Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Infection - MBAM closes / AVG and SB Updates Blocked / Random Redirects


  • This topic is locked This topic is locked
14 replies to this topic

#1 VSan

VSan

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 25 November 2009 - 03:38 AM

Hi folks

Well, after 15 infection free years I've now got one that I can't shift! Google has brought me to this forum and from what I've read you are the people to help! Anything you can offer will be gratefully received - I've exhausted my small box of tricks and without some help it would be the reinstall for me.

The symptoms all arrived at once and are as follows:

- Firefox crashes out of any google search. Uninstalled, tried to reinstall, installer fails (Run then disappears, no action)
- IE redirects links from google search results into seemingly random sites (potting sheds when searching for MBAM is an example). Also strange IE skin change
- AVG update "connection to server failed". Ran AVG "rmagent" (their suggested fix) didn't find anything and still fails to connect to server
- Spybot update also fails. SB (manually updated - Tea Timer off) finds no infection. AdAware finds no infection (and works normally)
- MBAM closes without trace after scanning for only a second or two
- Sound settings vanished
- win32kdiag returned an empty report

Attach.txt and ark.txt attached.

DDS report below - thanks in advance for any support you can give me :(

-------------------------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-11-24.02) - NTFSx86
Run by Andy at 8:14:02.95 on 25/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3327.2528 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://portal.klz.org.uk/schoolsites/88624.../Staffroom.aspx
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: klz.org.uk\portal
Trusted Zone: ncsl.org.uk\registration
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-23 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-16 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-16 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-6-3 92008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-24 38224]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-3-26 476416]

=============== Created Last 30 ================

2009-11-24 08:25:25 0 d-----w- c:\docume~1\andy\applic~1\Malwarebytes
2009-11-24 08:25:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 08:25:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 08:25:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 08:25:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-23 23:28:59 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 23:28:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-23 23:28:16 16409960 ----a-w- C:\spybotsd162.exe
2009-11-23 23:27:16 292352 ----a-w- C:\xxtr2jxv.exe
2009-11-23 21:01:45 0 d-----w- C:\AVGTemp
2009-11-18 19:13:10 3284 ----a-w- c:\windows\system32\ANIWZCS{204D6F7A-92E6-4B7B-9A77-9917062B3983}
2009-11-16 13:27:08 0 d--h--w- c:\windows\PIF
2009-11-16 10:41:26 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-16 10:37:15 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-16 10:20:16 0 d--h--w- C:\$AVG
2009-11-16 10:20:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-16 10:19:51 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-16 09:50:26 0 d-----w- c:\program files\iPod
2009-11-16 09:50:24 0 d-----w- c:\program files\iTunes
2009-11-16 09:50:24 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-11-16 10:41:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-16 10:20:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-16 10:20:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 8:14:23.62 ===============

Attached Files


Edited by VSan, 25 November 2009 - 03:57 AM.


BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:31 PM

Posted 25 November 2009 - 09:12 AM

Hello VSan

Welcome to BleepingComputer :(
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 VSan

VSan
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 25 November 2009 - 01:48 PM

Thanks for your quick reply :(

OTL.txt

OTL logfile created on: 25/11/2009 14:31:31 - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = C:\Documents and Settings\Andy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60.00 Gb Total Space | 45.76 Gb Free Space | 76.27% Space Free | Partition Type: NTFS
Drive D: | 120.00 Gb Total Space | 82.01 Gb Free Space | 68.34% Space Free | Partition Type: NTFS
Drive E: | 68.36 Gb Total Space | 11.08 Gb Free Space | 16.21% Space Free | Partition Type: NTFS
Drive F: | 49.72 Gb Total Space | 48.46 Gb Free Space | 97.47% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-D2BD200638
Current User Name: Andy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Andy\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Andy\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (TomTomHOMEService) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (FontCache3.0.0.0) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
SRV - (NMIndexingService) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (Nero AG)
SRV - (ANIWZCSdService) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (UMWdf) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (srescan) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys (Check Point Software Technologies LTD)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (RTHDMIAzAudService) -- C:\WINDOWS\system32\drivers\RtHDMI.sys (Realtek Semiconductor Corp.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows Server 2003 DDK provider)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (rt2870) -- C:\WINDOWS\system32\drivers\rt2870.sys (Ralink Technology, Corp.)
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://kent.gov.uk/owa/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://portal.klz.org.uk/schoolsites/88624.../Staffroom.aspx
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.701
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/24 21:29:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/11/16 10:19:52 | 00,000,000 | ---D | M]

