Paul\Desktop\w48tp79f.exe
[2009/10/02 15:45:10 | 01,662,408 | -H-- | C] () -- C:\Users\Paul\AppData\Local\IconCache.db
[2009/10/02 12:59:28 | 00,280,419 | ---- | C] () -- C:\Users\Paul\Desktop\gmer.zip
[2009/10/02 12:21:54 | 00,132,597 | ---- | C] () -- C:\Users\Paul\Desktop\Flash_Disinfector.exe
[2009/09/30 20:25:39 | 00,361,355 | ---- | C] () -- C:\Users\Paul\Desktop\dds.pif
[2009/09/27 14:41:45 | 00,015,688 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2009/09/27 14:05:41 | 00,000,971 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2009/09/27 12:50:37 | 00,000,782 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/22 19:58:21 | 00,001,707 | ---- | C] () -- C:\Users\Paul\Desktop\The Extractor.lnk
[2009/09/22 17:27:12 | 07,197,714 | ---- | C] () -- C:\Users\Paul\Desktop\Johnson3.pdf
[2009/09/18 10:45:33 | 00,092,936 | -HS- | C] () -- C:\Windows\System32\drivers\fidbox.idx
[2009/09/18 10:45:26 | 06,865,184 | -HS- | C] () -- C:\Windows\System32\drivers\fidbox.dat
[2009/09/18 10:37:42 | 00,001,925 | ---- | C] () -- C:\Users\Public\Desktop\Virgin Broadband PCguard.lnk
[2009/09/15 10:16:05 | 00,000,734 | ---- | C] () -- C:\Users\Public\Desktop\a-squared Free.lnk
[2009/09/14 18:07:43 | 00,000,472 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2009/09/14 14:13:30 | 00,001,372 | ---- | C] () -- C:\Windows\System32\rnhdf.vbs
[2009/09/14 14:12:53 | 00,001,372 | ---- | C] () -- C:\Windows\System32\LNIGRktEF1azz.vbs
[2009/09/14 14:12:47 | 00,001,372 | ---- | C] () -- C:\Windows\System32\18OyNBQj5TPwzFw.vbs
[2009/09/14 14:12:27 | 00,001,372 | ---- | C] () -- C:\Windows\System32\cxWgYGjk2HGf3Em.vbs
[2009/09/14 13:49:33 | 00,005,556 | -HS- | C] () -- C:\Users\Paul\AppData\Roaming\02000000c1f4700a669C.manifest
[2009/09/14 13:49:33 | 00,003,015 | -HS- | C] () -- C:\Users\Paul\AppData\Roaming\02000000c1f4700a669P.manifest
[2009/09/14 13:49:33 | 00,000,516 | -HS- | C] () -- C:\Users\Paul\AppData\Roaming\02000000c1f4700a669O.manifest
[2009/09/14 13:49:33 | 00,000,011 | -HS- | C] () -- C:\Users\Paul\AppData\Roaming\02000000c1f4700a669S.manifest
[2009/09/14 13:49:32 | 00,001,372 | ---- | C] () -- C:\Windows\System32\4nasfZz.vbs
[2009/09/14 12:47:06 | 00,000,033 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\pcouffin.log
[2009/09/14 12:45:44 | 00,087,608 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\inst.exe
[2009/09/14 12:45:44 | 00,007,887 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\pcouffin.cat
[2009/09/14 12:45:43 | 00,001,144 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\pcouffin.inf
[2009/09/09 21:16:15 | 02,501,921 | ---- | C] () -- C:\Windows\System32\wlan.tmf
[2009/09/09 11:32:34 | 00,001,114 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
[2009/09/09 09:33:44 | 00,001,666 | ---- | C] () -- C:\Users\Paul\Desktop\LimeWire 5.2.13.lnk
[2009/08/30 11:40:36 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/22 11:49:00 | 00,000,704 | ---- | C] () -- C:\Windows\wininit.ini
[2009/06/11 19:12:29 | 00,033,060 | ---- | C] () -- C:\Windows\cdplayer.ini
[2009/05/09 23:13:41 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/05/01 10:30:29 | 00,002,128 | ---- | C] () -- C:\Windows\AutostarSuite.ini
[2009/04/27 15:49:51 | 00,581,632 | ---- | C] () -- C:\Windows\System32\TMPXCORE.DLL
[2009/04/27 15:49:51 | 00,126,976 | ---- | C] () -- C:\Windows\System32\TMPXVFW.DLL
[2009/04/27 15:47:49 | 00,086,016 | ---- | C] () -- C:\Windows\System32\AMD422CODEC.DLL
[2009/03/08 20:34:58 | 00,000,082 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\wklnhst.dat
[2009/02/22 15:50:01 | 00,014,336 | ---- | C] () -- C:\Users\Paul\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/21 14:17:52 | 00,000,680 | ---- | C] () -- C:\Users\Paul\AppData\Local\d3d9caps.dat
[2009/02/19 18:42:07 | 00,070,717 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\KTVR1.chl
[2009/02/19 18:42:07 | 00,000,162 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\KTVR1.cfg
[2009/02/19 18:19:53 | 00,003,341 | ---- | C] () -- C:\Windows\TVAfaDrv.ini
[2009/02/18 18:38:50 | 00,049,152 | R--- | C] () -- C:\Windows\System32\AVerIO.dll
[2009/02/18 18:38:50 | 00,003,456 | R--- | C] () -- C:\Windows\System32\AVerIO.sys
[2009/02/18 18:38:41 | 00,262,144 | R--- | C] () -- C:\Windows\System32\sptlib01.dll
[2009/02/18 18:38:41 | 00,249,856 | R--- | C] () -- C:\Windows\System32\sptlib02.dll
[2009/02/17 13:49:15 | 00,071,600 | ---- | C] () -- C:\Users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
[2008/10/14 16:09:12 | 00,005,504 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen_x86.sys
[2008/02/11 20:55:18 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/12/29 00:09:55 | 00,000,044 | ---- | C] () -- C:\Windows\Acer(Normal).ini
[2007/12/29 00:09:55 | 00,000,042 | ---- | C] () -- C:\Windows\Acer(Wide).ini
[2007/08/16 03:39:17 | 00,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2007/08/16 02:50:04 | 00,331,776 | ---- | C] () -- C:\Windows\System32\ScrollBarLib.dll
[2007/08/16 01:53:36 | 00,000,707 | ---- | C] () -- C:\Windows\generic.ini
[2007/08/16 01:53:36 | 00,000,107 | ---- | C] () -- C:\Windows\Alaunch.ini
[2007/08/16 01:53:35 | 00,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/08/16 01:53:35 | 00,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1283.dll
[2007/08/16 01:53:34 | 00,003,072 | ---- | C] () -- C:\Windows\System32\34CoInstaller.dll
[2007/04/26 00:33:22 | 00,266,240 | ---- | C] () -- C:\Windows\System32\NotesExtmngr.dll
[2007/04/26 00:32:50 | 00,204,800 | ---- | C] () -- C:\Windows\System32\NotesActnMenu.dll
[2007/04/26 00:32:46 | 00,086,016 | ---- | C] () -- C:\Windows\System32\MSNSpook.dll
[2007/04/26 00:31:00 | 00,028,672 | ---- | C] () -- C:\Windows\System32\BatchCrypto.dll
[2007/04/26 00:30:52 | 00,073,728 | ---- | C] () -- C:\Windows\System32\APISlice.dll
[2007/04/26 00:30:44 | 00,063,488 | ---- | C] () -- C:\Windows\System32\ShowErrMsg.dll
[2006/12/25 23:44:48 | 00,022,016 | ---- | C] () -- C:\Windows\System32\MailFormat_U.dll
[2006/11/02 13:50:50 | 00,000,174 | -HS- | C] () -- C:\Program Files\desktop.ini
[2006/11/02 13:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:23:31 | 00,000,240 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 11:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/06/23 19:09:34 | 00,019,968 | R--- | C] () -- C:\Windows\System32\cpuinf32.dll
[2001/12/27 00:12:30 | 00,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 07:46:38 | 00,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/31 00:33:56 | 00,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 06:04:36 | 00,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:6108D5DF

========== Files - Unicode (All) ==========
[2009/09/18 10:41:28 | 00,000,036 | ---- | M] ()(C:\Windows\System32\????????????????????????????????????g) -- C:\Windows\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g
[2009/09/18 10:41:28 | 00,000,036 | ---- | C] ()(C:\Windows\System32\????????????????????????????????????g) -- C:\Windows\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g
< End of report >

OTL Extras logfile created on: 02/10/2009 21:54:40 - Run 1
OTL by OldTimer - Version 3.0.18.0 Folder = C:\Users\Paul\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.57 Mb Total Physical Memory | 224.82 Mb Available Physical Memory | 22.18% Memory free
2.24 Gb Paging File | 0.56 Gb Available in Paging File | 24.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.69 Gb Total Space | 34.63 Gb Free Space | 31.00% Space Free | Partition Type: NTFS
Drive D: | 111.43 Gb Total Space | 63.37 Gb Free Space | 56.87% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MEDIA-PC
Current User Name: Paul
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{12E03DAC-0287-41ED-A5A1-E8D90C5B99BC}" = lport=139 | protocol=6 | dir=in | app=system |
"{350C84D6-6CEE-43F3-8000-A43AC1C2F7E9}" = rport=138 | protocol=17 | dir=out | app=system |
"{398A2A37-E6EE-41BC-A2C8-2E2BCC9926DA}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=c:\windows\system32\spoolsv.exe |
"{410A47AF-C9E6-47B9-837A-44EF1556E049}" = rport=445 | protocol=6 | dir=out | app=system |
"{48C4D642-881F-47BE-BA95-CF25BEBD9CFC}" = lport=137 | protocol=17 | dir=in | app=system |
"{7CD96428-4EF5-4CF0-A081-AF28D3195E4C}" = rport=137 | protocol=17 | dir=out | app=system |
"{7ED2F438-D9C7-4E78-9630-B015C25B4D8A}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=file and printer sharing (spooler service - rpc-epmap) |
"{B12FD5E9-B765-4976-85A9-01C066C9124D}" = lport=445 | protocol=6 | dir=in | app=system |
"{B3C70305-367F-49B9-9E73-3EB634F58525}" = lport=138 | protocol=17 | dir=in | app=system |
"{BE93EE22-FFF2-4F94-974B-32B36C37E386}" = lport=1900 | protocol=17 | dir=in | name=intel® viiv™ media server upnp discovery |
"{EA20CD86-484A-4274-BF52-290653F6CB04}" = rport=139 | protocol=6 | dir=out | app=system |
"{F3D310FA-64C8-481A-8142-55759BAAAFA4}" = lport=9442 | protocol=17 | dir=in | name=intel® viiv™ media server discovery |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{031E7887-D0F9-4D8E-9029-A773FF74D607}" = protocol=1 | dir=out | name=file and printer sharing (echo request - icmpv4-out) |
"{05FEBDE2-5F8B-4D06-941D-BDEAC9B71C8A}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\btvsettingsservice.exe |
"{0A5EE0CF-6523-408E-A30C-F73EABBEE58C}" = protocol=6 | dir=out | app=%systemroot%\explorer.exe |
"{118086B0-FC01-47A0-B332-6E31BDF0DCBF}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\btvnetworkservice.exe |
"{12AC8539-FED2-4ACC-82E4-42EC042B4517}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\btvrecordingengine.exe |
"{12EF5802-6C0E-458B-8781-ED3BCA65475D}" = protocol=6 | dir=in | app=%systemroot%\explorer.exe |
"{17C5C5C6-B64E-4243-B96A-98D4A7A0EC02}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\btvguidedataloader.exe |
"{22D7EB11-4C39-44AF-A86E-30F41E946200}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{2AFE4A5C-53AA-4558-AD10-34B23C3425EA}" = protocol=6 | dir=in | app=c:\program files\intel\inteldh\intel media server\shells\remote ui service.exe |
"{2F3A680B-C5DC-4EB8-A5E4-6054D9B0C554}" = protocol=58 | dir=out | name=file and printer sharing (echo request - icmpv6-out) |
"{30E380D3-4BF5-43CC-A215-976EC0D6A002}" = protocol=17 | dir=in | app=c:\program files\intel\inteldh\intel media server\shells\remote ui service.exe |
"{3745919A-90ED-41DD-B0F0-0C956DAE6476}" = protocol=17 | dir=in | app=c:\program files\intel\inteldh\intel media server\media server\bin\tshwmdtcp.exe |
"{43A6F80A-D761-4F81-BE41-34A4411AC199}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\setupwizard.exe |
"{496B4A89-2156-4100-945C-15E1E38E3FF4}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\btvsettingsservice.exe |
"{4C3BC114-0468-4920-8667-B2072973063F}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\btvtaskmanagerservice.exe |
"{4CC17C33-B562-49E1-BE37-6794E90687D9}" = protocol=6 | dir=in | app=%systemroot%\explorer.exe |
"{4ED3F624-7D9A-49B2-BA57-713C831B0611}" = protocol=17 | dir=in | app=c:\program files\melloware\intelliremote\intelliremote.exe |
"{5072A940-BC30-4F26-BDB0-B552A210EF77}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\btvregistrationservice.exe |
"{51BFB2FE-E0C0-49CD-93D2-EB05A5BCFB04}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\btvnetworkservice.exe |
"{520296BC-77A4-4927-AA09-05B9D50B12BB}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\setupwizard.exe |
"{6CC150E9-40BC-437A-9E3B-D7C5F780B289}" = protocol=17 | dir=in | app=c:\program files\intel\inteldh\intel media server\media server\bin\mediaserver.exe |
"{6FFAB3DB-4748-43EE-B145-D8E3D88E4D1A}" = protocol=6 | dir=in | app=%systemroot%\explorer.exe |
"{7333978F-4316-4593-89F5-9F5681DD6F36}" = protocol=6 | dir=in | app=c:\program files\melloware\intelliremote\intelliremote.exe |
"{74B9042F-4BFF-443A-BE2D-8A148AFE5612}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\btvtaskmanagerservice.exe |
"{7D67544C-C312-4224-BAC3-D645653549ED}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{81404C57-010C-4C54-B086-5D7C43B3FFB5}" = protocol=6 | dir=out | app=%systemroot%\explorer.exe |
"{88A36E43-C8D9-4A37-8A21-86B854ACB8E6}" = protocol=6 | dir=out | app=%systemroot%\explorer.exe |
"{8F60E4F5-0429-40F8-A7B8-1A14D2B702A7}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{91C42958-08FF-461A-8506-4ADFE6A62266}" = protocol=6 | dir=out | app=%systemroot%\explorer.exe |
"{9B25CEA1-FA35-4F19-B115-3A1C468B09FC}" = protocol=6 | dir=in | app=%systemroot%\explorer.exe |
"{9E79B599-8C0A-485E-B232-6210475F49E4}" = protocol=6 | dir=in | app=%systemroot%\explorer.exe |
"{A11DF715-B47F-4B6F-AE41-93AA4EDAE373}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\btvplaybackengine.exe |
"{A35EBD7D-7C52-470B-ABA6-F9378AF38C83}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{A5C09E83-E190-4210-AC24-3135BA28963E}" = protocol=6 | dir=out | app=%systemroot%\explorer.exe |
"{AA4283AD-1E0F-432C-99FB-9256165E6B14}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{B3015A09-D315-4379-9C24-A331543CC47F}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\btvplaybackengine.exe |
"{B6B331FA-50D8-49C0-B8FF-8379422337E8}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\btvguidedataloader.exe |
"{BD98BF62-59A5-4F60-B7BA-80A40FD2AC38}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\btvregistrationservice.exe |
"{CB7800BF-46DC-4008-9B53-33BB417190AA}" = protocol=6 | dir=in | app=c:\program files\intel\inteldh\intel media server\media server\bin\mediaserver.exe |
"{D6A5A8F8-BA69-4E6B-96A2-C015F029EA3D}" = protocol=17 | dir=in | app=c:\program files\snapstream media\beyond tv\btvd3dshell.exe |
"{D97D618E-B9F4-4350-9F5C-D27F54FB3D62}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\btvrecordingengine.exe |
"{DA1F1E3C-9376-4BC7-83BD-535D290804E6}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{E7EDF8E1-CF49-492E-A6E7-F14C9EF94237}" = protocol=6 | dir=in | app=c:\program files\intel\inteldh\intel media server\media server\bin\tshwmdtcp.exe |
"{FAE977B8-FC23-47B3-9E96-9AB0F5500E96}" = protocol=6 | dir=in | app=c:\program files\snapstream media\beyond tv\btvd3dshell.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03E4915C-C563-4A37-9622-A5F975EFFCB9}" = RPS Diagnostic Utility
"{0B0F82AB-5B9A-4B9F-96EF-74E1FD85F01F}" = Virgin Broadband PCguard
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0DAA5653-60D4-44C1-AD10-EC7D4FA4D820}" = Intel® Viiv™ Software
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"{1B79FE5E-3100-4998-97A2-9CB717BFF5DE}" = RPS PerfectDiskStub
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2567B22D-4CAC-44ED-8B31-FB92636E2E0F}" = WebCam
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 13
"{295D8CF2-661D-45B2-AD03-EBDF8E7368A9}" = RPS RpsCore
"{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}" = PerfectDisk 2008
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.1
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6EE21298-DEA5-4141-B8C8-E58737216134}" = RPS SafeConnect
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7655E113-C306-11D9-A373-0050BAE317E1}" = MCE Software Encoder 1.1
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{8213D6EA-F48B-4040-A088-6259751DEB0B}" = RPS ParentalControl
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{94389919-B0AA-4882-9BE8-9F0B004ECA35}" = Acer Tour
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A5D4E41C-2583-46FE-9B99-62496F85C5F3}" = RPS CRT
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{AEEAE013-92F1-4515-B278-139F1A692A36}" = Acer eDataSecurity Management
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BB34B49B-7C29-4140-9E58-659DFFB48534}" = RPS Burn
"{C29B13CC-F0C5-4973-8980-2BCDC7C44E39}" = Beyond TV DVD Burning Foundation
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{D462BF9E-0C35-4705-BF9B-3DF9F3816643}" = Acer ePerformance Management
"{D488D3D4-3302-4EB3-BC2C-814428DAEB15}" = RPS Firewall
"{D76AC37C-40AE-49EB-B867-1C405C9485C1}" = RPS Ksdk
"{D8C2C5B1-1A88-4B87-9116-59D082B1CE30}" = Visual Studio 2005 Redist Package
"{DEB38E1A-F4E5-4DF0-96F4-4050567A9D09}" = AV Input Selection
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E5D52570-5EF1-4576-A434-6CCD92268F0F}" = Google SketchUp 7
"{E8DF0C63-3669-4A71-9000-03775FF51D2C}" = RemotePlayback
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1BECAB5-C251-4019-88BC-FBD3668E526C}" = RPS PopupBlocker
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"AlbumPlayer aPod Skins_is1" = AlbumPlayer V5.1 aPod Skin
"AlbumPlayer Classic Skin_is1" = AlbumPlayer V5.1 Classic Skin
"AlbumPlayer Classic Touch Skin_is1" = AlbumPlayer V5.1 Classic Touch Skin
"AlbumPlayer Jukebox Skin_is1" = AlbumPlayer V5.1 Jukebox Skin
"AlbumPlayer Nostalgica Skin_is1" = AlbumPlayer V5.1 Nostalgica Skin
"AlbumPlayer RemoteControl_is1" = AlbumPlayer Remote Control V1.1
"AlbumPlayer Seventy-Nine Skins_is1" = AlbumPlayer V5.1 Seventy-Nine Skins
"AlbumPlayer_is1" = AlbumPlayer V5.1b
"a-squared Free_is1" = a-squared Free 4.5
"GOM Player" = GOM Player
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"Intel® Configuration Center" = Intel® Viiv™ Software
"Intelliremote_2.0" = Intelliremote 2.7.5.883
"KWorld DVB-T USB BDA Driver_is1" = KWorld DVB-T USB BDA Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"PROSet" = Intel® PRO Network Connections Drivers
"RadialpointClientGateway_is1" = Virgin Broadband advisor 1.5.24
"RealPlayer 6.0" = RealPlayer
"Stellarium_is1" = Stellarium 0.10.2
"The Extractor1.4.1" = The Extractor
"TVAfaDrv" = KWorld DVB-T USB BDA Driver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1106646625-2381546590-4196474004-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 18/09/2009 05:43:56 | Computer Name = Media-PC | Source = VSS | ID = 8193
Description =

Error - 18/09/2009 07:43:04 | Computer Name = Media-PC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 18/09/2009 07:52:16 | Computer Name = Media-PC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 18/09/2009 07:56:56 | Computer Name = Media-PC | Source = Application Error | ID = 1000
Description = Faulting application ehPrivJob.exe, version 6.0.6001.18000, time stamp
0x479192da, faulting module Indiv01.key, version 11.0.6000.6324, time stamp 0x47e420f2,
exception code 0xc0000005, fault offset 0x0010a706, process id 0x10d4, application
start time 0x01ca38564fcd0e2e.

Error - 19/09/2009 16:37:52 | Computer Name = Media-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 19/09/2009 16:42:12 | Computer Name = Media-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 19/09/2009 16:55:18 | Computer Name = Media-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 22/09/2009 07:31:33 | Computer Name = Media-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 25/09/2009 15:29:32 | Computer Name = Media-PC | Source = Application Error | ID = 1000
Description = Faulting application Explorer.EXE, version 6.0.6002.18005, time stamp
0x49e01da5, faulting module ntdll.dll, version 6.0.6002.18005, time stamp 0x49e03821,
exception code 0xc0000005, fault offset 0x00066739, process id 0x10c, application
start time 0x01ca3dec750beadf.

Error - 27/09/2009 09:06:13 | Computer Name = Media-PC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ IntelDH Events ]
Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 09:28:44 | Computer Name = Media-PC | Source = AlertService | ID = 15
Description = A CCU internal function detected an error: XMLDoc::LoadXML failed
with reason: XML document must have a top level element.

Error - 17/02/2009 11:26:53 | Computer Name = Media-PC | Source = AlertService | ID = 17
Description = A CCU interface function returned an error: DataManager::GetData failed
to retrieve the data

[ Media Center Events ]
Error - 26/08/2009 11:53:12 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerAccumulate failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 26/08/2009 12:36:15 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerAccumulate failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 26/08/2009 12:36:29 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerAccumulate failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 26/08/2009 13:23:31 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerAccumulate failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 26/08/2009 14:21:33 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerAccumulate failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 27/08/2009 08:06:26 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 02/09/2009 03:32:08 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 11/09/2009 16:00:54 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 20/09/2009 18:59:02 | Computer Name = Media-PC | Source = Media Center Guide | ID = 4
Description = Event Info: An unknown connection failure occurred. Windows Media
Center was unable to connect to the Internet. See Help for more information. Process:
DefaultDomain Object Name: Microsoft.Ehome.Epg.EhepgdatSingleton

Error - 01/10/2009 18:14:20 | Computer Name = Media-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.WaitForUploadComplete failed. Please
try to ping www.msn.com prior to filing a bug.; Win32 GetLastError returned 10000109
Process: DefaultDomain Object Name: Media Center Guide

[ System Events ]
Error - 10/05/2009 07:20:06 | Computer Name = Media-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 10/05/2009 20:56:10 | Computer Name = Media-PC | Source = DCOM | ID = 10010
Description =

Error - 11/05/2009 05:12:59 | Computer Name = Media-PC | Source = HTTP | ID = 15016
Description =

Error - 11/05/2009 05:14:43 | Computer Name = Media-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 11/05/2009 09:06:38 | Computer Name = Media-PC | Source = HTTP | ID = 15016
Description =

Error - 11/05/2009 09:08:20 | Computer Name = Media-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 11/05/2009 17:54:22 | Computer Name = Media-PC | Source = DCOM | ID = 10010
Description =

Error - 12/05/2009 06:25:24 | Computer Name = Media-PC | Source = HTTP | ID = 15016
Description =

Error - 12/05/2009 06:27:03 | Computer Name = Media-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 13/05/2009 06:48:02 | Computer Name = Media-PC | Source = HTTP | ID = 15016
Description =


< End of report >

#11 schrauber


    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 03 October 2009 - 10:52 AM

Hi,



Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Edited by schrauber, 03 October 2009 - 10:53 AM.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#12 martindale66

  • Topic Starter

  • Members
  • 46 posts
  • Gender:Male
  • Location:Sheffield UK

Posted 03 October 2009 - 01:39 PM

Hi Tom,

Any initial signs of infections, or too soon to say?

Below ComboFix.txt

I noticed that the log states that my PCguard Anti-Virus, Firewall and Anti-Spyware are enabled - even though I disabled them.
I can un-install these programs and repeat the scan if necessary.

Regards,

Paul.



ComboFix 09-10-01.05 - Paul 03/10/2009 18:51.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1014.398 [GMT 1:00]
Running from: c:\users\Paul\Desktop\schrauber.exe
AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: PCguard Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1106646625-2381546590-4196474004-500
c:\users\Paul\AppData\Roaming\02000000c1f4700a669C.manifest
c:\users\Paul\AppData\Roaming\02000000c1f4700a669O.manifest
c:\users\Paul\AppData\Roaming\02000000c1f4700a669P.manifest
c:\users\Paul\AppData\Roaming\02000000c1f4700a669S.manifest
c:\users\Paul\AppData\Roaming\inst.exe
c:\windows\system32\18OyNBQj5TPwzFw.vbs
c:\windows\system32\4nasfZz.vbs
c:\windows\system32\cxWgYGjk2HGf3Em.vbs
c:\windows\system32\LNIGRktEF1azz.vbs
c:\windows\system32\rnhdf.vbs

.
((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-03 10:32 . 2009-10-01 09:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-27 13:41 . 2009-09-27 13:07 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-27 13:07 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-27 13:05 . 2009-09-27 13:05 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-27 13:05 . 2009-09-27 13:05 -------- d-----w- c:\program files\Lavasoft
2009-09-27 11:50 . 2009-09-27 11:50 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
2009-09-27 11:50 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 11:50 . 2009-09-27 11:50 -------- d-----w- c:\programdata\Malwarebytes
2009-09-27 11:50 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 11:50 . 2009-09-27 11:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 18:58 . 2009-09-22 18:57 737280 ----a-w- c:\windows\iun6002.exe
2009-09-22 18:58 . 2009-09-22 18:58 -------- d-----w- c:\program files\The Extractor
2009-09-18 09:45 . 2009-10-03 17:48 7180576 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-18 09:38 . 2008-08-28 12:16 71184 ----a-w- c:\windows\system32\drivers\DefragFS.sys
2009-09-18 09:38 . 2009-09-18 09:38 -------- d-----w- c:\programdata\Raxco
2009-09-18 09:37 . 2009-09-18 09:37 -------- d-----w- c:\program files\Raxco
2009-09-15 09:15 . 2009-09-21 15:33 -------- d-----w- c:\program files\a-squared Free
2009-09-14 17:23 . 2009-09-14 17:23 -------- d-----w- c:\users\Paul\AppData\Local\Apple
2009-09-14 17:05 . 2009-09-27 13:05 -------- d-----w- c:\programdata\Lavasoft
2009-09-14 12:25 . 1999-09-10 11:06 25244 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-09-14 12:25 . 1999-09-10 11:06 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-09-14 12:25 . 1999-09-10 11:06 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-09-14 12:25 . 1999-09-10 11:06 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-09-14 12:17 . 2009-09-14 12:17 -------- d-----w- c:\users\Paul\AppData\Roaming\dvdcss
2009-09-14 11:45 . 2009-09-14 11:45 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-14 11:45 . 2009-09-15 07:58 -------- d-----w- c:\users\Paul\AppData\Roaming\Vso

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 21:37 . 2009-09-18 09:45 94808 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-22 20:10 . 2009-05-06 16:56 -------- d-----w- c:\users\Paul\AppData\Roaming\LimeWire
2009-09-18 09:42 . 2009-05-18 10:23 -------- d-----w- c:\users\Paul\AppData\Roaming\Virgin Broadband
2009-09-18 09:37 . 2009-05-18 10:23 -------- d-----w- c:\program files\Virgin Broadband
2009-09-18 09:37 . 2009-05-18 10:23 -------- d-----w- c:\programdata\Virgin Broadband
2009-09-18 09:37 . 2007-08-16 01:36 -------- d-----w- c:\program files\InstallShield Installation Information
2009-09-15 07:58 . 2009-09-14 11:45 47360 ----a-w- c:\users\Paul\AppData\Roaming\pcouffin.sys
2009-09-09 21:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-09 21:23 . 2009-08-26 18:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 10:31 . 2007-08-16 01:39 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-09 08:33 . 2009-07-09 19:19 -------- d-----w- c:\program files\LimeWire
2009-08-30 11:22 . 2009-08-30 11:22 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-08-30 11:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-08-30 11:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-08-30 11:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-08-30 11:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-08-30 11:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-08-30 11:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-08-29 00:27 . 2009-09-02 20:55 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 20:55 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 08:56 . 2007-08-16 01:54 -------- d-----w- c:\program files\Microsoft Works
2009-08-25 21:22 . 2009-02-23 21:28 -------- d-----w- c:\users\Paul\AppData\Roaming\Intelliremote
2009-08-21 23:48 . 2009-02-23 18:07 -------- d-----w- c:\program files\AlbumPlayer
2009-08-15 20:18 . 2009-04-04 14:53 -------- d-----w- c:\users\Paul\AppData\Roaming\Stellarium
2009-08-14 16:27 . 2009-09-09 20:16 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 20:16 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 20:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 20:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 20:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 20:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 20:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 20:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 20:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 20:16 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 20:16 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-08 16:41 . 2009-04-14 15:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-31 14:30 . 2009-03-08 19:34 82 ----a-w- c:\users\Paul\AppData\Roaming\wklnhst.dat
2009-07-21 21:52 . 2009-07-30 20:04 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 20:04 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 20:04 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 20:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 19:36 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 19:35 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 19:35 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 19:35 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 19:35 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-11 19:01 . 2009-09-09 20:16 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-09 20:16 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-09 20:16 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-09 20:16 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-09 20:16 127488 ----a-w- c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-07-31 326176]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-04-06 439768]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-06-20 4493312]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-18 76304]

c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AlbumPlayer Remote Control.lnk - c:\program files\AlbumPlayer\RemoteControl\AP_RemoteControl.exe [2009-3-8 159744]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-9 113664]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-16 535336]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-11 809488]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):84,99,c5,ff,63,29,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{22D7EB11-4C39-44AF-A86E-30F41E946200}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DA1F1E3C-9376-4BC7-83BD-535D290804E6}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E7EDF8E1-CF49-492E-A6E7-F14C9EF94237}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{3745919A-90ED-41DD-B0F0-0C956DAE6476}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{2AFE4A5C-53AA-4558-AD10-34B23C3425EA}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{30E380D3-4BF5-43CC-A215-976EC0D6A002}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{CB7800BF-46DC-4008-9B53-33BB417190AA}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{6CC150E9-40BC-437A-9E3B-D7C5F780B289}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{F3D310FA-64C8-481A-8142-55759BAAAFA4}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{BE93EE22-FFF2-4F94-974B-32B36C37E386}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{BD98BF62-59A5-4F60-B7BA-80A40FD2AC38}"= UDP:c:\program files\SnapStream Media\Beyond TV\BTVRegistrationService.exe:TV Registration Service
"{5072A940-BC30-4F26-BDB0-B552A210EF77}"= TCP:c:\program files\SnapStream Media\Beyond TV\BTVRegistrationService.exe:TV Registration Service
"{118086B0-FC01-47A0-B332-6E31BDF0DCBF}"= UDP:c:\program files\SnapStream Media\Beyond TV\BTVNetworkService.exe:TV Network Service
"{51BFB2FE-E0C0-49CD-93D2-EB05A5BCFB04}"= TCP:c:\program files\SnapStream Media\Beyond TV\BTVNetworkService.exe:TV Network Service
"{D97D618E-B9F4-4350-9F5C-D27F54FB3D62}"= UDP:c:\program files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe:TV Recording Engine
"{12AC8539-FED2-4ACC-82E4-42EC042B4517}"= TCP:c:\program files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe:TV Recording Engine
"{B6B331FA-50D8-49C0-B8FF-8379422337E8}"= UDP:c:\program files\SnapStream Media\Beyond TV\BTVGuideDataLoader.exe:TV Guide Data Loader
"{17C5C5C6-B64E-4243-B96A-98D4A7A0EC02}"= TCP:c:\program files\SnapStream Media\Beyond TV\BTVGuideDataLoader.exe:TV Guide Data Loader
"{496B4A89-2156-4100-945C-15E1E38E3FF4}"= UDP:c:\program files\SnapStream Media\Beyond TV\BTVSettingsService.exe:TV Settings Service
"{05FEBDE2-5F8B-4D06-941D-BDEAC9B71C8A}"= TCP:c:\program files\SnapStream Media\Beyond TV\BTVSettingsService.exe:TV Settings Service
"{74B9042F-4BFF-443A-BE2D-8A148AFE5612}"= UDP:c:\program files\SnapStream Media\Beyond TV\BTVTaskManagerService.exe:TV Task Manager Service
"{4C3BC114-0468-4920-8667-B2072973063F}"= TCP:c:\program files\SnapStream Media\Beyond TV\BTVTaskManagerService.exe:TV Task Manager Service
"{FAE977B8-FC23-47B3-9E96-9AB0F5500E96}"= UDP:c:\program files\SnapStream Media\Beyond TV\BTVD3DShell.exe:TV ViewScape
"{D6A5A8F8-BA69-4E6B-96A2-C015F029EA3D}"= TCP:c:\program files\SnapStream Media\Beyond TV\BTVD3DShell.exe:TV ViewScape
"{43A6F80A-D761-4F81-BE41-34A4411AC199}"= UDP:c:\program files\SnapStream Media\Beyond TV\SetupWizard.exe:TV Setup Wizard
"{520296BC-77A4-4927-AA09-05B9D50B12BB}"= TCP:c:\program files\SnapStream Media\Beyond TV\SetupWizard.exe:TV Setup Wizard
"{B3015A09-D315-4379-9C24-A331543CC47F}"= UDP:c:\program files\SnapStream Media\Beyond TV\BTVPlaybackEngine.exe:TV Playback Engine
"{A11DF715-B47F-4B6F-AE41-93AA4EDAE373}"= TCP:c:\program files\SnapStream Media\Beyond TV\BTVPlaybackEngine.exe:TV Playback Engine
"{7333978F-4316-4593-89F5-9F5681DD6F36}"= UDP:c:\program files\Melloware\Intelliremote\Intelliremote.exe:ENABLE
"{4ED3F624-7D9A-49B2-BA57-713C831B0611}"= TCP:c:\program files\Melloware\Intelliremote\Intelliremote.exe:ENABLE
"{7D67544C-C312-4224-BAC3-D645653549ED}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A35EBD7D-7C52-470B-ABA6-F9378AF38C83}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [27/09/2009 14:07 64160]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [12/02/2007 19:46 208896]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [19/02/2007 05:34 5376]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 16:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 18:28 4937752]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [29/12/2007 00:02 5504]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\System32\drivers\OmniTV.sys [16/08/2007 01:53 221184]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectDriver.sys [14/11/2008 18:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectFilter.sys [14/11/2008 18:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectShim.sys [14/11/2008 18:28 29248]
S2 CTpvr Recorder;CTpvr Recorder;c:\program files\CTpvr\CTpvrRecorder.exe --> c:\program files\CTpvr\CTpvrRecorder.exe [?]
S3 AVerAF15;AVerMedia BDA Digital Tuner;c:\windows\System32\drivers\AVerAF15.sys [18/02/2009 18:39 264320]
S3 AVerM115S;AVerM115S service;c:\windows\System32\drivers\AVerM115S.sys [16/08/2007 01:53 856832]
S3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [06/04/2007 23:08 39896]
S3 IntelDHSvcConf;IntelDHSvcConf;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [06/04/2007 23:08 36312]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S3 NMSCore;Intel® NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [06/04/2007 23:07 313816]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 16:58 910600]
S3 QualityManager;Intel® Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\QualityManager.exe [06/04/2007 23:10 272856]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 13:10 175184]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {84A31672-371A-4CBF-8785-DCE55CDC7370} - hxxp://192.168.1.100/ocxfile/DownLoad.ocx
FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\0wmeujt7.default\
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Center Agent - c:\program files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
HKLM-Run-Apanel - c:\acersw\config\NewSetApanel.cmd
HKLM-Run-Setresolution - c:\acersw\config\1440x900.cmd
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-KWorld DVB-T USB BDA Driver_is1 - c:\temp\Driver\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 19:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-03 19:02
ComboFix-quarantined-files.txt 2009-10-03 18:02

Pre-Run: 37,456,330,752 bytes free
Post-Run: 37,815,820,288 bytes free

260 --- E O F --- 2009-10-03 10:32
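
An added example, not from the thread and not ComboFix's own code: a small Python triage helper that reads the "Other Deletions" and "Reg Loading Points" sections of a ComboFix log like the one above and flags what a malware-response helper looks at first (script files dropped straight into system32, loose executables and manifests in the roaming profile root, Run entries marked [X] because their target file is gone, UAC and firewall profiles switched off, Security Center monitoring disabled). The embedded sample is a constructed excerpt of the entries posted above; the random-name heuristic and the path patterns are assumptions, not ComboFix's rules.

```python
import re

# Constructed sample: a condensed excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Paul\AppData\Roaming\02000000c1f4700a669C.manifest
c:\users\Paul\AppData\Roaming\inst.exe
c:\windows\system32\18OyNBQj5TPwzFw.vbs
c:\windows\system32\rnhdf.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # '(((( Section Name ))))' banners
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)
ROAMING_ROOT = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+$", re.I)


def split_sections(text):
    """Group non-empty log lines under the banner that precedes them."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def looks_random(stem):
    """Heuristic (an assumption) for generated names such as 18OyNBQj5TPwzFw or rnhdf."""
    has_upper = any(c.isupper() for c in stem)
    has_lower = any(c.islower() for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    no_vowel = not any(c in "aeiou" for c in stem.lower())
    return (has_upper and has_lower and has_digit) or (no_vowel and len(stem) >= 5)


def flag_deleted_paths(lines):
    """Flag removed files whose location or type is unusual for legitimate software."""
    findings = []
    for path in lines:
        stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
        ext = ext.lower()
        reason = None
        if SYSTEM32.match(path) and ext in ("vbs", "js", "bat", "cmd"):
            reason = "script dropped directly into system32"
        elif ROAMING_ROOT.match(path) and ext in ("manifest", "exe"):
            reason = f"{ext} file loose in the roaming profile root"
        if reason:
            if looks_random(stem):
                reason += " (random-looking name)"
            findings.append((path, reason))
    return findings


def _is_zero(line):
    """True for REGEDIT4-style value lines such as '"EnableLUA"= 0 (0x0)'."""
    return line.split("=", 1)[1].strip().startswith("0 ")


def flag_registry(lines):
    """Flag dangling autoruns and weakened-security settings in the registry dump."""
    findings, key = [], ""
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        low_key = key.lower()
        if low_key.endswith("\\currentversion\\run") and line.endswith("[X]"):
            findings.append((key, line, "autorun entry whose target file is missing"))
        elif line.startswith('"EnableLUA"=') and _is_zero(line):
            findings.append((key, line, "UAC disabled"))
        elif line.startswith('"EnableFirewall"=') and _is_zero(line):
            findings.append((key, line, "Windows Firewall profile disabled"))
        elif "security center" in low_key and line == '"DisableMonitoring"=dword:00000001':
            findings.append((key, line, "Security Center monitoring disabled"))
    return findings


def triage(log_text):
    """Findings a helper would want to see first, keyed by log section."""
    sections = split_sections(log_text)
    return {"deleted": flag_deleted_paths(sections.get("Other Deletions", [])),
            "registry": flag_registry(sections.get("Reg Loading Points", []))}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        for finding in items:
            print(section, *finding, sep=" | ")
```

Run against the full log it reads only the two sections named here; the service list and firewall rules in the same log are left for the reader, since whether those programs belong on the machine is a judgement call, not a pattern.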

#13 schrauber


    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 03 October 2009 - 02:47 PM

Hi,

Any initial signs of infections, or too soon to say?


There were some malware-related files that got handled by Combofix. Now let's check for some leftovers. Do you still have any problems with your system?



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#14 martindale66

martindale66
  • Topic Starter

  • Members
  • 46 posts
  • Gender:Male
  • Location:Sheffield UK

Posted 03 October 2009 - 06:24 PM

Hi,

I think the Kaspersky Online Scanner has been updated since you last used it. I followed your instructions as best I could; below is the scan result.

I have noticed that after running ComboFix my computer is responding better.

KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 3, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 03, 2009 20:42:46
Records in database: 2903118


Scan settings
  Scan using the following database: extended
  Scan archives: yes
  Scan e-mail databases: yes

Scan area: My Computer
  C:\
  D:\
  E:\
  F:\

Scan statistics
  Objects scanned: 123141
  Threats found: 0
  Infected objects found: 0
  Suspicious objects found: 0
  Scan duration: 01:40:45

No threats found. Scanned area is clean.
Selected area has been scanned.

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 04 October 2009 - 09:50 AM

Hi,


Really good :(

Step 1

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

Step 2

Please go to Start > All Programs and click on Windows Update. Windows will now search for updates for your system.
Please download and install every update, and repeat these steps a few times until no more updates are offered.

Please post back with:
  • Fresh OTL-Logfile

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
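Added example (editor's note): the following PowerShell script is not part of this thread and is not code from any tool the helper names. It automates the two checks in Step 1 and Step 2 of the post above on a Windows host: it lists the Add/Remove Programs entries for Java Runtime Environment / J2SE, flags those older than a reference build, shows (or, when asked, runs) the MSI uninstall for each outdated one, and then asks the Windows Update Agent how many updates are still pending. Two things are assumptions rather than facts from the page: that the JRE 6 Update 16 installer records its DisplayVersion as "6.0.160", and that the Java entries under the Uninstall key are MSI product codes removable with `msiexec /x <guid>`. Run it from an elevated PowerShell prompt; by default it only reports.

```powershell
# Added example, not from the original thread. Inventory Java installs from the
# Add/Remove Programs registry data, flag outdated ones, and count pending
# Windows updates. Assumption: "6 Update 16" is recorded as DisplayVersion 6.0.160.

$ReferenceJreVersion = [version]'6.0.160'   # assumed encoding of JRE 6 Update 16

# Both registry views: native, and the 32-bit view on 64-bit Windows.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Convert-ToVersion([string]$Text) {
    # Keep only digits and dots so that strings like "6.0.160" parse as [version].
    $clean = $Text -replace '[^0-9.]', ''
    try { return [version]$clean } catch { return $null }
}

function Get-InstalledJava {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if (-not $p.DisplayName) { continue }
            if ($p.DisplayName -notmatch '^(Java|J2SE)') { continue }
            New-Object PSObject -Property @{
                Name            = $p.DisplayName
                Version         = Convert-ToVersion $p.DisplayVersion
                ProductCode     = $key.PSChildName        # MSI GUID for Sun JRE entries
                UninstallString = $p.UninstallString
            }
        }
    }
}

function Test-JavaOutdated($Entry) {
    # An unparseable version is treated as outdated so it gets looked at by hand.
    return ($Entry.Version -eq $null) -or ($Entry.Version -lt $ReferenceJreVersion)
}

function Remove-OutdatedJava([switch]$ReportOnly) {
    foreach ($j in @(Get-InstalledJava)) {
        if (-not (Test-JavaOutdated $j)) {
            Write-Output "keep    $($j.Name) ($($j.Version))"
            continue
        }
        if ($j.ProductCode -match '^\{[0-9A-F-]{36}\}$') {
            # Quiet MSI uninstall by product code; no reboot until all are gone.
            $msiArgs = "/x $($j.ProductCode) /qn /norestart"
            Write-Output "remove  $($j.Name): msiexec.exe $msiArgs"
            if (-not $ReportOnly) { Start-Process msiexec.exe -ArgumentList $msiArgs -Wait }
        } else {
            # Not an MSI product code: fall back to the vendor's own uninstall command.
            Write-Output "manual  $($j.Name): $($j.UninstallString)"
        }
    }
}

function Get-PendingWindowsUpdateCount {
    # Windows Update Agent COM API; needs access to the update source to search.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    return $result.Updates.Count
}

Remove-OutdatedJava -ReportOnly     # dry run: report only, remove nothing
$pending = Get-PendingWindowsUpdateCount
Write-Output "Pending Windows updates: $pending (re-run Windows Update until this reaches 0)"
```

Drop `-ReportOnly` once the report looks right to actually run the uninstalls, then reboot and install the new JRE as the post describes. Re-running `Get-PendingWindowsUpdateCount` after each Windows Update pass gives a concrete stop condition for the "repeat until no more updates" step.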



