HijackThis/Malwarebytes log


  • This topic is locked
17 replies to this topic

#1 sanscosm

  • Members
  • 32 posts

Posted 25 November 2009 - 06:03 PM

For the last week I have had repeated viruses and trojans appearing every time I scan. I think it started when 'System Defender' appeared on my laptop, which I think I managed to get rid of. I recently changed from using Avast and Spybot Search & Destroy to Avira and a-squared. I also use Malwarebytes.

Whenever I use Internet Explorer or Firefox it opens up saying it was interrupted unexpectedly and asks if I want to re-open web pages. If I click yes I get around 5 pop-ups. While using the browsers I hear noises of pop-ups being blocked and music (such as Gwen Stefani, very random) but no visual sign of either them being blocked or of the pop-up windows. I then get a message from Avira saying a virus has been found, usually 'HTML/Infected.WebPage.Gen - Malware'. Every program I scan with finds new corrupt files. I also cannot get into safe mode. I am beginning to get quite worried.



Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:25:06, on 25/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\ctfmon.exe
D:\setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plymouth.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O1 - Hosts: 89.248.168.187 google.ae
O1 - Hosts: 89.248.168.187 google.as
O1 - Hosts: 89.248.168.187 google.at
O1 - Hosts: 89.248.168.187 google.az
O1 - Hosts: 89.248.168.187 google.ba
O1 - Hosts: 89.248.168.187 google.be
O1 - Hosts: 89.248.168.187 google.bg
O1 - Hosts: 89.248.168.187 google.bs
O1 - Hosts: 89.248.168.187 google.ca
O1 - Hosts: 89.248.168.187 google.cd
O1 - Hosts: 89.248.168.187 google.com.gh
O1 - Hosts: 89.248.168.187 google.com.hk
O1 - Hosts: 89.248.168.187 google.com.jm
O1 - Hosts: 89.248.168.187 google.com.mx
O1 - Hosts: 89.248.168.187 google.com.my
O1 - Hosts: 89.248.168.187 google.com.na
O1 - Hosts: 89.248.168.187 google.com.nf
O1 - Hosts: 89.248.168.187 google.com.ng
O1 - Hosts: 89.248.168.187 google.ch
O1 - Hosts: 89.248.168.187 google.com.np
O1 - Hosts: 89.248.168.187 google.com.pr
O1 - Hosts: 89.248.168.187 google.com.qa
O1 - Hosts: 89.248.168.187 google.com.sg
O1 - Hosts: 89.248.168.187 google.com.tj
O1 - Hosts: 89.248.168.187 google.com.tw
O1 - Hosts: 89.248.168.187 google.dj
O1 - Hosts: 89.248.168.187 google.de
O1 - Hosts: 89.248.168.187 google.dk
O1 - Hosts: 89.248.168.187 google.dm
O1 - Hosts: 89.248.168.187 google.ee
O1 - Hosts: 89.248.168.187 google.fi
O1 - Hosts: 89.248.168.187 google.fm
O1 - Hosts: 89.248.168.187 google.fr
O1 - Hosts: 89.248.168.187 google.ge
O1 - Hosts: 89.248.168.187 google.gg
O1 - Hosts: 89.248.168.187 google.gm
O1 - Hosts: 89.248.168.187 google.gr
O1 - Hosts: 89.248.168.187 google.ht
O1 - Hosts: 89.248.168.187 google.ie
O1 - Hosts: 89.248.168.187 google.im
O1 - Hosts: 89.248.168.187 google.in
O1 - Hosts: 89.248.168.187 google.it
O1 - Hosts: 89.248.168.187 google.ki
O1 - Hosts: 89.248.168.187 google.la
O1 - Hosts: 89.248.168.187 google.li
O1 - Hosts: 89.248.168.187 google.lv
O1 - Hosts: 89.248.168.187 google.ma
O1 - Hosts: 89.248.168.187 google.ms
O1 - Hosts: 89.248.168.187 google.mu
O1 - Hosts: 89.248.168.187 google.mw
O1 - Hosts: 89.248.168.187 google.nl
O1 - Hosts: 89.248.168.187 google.no
O1 - Hosts: 89.248.168.187 google.nr
O1 - Hosts: 89.248.168.187 google.nu
O1 - Hosts: 89.248.168.187 google.pl
O1 - Hosts: 89.248.168.187 google.pn
O1 - Hosts: 89.248.168.187 google.pt
O1 - Hosts: 89.248.168.187 google.ro
O1 - Hosts: 89.248.168.187 google.ru
O1 - Hosts: 89.248.168.187 google.rw
O1 - Hosts: 89.248.168.187 google.sc
O1 - Hosts: 89.248.168.187 google.se
O1 - Hosts: 89.248.168.187 google.sh
O1 - Hosts: 89.248.168.187 google.si
O1 - Hosts: 89.248.168.187 google.sm
O1 - Hosts: 89.248.168.187 google.sn
O1 - Hosts: 89.248.168.187 google.st
O1 - Hosts: 89.248.168.187 google.tl
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Sbocigego] rundll32.exe "C:\WINDOWS\eyexavowiyel.dll",Startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PHOTOfunSTUDIO.lnk = C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: hmmmgfdll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 11417 bytes




Here is one of my Malwarebytes logs:

Objects scanned: 184055
Time elapsed: 44 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\photo_id.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\photo_id (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\photo_id (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\photo_id.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\Documents and Settings\Owner\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.




Thank you so much for your help!

Edited by sanscosm, 25 November 2009 - 07:12 PM.
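The two logs in the post above show several indicators that are worth recognising on sight: dozens of google.* hostnames mapped in the hosts file to one remote address (89.248.168.187), an HKLM Run entry that loads a randomly named DLL from C:\WINDOWS through rundll32, a non-empty AppInit_DLLs value, and a Winlogon Userinit value with sdra64.exe appended after userinit.exe. The Python script below is an added example, not part of the original post and not HijackThis or Malwarebytes code; it pulls exactly those indicators out of HijackThis-style lines. The sample lines are constructed from the log above, and the "rundll32 from outside system32" heuristic and the loopback prefixes are assumptions made for illustration.

```python
"""Triage HijackThis-style log lines for the redirection and persistence
tricks visible in this thread (added example; not the tool's own code)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 89.248.168.187 google.ae
O1 - Hosts: 89.248.168.187 google.de
O1 - Hosts: 89.248.168.187 google.fr
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Sbocigego] rundll32.exe "C:\WINDOWS\eyexavowiyel.dll",Startup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O20 - AppInit_DLLs: hmmmgfdll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
""".strip()

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)

# Assumption: anything not pointing at loopback is a real redirect.
LOOPBACK = ("127.", "0.0.0.0", "::1")


def hosts_redirects(lines):
    """Return {ip: [hostnames]} for O1 entries that send real names to a
    non-loopback address. Ad blocklists map names to 127.0.0.1; one remote
    IP answering for many unrelated names is a pharming setup."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if not ip.startswith(LOOPBACK):
                by_ip[ip].append(host)
    return dict(by_ip)


def suspicious_run_entries(lines):
    """Flag O4 Run entries that launch a DLL through rundll32 from outside
    system32. Heuristic only: legitimate OEM autostarts in this log all
    live under system32 or Program Files."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.groups()
        d = RUNDLL_RE.search(cmd)
        if d and "\\system32\\" not in d.group(1).lower():
            hits.append((hive, name, d.group(1)))
    return hits


def appinit_dlls(lines):
    """Return the AppInit_DLLs value when non-empty. Every DLL named there is
    loaded into each process that loads user32.dll, so on a home PC any value
    at all needs explaining."""
    for line in lines:
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            return m.group(1).strip()
    return ""


def extra_userinit_entries(value):
    """Split a Winlogon\\Userinit value and return everything that is not
    userinit.exe itself. A clean XP value is 'C:\\WINDOWS\\system32\\userinit.exe,';
    the Malwarebytes log above shows sdra64.exe appended to it."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("userinit.exe")]


def triage(text):
    lines = text.splitlines()
    return {
        "hosts_redirects": hosts_redirects(lines),
        "rundll32_autostarts": suspicious_run_entries(lines),
        "appinit_dlls": appinit_dlls(lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
    print(extra_userinit_entries(
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"))
```

The hosts check is the one that explains the symptoms described: with every google.* name pinned to one address, each search goes to the attacker's server, which is where the invisible pop-ups and the "HTML/Infected.WebPage.Gen" alerts come from. The Userinit check is separate because HijackThis does not list that value in the sections shown above; feed it the string from the Malwarebytes "Bad:" line.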


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 November 2009 - 08:05 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============


The next log will show us any hidden files that are present.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
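The `/s /md5` lines in the OTL custom scan above ask OTL to search the whole system drive for every copy of each named driver or DLL and print an MD5 for each. The point of the check is that a file-infecting rootkit modifies the one copy Windows actually loads (atapi.sys under system32\drivers, for instance), while untouched copies in dllcache, ServicePackFiles or the i386 source folder remain as a reference, so a name whose copies disagree is the one to look at. The Python script below is an added example of that comparison, not OTL's code; it builds a small constructed directory tree standing in for a system drive, and the file contents and layout in `demo_tree` are made up for the demonstration.

```python
"""Find every copy of a watched driver/DLL under a root, hash each copy and
report names whose copies disagree (added example; not OTL's own code)."""
import hashlib
import os
import tempfile
from collections import defaultdict

# File names from the OTL custom scan above, lower-cased because NTFS
# names are case-insensitive.
WATCHED = {
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iastor.sys", "nvstor.sys", "atapi.sys",
    "idechndr.sys", "viasraid.sys", "agp440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys",
}


def md5_of(path, chunk=1 << 16):
    """MD5 is kept only so the output lines up with what OTL prints; use
    SHA-256 for anything beyond matching against OTL's own report."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, names=WATCHED):
    """Walk root and return {name: [(path, md5, size)]} for every matching file."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in names:
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append((p, md5_of(p), os.path.getsize(p)))
    return dict(found)


def disagreements(found):
    """Names that have more than one distinct hash across their copies."""
    return {name: copies for name, copies in found.items()
            if len({h for _, h, _ in copies}) > 1}


def demo_tree():
    """Constructed mini system drive: two identical atapi.sys reference copies,
    one modified live copy, one clean scecli.dll and an unrelated file."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    clean = b"MZ" + b"\x00" * 100 + b"clean atapi driver"
    patched = b"MZ" + b"\x00" * 100 + b"patched atapi driver"
    layout = {
        r"WINDOWS\system32\drivers\atapi.sys": patched,
        r"WINDOWS\system32\dllcache\atapi.sys": clean,
        r"WINDOWS\ServicePackFiles\i386\atapi.sys": clean,
        r"WINDOWS\system32\scecli.dll": b"MZ" + b"scecli",
        r"WINDOWS\system32\notepad.exe": b"MZ" + b"ignored",
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = demo_tree()
    for name, copies in disagreements(sweep(root)).items():
        print(name)
        for path, digest, size in copies:
            print(f"  {digest}  {size:>8}  {path}")
```

One caveat that is the reason RootRepeal is requested in the same reply: this comparison reads the files through the normal file system path, and a kernel rootkit that filters disk reads can hand back the clean bytes for the very driver it patched. Agreement between all copies is therefore reassuring only when a rootkit scanner that reads below the file system also comes back clean.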

#3 sanscosm

  • Topic Starter
  • Members
  • 32 posts

Posted 26 November 2009 - 04:48 AM

Hello Sam :(

My name is Ally and thank you very much for your help!

I have attached the RootRepeal report to the post. I get a .dll error every time I turn on my computer, "eyexavowiyel.dll"; when I put it into Google nothing came up. Strange.

Here is the first OTL scan:

OTL logfile created on: 26/11/2009 09:16:29 - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.89 Mb Total Physical Memory | 310.36 Mb Available Physical Memory | 30.61% Memory free
2.38 Gb Paging File | 1.71 Gb Available in Paging File | 71.93% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 84.24 Gb Free Space | 75.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-2D715D4B37
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/26 09:03:36 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/10/01 16:03:14 | 01,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/09/28 09:42:50 | 00,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/09/10 14:53:56 | 01,312,080 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/06 16:07:00 | 01,848,648 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/11/18 18:57:22 | 00,044,176 | ---- | M] (Panasonic Corporation) -- C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe
PRC - [2008/11/06 10:40:44 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/07/02 16:16:20 | 00,393,216 | ---- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
PRC - [2008/06/12 16:57:18 | 00,991,584 | ---- | M] (Vendio Services, Inc.) -- C:\Program Files\Search Settings\SearchSettings.exe
PRC - [2008/04/14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/04 11:12:04 | 00,360,448 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe
PRC - [2008/02/05 09:34:48 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2008/02/05 09:34:42 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/02/05 09:34:38 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/02/05 09:34:28 | 00,162,328 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2008/01/29 13:47:50 | 16,859,648 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2007/12/06 15:20:56 | 01,024,000 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/11/21 16:23:32 | 00,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2007/10/12 13:16:46 | 00,266,240 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2007/10/12 13:16:34 | 00,040,960 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2007/09/28 15:05:16 | 00,128,360 | ---- | M] (TOSHIBA CORPORATION) -- c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/07/10 08:24:10 | 00,581,632 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe
PRC - [2007/05/17 21:45:33 | 00,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2007/05/11 09:06:50 | 00,143,360 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2007/04/26 10:49:34 | 00,495,616 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
PRC - [2007/04/10 21:46:52 | 00,709,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX1000.exe
PRC - [2007/04/10 07:45:20 | 00,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
PRC - [2006/12/23 18:05:20 | 00,143,360 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2006/12/23 18:04:42 | 00,905,216 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2006/12/23 17:54:04 | 00,262,144 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
PRC - [2006/12/14 17:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006/10/05 11:10:12 | 00,009,216 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2006/03/16 12:58:00 | 00,974,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2005/04/11 10:26:06 | 00,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2005/01/17 15:38:00 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2002/12/31 13:00:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


========== Modules (SafeList) ==========

MOD - [2009/11/26 09:03:36 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/14 00:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 00:12:00 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mslbui.dll
MOD - [2008/04/14 00:11:56 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\linkinfo.dll
MOD - [2008/04/14 00:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/01 16:03:14 | 01,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2009/09/28 09:42:50 | 00,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/11/06 10:40:44 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/14 00:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/11/21 16:23:32 | 00,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/09/28 15:05:16 | 00,128,360 | ---- | M] (TOSHIBA CORPORATION) -- c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/05/17 21:45:33 | 00,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2007/04/10 07:45:20 | 00,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2006/12/23 17:54:04 | 00,262,144 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2006/12/14 17:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/10/05 11:10:12 | 00,009,216 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2005/01/17 15:38:00 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2002/12/31 13:00:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.plymouth.ac.uk/
IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\S-1-5-21-2286749949-960611568-3193331992-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "search"
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.11.1
FF - prefs.js..extensions.enabledItems: illimitux@illimitux.net:3.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.2.2
FF - prefs.js..extensions.enabledItems: {9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}:1.9.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5
FF - prefs.js..network.proxy.autoconfig_url: "http://www.abdn.ac.uk/local/autoproxy.php"
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/11/06 10:40:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 10:08:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}: C:\Documents and Settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA} [2009/11/18 22:34:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/18 15:26:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/18 15:26:15 | 00,000,000 | ---D | M]

[2008/11/07 17:11:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2008/11/07 17:11:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/25 22:41:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions
[2009/09/01 10:20:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/26 20:05:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\illimitux@illimitux.net
[2009/09/11 09:09:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\personas@christopher.beard
[2009/09/11 09:09:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com
[2008/12/04 16:30:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\translator@dontfollowme.net
[2009/11/25 22:41:05 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/18 15:26:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/26 19:10:59 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2008/11/06 10:40:55 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
[2009/11/18 15:26:08 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/18 15:26:08 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/05/01 21:02:48 | 01,044,480 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\Mozilla Firefox\plugins\libdivx.dll
[2008/11/06 10:40:44 | 00,410,976 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/05/12 18:46:20 | 01,650,992 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2009/05/18 22:41:32 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2009/11/18 15:26:10 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 19:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009/08/03 14:07:42 | 00,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/05/01 21:02:48 | 00,200,704 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\Mozilla Firefox\plugins\ssldivx.dll
[2009/09/01 10:20:36 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/09/01 10:20:36 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/09/01 10:20:36 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/09/01 10:20:36 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/09/01 10:20:36 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/11/18 22:29:50 | 00,001,210 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\search.xml
[2009/09/01 10:20:36 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/09/01 10:20:36 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (353871 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12136 more lines...
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\..\Toolbar\WebBrowser: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe ()
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Sbocigego] C:\WINDOWS\eyexavowiyel.DLL File not found
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe (Vendio Services, Inc.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - HKLM..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (TOSHIBA)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)
O4 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk = C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe (Panasonic Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (hmmmgfdll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\brastk.exe: Debugger - svchost.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/07 08:55:16 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{077f5dea-8b66-11de-be21-00225f021dce}\Shell\AutoRun\command - "" = G:\Toshiba\more4you.exe -- File not found
O33 - MountPoints2\{2236b612-a860-11de-be5b-001e334f75f7}\Shell\AutoRun\command - "" = E:\86.exe -- File not found
O33 - MountPoints2\{2236b612-a860-11de-be5b-001e334f75f7}\Shell\open\Command - "" = E:\86.exe -- File not found
O33 - MountPoints2\{436d064e-bd86-11dd-bc70-00225f021dce}\Shell - "" = AutoRun
O33 - MountPoints2\{436d064e-bd86-11dd-bc70-00225f021dce}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{436d064e-bd86-11dd-bc70-00225f021dce}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{bcb089e5-5692-11de-bdc9-00225f021dce}\Shell\AutoRun\command - "" = E:\Toshiba\more4you.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/07 09:47:19 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (68401979868577792)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/26 09:16:51 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/11/26 09:03:28 | 00,531,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/25 16:04:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\.spss
[2009/11/25 16:02:04 | 00,000,000 | ---D | C] -- C:\KAV
[2009/11/25 15:59:49 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Data Dynamics
[2009/11/25 15:57:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\SafeNet Sentinel
[2009/11/25 15:56:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
[2009/11/25 15:52:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SPSS
[2009/11/25 15:52:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\SPSS
[2009/11/25 15:51:58 | 00,000,000 | ---D | C] -- C:\Program Files\SPSSInc
[2009/11/24 15:47:00 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/22 14:49:44 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2009/11/22 11:09:11 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/22 11:09:09 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/22 11:09:09 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/21 16:48:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Evo Psych
[2009/11/21 16:21:30 | 00,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2009/11/21 16:21:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\a-squared Free
[2009/11/21 15:15:50 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/11/21 15:15:50 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/11/21 15:15:50 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/11/21 15:15:50 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/11/21 15:15:50 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/11/21 15:15:46 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/11/21 15:15:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/11/18 23:13:09 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2009/11/18 22:34:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}
[2009/11/18 22:29:25 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\92d9089
[2009/11/18 19:48:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Research Assmessment 2
[2009/11/18 16:51:36 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\CANON
[2009/11/18 16:47:44 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/11/18 16:47:32 | 00,230,912 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNMLM9I.DLL
[2009/11/18 16:47:29 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\CanonIJ Uninstaller Information
[2009/11/18 16:47:11 | 00,200,704 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC190L.DLL
[2009/11/18 16:47:11 | 00,188,416 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\CNC190O.DLL
[2009/11/18 16:47:10 | 00,098,304 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC190I.DLL
[2009/11/18 16:47:09 | 01,323,008 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC190C.DLL
[2009/11/18 16:46:47 | 00,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2009/11/18 16:45:47 | 00,000,000 | ---D | C] -- C:\Program Files\Canon
[2009/11/14 13:54:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\IPA
[2009/11/14 12:59:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Environmental Psych
[2009/05/24 17:45:08 | 00,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[2008/05/07 09:50:52 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/19 18:03:36 | 02,916,478 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\WS_30003.WMA
[2009/11/26 09:16:56 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/11/26 09:16:54 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/11/26 09:06:01 | 12,845,056 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2009/11/26 09:03:36 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/26 08:56:35 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/26 08:56:01 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/11/26 08:56:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/26 08:55:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/26 08:55:56 | 10,632,11008 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/26 00:25:08 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/11/26 00:02:31 | 00,332,280 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/25 16:00:13 | 00,000,114 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.tgz
[2009/11/25 16:00:13 | 00,000,100 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.dll
[2009/11/25 16:00:13 | 00,000,014 | ---- | M] () -- C:\WINDOWS\System32\ssprs.tgz
[2009/11/25 16:00:04 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\clauth2.dll
[2009/11/25 16:00:04 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\clauth1.dll
[2009/11/25 16:00:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\ssprs.dll
[2009/11/25 16:00:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\nsprs.tgz
[2009/11/25 16:00:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\nsprs.dll
[2009/11/25 15:59:07 | 00,000,219 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.tgz
[2009/11/25 15:59:07 | 00,000,205 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.dll
[2009/11/25 15:59:07 | 00,000,016 | -H-- | M] () -- C:\WINDOWS\System32\servdat.slm
[2009/11/25 15:58:40 | 00,000,000 | ---- | M] () -- C:\law.sp
[2009/11/25 15:56:39 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\grcauth2.dll
[2009/11/25 15:56:39 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\grcauth1.dll
[2009/11/25 15:51:42 | 00,001,025 | ---- | M] () -- C:\WINDOWS\System32\sysprs7.tgz
[2009/11/25 15:51:42 | 00,001,025 | ---- | M] () -- C:\WINDOWS\System32\sysprs7.dll
[2009/11/24 21:09:16 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/24 16:23:31 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/11/24 16:23:31 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/11/24 15:47:00 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/11/22 19:07:55 | 00,016,272 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MSc_Psychology_Deadlines[1].docx
[2009/11/22 16:54:54 | 00,019,654 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Interview brief and debrief edit..docx
[2009/11/22 16:52:37 | 00,021,297 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Interpretative Phenomenological Analysis Assignment 2.docx
[2009/11/22 14:49:48 | 00,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2009/11/22 12:06:24 | 00,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/11/22 11:09:14 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/21 21:08:15 | 00,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/11/21 16:21:49 | 00,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2009/11/21 16:13:07 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/21 15:16:04 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/11/20 23:10:38 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Szoje.dat
[2009/11/20 20:39:11 | 00,000,090 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/11/20 20:39:10 | 00,353,871 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/20 20:39:09 | 00,353,910 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091120-203910.backup
[2009/11/20 08:26:23 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Ogevamalanunevi.bin
[2009/11/19 18:46:52 | 00,010,367 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Literature Review.docx
[2009/11/18 22:30:49 | 00,354,181 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091120-203909.backup
[2009/11/18 16:27:15 | 00,003,583 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ptsd data.sav
[2009/11/12 17:06:50 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/12 15:44:05 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$mmary table for IPA.docx
[2009/11/12 15:42:40 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\~$A Theme.docx
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/26 09:16:56 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/11/25 16:00:04 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2009/11/25 16:00:04 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2009/11/25 16:00:04 | 00,000,014 | ---- | C] () -- C:\WINDOWS\System32\ssprs.tgz
[2009/11/25 16:00:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2009/11/25 16:00:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.tgz
[2009/11/25 16:00:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
[2009/11/25 15:58:40 | 00,000,000 | ---- | C] () -- C:\law.sp
[2009/11/25 15:56:39 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2009/11/25 15:56:39 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2009/11/25 15:56:39 | 00,000,114 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.tgz
[2009/11/25 15:56:38 | 00,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2009/11/25 15:51:42 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.tgz
[2009/11/25 15:51:42 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2009/11/25 15:51:42 | 00,000,219 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.tgz
[2009/11/25 15:51:42 | 00,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2009/11/25 15:51:42 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\servdat.slm
[2009/11/24 21:09:13 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/11/24 16:23:31 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/11/24 16:23:31 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/11/24 15:47:00 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/11/22 19:07:54 | 00,016,272 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MSc_Psychology_Deadlines[1].docx
[2009/11/22 16:54:53 | 00,019,654 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Interview brief and debrief edit..docx
[2009/11/22 16:52:36 | 00,021,297 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Interpretative Phenomenological Analysis Assignment 2.docx
[2009/11/22 14:49:48 | 00,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2009/11/22 11:09:14 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/21 16:21:49 | 00,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2009/11/21 15:16:04 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/11/20 20:39:11 | 00,000,090 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/11/19 18:46:52 | 00,010,367 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Literature Review.docx
[2009/11/18 22:34:32 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Szoje.dat
[2009/11/18 22:34:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Ogevamalanunevi.bin
[2009/11/18 16:27:15 | 00,003,583 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ptsd data.sav
[2009/11/12 15:44:05 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$mmary table for IPA.docx
[2009/11/12 15:42:40 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\~$A Theme.docx
[2009/09/26 12:27:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PhEdit.INI
[2009/08/26 20:45:58 | 00,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/05 21:31:02 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/05/24 17:45:08 | 00,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2009/05/14 12:41:15 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/11/12 20:00:02 | 00,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/11/09 15:44:17 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/07 17:50:38 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/06 10:39:07 | 00,000,478 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/06 10:29:57 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Owner\Application Data\desktop.ini
[2008/11/06 10:29:56 | 00,083,392 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/06 10:29:56 | 00,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2008/11/06 10:28:41 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2008/11/06 10:28:41 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2008/11/06 10:28:41 | 00,010,150 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2008/11/06 10:28:41 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2008/09/19 21:57:34 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/05/07 10:48:50 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/07 10:20:39 | 00,000,563 | ---- | C] () -- C:\WINDOWS\TBTdetect.ini
[2008/05/07 09:55:33 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/05/07 09:55:33 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/05/07 09:55:33 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/05/07 09:55:33 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/05/07 09:55:33 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/05/07 09:55:33 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/05/07 09:54:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2008/05/07 09:51:00 | 00,521,268 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/05/07 09:51:00 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/05/07 09:50:52 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2008/05/07 09:50:51 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/05/07 09:49:15 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2008/05/07 09:42:09 | 00,910,464 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/05/07 09:42:09 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4833.dll
[2008/05/07 09:14:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll
[2008/05/07 09:11:59 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2008/05/07 09:11:20 | 00,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/05/07 08:55:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2008/05/07 08:53:33 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2008/05/07 08:53:33 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2008/05/07 08:53:19 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2008/05/07 08:53:18 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2008/05/07 07:46:38 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2008/05/07 07:46:38 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2008/05/07 07:46:34 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2008/05/07 07:46:34 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/05/07 07:46:33 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2008/05/07 07:46:33 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2008/05/07 07:46:33 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/05/07 07:46:31 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2008/05/07 07:46:31 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2008/05/07 07:46:31 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2008/05/07 07:46:31 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2008/05/07 07:46:30 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2008/05/07 07:46:30 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2008/05/07 07:46:30 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2008/05/07 07:46:30 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2008/05/07 07:46:30 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2008/05/07 07:46:30 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2008/05/07 07:46:30 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2008/05/07 07:46:30 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2008/05/07 07:46:30 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2008/05/07 07:46:30 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2008/05/07 07:46:30 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2008/05/07 07:46:30 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2008/05/07 07:46:30 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2008/05/07 07:46:30 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2008/05/07 07:46:30 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2008/05/07 07:46:30 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2008/05/07 07:46:30 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2008/05/07 07:46:30 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2008/05/07 07:46:30 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2008/05/07 07:46:30 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2008/05/07 07:46:30 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2008/05/07 07:46:30 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2008/05/07 07:46:29 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2008/05/07 07:46:29 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2008/05/07 07:46:29 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2008/05/07 07:46:29 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2008/05/07 07:46:29 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2008/05/07 07:46:29 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2008/05/07 07:46:29 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2008/05/07 07:46:28 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2008/05/07 07:46:26 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2008/05/07 07:46:26 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2008/05/07 07:46:26 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2008/05/07 07:46:25 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2008/05/07 07:46:25 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2008/05/07 07:46:25 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2008/05/07 07:46:25 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2008/05/07 07:46:25 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2008/05/07 07:46:25 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2007/12/21 15:46:32 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2005/07/22 20:30:18 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2002/12/31 13:00:00 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 19:00:00 | 00,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[2001/08/17 22:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll

========== LOP Check ==========

[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InstallShield
[2008/11/06 17:35:28 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2008/11/06 17:35:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\toshiba
[2009/11/18 22:29:47 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\92d9089
[2008/11/06 17:35:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/09/07 16:56:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2008/12/21 00:38:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/07/05 21:42:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/07/09 14:42:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ArcSoft
[2009/11/21 15:15:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avira
[2008/12/21 00:23:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/11/18 16:47:44 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/11/12 19:47:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/01/09 20:06:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/30 11:41:55 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/11/12 17:05:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2008/11/07 14:52:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nero
[2009/09/30 11:25:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2009/11/25 15:56:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
[2008/11/06 17:35:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/08/26 19:10:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2008/12/21 00:41:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2008/12/21 00:22:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
[2009/11/25 15:52:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPSS
[2009/11/21 16:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/11/21 16:29:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/11/24 15:58:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Adobe
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Identities
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\InstallShield
[2008/11/06 17:35:28 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Default User\Application Data\Microsoft
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Sun
[2008/11/06 17:35:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\toshiba
[2009/11/21 15:36:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/11/21 15:38:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2008/11/24 15:58:27 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/11/06 17:35:38 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/11/07 17:14:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2009/09/07 16:56:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ahead
[2009/07/17 16:07:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Apple Computer
[2009/07/05 22:11:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ArcSoft
[2009/10/05 20:49:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Audacity
[2008/11/21 23:22:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DivX
[2009/06/29 21:57:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\dvdcss
[2009/09/20 13:29:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Google
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Identities
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InstallShield
[2009/02/10 18:24:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2008/11/07 17:14:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Macromedia
[2009/01/09 20:06:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/10/22 12:53:55 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Microsoft
[2008/11/07 17:11:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2009/09/30 11:25:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Office Genuine Advantage
[2009/07/05 21:44:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Panasonic
[2008/11/12 20:05:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Search Settings
[2009/11/21 23:11:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Skype
[2009/11/21 21:08:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\skypePM
[2008/12/21 00:41:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sony
[2008/11/06 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sun
[2008/11/13 17:50:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Thinstall
[2008/11/06 10:42:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\toshiba
[2009/03/08 18:47:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\U3
[2009/01/22 18:46:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\vlc
[2008/11/08 18:55:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\WinRAR
[2008/01/15 07:49:18 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/26 08:56:01 | 00,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
[2009/11/26 08:56:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/01/09 10:08:01 | 00,000,242 | ---- | M] () -- C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2008/01/15 07:36:38 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2008/01/15 07:56:51 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2008/01/15 07:50:53 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
[2007/09/29 22:03:12 | 00,308,248 | ---- | M] (Intel Corporation) MD5=E5A0034847537EAEE3C00349D5C34C5F -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/09/29 22:03:32 | 00,384,024 | ---- | M] (Intel Corporation) MD5=16A4671255CFB842225F0FDB6DBDB414 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2008/01/15 15:48:32 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\OemDir\iaStor.sys
[2007/09/29 22:03:12 | 00,308,248 | ---- | M] (Intel Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2008/01/15 15:48:32 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\iaStor.sys

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/01/15 07:59:13 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >

< >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >





Here is the extra scan:

OTL Extras logfile created on: 26/11/2009 09:16:29 - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.89 Mb Total Physical Memory | 310.36 Mb Available Physical Memory | 30.61% Memory free
2.38 Gb Paging File | 1.71 Gb Available in Paging File | 71.93% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 84.24 Gb Free Space | 75.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-2D715D4B37
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe" = C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.1 -- (Sony Creative Software Inc.)
"C:\Program Files\Eidos\Pyro Studios\Commandos 3 - Destination Berlin\commandos3.exe" = C:\Program Files\Eidos\Pyro Studios\Commandos 3 - Destination Berlin\commandos3.exe:*:Disabled:commandos3 -- File not found
"C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\patchget.dat" = C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\patchget.dat:*:Enabled:patchgrabber -- File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Documents and Settings\All Users\Application Data\92d9089\WS92d9.exe" = C:\Documents and Settings\All Users\Application Data\92d9089\WS92d9.exe:*:Disabled:System Defender -- File not found
"C:\Program Files\SPSSInc\Statistics17\statistics.com" = C:\Program Files\SPSSInc\Statistics17\statistics.com:*:Disabled:Statistics17:com -- (SPSS Inc)
"C:\Program Files\SPSSInc\Statistics17\SPSSWinWrapIDE.exe" = C:\Program Files\SPSSInc\Statistics17\SPSSWinWrapIDE.exe:*:Disabled:SPSS Basic Script Editor -- (SPSS Inc.)
"C:\Program Files\SPSSInc\Statistics17\statistics.exe" = C:\Program Files\SPSSInc\Statistics17\statistics.exe:*:Disabled:Statistics17:exe -- (SPSS Inc)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0096A731-71DB-4969-AF1A-651698B246A5}" = Sony Ericsson Media Manager 1.1
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{07F58BB0-50D4-4477-B491-A97B2AD059B6}" = TOSHIBA Hotkey Utility
"{0F4F4815-76AD-4B26-8763-72F3344041C2}" = TOSHIBA Manuals
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP190_series" = Canon MP190 series MP Drivers
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 10
"{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 4.010.00
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{400830CA-F056-4BBE-80A3-9DF9CA4FB889}" = TOSHIBA Direct Disc Writer
"{46B65150-F8AA-42F2-94FB-2729A8AE5F7E}" = SPSS Statistics 17.0
"{497A1721-088F-41EF-8876-B43C9DA5528B}" = ArcSoft Software Suite
"{4B719A70-F14A-4f5c-90B5-346B24B7FFF1}" = Windows 7 Upgrade Advisor
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{61B84435-7A82-4F5C-87EC-1071EC28D72D}" = TOSHIBA Utilities
"{63AFACBC-4795-4A1B-8037-5085DC03FC54}" = Microsoft LifeCam
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{895722FE-25FE-4854-95AC-B0C42F9DBEDA}" = REALTEK RTL8187B Wireless LAN Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8F7AC250-4D7D-431D-AC4E-94FB78EA3F8B}" = TOSHIBA Power Saver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007
"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_WORD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_WORD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_WORD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_WORD_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_WORD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_WORD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A9DBEBC-C800-4776-A970-D76D6AA405B1}" = PHOTOfunSTUDIO
"{9DB2E18E-2A1F-4D65-A258-9CB446903C3E}" = Amos 17.0
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B28B351F-1232-46EA-85EF-B8EA91641033}" = Nero 7 Essentials
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C02A6D5F-0FE1-46DE-B483-2BD33A226BCF}" = TOSHIBA TouchPad ON/Off Utility
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D0C73318-7B4A-4D16-A0C4-3B83F075EA88}" = Search Settings 1.2
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"a-squared Free_is1" = a-squared Free 4.5
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.6 (Unicode)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Canon MP190 series User Registration" = Canon MP190 series User Registration
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.8.0
"Guitar Pro 5_is1" = Guitar Pro 5.2
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MP Navigator EX 1.2" = Canon MP Navigator EX 1.2
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WORD" = Microsoft Office Word 2007
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 24/11/2009 14:22:08 | Computer Name = YOUR-2D715D4B37 | Source = Application Hang | ID = 1001
Description = Fault bucket 1567219990.

Error - 24/11/2009 14:22:18 | Computer Name = YOUR-2D715D4B37 | Source = Application Hang | ID = 1002
Description = Hanging application avscan.exe, version 9.0.3.10, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 24/11/2009 16:49:40 | Computer Name = YOUR-2D715D4B37 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 24/11/2009 16:52:56 | Computer Name = YOUR-2D715D4B37 | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 24/11/2009 17:13:59 | Computer Name = YOUR-2D715D4B37 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 25/11/2009 06:00:59 | Computer Name = YOUR-2D715D4B37 | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 25/11/2009 12:01:19 | Computer Name = YOUR-2D715D4B37 | Source = Application Error | ID = 1005
Description = Windows cannot access the file D:\setup.exe for one of the following
reasons: there is a problem with the network connection, the disk that the file
is stored on, or the storage drivers installed on this computer; or the disk is
missing. Windows closed the program SPSS Statistics because of this error. Program:
SPSS Statistics File: D:\setup.exe The error value is listed in the Additional Data
section. User Action 1. Open the file again. This situation might be a temporary
problem that corrects itself when the program runs again. 2. If the file still cannot
be accessed and - It is on the network, your network administrator should verify
that there is not a problem with the network and that the server can be contacted.
-
It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the
disk is fully inserted into the computer. 3. Check and repair the file system by
running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click
OK. At the command prompt, type CHKDSK /F, and then press ENTER. 4. If the problem
persists, restore the file from a backup copy. 5. Determine whether other files
on the same disk can be opened. If not, the disk might be damaged. If it is a hard
disk, contact your administrator or computer hardware vendor for further assistance.
Additional
Data Error value: C0000240 Disk type: 5

Error - 25/11/2009 12:01:23 | Computer Name = YOUR-2D715D4B37 | Source = Application Error | ID = 1000
Description = Faulting application setup.exe, version 17.0.0.202, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x000500b6.

Error - 25/11/2009 12:02:18 | Computer Name = YOUR-2D715D4B37 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 25/11/2009 14:23:25 | Computer Name = YOUR-2D715D4B37 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 14/11/2009 08:42:58 | Computer Name = YOUR-2D715D4B37 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 28
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 24/11/2009 18:14:09 | Computer Name = YOUR-2D715D4B37 | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 24/11/2009 18:14:16 | Computer Name = YOUR-2D715D4B37 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 24/11/2009 19:15:18 | Computer Name = YOUR-2D715D4B37 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows CardSpace service
to connect.

Error - 24/11/2009 19:15:18 | Computer Name = YOUR-2D715D4B37 | Source = Service Control Manager | ID = 7000
Description = The Windows CardSpace service failed to start due to the following
error: %%1053

Error - 25/11/2009 05:57:53 | Computer Name = YOUR-2D715D4B37 | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 25/11/2009 05:57:59 | Computer Name = YOUR-2D715D4B37 | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 25/11/2009 06:00:39 | Computer Name = YOUR-2D715D4B37 | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 25/11/2009 06:00:45 | Computer Name = YOUR-2D715D4B37 | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 25/11/2009 06:00:52 | Computer Name = YOUR-2D715D4B37 | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 25/11/2009 06:00:58 | Computer Name = YOUR-2D715D4B37 | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.


< End of report >



Sorry, I read on another topic that it is easier if it is all on one page rather than in an attached document. Please find below my RootRepeal report:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/26 09:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x99D72000 Size: 819200 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9582E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\~df3475.tmp
Status: Allocation size mismatch (API: 49152, Raw: 16384)

Path: c:\documents and settings\owner\local settings\temp\~df3d58.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\~df59a.tmp
Status: Allocation size mismatch (API: 540672, Raw: 24576)

Path: c:\documents and settings\owner\local settings\temp\~df669c.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: c:\documents and settings\owner\local settings\temporary internet files\content.ie5\avx7tgal\bind[1].htm
Status: Size mismatch (API: 588, Raw: 515)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa3d6d83e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa3d6d834

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa3d6d843

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa3d6d84d

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xa3d6d852

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa3d6d820

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa3d6d825

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa3d6d85c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xa3d6d857

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa3d6d848

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa3d6d82f

==EOF==



Edited by sanscosm, 26 November 2009 - 02:21 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:19 PM

Posted 27 November 2009 - 12:03 PM

Yes it is. That's perfect!


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKLM..\Run: [Sbocigego] C:\WINDOWS\eyexavowiyel.DLL File not found
    O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe (Vendio Services, Inc.)
    O33 - MountPoints2\{077f5dea-8b66-11de-be21-00225f021dce}\Shell\AutoRun\command - "" = G:\Toshiba\more4you.exe -- File not found
    O33 - MountPoints2\{2236b612-a860-11de-be5b-001e334f75f7}\Shell\AutoRun\command - "" = E:\86.exe -- File not found
    O33 - MountPoints2\{2236b612-a860-11de-be5b-001e334f75f7}\Shell\open\Command - "" = E:\86.exe -- File not found
    [2009/11/20 08:26:23 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Ogevamalanunevi.bin
    [2008/11/12 20:05:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Search Settings
    
    :Files
    C:\Program Files\Search Settings
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

========================


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 sanscosm

sanscosm
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:10:19 PM

Posted 27 November 2009 - 05:03 PM

Hello Sam :( Hope you are having a good day.

Hopefully I did the OTL report properly. I copied and pasted what you said to put in the "custom section" bit in the very first OTL report. If this is not correct I will do it again.

<edit> Also, since carrying out the ComboFix (or it may have started earlier today) I have been getting popups to "directdr.com" regardless of what webpage I am on. I am also still getting redirected during Google searches and getting the "last session was interrupted" message when opening the browser.

Here is the report from the OTL Fix:


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Sbocigego deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchSettings deleted successfully.
C:\Program Files\Search Settings\SearchSettings.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{077f5dea-8b66-11de-be21-00225f021dce}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{077f5dea-8b66-11de-be21-00225f021dce}\ not found.
File G:\Toshiba\more4you.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2236b612-a860-11de-be5b-001e334f75f7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2236b612-a860-11de-be5b-001e334f75f7}\ not found.
File E:\86.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2236b612-a860-11de-be5b-001e334f75f7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2236b612-a860-11de-be5b-001e334f75f7}\ not found.
File E:\86.exe not found.
C:\WINDOWS\Ogevamalanunevi.bin moved successfully.
C:\Documents and Settings\Owner\Application Data\Search Settings\kb127\temp folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Search Settings\kb127\res folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Search Settings\kb127 folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Search Settings folder moved successfully.
========== FILES ==========
C:\Program Files\Search Settings\kb127\temp folder moved successfully.
C:\Program Files\Search Settings\kb127\res folder moved successfully.
C:\Program Files\Search Settings\kb127 folder moved successfully.
C:\Program Files\Search Settings folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49152 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 1757969 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 381675205 bytes
->Temporary Internet Files folder emptied: 1173836964 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 53188519 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
Windows Temp folder emptied: 356051 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23443046 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1820107 bytes

Total Files Cleaned = 1561.63 mb


OTL by OldTimer - Version 3.1.10.1 log created on 11272009_185836

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...






Here is the OTL report:


OTL logfile created on: 27/11/2009 19:07:08 - Run 2
OTL by OldTimer - Version 3.1.10.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.89 Mb Total Physical Memory | 428.37 Mb Available Physical Memory | 42.25% Memory free
2.38 Gb Paging File | 1.78 Gb Available in Paging File | 74.80% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 85.42 Gb Free Space | 76.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-2D715D4B37
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/26 09:03:36 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/10/10 13:32:18 | 00,305,664 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2009/10/10 13:32:18 | 00,203,264 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2009/10/01 16:03:14 | 01,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/09/28 09:42:50 | 00,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/06 16:07:00 | 01,848,648 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/11/18 18:57:22 | 00,044,176 | ---- | M] (Panasonic Corporation) -- C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe
PRC - [2008/11/06 10:40:44 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/07/02 16:16:20 | 00,393,216 | ---- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
PRC - [2008/04/14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/04 11:12:04 | 00,360,448 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe
PRC - [2008/02/05 09:34:48 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2008/02/05 09:34:42 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/02/05 09:34:38 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/02/05 09:34:28 | 00,162,328 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2008/01/29 13:47:50 | 16,859,648 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2008/01/11 21:16:38 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2007/12/06 15:20:56 | 01,024,000 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/11/21 16:23:32 | 00,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2007/10/12 13:16:46 | 00,266,240 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2007/10/12 13:16:34 | 00,040,960 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2007/09/28 15:05:16 | 00,128,360 | ---- | M] (TOSHIBA CORPORATION) -- c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/07/10 08:24:10 | 00,581,632 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe
PRC - [2007/05/17 21:45:33 | 00,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2007/05/11 09:06:50 | 00,143,360 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2007/04/26 10:49:34 | 00,495,616 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
PRC - [2007/04/10 21:46:52 | 00,709,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX1000.exe
PRC - [2007/04/10 07:45:20 | 00,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
PRC - [2006/12/23 18:05:20 | 00,143,360 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2006/12/23 18:04:42 | 00,905,216 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2006/12/23 17:54:04 | 00,262,144 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
PRC - [2006/12/14 17:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006/10/05 11:10:12 | 00,009,216 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2006/03/16 12:58:00 | 00,974,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2005/04/11 10:26:06 | 00,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2005/01/17 15:38:00 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2002/12/31 13:00:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


========== Modules (SafeList) ==========

MOD - [2009/11/26 09:03:36 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/14 00:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 00:12:00 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mslbui.dll
MOD - [2008/04/14 00:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/01 16:03:14 | 01,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2009/09/28 09:42:50 | 00,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/11/06 10:40:44 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/14 00:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/11/21 16:23:32 | 00,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/09/28 15:05:16 | 00,128,360 | ---- | M] (TOSHIBA CORPORATION) -- c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/05/17 21:45:33 | 00,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2007/04/10 07:45:20 | 00,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2006/12/23 17:54:04 | 00,262,144 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2006/12/14 17:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/10/05 11:10:12 | 00,009,216 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2005/01/17 15:38:00 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2002/12/31 13:00:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)


========== Driver Services (SafeList) ==========

DRV - [2009/07/28 16:33:56 | 00,055,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 10:12:24 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:07 | 00,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 12:35:05 | 00,011,608 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/09/19 21:57:32 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/13 18:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 16:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/30 09:28:36 | 04,725,760 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/15 07:54:57 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/01/03 20:10:16 | 00,105,856 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/12/26 08:20:18 | 00,288,000 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2007/12/10 13:22:22 | 00,110,120 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s3017unic.sys -- (s3017unic) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM)
DRV - [2007/12/10 13:22:22 | 00,100,648 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s3017obex.sys -- (s3017obex)
DRV - [2007/12/10 13:22:20 | 00,104,616 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s3017mgmt.sys -- (s3017mgmt) Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM)
DRV - [2007/12/10 13:22:20 | 00,025,512 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s3017nd5.sys -- (s3017nd5) Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS)
DRV - [2007/12/10 13:22:18 | 00,110,632 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s3017mdm.sys -- (s3017mdm)
DRV - [2007/12/10 13:22:18 | 00,015,016 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s3017mdfl.sys -- (s3017mdfl)
DRV - [2007/12/10 13:22:14 | 00,083,880 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s3017bus.sys -- (s3017bus) Sony Ericsson Device 3017 driver (WDM)
DRV - [2007/12/06 15:41:42 | 00,220,032 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/02 10:43:22 | 00,064,128 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/09/29 22:03:12 | 00,308,248 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/05/25 09:27:04 | 05,761,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/04/10 21:46:53 | 01,966,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
DRV - [2007/04/04 07:56:48 | 00,005,888 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2007/03/26 11:22:18 | 00,105,856 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\drivers\tdudf.sys -- (tdudf)
DRV - [2007/03/21 21:02:04 | 00,037,376 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/02/24 13:42:22 | 00,039,936 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/02/19 11:15:32 | 00,134,016 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\drivers\trudf.sys -- (trudf)
DRV - [2007/01/23 15:40:20 | 00,042,496 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/28 14:11:00 | 01,161,888 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/10/18 10:50:04 | 00,016,128 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\system32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/10 18:33:00 | 00,041,600 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/02/23 13:58:56 | 00,011,776 | ---- | M] (Arcsoft, Inc.) -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2003/01/29 13:35:00 | 00,012,032 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2001/08/23 19:00:00 | 00,022,400 | ---- | M] () -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.plymouth.ac.uk/
IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\S-1-5-21-2286749949-960611568-3193331992-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "search"
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.11.1
FF - prefs.js..extensions.enabledItems: illimitux@illimitux.net:3.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.2.2
FF - prefs.js..extensions.enabledItems: {9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}:1.9.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5
FF - prefs.js..network.proxy.autoconfig_url: "http://www.abdn.ac.uk/local/autoproxy.php"
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/11/06 10:40:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 10:08:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}: C:\Documents and Settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA} [2009/11/18 22:34:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/18 15:26:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/18 15:26:15 | 00,000,000 | ---D | M]

[2008/11/07 17:11:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2008/11/07 17:11:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/25 22:41:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions
[2009/09/01 10:20:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/26 20:05:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\illimitux@illimitux.net
[2009/09/11 09:09:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\personas@christopher.beard
[2009/09/11 09:09:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com
[2008/12/04 16:30:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\translator@dontfollowme.net
[2009/11/25 22:41:05 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/18 15:26:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/26 19:10:59 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2008/11/06 10:40:55 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
[2009/11/18 15:26:08 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/18 15:26:08 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/05/01 21:02:48 | 01,044,480 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\Mozilla Firefox\plugins\libdivx.dll
[2008/11/06 10:40:44 | 00,410,976 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/05/12 18:46:20 | 01,650,992 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2009/05/18 22:41:32 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2009/11/18 15:26:10 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 19:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009/08/03 14:07:42 | 00,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/07/05 21:42:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/05/01 21:02:48 | 00,200,704 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\Mozilla Firefox\plugins\ssldivx.dll
[2009/09/01 10:20:36 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/09/01 10:20:36 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/09/01 10:20:36 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/09/01 10:20:36 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/09/01 10:20:36 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/11/18 22:29:50 | 00,001,210 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\search.xml
[2009/09/01 10:20:36 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/09/01 10:20:36 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (353871 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12136 more lines...
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\..\Toolbar\WebBrowser: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe ()
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - HKLM..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (TOSHIBA)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)
O4 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk = C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe (Panasonic Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2286749949-960611568-3193331992-1005\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 141.163.246.9 141.163.201.180 141.163.201.236 141.163.201.235 141.163.66.70
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (hmmmgfdll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\brastk.exe: Debugger - svchost.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/07 08:55:16 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{436d064e-bd86-11dd-bc70-00225f021dce}\Shell - "" = AutoRun
O33 - MountPoints2\{436d064e-bd86-11dd-bc70-00225f021dce}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{436d064e-bd86-11dd-bc70-00225f021dce}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{bcb089e5-5692-11de-bdc9-00225f021dce}\Shell\AutoRun\command - "" = E:\Toshiba\more4you.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/07 09:47:19 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (68401979868577792)

========== Files/Folders - Created Within 30 Days ==========

[2009/11/27 18:58:36 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/11/26 09:16:51 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/11/26 09:03:28 | 00,531,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/25 16:04:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\.spss
[2009/11/25 16:02:04 | 00,000,000 | ---D | C] -- C:\KAV
[2009/11/25 15:59:49 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Data Dynamics
[2009/11/25 15:57:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\SafeNet Sentinel
[2009/11/25 15:56:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
[2009/11/25 15:52:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SPSS
[2009/11/25 15:52:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\SPSS
[2009/11/25 15:51:58 | 00,000,000 | ---D | C] -- C:\Program Files\SPSSInc
[2009/11/24 15:47:00 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/23 18:09:54 | 00,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2009/11/22 14:49:44 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2009/11/22 11:09:11 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/22 11:09:09 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/22 11:09:09 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/21 16:48:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Evo Psych
[2009/11/21 16:21:30 | 00,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2009/11/21 16:21:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\a-squared Free
[2009/11/21 15:15:50 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/11/21 15:15:50 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/11/21 15:15:50 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/11/21 15:15:50 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/11/21 15:15:50 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/11/21 15:15:46 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/11/21 15:15:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/11/18 23:13:09 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2009/11/18 22:34:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}
[2009/11/18 22:29:25 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\92d9089
[2009/11/18 19:48:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Research Assmessment 2
[2009/11/18 16:51:36 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\CANON
[2009/11/18 16:47:44 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/11/18 16:47:39 | 00,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbprint.sys
[2009/11/18 16:47:39 | 00,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbprint.sys
[2009/11/18 16:47:32 | 00,230,912 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNMLM9I.DLL
[2009/11/18 16:47:29 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\CanonIJ Uninstaller Information
[2009/11/18 16:47:11 | 00,200,704 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC190L.DLL
[2009/11/18 16:47:11 | 00,188,416 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\CNC190O.DLL
[2009/11/18 16:47:10 | 00,098,304 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC190I.DLL
[2009/11/18 16:47:09 | 01,323,008 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC190C.DLL
[2009/11/18 16:46:47 | 00,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2009/11/18 16:45:47 | 00,000,000 | ---D | C] -- C:\Program Files\Canon
[2009/11/14 13:54:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\IPA
[2009/11/14 12:59:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Environmental Psych
[2009/05/24 17:45:08 | 00,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[2008/05/07 09:50:52 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll

========== Files - Modified Within 30 Days ==========

[2010/03/19 18:03:36 | 02,916,478 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\WS_30003.WMA
[2009/11/27 19:05:21 | 03,577,870 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2009/11/27 19:03:15 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/27 19:02:55 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/11/27 19:02:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/27 19:02:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/27 19:02:50 | 10,632,11008 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/27 19:01:40 | 12,845,056 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2009/11/27 19:01:40 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/11/27 17:24:28 | 00,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/11/26 20:05:24 | 00,000,102 | ---- | M] () -- C:\Documents and Settings\Owner\default.pls
[2009/11/26 20:05:17 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/26 09:16:56 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/11/26 09:16:54 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/11/26 09:03:36 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/26 00:02:31 | 00,332,280 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/25 16:00:13 | 00,000,114 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.tgz
[2009/11/25 16:00:13 | 00,000,100 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.dll
[2009/11/25 16:00:13 | 00,000,014 | ---- | M] () -- C:\WINDOWS\System32\ssprs.tgz
[2009/11/25 16:00:04 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\clauth2.dll
[2009/11/25 16:00:04 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\clauth1.dll
[2009/11/25 16:00:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\ssprs.dll
[2009/11/25 16:00:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\nsprs.tgz
[2009/11/25 16:00:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\nsprs.dll
[2009/11/25 15:59:07 | 00,000,219 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.tgz
[2009/11/25 15:59:07 | 00,000,205 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.dll
[2009/11/25 15:59:07 | 00,000,016 | -H-- | M] () -- C:\WINDOWS\System32\servdat.slm
[2009/11/25 15:58:40 | 00,000,000 | ---- | M] () -- C:\law.sp
[2009/11/25 15:56:39 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\grcauth2.dll
[2009/11/25 15:56:39 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\grcauth1.dll
[2009/11/25 15:51:42 | 00,001,025 | ---- | M] () -- C:\WINDOWS\System32\sysprs7.tgz
[2009/11/25 15:51:42 | 00,001,025 | ---- | M] () -- C:\WINDOWS\System32\sysprs7.dll
[2009/11/24 21:09:16 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/24 15:47:00 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/11/22 19:07:55 | 00,016,272 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MSc_Psychology_Deadlines[1].docx
[2009/11/22 16:54:54 | 00,019,654 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Interview brief and debrief edit..docx
[2009/11/22 16:52:37 | 00,021,297 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Interpretative Phenomenological Analysis Assignment 2.docx
[2009/11/22 14:49:48 | 00,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2009/11/22 12:06:24 | 00,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/11/22 11:09:14 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/21 16:21:49 | 00,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2009/11/21 16:13:07 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/21 15:16:04 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/11/20 23:10:38 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Szoje.dat
[2009/11/20 20:39:11 | 00,000,090 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/11/20 20:39:10 | 00,353,871 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/20 20:39:09 | 00,353,910 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091120-203910.backup
[2009/11/19 18:46:52 | 00,010,367 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Literature Review.docx
[2009/11/18 22:30:49 | 00,354,181 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091120-203909.backup
[2009/11/18 16:27:15 | 00,003,583 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ptsd data.sav
[2009/11/12 17:06:50 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/12 15:44:05 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$mmary table for IPA.docx
[2009/11/12 15:42:40 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\~$A Theme.docx
[2009/11/07 10:36:35 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/11/05 17:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/05 14:37:20 | 00,090,112 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Coursework Cover-Sheet final.doc
[2009/10/31 18:52:34 | 00,051,460 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DSC01610.jpg

========== Files Created - No Company Name ==========

[2009/11/27 19:05:16 | 03,577,870 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2009/11/26 09:16:56 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/11/25 16:00:04 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2009/11/25 16:00:04 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2009/11/25 16:00:04 | 00,000,014 | ---- | C] () -- C:\WINDOWS\System32\ssprs.tgz
[2009/11/25 16:00:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2009/11/25 16:00:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.tgz
[2009/11/25 16:00:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
[2009/11/25 15:58:40 | 00,000,000 | ---- | C] () -- C:\law.sp
[2009/11/25 15:56:39 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2009/11/25 15:56:39 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2009/11/25 15:56:39 | 00,000,114 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.tgz
[2009/11/25 15:56:38 | 00,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2009/11/25 15:51:42 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.tgz
[2009/11/25 15:51:42 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2009/11/25 15:51:42 | 00,000,219 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.tgz
[2009/11/25 15:51:42 | 00,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2009/11/25 15:51:42 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\servdat.slm
[2009/11/24 21:09:13 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/11/24 15:47:00 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/11/22 19:07:54 | 00,016,272 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MSc_Psychology_Deadlines[1].docx
[2009/11/22 16:54:53 | 00,019,654 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Interview brief and debrief edit..docx
[2009/11/22 16:52:36 | 00,021,297 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Interpretative Phenomenological Analysis Assignment 2.docx
[2009/11/22 14:49:48 | 00,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2009/11/22 11:09:14 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/21 16:21:49 | 00,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2009/11/21 15:16:04 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/11/20 20:39:11 | 00,000,090 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/11/19 18:46:52 | 00,010,367 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Literature Review.docx
[2009/11/18 22:34:32 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Szoje.dat
[2009/11/18 16:27:15 | 00,003,583 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ptsd data.sav
[2009/11/12 15:44:05 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$mmary table for IPA.docx
[2009/11/12 15:42:40 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\~$A Theme.docx
[2009/11/05 14:37:19 | 00,090,112 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Coursework Cover-Sheet final.doc
[2009/10/31 18:52:33 | 00,051,460 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\DSC01610.jpg
[2009/09/26 12:27:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PhEdit.INI
[2009/08/26 20:45:58 | 00,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/05 21:31:02 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/05/24 17:45:08 | 00,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2009/05/14 12:41:15 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/11/12 20:00:02 | 00,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/11/09 15:44:17 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/07 17:50:38 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/06 10:39:07 | 00,000,478 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/06 10:29:57 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Owner\Application Data\desktop.ini
[2008/11/06 10:29:56 | 00,083,392 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/06 10:29:56 | 00,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2008/11/06 10:28:41 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2008/11/06 10:28:41 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2008/11/06 10:28:41 | 00,010,150 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2008/11/06 10:28:41 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2008/09/19 21:57:34 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/05/07 10:48:50 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/07 10:20:39 | 00,000,563 | ---- | C] () -- C:\WINDOWS\TBTdetect.ini
[2008/05/07 09:55:33 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/05/07 09:55:33 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/05/07 09:55:33 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/05/07 09:55:33 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/05/07 09:55:33 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/05/07 09:55:33 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/05/07 09:54:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2008/05/07 09:51:00 | 00,521,268 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/05/07 09:51:00 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/05/07 09:50:52 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2008/05/07 09:50:51 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/05/07 09:49:15 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2008/05/07 09:42:09 | 00,910,464 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/05/07 09:42:09 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4833.dll
[2008/05/07 09:14:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll
[2008/05/07 09:11:59 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2008/05/07 09:11:20 | 00,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/05/07 08:55:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2008/05/07 08:53:33 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2008/05/07 08:53:33 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2008/05/07 08:53:19 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2008/05/07 08:53:18 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2008/05/07 07:46:38 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2008/05/07 07:46:38 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2008/05/07 07:46:34 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2008/05/07 07:46:34 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/05/07 07:46:33 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2008/05/07 07:46:33 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2008/05/07 07:46:33 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/05/07 07:46:31 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2008/05/07 07:46:31 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2008/05/07 07:46:31 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2008/05/07 07:46:31 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2008/05/07 07:46:30 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2008/05/07 07:46:30 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2008/05/07 07:46:30 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2008/05/07 07:46:30 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2008/05/07 07:46:30 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2008/05/07 07:46:30 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2008/05/07 07:46:30 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2008/05/07 07:46:30 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2008/05/07 07:46:30 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2008/05/07 07:46:30 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2008/05/07 07:46:30 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2008/05/07 07:46:30 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2008/05/07 07:46:30 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2008/05/07 07:46:30 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2008/05/07 07:46:30 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2008/05/07 07:46:30 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2008/05/07 07:46:30 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2008/05/07 07:46:30 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2008/05/07 07:46:30 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2008/05/07 07:46:30 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2008/05/07 07:46:30 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2008/05/07 07:46:30 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2008/05/07 07:46:29 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2008/05/07 07:46:29 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2008/05/07 07:46:29 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2008/05/07 07:46:29 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2008/05/07 07:46:29 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2008/05/07 07:46:29 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2008/05/07 07:46:29 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2008/05/07 07:46:28 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2008/05/07 07:46:26 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2008/05/07 07:46:26 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2008/05/07 07:46:26 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2008/05/07 07:46:25 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2008/05/07 07:46:25 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2008/05/07 07:46:25 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2008/05/07 07:46:25 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2008/05/07 07:46:25 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2008/05/07 07:46:25 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2007/12/21 15:46:32 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2005/07/22 20:30:18 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2002/12/31 13:00:00 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 19:00:00 | 00,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[2001/08/17 22:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2008/01/15 07:36:38 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2008/01/15 07:56:51 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2008/01/15 07:50:53 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
[2007/09/29 22:03:12 | 00,308,248 | ---- | M] (Intel Corporation) MD5=E5A0034847537EAEE3C00349D5C34C5F -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/09/29 22:03:32 | 00,384,024 | ---- | M] (Intel Corporation) MD5=16A4671255CFB842225F0FDB6DBDB414 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2008/01/15 15:48:32 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\OemDir\iaStor.sys
[2007/09/29 22:03:12 | 00,308,248 | ---- | M] (Intel Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2008/01/15 15:48:32 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\iaStor.sys

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/01/15 07:59:13 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >



Here is the ComboFix report:


ComboFix 09-11-26.02 - Owner 27/11/2009 21:40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.518 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\prsgrc.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-27 18:58 . 2009-11-27 18:58 -------- d-----w- C:\_OTL
2009-11-25 16:04 . 2009-11-25 16:04 -------- d-----w- c:\documents and settings\Owner\.spss
2009-11-25 16:02 . 2009-11-25 16:02 -------- d-----w- C:\KAV
2009-11-25 16:00 . 2009-11-25 16:00 1024 ----a-w- c:\windows\system32\clauth2.dll
2009-11-25 16:00 . 2009-11-25 16:00 1024 ----a-w- c:\windows\system32\clauth1.dll
2009-11-25 15:59 . 2009-11-25 15:59 -------- d-----w- c:\program files\Common Files\Data Dynamics
2009-11-25 15:52 . 2009-11-25 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2009-11-25 15:52 . 2009-11-25 15:52 -------- d-----w- c:\program files\Common Files\SPSS
2009-11-25 15:51 . 2009-11-25 15:59 -------- d-----w- c:\program files\SPSSInc
2009-11-25 15:51 . 2009-11-25 15:51 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-11-24 15:47 . 2009-11-24 15:47 -------- d-----w- c:\program files\Trend Micro
2009-11-23 18:09 . 2008-04-13 19:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-22 14:49 . 2009-11-22 14:49 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-22 11:09 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 11:09 . 2009-11-22 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 11:09 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 16:21 . 2009-11-26 15:09 -------- d-----w- c:\program files\a-squared Free
2009-11-21 15:15 . 2009-07-28 16:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:15 . 2009-03-30 10:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-21 15:15 . 2009-02-13 12:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-21 15:15 . 2009-02-13 12:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-21 15:15 . 2009-11-21 15:15 -------- d-----w- c:\program files\Avira
2009-11-21 15:15 . 2009-11-21 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-18 23:09 . 2009-11-18 23:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-18 22:34 . 2009-11-20 23:10 120 ----a-w- c:\windows\Szoje.dat
2009-11-18 22:34 . 2009-11-18 22:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}
2009-11-18 22:29 . 2009-11-18 15:26 457688 ----a-w- c:\documents and settings\All Users\Application Data\92d9089\sqlite3.dll
2009-11-18 22:29 . 2009-11-18 15:26 722392 ----a-w- c:\documents and settings\All Users\Application Data\92d9089\mozcrt19.dll
2009-11-18 22:29 . 2009-11-18 22:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\92d9089
2009-11-18 22:29 . 2009-11-18 22:29 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-18 16:51 . 2009-11-18 16:51 -------- d-----w- c:\program files\Common Files\CANON
2009-11-18 16:47 . 2009-11-18 16:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-11-18 16:47 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-11-18 16:47 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-18 16:47 . 2008-02-25 20:00 230912 ----a-w- c:\windows\system32\CNMLM9I.DLL
2009-11-18 16:47 . 2009-11-18 16:47 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-11-18 16:47 . 2008-02-08 06:38 200704 ----a-w- c:\windows\system32\CNC190L.DLL
2009-11-18 16:47 . 2007-03-15 05:12 188416 ----a-w- c:\windows\system32\CNC190O.DLL
2009-11-18 16:47 . 2007-11-09 02:58 98304 ----a-w- c:\windows\system32\CNC190I.DLL
2009-11-18 16:47 . 2007-11-09 02:59 1323008 ----a-w- c:\windows\system32\CNC190C.DLL
2009-11-18 16:46 . 2009-11-18 16:46 -------- d--h--w- c:\program files\CanonBJ
2009-11-18 16:45 . 2009-11-18 16:53 -------- d-----w- c:\program files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 18:57 . 2009-08-26 19:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-27 17:24 . 2009-08-26 19:15 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-26 19:43 . 2009-01-09 00:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-26 19:40 . 2008-11-06 10:33 -------- d-----w- c:\program files\SpywareBlaster
2009-11-25 16:36 . 2008-05-07 09:00 85128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 16:15 . 2008-11-06 10:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 16:15 . 2008-11-06 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-12 17:05 . 2008-05-07 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-28 19:00 . 2008-05-07 09:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-18 19:58 . 2009-09-20 13:28 -------- d-----w- c:\program files\Google
2009-10-12 21:21 . 2008-11-06 10:36 -------- d-----w- c:\program files\Microsoft Works
2009-10-05 20:49 . 2009-01-15 18:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Audacity
2009-09-30 11:25 . 2009-09-30 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-30 11:25 . 2009-09-30 11:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Office Genuine Advantage
2009-09-11 14:18 . 2008-05-07 07:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-05-07 07:46 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-03-04 360448]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1848648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-01-29 16859648]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2007-10-12 266240]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-7-5 44176]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/11/2009 15:15 108289]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 11:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 11:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [07/05/2008 09:50 5888]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [07/05/2008 09:50 288000]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [21/12/2008 00:22 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [21/12/2008 00:22 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [21/12/2008 00:22 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [21/12/2008 00:22 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [21/12/2008 00:22 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [21/12/2008 00:22 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [21/12/2008 00:22 110120]
.
Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plymouth.ac.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA} - c:\documents and settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini uinstrsc.dll
AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini
AddRemove-Easy-PhotoPrint EX - c:\program files\Canon\Easy-PhotoPrint EX\uninst.exe Uninst.ini uinstrsc.dll
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 21:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F07170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7654f28
\Driver\ACPI -> ACPI.sys @ 0xf74c7cb8
\Driver\atapi -> atapi.sys @ 0xf7459852
\Driver\iaStor -> iaStor.sys @ 0xf73c6002
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf728abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7297a21
SendHandler -> NDIS.sys @ 0xf727587b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-27 21:56
ComboFix-quarantined-files.txt 2009-11-27 21:56

Pre-Run: 91,489,267,712 bytes free
Post-Run: 91,541,307,392 bytes free

- - End Of File - - 3071CEC710BAF2245EDC17EF71764DF8

Edited by sanscosm, 27 November 2009 - 06:36 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:19 PM

Posted 28 November 2009 - 10:26 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

FCopy::
C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Let me know how your computer is behaving after running Combofix.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 sanscosm

sanscosm
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:10:19 PM

Posted 28 November 2009 - 12:21 PM

There seems to be no change in how my computer is behaving. It is running very slow, especially explorer. The random pop-ups are still appearing and quite frequently. When the invisible pop-ups, the ones with the music but no window, open there also seem to be more iexplorer.exe processes going on. Is there a difference between iexplorer.exe and explorer.exe? Thank you :(


ComboFix 09-11-27.07 - Owner 28/11/2009 16:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.602 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\ReinstallBackups\0016\DriverFiles\iaStor.sys --> c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-28 11:09 . 2009-11-28 11:09 57344 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL
2009-11-28 11:09 . 2009-11-28 11:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SP
2009-11-27 18:58 . 2009-11-27 18:58 -------- d-----w- C:\_OTL
2009-11-25 16:04 . 2009-11-25 16:04 -------- d-----w- c:\documents and settings\Owner\.spss
2009-11-25 16:02 . 2009-11-25 16:02 -------- d-----w- C:\KAV
2009-11-25 16:00 . 2009-11-25 16:00 1024 ----a-w- c:\windows\system32\clauth2.dll
2009-11-25 16:00 . 2009-11-25 16:00 1024 ----a-w- c:\windows\system32\clauth1.dll
2009-11-25 15:59 . 2009-11-25 15:59 -------- d-----w- c:\program files\Common Files\Data Dynamics
2009-11-25 15:52 . 2009-11-25 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2009-11-25 15:52 . 2009-11-25 15:52 -------- d-----w- c:\program files\Common Files\SPSS
2009-11-25 15:51 . 2009-11-25 15:59 -------- d-----w- c:\program files\SPSSInc
2009-11-25 15:51 . 2009-11-25 15:51 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-11-24 15:47 . 2009-11-24 15:47 -------- d-----w- c:\program files\Trend Micro
2009-11-23 18:09 . 2008-04-13 19:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-22 14:49 . 2009-11-22 14:49 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-22 11:09 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 11:09 . 2009-11-22 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 11:09 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 16:21 . 2009-11-28 15:05 -------- d-----w- c:\program files\a-squared Free
2009-11-21 15:15 . 2009-07-28 16:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:15 . 2009-03-30 10:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-21 15:15 . 2009-02-13 12:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-21 15:15 . 2009-02-13 12:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-21 15:15 . 2009-11-21 15:15 -------- d-----w- c:\program files\Avira
2009-11-21 15:15 . 2009-11-21 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-18 23:09 . 2009-11-18 23:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-18 22:34 . 2009-11-20 23:10 120 ----a-w- c:\windows\Szoje.dat
2009-11-18 22:34 . 2009-11-18 22:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}
2009-11-18 22:29 . 2009-11-18 15:26 457688 ----a-w- c:\documents and settings\All Users\Application Data\92d9089\sqlite3.dll
2009-11-18 22:29 . 2009-11-18 15:26 722392 ----a-w- c:\documents and settings\All Users\Application Data\92d9089\mozcrt19.dll
2009-11-18 22:29 . 2009-11-18 22:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\92d9089
2009-11-18 22:29 . 2009-11-18 22:29 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-18 16:51 . 2009-11-18 16:51 -------- d-----w- c:\program files\Common Files\CANON
2009-11-18 16:47 . 2009-11-18 16:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-11-18 16:47 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-11-18 16:47 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-18 16:47 . 2008-02-25 20:00 230912 ----a-w- c:\windows\system32\CNMLM9I.DLL
2009-11-18 16:47 . 2009-11-18 16:47 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-11-18 16:47 . 2008-02-08 06:38 200704 ----a-w- c:\windows\system32\CNC190L.DLL
2009-11-18 16:47 . 2007-03-15 05:12 188416 ----a-w- c:\windows\system32\CNC190O.DLL
2009-11-18 16:47 . 2007-11-09 02:58 98304 ----a-w- c:\windows\system32\CNC190I.DLL
2009-11-18 16:47 . 2007-11-09 02:59 1323008 ----a-w- c:\windows\system32\CNC190C.DLL
2009-11-18 16:46 . 2009-11-18 16:46 -------- d--h--w- c:\program files\CanonBJ
2009-11-18 16:45 . 2009-11-18 16:53 -------- d-----w- c:\program files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 18:57 . 2009-08-26 19:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-27 17:24 . 2009-08-26 19:15 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-26 19:43 . 2009-01-09 00:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-26 19:40 . 2008-11-06 10:33 -------- d-----w- c:\program files\SpywareBlaster
2009-11-25 16:36 . 2008-05-07 09:00 85128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 16:15 . 2008-11-06 10:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 16:15 . 2008-11-06 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-12 17:05 . 2008-05-07 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-28 19:00 . 2008-05-07 09:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-18 19:58 . 2009-09-20 13:28 -------- d-----w- c:\program files\Google
2009-10-12 21:21 . 2008-11-06 10:36 -------- d-----w- c:\program files\Microsoft Works
2009-10-05 20:49 . 2009-01-15 18:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Audacity
2009-09-30 11:25 . 2009-09-30 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-30 11:25 . 2009-09-30 11:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Office Genuine Advantage
2009-09-11 14:18 . 2008-05-07 07:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-05-07 07:46 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-27_21.52.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-28 11:00 . 2009-11-28 11:00 16384 c:\windows\Temp\Perflib_Perfdata_b00.dat
- 2009-11-27 19:07 . 2009-11-27 21:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-27 19:07 . 2009-11-28 10:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-06 10:14 . 2009-11-28 10:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-06 10:14 . 2009-11-27 21:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-18 23:09 . 2009-11-28 10:59 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-18 23:09 . 2009-11-27 21:35 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2008-11-06 10:14 . 2009-11-27 21:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-06 10:14 . 2009-11-28 10:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-03-04 360448]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1848648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-01-29 16859648]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2007-10-12 266240]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-7-5 44176]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/11/2009 15:15 108289]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 11:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 11:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [07/05/2008 09:50 5888]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [07/05/2008 09:50 288000]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [21/12/2008 00:22 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [21/12/2008 00:22 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [21/12/2008 00:22 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [21/12/2008 00:22 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [21/12/2008 00:22 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [21/12/2008 00:22 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [21/12/2008 00:22 110120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plymouth.ac.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA} - c:\documents and settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 16:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F3C170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7654f28
\Driver\ACPI -> ACPI.sys @ 0xf74c7cb8
\Driver\atapi -> atapi.sys @ 0xf7459852
\Driver\iaStor -> iaStor.sys @ 0xf73c6002
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf728abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7297a21
SendHandler -> NDIS.sys @ 0xf727587b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\igfxpph.dll
c:\windows\system32\hccutils.DLL
c:\windows\system32\igfxres.dll
c:\windows\system32\igfxress.dll
c:\windows\system32\igfxsrvc.dll
.
Completion time: 2009-11-28 16:58
ComboFix-quarantined-files.txt 2009-11-28 16:58
ComboFix2.txt 2009-11-28 16:03
ComboFix3.txt 2009-11-27 21:56

Pre-Run: 91,163,693,056 bytes free
Post-Run: 91,158,626,304 bytes free

- - End Of File - - BB6F1C4B67B6B6D2B52E911686093A27

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:19 PM

Posted 28 November 2009 - 08:54 PM

Yes, there is a difference. One of them is Windows Explorer and the other one is Internet Explorer.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Filelook::
C:\WINDOWS\OemDir\iaStor.sys
C:\WINDOWS\system32\drivers\iaStor.sys
C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\iaStor.sys
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
C:\WINDOWS\ServicePackFiles\i386\atapi.sys
C:\WINDOWS\system32\dllcache\atapi.sys
C:\WINDOWS\system32\drivers\atapi.sys
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================
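The Filelook:: directive above makes ComboFix report company, version, size, MD5 and SHA1 for each listed copy of a driver, and listing several copies of atapi.sys and iaStor.sys only makes sense if you then compare them. As an added example (not part of this thread and not ComboFix's own code), here is a Python script that parses such "Look" blocks and flags copies that claim the same File Version but carry a different MD5; the sample input is constructed in that layout, with one atapi.sys copy given a made-up hash to simulate a file altered in place.

```python
"""Parse ComboFix 'Look' (Filelook::) blocks and flag driver copies whose
hashes disagree. Added example for this thread; not ComboFix's own code."""
import re
from collections import defaultdict

# Constructed sample in the layout ComboFix prints for Filelook:: entries.
# The first two atapi.sys copies carry the hashes quoted in the thread; the
# system32\drivers copy is given a made-up MD5/SHA1 (same size, same version)
# to simulate a driver that was modified in place.
SAMPLE_LOOK = r"""
--- c:\windows\ServicePackFiles\i386\atapi.sys ---
Company: Microsoft Corporation
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Original Filename: atapi.sys
File size: 96512
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
SHA1: A719156E8AD67456556A02C34E762944234E7A44

--- c:\windows\system32\dllcache\atapi.sys ---
Company: Microsoft Corporation
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Original Filename: atapi.sys
File size: 96512
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
SHA1: A719156E8AD67456556A02C34E762944234E7A44

--- c:\windows\system32\drivers\atapi.sys ---
Company: Microsoft Corporation
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Original Filename: atapi.sys
File size: 96512
MD5: 00000000000000000000000000000001
SHA1: 0000000000000000000000000000000000000001

--- c:\windows\system32\drivers\iaStor.sys ---
Company: Intel Corporation
File Version: 7.5.0.1017
Original Filename: iaStor.sys
File size: 304920
MD5: 997E8F5939F2D12CD9F2E6B395724C16
SHA1: 31901F9CED1659E73D001EF9B729D7ED4E110797
"""

HEADER_RE = re.compile(r"^--- (.+?) ---$")


def parse_look(text):
    """Return one dict per '--- path ---' block, keyed by the report's labels."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = {"path": header.group(1)}
            entries.append(current)
            continue
        if current is None or ": " not in line:
            continue  # blank lines and anything outside a block
        key, value = line.split(": ", 1)
        current[key] = value
    return entries


def find_mismatches(entries):
    """Group copies by (Original Filename, File Version). Where copies that
    claim the same version carry different MD5s, report the minority hash's
    paths as suspect and the majority hash as the reference."""
    groups = defaultdict(list)
    for entry in entries:
        key = (entry.get("Original Filename", "").lower(),
               entry.get("File Version", ""))
        groups[key].append(entry)

    findings = []
    for (filename, version), copies in sorted(groups.items()):
        by_md5 = defaultdict(list)
        for copy in copies:
            by_md5[copy.get("MD5", "")].append(copy["path"])
        if len(by_md5) < 2:
            continue  # all copies agree, or only one copy was listed
        reference = max(by_md5, key=lambda h: len(by_md5[h]))
        suspects = [p for h, paths in by_md5.items() if h != reference
                    for p in paths]
        findings.append({
            "filename": filename,
            "version": version,
            "reference_md5": reference,
            "suspect_paths": sorted(suspects),
        })
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(parse_look(SAMPLE_LOOK)):
        print(f"{finding['filename']} {finding['version']}: "
              f"reference MD5 {finding['reference_md5']}")
        for path in finding["suspect_paths"]:
            print(f"  hash differs: {path}")
```

A copy that disagrees with its siblings is only a lead, not proof; the next step is to check the odd copy's hash against a known-good source before replacing anything.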

#9 sanscosm

sanscosm
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:10:19 PM

Posted 29 November 2009 - 07:54 AM

Here is the latest ComboFix report:


ComboFix 09-11-28.03 - Owner 29/11/2009 12:42.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.669 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-28 11:09 . 2009-11-28 11:09 57344 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL
2009-11-28 11:09 . 2009-11-28 11:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SP
2009-11-27 18:58 . 2009-11-27 18:58 -------- d-----w- C:\_OTL
2009-11-25 16:04 . 2009-11-25 16:04 -------- d-----w- c:\documents and settings\Owner\.spss
2009-11-25 16:02 . 2009-11-25 16:02 -------- d-----w- C:\KAV
2009-11-25 16:00 . 2009-11-25 16:00 1024 ----a-w- c:\windows\system32\clauth2.dll
2009-11-25 16:00 . 2009-11-25 16:00 1024 ----a-w- c:\windows\system32\clauth1.dll
2009-11-25 15:59 . 2009-11-25 15:59 -------- d-----w- c:\program files\Common Files\Data Dynamics
2009-11-25 15:52 . 2009-11-25 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2009-11-25 15:52 . 2009-11-25 15:52 -------- d-----w- c:\program files\Common Files\SPSS
2009-11-25 15:51 . 2009-11-25 15:59 -------- d-----w- c:\program files\SPSSInc
2009-11-25 15:51 . 2009-11-25 15:51 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-11-24 15:47 . 2009-11-24 15:47 -------- d-----w- c:\program files\Trend Micro
2009-11-23 18:09 . 2008-04-13 19:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-22 14:49 . 2009-11-22 14:49 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-22 11:09 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 11:09 . 2009-11-22 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 11:09 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 16:21 . 2009-11-28 15:05 -------- d-----w- c:\program files\a-squared Free
2009-11-21 15:15 . 2009-07-28 16:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:15 . 2009-03-30 10:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-21 15:15 . 2009-02-13 12:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-21 15:15 . 2009-02-13 12:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-21 15:15 . 2009-11-21 15:15 -------- d-----w- c:\program files\Avira
2009-11-21 15:15 . 2009-11-21 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-18 23:09 . 2009-11-18 23:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-18 22:34 . 2009-11-20 23:10 120 ----a-w- c:\windows\Szoje.dat
2009-11-18 22:34 . 2009-11-18 22:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}
2009-11-18 22:29 . 2009-11-18 15:26 457688 ----a-w- c:\documents and settings\All Users\Application Data\92d9089\sqlite3.dll
2009-11-18 22:29 . 2009-11-18 15:26 722392 ----a-w- c:\documents and settings\All Users\Application Data\92d9089\mozcrt19.dll
2009-11-18 22:29 . 2009-11-18 22:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\92d9089
2009-11-18 22:29 . 2009-11-18 22:29 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-18 16:51 . 2009-11-18 16:51 -------- d-----w- c:\program files\Common Files\CANON
2009-11-18 16:47 . 2009-11-18 16:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-11-18 16:47 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-11-18 16:47 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-18 16:47 . 2008-02-25 20:00 230912 ----a-w- c:\windows\system32\CNMLM9I.DLL
2009-11-18 16:47 . 2009-11-18 16:47 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-11-18 16:47 . 2008-02-08 06:38 200704 ----a-w- c:\windows\system32\CNC190L.DLL
2009-11-18 16:47 . 2007-03-15 05:12 188416 ----a-w- c:\windows\system32\CNC190O.DLL
2009-11-18 16:47 . 2007-11-09 02:58 98304 ----a-w- c:\windows\system32\CNC190I.DLL
2009-11-18 16:47 . 2007-11-09 02:59 1323008 ----a-w- c:\windows\system32\CNC190C.DLL
2009-11-18 16:46 . 2009-11-18 16:46 -------- d--h--w- c:\program files\CanonBJ
2009-11-18 16:45 . 2009-11-18 16:53 -------- d-----w- c:\program files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 18:57 . 2009-08-26 19:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-27 17:24 . 2009-08-26 19:15 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-26 19:43 . 2009-01-09 00:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-26 19:40 . 2008-11-06 10:33 -------- d-----w- c:\program files\SpywareBlaster
2009-11-25 16:36 . 2008-05-07 09:00 85128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 16:15 . 2008-11-06 10:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 16:15 . 2008-11-06 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-12 17:05 . 2008-05-07 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-28 19:00 . 2008-05-07 09:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-18 19:58 . 2009-09-20 13:28 -------- d-----w- c:\program files\Google
2009-10-12 21:21 . 2008-11-06 10:36 -------- d-----w- c:\program files\Microsoft Works
2009-10-05 20:49 . 2009-01-15 18:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Audacity
2009-09-11 14:18 . 2008-05-07 07:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-05-07 07:46 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\$NtServicePackUninstall$\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 95360
Created time: 2009-05-19 16:29
Modified time: 2004-08-03 21:59
MD5: CDFE4411A69C224BD1D11B2DA92DAC51
SHA1: A42FBFEB5A4D94118B483D7F18113AA8C329A052


--- c:\windows\OemDir\iaStor.sys ---
Company: Intel Corporation
File Description: Intel Matrix Storage Manager driver - ia32
File Version: 7.5.0.1017
Product Name: Intel Matrix Storage Manager driver
Copyright: Copyright© Intel Corporation 1994-2007
Original Filename: iaStor.sys
File size: 304920
Created time: 2008-05-07 07:46
Modified time: 2008-01-15 15:48
MD5: 997E8F5939F2D12CD9F2E6B395724C16
SHA1: 31901F9CED1659E73D001EF9B729D7ED4E110797


--- c:\windows\ServicePackFiles\i386\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 96512
Created time: 2008-04-13 18:40
Modified time: 2008-04-13 18:40
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
SHA1: A719156E8AD67456556A02C34E762944234E7A44


--- c:\windows\system32\dllcache\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 96512
Created time: 2009-11-23 18:09
Modified time: 2008-04-13 19:40
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
SHA1: A719156E8AD67456556A02C34E762944234E7A44


--- c:\windows\system32\drivers\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 96512
Created time: 2004-08-03 22:59
Modified time: 2008-04-13 19:40
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
SHA1: A719156E8AD67456556A02C34E762944234E7A44


--- c:\windows\system32\drivers\iaStor.sys ---
Company: Intel Corporation
File Description: Intel Matrix Storage Manager driver - ia32
File Version: 7.5.0.1017
Product Name: Intel Matrix Storage Manager driver
Copyright: Copyright© Intel Corporation 1994-2007
Original Filename: iaStor.sys
File size: 304920
Created time: 2008-05-07 07:46
Modified time: 2008-01-15 15:48
MD5: 997E8F5939F2D12CD9F2E6B395724C16
SHA1: 31901F9CED1659E73D001EF9B729D7ED4E110797


--- c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 95360
Created time: 2008-05-07 09:40
Modified time: 2008-01-15 07:59
MD5: CDFE4411A69C224BD1D11B2DA92DAC51
SHA1: A42FBFEB5A4D94118B483D7F18113AA8C329A052


--- c:\windows\system32\ReinstallBackups\0016\DriverFiles\iaStor.sys ---
Company: Intel Corporation
File Description: Intel Matrix Storage Manager driver - ia32
File Version: 7.5.0.1017
Product Name: Intel Matrix Storage Manager driver
Copyright: Copyright© Intel Corporation 1994-2007
Original Filename: iaStor.sys
File size: 304920
Created time: 2008-05-07 09:47
Modified time: 2008-01-15 15:48
MD5: 997E8F5939F2D12CD9F2E6B395724C16
SHA1: 31901F9CED1659E73D001EF9B729D7ED4E110797


((((((((((((((((((((((((((((( SnapShot@2009-11-27_21.52.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-29 12:15 . 2009-11-29 12:15 16384 c:\windows\Temp\Perflib_Perfdata_8f0.dat
- 2009-11-27 19:07 . 2009-11-27 21:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-27 19:07 . 2009-11-28 10:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-06 10:14 . 2009-11-28 10:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-06 10:14 . 2009-11-27 21:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-18 23:09 . 2009-11-28 10:59 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-18 23:09 . 2009-11-27 21:35 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2008-11-06 10:14 . 2009-11-27 21:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-06 10:14 . 2009-11-28 10:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-07 07:46 . 2008-01-15 15:48 304920 c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-11-28 11:09 57344 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-03-04 360448]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1848648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-01-29 16859648]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2007-10-12 266240]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-7-5 44176]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16059:TCP"= 16059:TCP:spport
"26066:TCP"= 26066:TCP:spport

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [21/11/2009 16:21 1858144]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/11/2009 15:15 108289]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [07/05/2008 07:46 14336]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 11:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 11:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [07/05/2008 09:50 5888]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [07/05/2008 09:50 288000]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [21/12/2008 00:22 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [21/12/2008 00:22 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [21/12/2008 00:22 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [21/12/2008 00:22 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [21/12/2008 00:22 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [21/12/2008 00:22 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [21/12/2008 00:22 110120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService
.
Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plymouth.ac.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA} - c:\documents and settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3572)
c:\windows\system32\WININET.dll
c:\documents and settings\all users\application data\sp\sp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2009-11-29 12:52
ComboFix-quarantined-files.txt 2009-11-29 12:52
ComboFix2.txt 2009-11-28 16:58
ComboFix3.txt 2009-11-28 16:03
ComboFix4.txt 2009-11-27 21:56

Pre-Run: 90,628,038,656 bytes free
Post-Run: 91,085,647,872 bytes free

- - End Of File - - 1B66C221FE834D2E4D0A53AEBCD7E716
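The entries the helper goes on to remove are all visible in the "Reg Loading Points" part of this log: a shell icon overlay handler whose DLL sits under All Users\Application Data, a service hosted by svchost.exe in a group called netsvc (not the stock netsvcs), and two TCP ports opened to all networks under the label spport. The Python below is added here as an illustration and is not part of the original post or of ComboFix; it parses the text format ComboFix prints and flags exactly those three patterns. The list of stock svchost group names and the two trusted path roots are assumptions of the example, and the sample input is an excerpt of the log above.

```python
"""Flag suspicious persistence in a ComboFix 'Reg Loading Points' section.

Added example for this thread; it is not ComboFix's code. It understands the
text ComboFix prints: registry keys in [brackets], '@="{CLSID}"' defaults, file
lines of the form 'date time size attrs path', service lines 'R2 name;display;
image [date time size]' and firewall entries '"port:proto"= port:proto:label'.
"""
import re
from dataclasses import dataclass, field

# Assumption: svchost group names a stock Windows XP installation uses
# (compared case-insensitively). The log above shows 'netsvc', which is not
# the real 'netsvcs' group.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
    "imgsvc", "termsvcs", "httpfilter",
}
# Assumption: modules under these roots still need a hash/version check, but
# a shell extension anywhere else is loading from a user-writable location.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CLSID_RE = re.compile(r'^@="(?P<clsid>\{[0-9A-Fa-f-]+\})"$')
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<image>.+?)\s+\[[^\]]*\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>\S+)$')
SVCHOST_K_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.I)


@dataclass
class LoadingPoints:
    overlays: dict = field(default_factory=dict)    # CLSID -> {"name", "dll"}
    services: list = field(default_factory=list)    # (service name, image path)
    open_ports: list = field(default_factory=list)  # (port, proto, label)


@dataclass
class Finding:
    kind: str
    detail: str


def parse_loading_points(text: str) -> LoadingPoints:
    lp, key = LoadingPoints(), ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group("key").lower()           # registry key the following lines belong to
        elif "\\shelliconoverlayidentifiers\\" in key and (m := CLSID_RE.match(line)):
            lp.overlays[m.group("clsid").upper()] = {"name": key.rsplit("\\", 1)[1], "dll": None}
        elif key.startswith("hkey_classes_root\\clsid\\") and (m := FILE_RE.match(line)):
            clsid = key.rsplit("\\", 1)[1].upper()
            if clsid in lp.overlays:               # ComboFix lists the handler's file under its CLSID
                lp.overlays[clsid]["dll"] = m.group("path")
        elif m := SERVICE_RE.match(line):
            lp.services.append((m.group("name"), m.group("image")))
        elif m := PORT_RE.match(line):
            lp.open_ports.append((int(m.group("port")), m.group("proto"), m.group("label")))
    return lp


def triage(text: str) -> list:
    lp, findings = parse_loading_points(text), []
    for clsid, info in lp.overlays.items():
        dll = info["dll"] or "<no file listed>"
        if not dll.lower().startswith(TRUSTED_ROOTS):
            findings.append(Finding("shell-overlay",
                f"overlay '{info['name']}' {clsid} -> {dll}: loaded into explorer.exe as a shell "
                "extension from a user-writable path"))
    for name, image in lp.services:
        if (m := SVCHOST_K_RE.search(image)) and m.group("group").lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append(Finding("svchost-group",
                f"service {name} runs as 'svchost.exe -k {m.group('group')}': not a stock group, "
                "inspect its Parameters\\ServiceDll"))
    for port, proto, label in lp.open_ports:      # ComboFix hides the default exceptions, so every
        findings.append(Finding("firewall-port",  # entry printed here was added by something
            f"{port}/{proto} opened to all networks as '{label}'"))
    return findings


# Constructed input: an excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-11-28 11:09 57344 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16059:TCP"= 16059:TCP:spport
"26066:TCP"= 26066:TCP:spport

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [21/11/2009 16:21 1858144]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [07/05/2008 07:46 14336]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the excerpt it reports the sp overlay, the SPService svchost group and both spport ports, and nothing for the Avira Run entry or the a-squared service. The check on the svchost group is the cheap one to remember: a ServiceDll hosted by a group name Windows does not ship gets a Microsoft-signed svchost.exe as its process name, which is why it never shows up as its own process in the log.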

#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 November 2009 - 09:44 AM

Please visit the online Virustotal Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\documents and settings\All Users\Application Data\SP\sp.DLL


  • The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.


========================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 sanscosm
  • Topic Starter
  • Members
  • 32 posts

Posted 29 November 2009 - 12:14 PM

I am not sure that the VirusTotal scan worked. I couldn't find the 'application data' folder when browsing in 'all users'. So I just copied and pasted the name of the file into the file name box at the bottom and pressed open. It doesn't seem to be a hidden file either.

Here is what came up in the report:

a-squared 4.5.0.43 2009.11.29 -
AhnLab-V3 5.0.0.2 2009.11.28 -
AntiVir 7.9.1.79 2009.11.27 -
Antiy-AVL 2.0.3.7 2009.11.27 -
Authentium 5.2.0.5 2009.11.28 -
Avast 4.8.1351.0 2009.11.29 -
AVG 8.5.0.426 2009.11.29 -
BitDefender 7.2 2009.11.29 -
CAT-QuickHeal 10.00 2009.11.28 -
ClamAV 0.94.1 2009.11.29 -
Comodo 3080 2009.11.29 -
DrWeb 5.0.0.12182 2009.11.29 -
eSafe 7.0.17.0 2009.11.29 -
eTrust-Vet 35.1.7146 2009.11.27 -
F-Prot 4.5.1.85 2009.11.28 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.29 -
GData 19 2009.11.29 -
Ikarus T3.1.1.74.0 2009.11.29 -
Jiangmin 11.0.800 2009.11.29 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.11.29 -
McAfee 5817 2009.11.29 -
McAfee+Artemis 5817 2009.11.29 -
McAfee-GW-Edition 6.8.5 2009.11.29 -
Microsoft 1.5302 2009.11.29 -
NOD32 4646 2009.11.29 -
Norman 6.03.02 2009.11.27 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.11.29 -
PCTools 7.0.3.5 2009.11.29 -
Prevx 3.0 2009.11.29 -
Rising 22.23.06.04 2009.11.29 -
Sophos 4.48.0 2009.11.29 -
Sunbelt 3.2.1858.2 2009.11.29 -
Symantec 1.4.4.12 2009.11.29 -
TheHacker 6.5.0.2.081 2009.11.28 -
TrendMicro 9.100.0.1001 2009.11.29 -
VBA32 3.12.12.0 2009.11.29 -
ViRobot 2009.11.28.2060 2009.11.28 -
VirusBuster 5.0.21.0 2009.11.29 -
Additional information
File size: 57344 bytes
MD5 : 2299222d022165928c98e55d08c0a553
SHA1 : 68adbc3f8e533195605fa26217f5de4e51a7a819
SHA256: 73f6717ce6b2e0fd0ad8235d37177ca1e842d87d2d69a945b60c6cff1a44b1ea
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8846
timedatestamp.....: 0x4B0D5921 (Wed Nov 25 17:19:45 2009)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9379 0x9400 6.46 31fc60a855741e1222a3aa8158588ed1
.rdata 0xB000 0x2FE7 0x3000 5.43 4eff6921d8afd941934121ed3e4bd993
.data 0xE000 0x9AC 0x400 6.40 2c7563c131a796dc38473e2db97186b1
.rsrc 0xF000 0x1B4 0x200 5.11 9050e6b0dc4a8f2994cbb197b084c1ce
.reloc 0x10000 0x113C 0x1200 5.40 9952027e2d4504b5b34121ebf6853a4a

( 9 imports )

> advapi32.dll: SetServiceStatus, RegisterServiceCtrlHandlerExA, RegDeleteValueA, RegQueryInfoKeyA, RegCreateKeyExA, RegEnumKeyExA, RegDeleteKeyA, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
> kernel32.dll: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, QueryPerformanceCounter, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, InterlockedCompareExchange, InterlockedExchange, RtlUnwind, OutputDebugStringA, InterlockedDecrement, InterlockedIncrement, GetTickCount, CreateThread, DeleteCriticalSection, ResetEvent, EnterCriticalSection, LeaveCriticalSection, CreateEventA, Sleep, InitializeCriticalSection, SetEvent, WaitForSingleObject, DeleteFileA, CloseHandle, GetModuleHandleA, GetModuleFileNameA, MoveFileA, GetLastError, WriteFile, MoveFileExA, CreateFileA, GetVersion
> msvcp60.dll: _sync@_$basic_streambuf@DU_$char_traits@D@std@@@std@@MAEHXZ, _setbuf@_$basic_streambuf@DU_$char_traits@D@std@@@std@@MAEPAV12@PADH@Z, _xsputn@_$basic_streambuf@DU_$char_traits@D@std@@@std@@MAEHPBDH@Z, _xsgetn@_$basic_streambuf@DU_$char_traits@D@std@@@std@@MAEHPADH@Z, _uflow@_$basic_streambuf@DU_$char_traits@D@std@@@std@@MAEHXZ, _showmanyc@_$basic_streambuf@DU_$char_traits@D@std@@@std@@MAEHXZ, __1_$basic_streambuf@DU_$char_traits@D@std@@@std@@UAE@XZ, __0_$basic_streambuf@DU_$char_traits@D@std@@@std@@IAE@XZ, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBD@Z, __Y_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV01@D@Z, __Y_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV01@PBD@Z, __4_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV01@PBD@Z, __4_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV01@ABV01@@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@PBDABV_$allocator@D@1@@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV01@@Z, __1_Lockit@std@@QAE@XZ, __0_Lockit@std@@QAE@XZ, __1_$basic_ios@DU_$char_traits@D@std@@@std@@UAE@XZ, __0_Winit@std@@QAE@XZ, __1Init@ios_base@std@@QAE@XZ, __0Init@ios_base@std@@QAE@XZ, _compare@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEHABV12@@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV_$allocator@D@1@@Z, __0out_of_range@std@@QAE@ABV01@@Z, __1out_of_range@std@@UAE@XZ, __0out_of_range@std@@QAE@ABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, __0logic_error@std@@QAE@ABV01@@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@@Z, 
__0_$basic_ios@DU_$char_traits@D@std@@@std@@IAE@XZ, __0_$basic_istream@DU_$char_traits@D@std@@@std@@QAE@PAV_$basic_streambuf@DU_$char_traits@D@std@@@1@_N@Z, __1_$basic_istream@DU_$char_traits@D@std@@@std@@UAE@XZ, _getline@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEAAV12@PADH@Z, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __1strstreambuf@std@@UAE@XZ, _overflow@strstreambuf@std@@MAEHH@Z, _pbackfail@strstreambuf@std@@MAEHH@Z, _underflow@strstreambuf@std@@MAEHXZ, _seekoff@strstreambuf@std@@MAE_AV_$fpos@H@2@JW4seekdir@ios_base@2@H@Z, _seekpos@strstreambuf@std@@MAE_AV_$fpos@H@2@V32@H@Z, __Init@strstreambuf@std@@IAEXHPAD0H@Z, __1istrstream@std@@UAE@XZ, _imbue@_$basic_streambuf@DU_$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, __1_Winit@std@@QAE@XZ
> msvcrt.dll: _isatty, _write, _lseeki64, _fileno, __pioinfo, __badioinfo, wctomb, _itoa, _snprintf, isleadbyte, _adjust_fdiv, _amsg_exit, _initterm, _XcptFilter, __1type_info@@UAE@XZ, _onexit, _lock, __dllonexit, _unlock, atol, memmove, __0exception@@QAE@ABV0@@Z, strstr, memcmp, memset, printf, _purecall, __2@YAPAXI@Z, time, strspn, __3@YAXPAX@Z, srand, rand, atoi, strlen, malloc, free, _stricmp, memcpy, _iob, _errno, __CxxFrameHandler, _CxxThrowException, _except_handler3
> ole32.dll: CoCreateGuid
> rpcrt4.dll: UuidToStringA, RpcStringFreeA
> shlwapi.dll: StrTrimA
> user32.dll: KillTimer, GetMessageA, TranslateMessage, SetTimer, DispatchMessageA
> ws2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 1 exports )

> DllCanUnloadNow, DllGetClassObject, HandlerEx, ServiceMain
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 1536:CKJkrsKsdydbgR5WEEKp57hqkxGyFDIbg0sVLjOeHwu/+d1cY3M:HJkrfsdKicEEKp5tqkxGA3/jOeQSCj3M
PEiD : -
RDS : NSRL Reference Data Set
-


Here is the Malwarebytes report:

Malwarebytes' Anti-Malware 1.41
Database version: 3257
Windows 5.1.2600 Service Pack 3

29/11/2009 17:11:38
mbam-log-2009-11-29 (17-11-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 189604
Time elapsed: 37 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have 5 items in my quarantine from 4 days ago if you would like to see the log?
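Nothing in that VirusTotal report fires, yet the same block still tells a responder a good deal: the file was linked on 25 November 2009, it exports ServiceMain and HandlerEx (the entry points a svchost-hosted ServiceDll needs), it imports RegisterServiceCtrlHandlerExA and MoveFileExA, and it pulls in ws2_32.dll entirely by ordinal. The Python below is an added example, not VirusTotal's or the helper's code; it parses the old text-format report shown above and reduces it to those facts. The table mapping imported APIs to capabilities is the example's own assumption, and the sample input is a trimmed excerpt of the report above (six of the forty-one engine rows, three of the nine import lines). The hex timestamp 0x4B0D5921 decodes to 16:19:45 UTC; the parenthesised time VT printed beside it is evidently rendered in the scanner's local zone, so the example works in UTC throughout.

```python
"""Turn a VirusTotal 'Additional information' block into responder facts.

Added example for this thread; not VirusTotal's or the helper's code. It parses
the old text-format report posted above: one 'engine version date result' row
per scanner ('-' meaning no detection), the PEInfo 'timedatestamp' line, and
the '( N imports )' / '( N exports )' lists, including VT's bare continuation
lines for very long import lists.
"""
import re
from datetime import datetime, timezone

ENGINE_RE = re.compile(r"^(?P<engine>\S+)\s+\S+\s+\d{4}\.\d{2}\.\d{2}\s+(?P<result>.+)$")
TIMESTAMP_RE = re.compile(r"^timedatestamp\.*:\s*0x(?P<hex>[0-9A-Fa-f]+)")
SECTION_RE = re.compile(r"^\(\s*\d+\s+(?P<what>imports|exports)\s*\)$")
IMPORT_RE = re.compile(r"^>\s*(?P<dll>[^:\s]+):\s*(?P<names>.*)$")
EXPORT_RE = re.compile(r"^>\s*(?P<names>[^:]+)$")

# Assumption: how a responder reads particular imports. These are capabilities,
# not a verdict; plenty of legitimate service DLLs use every one of them.
CAPABILITIES = {
    "RegisterServiceCtrlHandlerExA": "registers a service control handler (runs as a Windows service)",
    "MoveFileExA": "can schedule a file move or delete for the next reboot",
    "RegSetValueExA": "writes to the registry",
    "DeleteFileA": "deletes files",
}


def parse_vt_report(text: str) -> dict:
    report = {"engines": 0, "detections": [], "compiled": None, "imports": {}, "exports": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group("what")
        elif section == "imports" and (m := IMPORT_RE.match(line)):
            report["imports"][m.group("dll").lower()] = [
                n.strip() for n in m.group("names").split(",") if n.strip()]
        elif section == "imports" and report["imports"] and "," in line:
            # VT wraps a very long import list onto a bare line without the '>' prefix.
            last = next(reversed(report["imports"]))
            report["imports"][last].extend(n.strip() for n in line.split(",") if n.strip())
        elif section == "exports" and (m := EXPORT_RE.match(line)):
            report["exports"] = [n.strip() for n in m.group("names").split(",")]
        elif m := TIMESTAMP_RE.match(line):
            # The PE TimeDateStamp is seconds since the Unix epoch; keep it in UTC.
            report["compiled"] = datetime.fromtimestamp(int(m.group("hex"), 16), timezone.utc)
        elif m := ENGINE_RE.match(line):
            report["engines"] += 1
            if m.group("result") != "-":
                report["detections"].append((m.group("engine"), m.group("result")))
    return report


def assess(text: str) -> dict:
    r = parse_vt_report(text)
    notes = []
    if "ServiceMain" in r["exports"]:
        notes.append("exports ServiceMain: loadable as a svchost-hosted ServiceDll, so it never "
                     "appears as its own process")
    if ws2 := r["imports"].get("ws2_32.dll"):
        by_ordinal = sum(1 for n in ws2 if n == "-")   # VT prints '-' for an import by ordinal
        notes.append(f"imports ws2_32.dll ({len(ws2)} functions, {by_ordinal} by ordinal): network capable")
    for dll, names in r["imports"].items():
        for api in CAPABILITIES:
            if api in names:
                notes.append(f"{dll}!{api}: {CAPABILITIES[api]}")
    return {
        "detections": f"{len(r['detections'])}/{r['engines']}",
        "compiled_utc": r["compiled"].strftime("%Y-%m-%d %H:%M:%S") if r["compiled"] else None,
        "exports": r["exports"],
        "notes": notes,
    }


# Constructed input: a trimmed excerpt of the VirusTotal report posted above
# (6 of the 41 engine rows, 3 of the 9 import lines, kernel32 shortened).
VT_EXCERPT = r"""
a-squared 4.5.0.43 2009.11.29 -
AntiVir 7.9.1.79 2009.11.27 -
Kaspersky 7.0.0.125 2009.11.29 -
McAfee+Artemis 5817 2009.11.29 -
Microsoft 1.5302 2009.11.29 -
Symantec 1.4.4.12 2009.11.29 -
Additional information
File size: 57344 bytes
MD5 : 2299222d022165928c98e55d08c0a553
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8846
timedatestamp.....: 0x4B0D5921 (Wed Nov 25 17:19:45 2009)
machinetype.......: 0x14C (Intel I386)

( 9 imports )

> advapi32.dll: SetServiceStatus, RegisterServiceCtrlHandlerExA, RegDeleteValueA, RegQueryInfoKeyA, RegCreateKeyExA, RegEnumKeyExA, RegDeleteKeyA, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
> kernel32.dll: GetSystemTimeAsFileTime, GetCurrentProcessId, CreateThread, Sleep, DeleteFileA, CloseHandle, GetModuleFileNameA, MoveFileA, WriteFile, MoveFileExA, CreateFileA, GetVersion
> ws2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 1 exports )

> DllCanUnloadNow, DllGetClassObject, HandlerEx, ServiceMain
"""

if __name__ == "__main__":
    for k, v in assess(VT_EXCERPT).items():
        print(f"{k}: {v}")
```

The point of the exercise is the one the helper acts on in the next post: a 0/41 score is a statement about signature coverage on that day, not about the file, and a DLL that exports ServiceMain, talks Winsock and can queue a rename for the next reboot is worth removing on the strength of where it lives and how it is loaded.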

#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 November 2009 - 08:36 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\documents and settings\All Users\Application Data\SP\sp.DLL

Dirlook::
c:\documents and settings\All Users\Application Data\SP
c:\documents and settings\Owner\.spss
c:\documents and settings\All Users\Application Data\SPSS
c:\program files\Common Files\SPSS
c:\program files\SPSSInc

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
[-HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#13 sanscosm
  • Topic Starter
  • Members
  • 32 posts

Posted 30 November 2009 - 05:07 AM

Hello Sam!

My Internet Explorer keeps crashing when I try to copy and paste the log, and it's too big to attach to the post. What should I do next? SPSS is a statistical program I use for university.

The good news is the "your last session was unexpectedly interrupted" message which came up whenever I started Explorer seems to have gone. Also, so far no pop-ups.

Thank you very much for your continued help :(

#14 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 November 2009 - 08:13 AM

If you edit out the SPSS related entries in the log does that cut it down enough so that you can post it?

#15 sanscosm
  • Topic Starter
  • Members
  • 32 posts

Posted 30 November 2009 - 09:47 AM

I sure can. I have posted the log without SPSS below:



ComboFix 09-11-29.03 - Owner 30/11/2009 9:05.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.736 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\All Users\Application Data\SP\sp.DLL"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\SP\sp.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SPService


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-28 11:09 . 2009-11-30 09:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SP
2009-11-27 18:58 . 2009-11-27 18:58 -------- d-----w- C:\_OTL
2009-11-25 16:04 . 2009-11-25 16:04 -------- d-----w- c:\documents and settings\Owner\.spss
2009-11-25 16:02 . 2009-11-25 16:02 -------- d-----w- C:\KAV
2009-11-25 16:00 . 2009-11-25 16:00 1024 ----a-w- c:\windows\system32\clauth2.dll
2009-11-25 16:00 . 2009-11-25 16:00 1024 ----a-w- c:\windows\system32\clauth1.dll
2009-11-25 15:59 . 2009-11-25 15:59 -------- d-----w- c:\program files\Common Files\Data Dynamics
2009-11-25 15:52 . 2009-11-25 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2009-11-25 15:52 . 2009-11-25 15:52 -------- d-----w- c:\program files\Common Files\SPSS
2009-11-25 15:51 . 2009-11-25 15:59 -------- d-----w- c:\program files\SPSSInc
2009-11-25 15:51 . 2009-11-25 15:51 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-11-24 15:47 . 2009-11-24 15:47 -------- d-----w- c:\program files\Trend Micro
2009-11-23 18:09 . 2008-04-13 19:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-22 14:49 . 2009-11-22 14:49 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-22 11:09 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 11:09 . 2009-11-22 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 11:09 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 16:21 . 2009-11-29 16:13 -------- d-----w- c:\program files\a-squared Free
2009-11-21 15:15 . 2009-07-28 16:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:15 . 2009-03-30 10:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-21 15:15 . 2009-02-13 12:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-21 15:15 . 2009-02-13 12:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-21 15:15 . 2009-11-21 15:15 -------- d-----w- c:\program files\Avira
2009-11-21 15:15 . 2009-11-21 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-18 23:09 . 2009-11-18 23:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-18 22:34 . 2009-11-20 23:10 120 ----a-w- c:\windows\Szoje.dat
2009-11-18 22:34 . 2009-11-18 22:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}
2009-11-18 22:29 . 2009-11-18 15:26 457688 ----a-w- c:\documents and settings\All Users\Application Data\92d9089\sqlite3.dll
2009-11-18 22:29 . 2009-11-18 15:26 722392 ----a-w- c:\documents and settings\All Users\Application Data\92d9089\mozcrt19.dll
2009-11-18 22:29 . 2009-11-18 22:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\92d9089
2009-11-18 22:29 . 2009-11-18 22:29 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-18 16:51 . 2009-11-18 16:51 -------- d-----w- c:\program files\Common Files\CANON
2009-11-18 16:47 . 2009-11-18 16:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-11-18 16:47 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-11-18 16:47 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-18 16:47 . 2008-02-25 20:00 230912 ----a-w- c:\windows\system32\CNMLM9I.DLL
2009-11-18 16:47 . 2009-11-18 16:47 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-11-18 16:47 . 2008-02-08 06:38 200704 ----a-w- c:\windows\system32\CNC190L.DLL
2009-11-18 16:47 . 2007-03-15 05:12 188416 ----a-w- c:\windows\system32\CNC190O.DLL
2009-11-18 16:47 . 2007-11-09 02:58 98304 ----a-w- c:\windows\system32\CNC190I.DLL
2009-11-18 16:47 . 2007-11-09 02:59 1323008 ----a-w- c:\windows\system32\CNC190C.DLL
2009-11-18 16:46 . 2009-11-18 16:46 -------- d--h--w- c:\program files\CanonBJ
2009-11-18 16:45 . 2009-11-18 16:53 -------- d-----w- c:\program files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 14:13 . 2009-01-09 00:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-29 14:05 . 2008-11-06 10:33 -------- d-----w- c:\program files\SpywareBlaster
2009-11-27 18:57 . 2009-08-26 19:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-27 17:24 . 2009-08-26 19:15 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-25 16:36 . 2008-05-07 09:00 85128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 16:15 . 2008-11-06 10:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 16:15 . 2008-11-06 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-12 17:05 . 2008-05-07 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-28 19:00 . 2008-05-07 09:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-18 19:58 . 2009-09-20 13:28 -------- d-----w- c:\program files\Google
2009-10-12 21:21 . 2008-11-06 10:36 -------- d-----w- c:\program files\Microsoft Works
2009-10-05 20:49 . 2009-01-15 18:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Audacity
2009-09-11 14:18 . 2008-05-07 07:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-05-07 07:46 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-27_21.52.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-30 09:13 . 2009-11-30 09:13 16384 c:\windows\Temp\Perflib_Perfdata_5bc.dat
- 2009-11-27 19:07 . 2009-11-27 21:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-27 19:07 . 2009-11-28 10:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-06 10:14 . 2009-11-28 10:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-06 10:14 . 2009-11-27 21:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-18 23:09 . 2009-11-28 10:59 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-18 23:09 . 2009-11-27 21:35 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2008-05-07 07:46 . 2008-01-15 15:48 304920 c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-03-04 360448]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1848648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-01-29 16859648]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2007-10-12 266240]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-7-5 44176]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16059:TCP"= 16059:TCP:spport
"26066:TCP"= 26066:TCP:spport
"20105:TCP"= 20105:TCP:spport

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [21/11/2009 16:21 1858144]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/11/2009 15:15 108289]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 11:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 11:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [07/05/2008 09:50 5888]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [07/05/2008 09:50 288000]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [21/12/2008 00:22 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [21/12/2008 00:22 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [21/12/2008 00:22 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [21/12/2008 00:22 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [21/12/2008 00:22 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [21/12/2008 00:22 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [21/12/2008 00:22 110120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService
.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plymouth.ac.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA} - c:\documents and settings\Owner\Local Settings\Application Data\{9D46456F-8289-4CB0-95CC-BDC3F1BBA5AA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-30 09:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 09:17
ComboFix2.txt 2009-11-29 12:52
ComboFix3.txt 2009-11-28 16:58
ComboFix4.txt 2009-11-28 16:03
ComboFix5.txt 2009-11-30 09:03

Pre-Run: 90,331,033,600 bytes free
Post-Run: 90,880,675,840 bytes free

- - End Of File - - 86E2576FCC03B27E92EDE17B52232A91