[2009/06/14 10:49:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Mozilla\Extensions
[2009/03/28 09:10:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/14 10:49:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Mozilla\Extensions\home2@tomtom.com
[2009/11/20 07:24:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\n6igw7ym.default\extensions
[2009/06/30 17:55:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\n6igw7ym.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/18 19:33:11 | 00,001,626 | ---- | M] () -- C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\n6igw7ym.default\searchplugins\mozilla-add-ons.xml
[2009/11/22 19:45:37 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/02 12:21:33 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/09/10 19:27:01 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/10/11 04:17:27 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2009/11/16 09:49:24 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/11/16 09:49:24 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/11/16 09:49:24 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/11/16 09:49:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/11/16 09:49:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/11/16 09:49:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/11/16 09:49:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: klz.org.uk ([portal] https in Trusted sites)
O15 - HKCU\..Trusted Domains: ncsl.org.uk ([registration] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 27 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/26 20:29:53 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{543960f4-4a1b-11de-9de0-001b111c09a2}\Shell\AutoRun\command - "" = L:\wdsync.exe -- File not found
O33 - MountPoints2\{f999735f-58d0-11de-9ded-001b111c09a2}\Shell\AutoRun\command - "" = H:\InstallTomTomHOME.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/25 14:30:22 | 00,531,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Andy\Desktop\OTL.exe
[2009/11/25 08:18:03 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Andy\Desktop\RootRepeal.exe
[2009/11/24 08:25:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andy\Application Data\Malwarebytes
[2009/11/24 08:25:21 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/24 08:25:20 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/24 08:25:20 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/24 08:25:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/24 08:17:07 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Andy\Desktop\mbam-setup.exe
[2009/11/24 08:17:06 | 03,696,032 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Andy\Desktop\mbam-rules.exe
[2009/11/23 23:28:59 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/11/23 23:28:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/11/23 23:28:16 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\spybotsd162.exe
[2009/11/23 21:01:45 | 00,000,000 | ---D | C] -- C:\AVGTemp
[2009/11/22 19:45:01 | 00,000,000 | ---D | C] -- D:\Documents\Andy\Mozilla
[2009/11/18 19:47:39 | 00,000,000 | ---D | C] -- D:\Documents\Andy\Version Cue
[2009/11/18 19:47:38 | 00,000,000 | ---D | C] -- D:\Documents\Andy\AdobeStockPhotos
[2009/11/16 13:27:08 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/11/16 10:41:26 | 00,093,360 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2009/11/16 10:37:15 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2009/11/16 10:20:16 | 00,000,000 | -H-D | C] -- C:\$AVG
[2009/11/16 10:20:03 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/16 10:19:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/11/16 09:50:26 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/11/16 09:50:24 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/11/16 09:50:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/11/16 09:49:10 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/11/14 17:49:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andy\Local Settings\Application Data\IsolatedStorage
[2009/11/05 07:55:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Andy\Desktop\ASK Resources
[2009/11/02 21:09:47 | 00,000,000 | ---D | C] -- D:\Documents\Andy\Updater5
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/25 14:29:48 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Andy\Desktop\OTL.exe
[2009/11/25 14:26:08 | 00,542,182 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/25 14:26:08 | 00,456,612 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/25 14:26:08 | 00,075,326 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/25 14:23:13 | 00,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2009/11/25 14:23:11 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/11/25 14:23:10 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/25 14:22:05 | 00,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/11/25 14:22:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/25 14:22:00 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/25 09:00:59 | 04,718,592 | -H-- | M] () -- C:\Documents and Settings\Andy\NTUSER.DAT
[2009/11/25 09:00:59 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Andy\ntuser.ini
[2009/11/25 08:41:20 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/11/25 08:18:38 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\settings.dat
[2009/11/25 08:17:30 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Andy\Desktop\RootRepeal.exe
[2009/11/25 08:11:46 | 00,524,800 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\dds.scr
[2009/11/24 09:01:36 | 04,836,782 | -H-- | M] () -- C:\Documents and Settings\Andy\Local Settings\Application Data\IconCache.db
[2009/11/24 08:25:24 | 00,000,708 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/24 08:15:48 | 03,696,032 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Andy\Desktop\mbam-rules.exe
[2009/11/24 08:12:24 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Andy\Desktop\mbam-setup.exe
[2009/11/24 08:05:52 | 05,996,976 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\spybotsd_includes.exe
[2009/11/23 23:29:03 | 00,000,945 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\Spybot - Search & Destroy.lnk
[2009/11/23 23:25:24 | 00,003,284 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCS{204D6F7A-92E6-4B7B-9A77-9917062B3983}
[2009/11/23 23:20:50 | 00,000,005 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{204D6F7A-92E6-4B7B-9A77-9917062B3983}
[2009/11/23 21:31:32 | 00,292,352 | ---- | M] () -- C:\xxtr2jxv.exe
[2009/11/23 21:02:26 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\spybotsd162.exe
[2009/11/23 20:56:09 | 02,532,568 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\rmagent_en.exe
[2009/11/23 07:27:17 | 00,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/11/23 07:24:07 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/11/23 07:24:07 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/11/23 07:24:07 | 00,098,532 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/23 07:21:39 | 06,640,850 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\u7avi1782g3.bin
[2009/11/23 07:17:16 | 00,000,552 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/23 07:17:16 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/23 07:17:16 | 00,000,223 | RHS- | M] () -- C:\boot.ini
[2009/11/18 19:47:47 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/18 11:49:30 | 00,011,539 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\Frogs.gif
[2009/11/18 09:17:12 | 45,353,170 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/17 09:28:12 | 00,034,006 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\Broadwater 8th Oct 2009.pdf
[2009/11/16 10:41:23 | 00,093,360 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2009/11/16 10:41:19 | 00,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/11/16 10:37:14 | 00,000,879 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/11/16 10:20:03 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/16 10:20:03 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/11/16 10:20:03 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/11/16 10:20:03 | 00,001,519 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/11/16 10:20:02 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/11/16 10:20:02 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/11/14 17:49:15 | 00,002,505 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Research AutoCollage 2008.lnk
[2009/11/14 17:47:01 | 07,351,808 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\MicrosoftAutoCollageSetup.msi
[2009/11/14 17:33:12 | 01,552,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/06 16:52:19 | 00,068,453 | ---- | M] () -- C:\Documents and Settings\Andy\Desktop\NL November 09.pdf
[2009/11/06 16:51:44 | 00,046,080 | ---- | M] () -- D:\Documents\Andy\NL November 09.doc
[2009/11/05 17:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/05 07:03:52 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/03 08:44:29 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Andy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/02 20:44:07 | 00,044,625 | ---- | M] () -- D:\Documents\Andy\Qatar Airways Confirmation FULL.pdf
[2009/11/02 20:33:42 | 00,033,159 | ---- | M] () -- D:\Documents\Andy\Qatar Airways Confirmation.pdf
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/25 08:18:38 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\settings.dat
[2009/11/25 08:13:35 | 00,524,800 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\dds.scr
[2009/11/24 08:25:24 | 00,000,708 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/24 08:08:02 | 05,996,976 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\spybotsd_includes.exe
[2009/11/23 23:29:03 | 00,000,945 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\Spybot - Search & Destroy.lnk
[2009/11/23 23:27:16 | 00,292,352 | ---- | C] () -- C:\xxtr2jxv.exe
[2009/11/23 20:56:06 | 02,532,568 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\rmagent_en.exe
[2009/11/23 07:21:39 | 06,640,850 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\u7avi1782g3.bin
[2009/11/18 19:13:10 | 00,003,284 | ---- | C] () -- C:\WINDOWS\System32\ANIWZCS{204D6F7A-92E6-4B7B-9A77-9917062B3983}
[2009/11/18 11:49:30 | 00,011,539 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\Frogs.gif
[2009/11/17 09:28:12 | 00,034,006 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\Broadwater 8th Oct 2009.pdf
[2009/11/16 10:37:14 | 00,000,879 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/11/16 10:20:03 | 00,001,519 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/11/16 09:50:59 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/11/14 17:48:59 | 00,002,505 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Research AutoCollage 2008.lnk
[2009/11/14 17:46:13 | 07,351,808 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\MicrosoftAutoCollageSetup.msi
[2009/11/06 16:52:19 | 00,068,453 | ---- | C] () -- C:\Documents and Settings\Andy\Desktop\NL November 09.pdf
[2009/11/06 16:51:44 | 00,046,080 | ---- | C] () -- D:\Documents\Andy\NL November 09.doc
[2009/11/02 20:44:07 | 00,044,625 | ---- | C] () -- D:\Documents\Andy\Qatar Airways Confirmation FULL.pdf
[2009/11/02 20:33:42 | 00,033,159 | ---- | C] () -- D:\Documents\Andy\Qatar Airways Confirmation.pdf
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/24 19:15:08 | 00,000,076 | ---- | C] () -- C:\WINDOWS\Setup Wizard.INI
[2009/07/15 19:06:24 | 00,819,200 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/07/15 19:06:24 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/06/24 18:01:52 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/05/05 18:08:22 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/05 18:08:21 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Andy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/28 16:42:27 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS61.DLL
[2009/03/26 21:10:24 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009/03/26 21:01:29 | 00,069,312 | ---- | C] () -- C:\Documents and Settings\Andy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/26 20:44:15 | 04,836,782 | -H-- | C] () -- C:\Documents and Settings\Andy\Local Settings\Application Data\IconCache.db
[2009/03/26 20:40:16 | 00,038,318 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2009/03/26 20:39:51 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/03/26 20:39:44 | 00,037,782 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/03/26 20:39:44 | 00,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/03/26 20:38:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Andy\Application Data\desktop.ini
[2009/03/26 20:29:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2009/03/26 20:26:34 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2009/03/26 20:26:34 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2009/03/26 20:25:51 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2009/03/26 20:25:50 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2009/03/26 20:20:11 | 00,542,182 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/26 20:20:10 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/26 20:19:35 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/04/14 12:00:00 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2008/04/14 12:00:00 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2008/04/14 12:00:00 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2008/04/14 12:00:00 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2008/04/14 12:00:00 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2008/04/14 12:00:00 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2008/04/14 12:00:00 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2008/04/14 12:00:00 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2008/04/14 12:00:00 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2008/04/14 12:00:00 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatUI.dll
[2008/04/14 12:00:00 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2008/04/14 12:00:00 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2008/04/14 12:00:00 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2008/04/14 12:00:00 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2008/04/14 12:00:00 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2008/04/14 12:00:00 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2008/04/14 12:00:00 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2008/04/14 12:00:00 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2008/04/14 12:00:00 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2008/04/14 12:00:00 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2008/04/14 12:00:00 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2008/04/14 12:00:00 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2008/04/14 12:00:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2008/04/14 12:00:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2008/04/14 12:00:00 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2008/04/14 12:00:00 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2008/04/14 12:00:00 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2008/04/14 12:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2008/04/14 12:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2008/04/14 12:00:00 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2008/04/14 12:00:00 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2008/04/14 12:00:00 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2008/04/14 12:00:00 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2008/04/14 12:00:00 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2008/04/14 12:00:00 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2008/04/14 12:00:00 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2008/04/14 12:00:00 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2008/04/14 12:00:00 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2008/04/14 12:00:00 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2008/04/14 12:00:00 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2008/04/14 12:00:00 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2008/04/14 12:00:00 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2008/04/14 12:00:00 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2008/04/14 12:00:00 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2008/04/14 12:00:00 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2008/04/14 12:00:00 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2008/04/14 12:00:00 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2008/04/14 12:00:00 | 00,000,552 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/04/14 12:00:00 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2008/04/14 12:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2007/09/27 09:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/06 10:07:30 | 00,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2006/06/29 14:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 14:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 15:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2001/08/17 22:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll

========== LOP Check ==========

[2009/06/24 18:10:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/05/05 19:51:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2009/03/28 17:32:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/03/28 17:33:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/03/26 21:01:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI
[2009/11/16 10:19:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/07/24 11:21:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2009/06/24 18:10:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/05/23 10:36:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/11/24 08:25:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/10 19:22:12 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/11/12 07:43:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2009/03/28 11:09:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nero
[2009/03/28 16:26:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/11/23 23:29:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/11/23 20:59:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/06/14 10:50:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2009/03/26 21:43:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/10/24 12:24:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/03/28 17:33:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/11/16 09:50:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/06 18:17:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/11/16 10:37:15 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2009/11/18 19:47:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Adobe
[2009/05/05 19:56:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Ahead
[2009/11/16 11:17:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Apple Computer
[2009/03/26 21:01:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\ATI
[2009/03/29 20:20:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Help
[2009/03/26 20:38:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Identities
[2009/03/26 21:01:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\InstallShield
[2009/03/28 11:30:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Macromedia
[2009/11/24 08:25:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Malwarebytes
[2009/09/30 06:45:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Andy\Application Data\Microsoft
[2009/03/28 09:10:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Mozilla
[2009/03/28 11:23:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Nero
[2009/09/21 17:11:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Office Genuine Advantage
[2009/03/28 11:26:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\OfficeUpdate12
[2009/09/02 12:19:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Sun
[2009/06/14 10:49:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\TomTom
[2009/09/10 19:23:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Windows Desktop Search
[2009/10/12 17:34:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Andy\Application Data\Windows Search
[2009/11/23 07:27:17 | 00,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2009/10/21 14:56:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2008/04/14 12:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/25 14:23:11 | 00,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
[2009/11/25 14:22:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

Extras.txt

OTL Extras logfile created on: 25/11/2009 14:31:31 - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = C:\Documents and Settings\Andy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60.00 Gb Total Space | 45.76 Gb Free Space | 76.27% Space Free | Partition Type: NTFS
Drive D: | 120.00 Gb Total Space | 82.01 Gb Free Space | 68.34% Space Free | Partition Type: NTFS
Drive E: | 68.36 Gb Total Space | 11.08 Gb Free Space | 16.21% Space Free | Partition Type: NTFS
Drive F: | 49.72 Gb Total Space | 48.46 Gb Free Space | 97.47% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-D2BD200638
Current User Name: Andy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0191CD61-7709-764A-2184-121CC3012956}" = CCC Help Spanish
"{01EB4843-2BCF-0B29-CD54-C313728B3604}" = Catalyst Control Center Localization Hungarian
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0379261E-8FF2-7E59-B363-F84DC345050D}" = CCC Help Greek
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0B370354-305D-3D4E-89B4-6E321F263DD3}" = Catalyst Control Center Localization Russian
"{0D2BD39B-3AE5-CCAB-97A0-9C49312D56B3}" = CCC Help Japanese
"{1622AA2D-D220-5ADD-1462-0A486846F7C3}" = Catalyst Control Center Localization Japanese
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{185D0A67-E066-44AE-926D-F6305813301C}" = Adobe After Effects CS3 Presets
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21080038-0E1E-4535-AAD4-7873ECF7EF11}" = Catalyst Control Center Localization Dutch
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{259DA60F-3860-9089-948D-3DED6782D5C4}" = CCC Help Dutch
"{270C9210-AC0B-12F2-19C4-AB1AD1442438}" = Catalyst Control Center Localization Spanish
"{27F349E4-1538-FB13-C0DF-38F75C03169C}" = Catalyst Control Center Localization Swedish
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{413D20EE-74F4-6550-A127-DB47A3216D88}" = ccc-core-preinstall
"{423D8FBE-EC52-40FD-B2A0-8C9C8F973FD7}" = Microsoft Research AutoCollage 2008 version 1.1
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{51F76D4E-E924-4DF7-8B88-B6CA8A611033}" = Nero 8 Essentials
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{60C4D977-F978-52E4-0E2A-07B45729F439}" = Catalyst Control Center Localization Finnish
"{642BFE49-F510-B9F5-D84B-FB943B8C452B}" = CCC Help Chinese Traditional
"{66764497-4D70-C4EE-7A61-2BC278D8D9BE}" = CCC Help French
"{67D4FEEB-DDFB-5723-0752-051FC050943E}" = CCC Help Russian
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{699185E9-BF48-B0B9-A5D5-57ED913F3435}" = Catalyst Control Center Graphics Light
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6DE60DEE-86D6-5A3C-2756-386CCF4F4CE5}" = Catalyst Control Center Localization Thai
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7162AC2C-733F-4127-ACAD-C5F0F27D123D}" = Adobe Creative Suite 3 Master Collection
"{73B5D990-04EA-4751-B10F-5534770B91F2}" = Adobe Color EU Recommended Settings
"{75E54C4B-5EC3-3A05-56BF-C82938DC4B08}" = Catalyst Control Center Localization Italian
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{7F6FE537-ED85-F431-3717-0947F629C195}" = Catalyst Control Center Localization German
"{7F85EBE6-644F-C467-EF48-22731F23C912}" = CCC Help Swedish
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{81CB87D4-7034-2516-A52D-8E514B910EDD}" = CCC Help Thai
"{82D14355-64BD-F61B-A36A-98C698EF6601}" = CCC Help Norwegian
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{84EEA031-CEEC-3E5F-E4BA-022F0859E3B8}" = Catalyst Control Center Localization Greek
"{85BD098C-6218-DFA4-BEFC-5B742CC31187}" = Catalyst Control Center Localization Portuguese
"{88D8615F-6F9B-A6D6-79BD-87E5439E9D79}" = CCC Help Hungarian
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8E9572C6-2249-A85B-57D8-126015A3EA81}" = CCC Help Danish
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97F70764-13AF-20C9-C033-1C9674423F64}" = Catalyst Control Center Localization Chinese Standard
"{97F77B0E-DB04-4417-936C-73DDA5CDE5E1}" = Jing
"{9BA4F9C5-7CB4-492C-9B97-89E36AFA0AB9}" = Adobe Setup
"{9C28D544-80A8-C81F-4238-CDCA9B3E8639}" = Catalyst Control Center Localization Korean
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC6DE78E-566C-282F-D045-155B40857CBE}" = CCC Help Italian
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{AE0CF609-D7A6-1BC1-9B3A-B919F1C90643}" = ccc-utility
"{AF456709-8547-3464-7198-8D7589C38E00}" = Catalyst Control Center Localization Turkish
"{B1B5EB6D-B19D-0421-CC58-B7FE44F48188}" = CCC Help Portuguese
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B288E0FB-5550-C87E-EFA1-21C4AB4A7EE2}" = CCC Help Korean
"{B2A14E4D-49A1-5F4A-EBB7-D79B0E4B00C2}" = Catalyst Control Center Localization Chinese Traditional
"{B385CECE-3B39-2CFE-CA5D-7801AFCAF159}" = Catalyst Control Center Localization Danish
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BCE06388-8582-A0A2-7D55-6FB822A27240}" = Catalyst Control Center Localization Norwegian
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0F224AF-C2B6-EEE2-6F2C-EA01987E0813}" = CCC Help Turkish
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1869336-4816-F485-93CE-642AF31E4716}" = CCC Help German
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D28FE44C-8A90-5707-DD29-1039443B1D40}" = CCC Help Finnish
"{D3E4F78D-E2BC-A86E-AC7E-A077A704C29B}" = CCC Help Polish
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D76ABF31-E44E-E87B-8517-2C69269644DD}" = Catalyst Control Center Graphics Full New
"{D7D2F494-89E3-42ED-8A2B-75BDD9B464CB}" = D-Link Wireless N DWA-140
"{D8341D34-5ED4-D81A-D23A-AB10EB45D68E}" = Skins
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF0ECE73-F31F-59CD-0F10-3ABB960952E4}" = CCC Help Chinese Standard
"{DF4B50F3-370B-DE4B-55BF-002B97E45DDB}" = Catalyst Control Center Localization Czech
"{DFC2F81C-CC43-518D-925A-5813342B054D}" = ccc-core-static
"{E2847FBE-DBB1-4D36-4379-67971F01CB23}" = Catalyst Control Center Core Implementation
"{E2EB0267-90F5-41FD-FFD7-84955A88DB5D}" = Catalyst Control Center Graphics Full Existing
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E7870F81-A56E-E3DE-7D28-DB69C7B63DCF}" = Catalyst Control Center Localization Polish
"{E7DF2806-5A5F-803F-B341-88E5B7D46CA6}" = Catalyst Control Center Localization French
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2EE0EDB-2880-9367-C820-86BBE170DF0F}" = CCC Help English
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}" = Adobe Color NA Extra Settings
"{FF96846D-BF9C-D0AA-9BF3-1B52C4B1D0E8}" = CCC Help Czech
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_8bb24e071e5922899698c2105557bd2" = Add or Remove Adobe Creative Suite 3 Master Collection
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AVG9Uninstall" = AVG Free 9.0
"CANONBJ_Deinstall_CNMCP61.DLL" = Canon PIXMA iP3000
"DVD Shrink_is1" = DVD Shrink 3.2
"Gadwin PrintScreen" = Gadwin PrintScreen
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NeroVision!UninstallKey" = NeroVision Express 2
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROPLUS" = Microsoft Office Professional Plus 2007
"SpywareBlaster_is1" = SpywareBlaster 4.2
"TomTom HOME" = TomTom HOME 2.6.4.1641
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"Xvid_is1" = Xvid 1.2.2 final uninstall
"ZoneAlarm" = ZoneAlarm

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 15/09/2009 03:58:55 | Computer Name = HOME-D2BD200638 | Source = Application Error | ID = 1000
Description = Faulting application nmindexstoresvr.exe, version 3.1.5.0, faulting
module olmapi32.dll, version 12.0.6504.5000, fault address 0x0026ce06.

Error - 15/09/2009 14:28:08 | Computer Name = HOME-D2BD200638 | Source = Application Error | ID = 1000
Description = Faulting application nmindexstoresvr.exe, version 3.1.5.0, faulting
module olmapi32.dll, version 12.0.6504.5000, fault address 0x0026ce06.

Error - 16/09/2009 02:03:33 | Computer Name = HOME-D2BD200638 | Source = Application Error | ID = 1000
Description = Faulting application nmindexstoresvr.exe, version 3.1.5.0, faulting
module olmapi32.dll, version 12.0.6504.5000, fault address 0x0026ce06.

Error - 16/09/2009 02:33:06 | Computer Name = HOME-D2BD200638 | Source = Application Error | ID = 1000
Description = Faulting application nmindexstoresvr.exe, version 3.1.5.0, faulting
module olmapi32.dll, version 12.0.6504.5000, fault address 0x0026ce06.

Error - 16/09/2009 02:33:17 | Computer Name = HOME-D2BD200638 | Source = Application Error | ID = 1000
Description = Faulting application nmindexstoresvr.exe, version 3.1.5.0, faulting
module olmapi32.dll, version 12.0.6504.5000, fault address 0x0026ce06.

Error - 16/09/2009 02:33:31 | Computer Name = HOME-D2BD200638 | Source = Application Error | ID = 1000
Description = Faulting application nmindexstoresvr.exe, version 3.1.5.0, faulting
module olmapi32.dll, version 12.0.6504.5000, fault address 0x0026ce06.

Error - 16/09/2009 02:33:47 | Computer Name = HOME-D2BD200638 | Source = Application Error | ID = 1000
Description = Faulting application nmindexstoresvr.exe, version 3.1.5.0, faulting
module olmapi32.dll, version 12.0.6504.5000, fault address 0x0026ce06.

Error - 16/09/2009 02:34:04 | Computer Name = HOME-D2BD200638 | Source = Application Error | ID = 1000
Description = Faulting application nmindexstoresvr.exe, version 3.1.5.0, faulting
module olmapi32.dll, version 12.0.6504.5000, fault address 0x0026ce06.

Error - 16/09/2009 13:42:31 | Computer Name = HOME-D2BD200638 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ANDY\DESKTOP\PARENT_GOV_LETTER.PDF>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 16/09/2009 13:42:31 | Computer Name = HOME-D2BD200638 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ANDY\DESKTOP\PARENT_GOV_LETTER.PDF>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

[ System Events ]
Error - 24/11/2009 04:39:42 | Computer Name = HOME-D2BD200638 | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 24/11/2009 04:39:42 | Computer Name = HOME-D2BD200638 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 24/11/2009 04:39:42 | Computer Name = HOME-D2BD200638 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AmdPPM AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant

Error - 24/11/2009 04:40:25 | Computer Name = HOME-D2BD200638 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 24/11/2009 04:40:36 | Computer Name = HOME-D2BD200638 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 24/11/2009 04:41:57 | Computer Name = HOME-D2BD200638 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 24/11/2009 04:42:24 | Computer Name = HOME-D2BD200638 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 24/11/2009 04:42:55 | Computer Name = HOME-D2BD200638 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 24/11/2009 04:43:07 | Computer Name = HOME-D2BD200638 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 24/11/2009 04:45:36 | Computer Name = HOME-D2BD200638 | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.


< End of report >

GMER results.txt

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 18:42:01
Windows 5.1.2600 Service Pack 3
Running: tldwk7xs.exe; Driver: C:\DOCUME~1\Andy\LOCALS~1\Temp\pfliaaoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA4404FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA4401C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA441C170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA4405580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA4405670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA4402210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA441C9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA441C7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA441CF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA441CF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA4402070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA441D6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA441D150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA4404BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA441D540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA4402440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA441C4E0]

---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB526D000, 0x187662, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[220] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[220] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[220] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[220] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[220] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[300] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[300] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[300] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[300] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[300] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[300] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[300] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[328] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[328] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[328] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[328] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[328] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[328] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[328] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Bonjour\mDNSResponder.exe[436] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Bonjour\mDNSResponder.exe[436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Bonjour\mDNSResponder.exe[436] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Bonjour\mDNSResponder.exe[436] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Bonjour\mDNSResponder.exe[436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Bonjour\mDNSResponder.exe[436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Bonjour\mDNSResponder.exe[436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Bonjour\mDNSResponder.exe[436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[560] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[560] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[560] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[560] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[560] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[560] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[560] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[560] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\winlogon.exe[764] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\winlogon.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\winlogon.exe[764] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\winlogon.exe[764] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\winlogon.exe[764] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\winlogon.exe[764] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\winlogon.exe[764] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\winlogon.exe[764] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\services.exe[816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\services.exe[816] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\services.exe[816] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\services.exe[816] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\services.exe[816] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\services.exe[816] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\services.exe[816] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\lsass.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\lsass.exe[828] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\lsass.exe[828] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\lsass.exe[828] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\lsass.exe[828] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\lsass.exe[828] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\lsass.exe[828] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1032] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1032] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1032] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1032] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1032] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\wdfmgr.exe[1068] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\wdfmgr.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\wdfmgr.exe[1068] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\wdfmgr.exe[1068] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\wdfmgr.exe[1068] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\wdfmgr.exe[1068] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\wdfmgr.exe[1068] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\wdfmgr.exe[1068] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1104] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1104] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1104] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1104] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1104] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1284] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1284] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1284] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1284] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1284] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\System32\svchost.exe[1336] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\System32\svchost.exe[1336] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\System32\svchost.exe[1336] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\System32\svchost.exe[1336] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\System32\svchost.exe[1336] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\System32\svchost.exe[1336] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\System32\svchost.exe[1336] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\Ati2evxx.exe[1392] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\Ati2evxx.exe[1392] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\Ati2evxx.exe[1392] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\Ati2evxx.exe[1392] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\Ati2evxx.exe[1392] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\Ati2evxx.exe[1392] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\Ati2evxx.exe[1392] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\Ati2evxx.exe[1392] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1744] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1744] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1744] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1744] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1744] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1744] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1744] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\spoolsv.exe[2040] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\spoolsv.exe[2040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\spoolsv.exe[2040] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\spoolsv.exe[2040] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\spoolsv.exe[2040] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\spoolsv.exe[2040] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\spoolsv.exe[2040] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\spoolsv.exe[2040] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\SearchIndexer.exe[2068] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3056] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3056] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3056] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3056] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3056] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3056] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3056] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\System32\svchost.exe[3388] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\System32\svchost.exe[3388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\System32\svchost.exe[3388] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\System32\svchost.exe[3388] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\System32\svchost.exe[3388] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\System32\svchost.exe[3388] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\System32\svchost.exe[3388] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\System32\svchost.exe[3388] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\RTHDCPL.EXE[3724] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\RTHDCPL.EXE[3724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\RTHDCPL.EXE[3724] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\RTHDCPL.EXE[3724] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\RTHDCPL.EXE[3724] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\RTHDCPL.EXE[3724] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\RTHDCPL.EXE[3724] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\RTHDCPL.EXE[3724] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3804] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3804] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3804] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3804] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3804] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3804] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3804] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\iTunes\iTunesHelper.exe[3820] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10043D80
.text C:\Program Files\iTunes\iTunesHelper.exe[3820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10043BF0
.text C:\Program Files\iTunes\iTunesHelper.exe[3820] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10043DF0
.text C:\Program Files\iTunes\iTunesHelper.exe[3820] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10043AA4
.text C:\Program Files\iTunes\iTunesHelper.exe[3820] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10043218
.text C:\Program Files\iTunes\iTunesHelper.exe[3820] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100427E8
.text C:\Program Files\iTunes\iTunesHelper.exe[3820] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1004277C
.text C:\Program Files\iTunes\iTunesHelper.exe[3820] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10043A50

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A4409B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A4409930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A440A260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A4407E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [A4407E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [A4409B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [A4409930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [A440A260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A4409B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A4407E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A440A260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A4409930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A440A260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A4409930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A4409B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A4407E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A4409B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A4409930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A440A260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A4409B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A4407E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A440A260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A4409930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by VSan, 25 November 2009 - 01:54 PM.


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:31 PM

Posted 25 November 2009 - 06:44 PM

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 VSan

VSan
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 26 November 2009 - 05:03 AM

Thanks for you time.

Combofix could not scan properly while logged in normally - the program shut down during the scan. I rebooted and tried again with the same result and the addition of a "The process cannot access the file because it is being used by another process" message.

It was, however, able to complete a scan in safe mode - results below.

=========================================================================

ComboFix 09-11-25.05 - Andy 26/11/2009 9:22.2.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3327.2938 [GMT 0:00]
Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\twain_32.dll
c:\windows\uqiabrh.old

.
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-25 14:34 . 2009-11-25 14:32 292352 ----a-w- C:\tldwk7xs.exe
2009-11-24 08:43 . 2009-11-24 08:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-24 08:25 . 2009-11-24 08:25 -------- d-----w- c:\documents and settings\Andy\Application Data\Malwarebytes
2009-11-24 08:25 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 08:25 . 2009-11-25 07:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 08:25 . 2009-11-24 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-24 08:25 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 23:28 . 2009-11-23 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-23 23:28 . 2009-11-23 23:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 23:28 . 2009-11-23 21:02 16409960 ----a-w- C:\spybotsd162.exe
2009-11-23 21:01 . 2009-11-23 23:19 -------- d-----w- C:\AVGTemp
2009-11-23 18:17 . 2009-11-23 18:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-11-23 07:30 . 2009-11-23 07:30 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-16 13:27 . 2009-11-16 13:27 -------- d--h--w- c:\windows\PIF
2009-11-16 10:41 . 2009-11-16 10:41 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-16 10:41 . 2009-11-16 10:41 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-16 10:41 . 2009-11-16 10:41 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-16 10:41 . 2009-11-22 19:01 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-16 10:41 . 2009-11-16 10:41 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-16 10:41 . 2009-11-16 10:41 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-16 10:41 . 2009-11-16 10:41 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-16 10:41 . 2009-11-16 10:41 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-16 10:37 . 2009-11-16 10:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-16 10:37 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-16 10:20 . 2009-11-16 10:20 -------- d-----w- C:\$AVG
2009-11-16 10:20 . 2009-11-16 10:20 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-16 10:19 . 2009-11-16 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-16 09:50 . 2009-11-16 09:50 -------- d-----w- c:\program files\iPod
2009-11-16 09:50 . 2009-11-16 09:50 -------- d-----w- c:\program files\iTunes
2009-11-16 09:50 . 2009-11-16 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-16 09:49 . 2009-11-16 09:49 -------- d-----w- c:\program files\QuickTime
2009-11-16 09:43 . 2009-11-16 09:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-14 17:49 . 2009-11-14 17:49 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\IsolatedStorage
2009-11-05 07:07 . 2009-11-05 07:07 152576 ----a-w- c:\documents and settings\Andy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 20:59 . 2009-03-28 09:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-22 19:07 . 2009-03-28 09:11 -------- d-----w- c:\program files\SpywareBlaster
2009-11-16 11:17 . 2009-03-28 17:33 -------- d-----w- c:\documents and settings\Andy\Application Data\Apple Computer
2009-11-16 10:41 . 2009-06-20 10:09 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-16 10:41 . 2009-05-23 10:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-16 10:40 . 2009-06-20 10:09 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-16 10:20 . 2009-03-26 21:28 -------- d-----w- c:\program files\AVG
2009-11-16 10:20 . 2009-03-26 21:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-16 10:20 . 2009-03-26 21:28 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-16 10:20 . 2009-03-26 21:28 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-16 09:50 . 2009-03-28 17:32 -------- d-----w- c:\program files\Common Files\Apple
2009-11-14 18:04 . 2009-05-25 19:08 350488 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-14 17:48 . 2009-05-14 18:04 -------- d-----w- c:\program files\Microsoft
2009-11-12 07:43 . 2009-03-28 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-05 07:08 . 2009-09-02 12:21 -------- d-----w- c:\program files\Java
2009-10-24 12:24 . 2009-05-27 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-24 11:22 . 2009-03-26 21:01 69312 ----a-w- c:\documents and settings\Andy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 06:56 . 2009-03-28 10:44 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 17:34 . 2009-10-12 17:34 -------- d-----w- c:\documents and settings\Andy\Application Data\Windows Search
2009-10-11 04:17 . 2009-09-02 12:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-23 12:55 . 2009-05-23 10:36 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-23 07:33 . 2009-09-23 07:33 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-23 07:33 . 2009-09-23 07:33 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-09-23 07:33 . 2009-09-23 07:33 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-23 07:32 . 2009-06-20 10:09 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:26 . 2009-09-10 19:26 152576 ----a-w- c:\documents and settings\Andy\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:19 . 2009-08-29 08:19 1589344 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-29 08:08 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-22 788880]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 624248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-16 2020120]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-31 16806912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-16 10:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [23/05/2009 10:36 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1184912]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/03/2009 21:28 333192]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/11/2009 10:20 360584]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/11/2009 10:19 285392]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [03/06/2009 12:46 92008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [24/11/2009 08:25 38224]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [26/03/2009 21:08 476416]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:01]

2009-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-11-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.klz.org.uk/schoolsites/88624.../Staffroom.aspx
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: klz.org.uk\portal
Trusted Zone: ncsl.org.uk\registration
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 09:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(248)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-26 09:34
ComboFix-quarantined-files.txt 2009-11-26 09:34

Pre-Run: 48,959,332,352 bytes free
Post-Run: 49,364,455,424 bytes free

- - End Of File - - D5FC6CABB60A7F2CA272B90A351FCDE6

Edited by VSan, 26 November 2009 - 05:25 AM.


#6 VSan

VSan
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 26 November 2009 - 06:26 AM

Hi

Just to follow up - since running ComboFix all of the symptoms I listed in my opening post have been reversed!

Is this it? I wonder if you have any insight from the logs as to what the infection was and how it might have been received?

I run ZA, AVG, AdAware and Spywareblaster which have (up until now) kept me clean - is there something more I should be doing? My only behaviour change before getting this infection was to start using IE for browsing (I needed to as I was working with sharepoint and looking for resources).

I'm really grateful for your help with this, I shall be making a small donation :(

#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:31 PM

Posted 26 November 2009 - 08:27 AM

Hi yes this file c:\windows\system32\twain_32.dll was the problem it is detected as a rootkit by Kaspersky.
I do recommend getting a better antivirus than AVG they have really gone downhill.
It appears that in the newest version they mad e the interface more "pretty" instead of fixing the issues to make it more stable and offer better protection.
My recommendation for free antivirus and anti spyware would be Microsoft Security essentials.

Just to get a second opinion please do the following:
Please download TFC by Old Timer.Double-click TFC.exe to run the program.
(If using Vista please Right Click and Choose "Run as Administrator")
Click the Start button.
Please reboot when prompted.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#8 VSan

VSan
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 26 November 2009 - 06:21 PM

Thanks once again. Interesting to get a recommendation for a Microsoft product - times must be changing!

Some infected files still found by Kaspersky:

Scan statistics
Objects scanned 113487
Threats found 2
Infected objects found 4
Suspicious objects found 0
Scan duration 01:23:58

File name Threat Threats count
C:\AVGTemp\rmagent_files.tar Infected: Trojan-PSW.Win32.Kates.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\uqiabrh.old.vir Infected: Trojan-PSW.Win32.Kates.aa 1
E:\Apps\Archive\PC management\XP keyfinder.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2

#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:31 PM

Posted 26 November 2009 - 06:30 PM

Yes Security Essentials is a surprising change to what we know as Microsoft products.
I have tested this antivirus and it is solid it has a high detection rate and also is very powerful and has no problem removing serious threats.
It is also less problematic than other antivirus products.
===============================
Yep those are nothing to worry about.
This one is in combofix's quarantine folder which we will remove soon.
C:\Qoobox\Quarantine\C\WINDOWS\uqiabrh.old.vir
The first one is an AVG removal utlity.
Nothing to worry about there.

The third is an xp keyfinder tool.

You can delete this folder now:
C:\AVGTemp
=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
======Next======
  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Delete\uninstall anything else that we have used that is leftover.

=====================================
After that your all set. :(


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#10 VSan

VSan
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 26 November 2009 - 07:10 PM

OK, thanks for all this, clean up is under way.

I've just googled the trojan mentioned in the Kaspersky log and it seems to be a pretty scary keylogger - I've done a good deal of internet banking in the last couple of weeks ... is it time to panic?

#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:31 PM

Posted 26 November 2009 - 07:34 PM

Can you show me where a link to where you read that at?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#12 VSan

VSan
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 26 November 2009 - 07:39 PM

Sure: http://www.enigmasoftware.com/trojanpswkatesaa-removal/

Edited by VSan, 26 November 2009 - 07:43 PM.


#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:31 PM

Posted 26 November 2009 - 07:57 PM

No it isn't unfortunately.
I didn't put the 2 and 2 together until I saw the kaspersky description of what it found.
Trojan-PSW.Win32.Kates.aa

Interestingly enough it didn't detect the other file.
But nonetheless some of the below information can help re-securing any data that may have been compromised if any,not saying that is was but these types of infections have that capability.
=================================
One or more of the identified infections is a backdoor trojan or rootkit.

This can allow hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#14 VSan

VSan
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 27 November 2009 - 06:17 AM

OK, thanks once again - I've changed all my passwords and dropped a small donation in to you folks, keep up the good work :(

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:31 PM

Posted 27 November 2009 - 07:17 AM

You are welcome and thank you as well :(


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :(

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users