Personal protector


  • This topic is locked
19 replies to this topic

#1 barry.a

barry.a

  • Members
  • 17 posts
  • Gender: Male
  • Location: London

Posted 13 December 2009 - 06:29 AM

Hi guys, long time since I've been on this site. I've got this Personal Protector virus and I can't stop it, as it's killed my Task Manager. I've also got a blank desktop and can't seem to run (or see) anything. I've run Malwarebytes, Spybot (safe mode) and Avast, but they only find traces, and when I reboot it's back again. I ran DDS normally, as command-line programs seem to run, but I ran RootRepeal in safe mode as it disappears in normal mode; I also saved it as a text file, I hope this is OK. I've uploaded the RootRepeal and DDS txt files: Attached File RootRepeal_report_01_01_05__19_14_21_.txt 58.61KB 21 downloads, Attached File DDS.txt 68.68KB 14 downloads
Thanks people, I gotta say this one's driving me nuts.
Bazza

UPDATE
Hi guys. Today I did a few things to try and get rid of it. Here are the results so far and the steps taken, but I need help to make sure it's gone.
I had no icons on desktop and couldn't open or run anything.
I removed 2 files in safe mode

add/remove programs ---------- Personal Protector
deleted from c:\docs and settings\all users ---------- microsoft P Data

I then rebooted normally and got my desktop back. I immediately ran a full scan with MBytes, which found this (can't find it in MBytes now, neither in the log nor in quarantine), but removed:

PProtector.exe

I then ran Trendmicro housecall
quick scan found
file
42F ------------------------ TROJ AGENT.AWTV
930 ------------------------ TROJ AGENT.AXHP
winscent ------------------------ MAL FAKEAV-9
Full scan found

BB5_UN~EXE ---- HACKING BE97E9F5
BB5_UN .ZIP ---- " " " " "


ALL THESE I HAD FIXED
I still have no Task Manager, which the virus was killing, so I imagine I've still got traces.
Any help would be greatly appreciated.
thanks
Bazza

UPDATE 2

Ran SUPERAntiSpyware, which found and removed these:-

screenshot included untitled.jpg
When I started the PC today the clock and date were wrong again, but yesterday I managed to download a prog to get my Task Manager back. I still think I've got traces of this and still require help.
thanks
Bazza

Edited by boopme, 18 December 2009 - 01:14 PM.



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 26 December 2009 - 03:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 barry.a

barry.a
  • Topic Starter

  • Members
  • 17 posts
  • Gender: Male
  • Location: London

Posted 28 December 2009 - 09:11 AM

Hi, thanks.
Uploaded files as requested; here is the DDS.txt file, and the attach file is zipped as requested. Not sure if I managed to get rid of the PP virus. (I appreciate this; I was learning to be a spyware warrior, but alas I didn't have enough time to dedicate, so I understand the delays.) I also thought I got rid of Norton years ago. I use Avast.


DDS (Ver_09-12-01.01) - NTFSx86
Run by pcw at 13:57:44.78 on 28/12/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.465 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\pcw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pcw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pcw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\DVD Decrypter\DVDDecrypter.exe
C:\Documents and Settings\pcw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pcw\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/emailandcommunicate/
mDefault_Page_URL = file://c:\apps\ie\offline\uk.htm
uInternet Connection Wizard,ShellNext = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=OEM4
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5A752268-6896-38A7-9890-BF1305A56265} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PCMService] c:\apps\powercinema\PCMService.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\pcw\startm~1\programs\startup\ieee80~1.lnk - c:\program files\ieee 802.11g wireless lan utility\WLANUTL.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} - hxxp://support.epson-europe.com/selftest/Prg/ESTPTest.cab
DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - hxxp://www.parallelgraphics.com/bin/cortvrml.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: InternetProvider - {14DA7AA4-40B1-430C-A354-2C826124343E} - c:\documents and settings\all users\microsoft pdata\inetprovider.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pcw\applic~1\mozilla\firefox\profiles\lbs8d6pk.default\
FF - prefs.js: browser.search.selectedEngine - GoogleFeed.net
FF - prefs.js: browser.startup.homepage - hxxp://www.orange.co.uk/communicate/email/?linkfrom=hp4&link=leftnav_pos_3_link_2&article=todaypage09leftnavcommunicate
FF - plugin: c:\documents and settings\pcw\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\parallelgraphics\cortona\npCortona.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-30 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-24 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-4-9 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-24 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-5-9 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2005-1-13 12032]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-5-9 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-5-9 352920]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-8-29 40832]
S3 rt2870;Belkin 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusb.sys [2007-8-11 70272]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2007-8-11 72576]
S3 WlanUIG;EDUP 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [2009-10-10 376224]
S4 Boonty Games;Boonty Games;"c:\program files\common files\boonty shared\service\boonty.exe" --> c:\program files\common files\boonty shared\service\Boonty.exe [?]
S4 HU200SVC;HU200SVC;c:\program files\linksys home wireless-g usb wireless network monitor\WLService.exe [2009-10-30 41025]
S4 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-4-27 93960]
S4 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]

=============== Created Last 30 ================

2009-12-27 22:40:23 815104 ----a-w- c:\windows\system32\xvidcore.dll
2009-12-27 22:40:23 77824 ----a-w- c:\windows\system32\xvid.ax
2009-12-27 22:40:23 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-12-27 22:40:23 0 d-----w- c:\program files\Xvid
2009-12-27 22:39:31 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-12-27 22:39:30 84480 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-27 22:39:29 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-12-27 22:39:27 0 d-----w- c:\program files\ffdshow
2009-12-27 22:37:21 0 d-----w- c:\program files\Avi2Dvd
2009-12-25 07:03:02 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-12-25 07:03:02 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-12-25 07:03:02 129784 ------w- c:\windows\system32\pxafs.dll
2009-12-23 00:14:59 0 d-----w- c:\windows\system32\Adobe
2009-12-22 17:27:13 0 d-----w- c:\program files\Nuclear Coffee
2009-12-15 19:54:17 0 d-----w- c:\program files\EA GAMES
2009-12-15 16:36:11 0 d-----w- c:\program files\iTopsoft PC Speeduper
2009-12-09 20:32:50 51197 ----a-w- c:\windows\spoos.exe
2009-12-09 20:32:50 38352 ----a-w- c:\windows\regp.exe
2009-12-09 20:32:50 33149 ----a-w- c:\windows\explorers.exe
2009-12-09 20:32:50 28320 ----a-w- c:\windows\secureit.com
2009-12-09 20:32:50 18941 ----a-w- c:\windows\microsoftdefend.dll
2009-12-06 15:38:27 0 d-----w- c:\program files\common files\PCSuite
2009-12-06 15:37:28 0 d-----w- c:\program files\PC Connectivity Solution

==================== Find3M ====================

2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-11-14 20:30:14 831488 ----a-w- c:\windows\RtlExUpd.dll
2009-11-14 08:20:35 8704 ----a-w- c:\windows\system32\drivers\vhubwtnaovau.sys
2009-11-14 00:49:00 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-11-14 00:49:00 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49:00 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-14 00:47:32 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-06 11:23:35 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-30 12:49:35 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-30 12:49:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-29 19:08:22 3070976 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 11:52:36 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-08-13 22:15:58 74240 ----a-w- c:\program files\l
2009-03-13 18:55:04 19042 ---ha-w- c:\program files\Sandra.GID
2009-04-22 10:02:16 109 --sha-w- c:\windows\system32\2217294423.dat

============= FINISH: 13:58:36.40 ===============
thanks again
bazza
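
An added example, not part of this thread and not code from the DDS tool or its author: a small Python parser over the "Created Last 30" lines of the DDS log above, with two triage heuristics a helper reading such a log applies by eye. The sample lines are copied from that log; the line layout (date, time, size, eight attribute flags, path) is inferred from those lines rather than from DDS documentation, and the heuristics (several executables created in the same second, and executables sitting loose in c:\windows rather than in a subfolder) are general rules of thumb, not anything the thread's helpers asked for. The five files written into c:\windows at 2009-12-09 20:32:50 are what the second rule singles out; the Xvid codec install on 2009-12-27 produces a same-second burst as well, which is why the location check is the second filter and a burst alone is only a lead.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: the "Created Last 30" lines copied from the DDS log
# posted in this thread (the real log has further sections we ignore here).
DDS_CREATED_LAST_30 = r"""
2009-12-27 22:40:23 815104 ----a-w- c:\windows\system32\xvidcore.dll
2009-12-27 22:40:23 77824 ----a-w- c:\windows\system32\xvid.ax
2009-12-27 22:40:23 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-12-27 22:40:23 0 d-----w- c:\program files\Xvid
2009-12-15 16:36:11 0 d-----w- c:\program files\iTopsoft PC Speeduper
2009-12-09 20:32:50 51197 ----a-w- c:\windows\spoos.exe
2009-12-09 20:32:50 38352 ----a-w- c:\windows\regp.exe
2009-12-09 20:32:50 33149 ----a-w- c:\windows\explorers.exe
2009-12-09 20:32:50 28320 ----a-w- c:\windows\secureit.com
2009-12-09 20:32:50 18941 ----a-w- c:\windows\microsoftdefend.dll
2009-12-06 15:38:27 0 d-----w- c:\program files\common files\PCSuite
"""

Entry = namedtuple("Entry", "timestamp size attrs path is_dir")

# One DDS line: "<date> <time> <size> <8 attribute flags> <path>".
# Assumption: this layout is inferred from the posted lines, not from DDS docs.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")

# Extensions Windows will load or execute directly (.ax is a DirectShow filter DLL).
EXEC_EXTENSIONS = {"exe", "dll", "com", "sys", "scr", "ax", "pif", "bat"}


def parse_dds_created(text):
    """Parse 'Created Last 30' lines into Entry records, skipping anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        # DDS prints 'd' in the first flag position for directories.
        entries.append(Entry(ts, int(size), attrs, path, attrs[0] == "d"))
    return entries


def is_executable(path):
    return path.lower().rsplit(".", 1)[-1] in EXEC_EXTENSIONS


def in_windows_root(path):
    r"""True for a file sitting directly in c:\windows, not in a subdirectory."""
    p = path.lower()
    prefix = "c:\\windows\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def find_bursts(entries, min_files=3):
    """Executables created in the same second, grouped by timestamp.

    A dropper unpacking its payload writes several files at once, but so does
    a legitimate installer, so a burst is a lead to inspect, not a verdict.
    """
    groups = defaultdict(list)
    for e in entries:
        if not e.is_dir and is_executable(e.path):
            groups[e.timestamp].append(e.path)
    return {ts: sorted(paths) for ts, paths in groups.items() if len(paths) >= min_files}


def loose_windows_root_executables(entries):
    r"""Executables dropped straight into c:\windows; installers rarely do this."""
    return sorted(e.path for e in entries
                  if not e.is_dir and is_executable(e.path) and in_windows_root(e.path))


if __name__ == "__main__":
    parsed = parse_dds_created(DDS_CREATED_LAST_30)
    for ts, paths in sorted(find_bursts(parsed).items()):
        print(f"{len(paths)} executables created at {ts}:")
        for p in paths:
            flag = "  <-- loose in c:\\windows" if in_windows_root(p) else ""
            print(f"    {p}{flag}")
    print("Loose executables in c:\\windows:", loose_windows_root_executables(parsed))
```

Run as a script, it lists both same-second bursts and marks the 2009-12-09 group as the one whose files also sit loose in c:\windows; the Xvid group is reported as a burst but carries no location flag, which is the distinction a reviewer makes before asking for any of these files to be removed.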


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 29 December 2009 - 11:10 AM

Hello, barry.a, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 barry.a

barry.a
  • Topic Starter

  • Members
  • 17 posts
  • Gender: Male
  • Location: London

Posted 29 December 2009 - 03:31 PM

Hi Tom,
here is the GMER log.
I've had to lock this PC away in the spare room, as I've had a lot of family round (kids & teens) and I don't want anyone messing with it while we're doing this.
Thanks for your help.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-29 20:14:56
Windows 5.1.2600 Service Pack 3
Running: vdu3gnb5.exe; Driver: C:\DOCUME~1\pcw\LOCALS~1\Temp\fwryiaow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xED5B26B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xED6CEFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xED6CBC80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xED5B2574]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xED6CF580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xED6E3900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xED6E3B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xED6E7B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xED6CF670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xED6CC210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xED6E69F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xED5B2A52]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xED6E3280]
SSDT spxx.sys ZwEnumerateKey [0xF7339CA2]
SSDT spxx.sys ZwEnumerateValueKey [0xF733A030]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xED6E6F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xED6E6F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xED6CC070]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xED5B264E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xED6E5180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xED6E4F40]
SSDT spxx.sys ZwQueryKey [0xF733A108]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xED5B276E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xED6E76F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xED6E7150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xED6CEBE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xED5B272E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xED6CF190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xED6CC440]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xED5B28AE]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xED6E4200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xED6E4080]

INT 0x62 ? 87160BF8
INT 0x63 ? 86F34E00
INT 0x73 ? 86F34E00
INT 0x73 ? 86F34E00
INT 0x82 ? 87160BF8
INT 0x83 ? 86F34E00
INT 0xB4 ? 86F34E00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 805044C4 2 Bytes [B8, 26]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [80, F5, 6C, ED, 00, 39, 6E, ...] {XOR CH, 0x6c; IN EAX, DX; ADD [ECX], BH; OUTSB ; IN EAX, DX; ADC [EBX], BH; OUTSB ; IN EAX, DX}
? spxx.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F67D88AC 5 Bytes JMP 86F343E0
.text ab3pgw81.SYS F6742386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ab3pgw81.SYS F67423AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ab3pgw81.SYS F67423C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ab3pgw81.SYS F67423C9 1 Byte [2E]
.text ab3pgw81.SYS F67423C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F731C040] spxx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F731C13C] spxx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F731C0BE] spxx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F731C7FC] spxx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F731C6D2] spxx.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F732C048] spxx.sys
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!KfAcquireSpinLock] 8BEC8B55
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!READ_PORT_UCHAR] 00C73445
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!KeGetCurrentIrql] 00000000
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!KfRaiseIrql] 830C458B
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!KfLowerIrql] C0840CEC
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!HalGetInterruptVector] 053C0D74
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!HalTranslateBusAddress] 57B80974
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!KeStallExecutionProcessor] 8B000000
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!KfReleaseSpinLock] 56C35DE5
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D08758B
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!READ_PORT_USHORT] 8D51FC4D
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8D52FD55
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[HAL.dll!WRITE_PORT_UCHAR] 8D51FE4D
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[WMILIB.SYS!WmiSystemControl] 8D51F84D
IAT \SystemRoot\System32\Drivers\ab3pgw81.SYS[WMILIB.SYS!WmiCompleteRequest] 5052F455
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [ED6D3B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [ED6D3930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [ED6D4260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [ED6D1E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [ED6D1E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [ED6D3B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [ED6D3930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [ED6D4260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [ED6D3B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [ED6D1E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [ED6D4260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [ED6D3930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [ED6D4260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [ED6D3930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [ED6D3B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [ED6D1E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [ED6D3B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [ED6D3930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [ED6D4260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisRegisterProtocol] [ED6D3B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisDeregisterProtocol] [ED6D1E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisCloseAdapter] [ED6D4260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisOpenAdapter] [ED6D3930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [ED6D3B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [ED6D1E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [ED6D4260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [ED6D3930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[904] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[904] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8714C1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBPDO-0 86F311F8
Device \Driver\usbuhci \Device\USBPDO-1 86F311F8
Device \Driver\usbuhci \Device\USBPDO-2 86F311F8
Device \Driver\usbuhci \Device\USBPDO-3 86F311F8
Device \Driver\usbehci \Device\USBPDO-4 86EFF1F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 871611F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 871611F8
Device \Driver\Cdrom \Device\CdRom0 86ED81F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 871611F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F7295B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7295B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 [F7295B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 [F7295B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F7295B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Ftdisk \Device\HarddiskVolume4 871611F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B3D43BED-9D62-4C9E-89DC-C7E93BD16864} 86EAA348
Device \Driver\NetBT \Device\NetBt_Wins_Export 86EAA348
Device \Driver\NetBT \Device\NetbiosSmb 86EAA348
Device \Driver\PCI_PNP3150 \Device\00000088 spxx.sys
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 86F311F8
Device \Driver\sptd \Device\1500109400 spxx.sys
Device \Driver\usbuhci \Device\USBFDO-1 86F311F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86C40500
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 86F311F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86C40500
Device \Driver\usbuhci \Device\USBFDO-3 86F311F8
Device \Driver\usbehci \Device\USBFDO-4 86EFF1F8
Device \Driver\Ftdisk \Device\FtControl 871611F8
Device \Driver\ab3pgw81 \Device\Scsi\ab3pgw811 86EBB1F8
Device \FileSystem\Fastfat \Fat 85F6B500
Device \FileSystem\Fastfat \Fat BA6EB297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs 86D6B2F0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0x7E 0x02 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x57 0x47 0x9A 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4A 0x91 0x42 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0x7E 0x02 0x71 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x57 0x47 0x9A 0xA9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4A 0x91 0x42 0xB6 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9CA8DFDB-495A-5033-10C7-03B607E3EC91}

---- EOF - GMER 1.0.15 ----

#6 schrauber

schrauber

Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 29 December 2009 - 04:53 PM

Hi,


Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#7 barry.a

barry.a
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:London

Posted 29 December 2009 - 08:03 PM

Hi Tom,
I downloaded ComboFix and went to run it; however, it said I had Norton Internet Security running. Norton was installed when I bought the PC; I uninstalled it in 2005 using NRT. I opened Task Manager and could see no mention of the program in processes or services. I did a full search for it on all drives and found nothing except a PDF help file, which I deleted. As far as I knew I'd got rid of Norton, as I really don't like the product, and I have been running AVG and then Avast since 2005. If you could tell me how to stop it I would be more than happy to do so, as I really can't find it. As soon as I receive a reply I'll run cfix.
thanks
Barry

#8 schrauber

schrauber

Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 30 December 2009 - 11:56 AM

Please ignore the message and run Combofix; we will take out the Symantec leftovers later :(.
regards,
schrauber


#9 barry.a

barry.a
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:London

Posted 30 December 2009 - 01:12 PM

Hi Tom,
I took a chance last night and ran cfix anyway, as I thought it may be a program that takes hours and is best done overnight. As you can see, I forgot to close Ad-Aware (must remember to expand the system tray when closing things down!). Anyway, here's the log.
Thanks, hope it's OK. I just ran another one in case; this is last night's.
Barry


ComboFix 09-12-29.03 - Owner 29/12/2009 19:44:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.907 [GMT 0:00]
Running from: c:\users\Steve\Downloads\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1544574244-251867173-3466954505-500
c:\$recycle.bin\S-1-5-21-4217042556-2726753869-1975038667-500
C:\LOG.TXT
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 18:13 . 2009-12-29 18:14 -------- d-----w- C:\rsit
2009-12-26 23:27 . 2009-12-23 18:22 52224 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2009-12-26 23:27 . 2009-12-23 18:22 101376 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2009-12-26 23:27 . 2009-12-23 18:31 52224 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{c59f6d2e-9e08-4757-94fb-b89d9e71a420}\components\FFExternalAlert.dll
2009-12-26 23:27 . 2009-12-23 18:31 101376 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{c59f6d2e-9e08-4757-94fb-b89d9e71a420}\components\RadioWMPCore.dll
2009-12-26 23:27 . 2009-12-18 11:19 4726272 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2009-12-26 23:27 . 2009-12-18 11:19 103424 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-12-26 23:27 . 2009-12-18 11:19 545280 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-12-26 23:27 . 2009-12-18 11:19 344064 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-12-26 23:27 . 2009-12-18 11:19 153600 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-12-26 23:27 . 2009-12-18 11:19 57856 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-12-26 23:27 . 2009-12-24 02:52 684032 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-12-26 23:27 . 2009-12-24 02:52 776704 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-12-23 07:13 . 2009-12-23 15:25 -------- d-----w- c:\users\Steve\AppData\Roaming\vlc
2009-12-20 23:57 . 2009-12-22 16:11 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-20 23:57 . 2009-12-22 16:11 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-20 23:57 . 2009-12-22 16:11 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-20 23:57 . 2009-12-22 16:11 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-20 23:57 . 2009-12-22 16:11 370744 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-20 23:57 . 2009-12-22 16:11 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-20 23:56 . 2009-12-22 16:11 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-20 23:56 . 2009-12-22 16:11 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-20 23:56 . 2009-12-22 16:11 816272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-20 23:56 . 2009-12-22 16:11 822904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-20 23:56 . 2009-12-22 16:11 1638640 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-20 23:56 . 2009-12-22 16:11 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-20 23:56 . 2009-12-22 16:11 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-20 22:31 . 2009-12-20 22:33 -------- d-----w- c:\users\Owner\AppData\Roaming\vlc
2009-12-18 19:08 . 2009-12-18 20:20 -------- d-----w- c:\users\Owner\AppData\Roaming\GlarySoft
2009-12-18 19:08 . 2009-12-18 19:09 -------- d-----w- c:\program files\Glary Registry Repair
2009-12-17 20:11 . 2009-12-17 20:11 -------- d-----w- c:\users\Steve\AppData\Roaming\WinPatrol
2009-12-15 19:37 . 2009-12-15 19:37 -------- d-----w- c:\users\Owner\AppData\Local\Apple Computer
2009-12-15 16:08 . 2009-12-23 23:24 -------- d-----w- c:\users\Steve\AppData\Roaming\QuickScan
2009-12-15 14:54 . 2009-12-15 14:54 388096 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-15 14:54 . 2009-12-15 14:54 -------- d-----w- c:\program files\TrendMicro
2009-12-15 14:33 . 2009-12-15 14:33 -------- d-----w- c:\program files\Trend Micro
2009-12-15 14:33 . 2009-12-15 18:26 -------- d-----w- c:\users\Steve\AppData\Local\Adobe
2009-12-15 14:11 . 2009-12-15 14:11 -------- d-----w- c:\programdata\WindowsSearch
2009-12-15 14:03 . 2009-12-15 14:03 -------- d-----w- c:\users\Steve\AppData\Roaming\Malwarebytes
2009-12-15 13:14 . 2009-12-15 13:14 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2009-12-15 13:14 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 13:14 . 2009-12-15 13:14 -------- d-----w- c:\programdata\Malwarebytes
2009-12-15 13:14 . 2009-12-15 13:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 13:14 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 04:42 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-14 00:18 . 2009-12-15 19:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-14 00:18 . 2009-12-14 07:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-13 23:56 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-13 23:54 . 2009-12-13 23:54 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-13 23:54 . 2009-12-07 14:10 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-13 23:53 . 2009-12-13 23:53 -------- d-----w- c:\program files\Lavasoft
2009-12-13 10:20 . 2009-12-13 10:20 -------- d-----w- c:\users\Owner\AppData\Roaming\WinPatrol
2009-12-13 10:20 . 2009-04-28 19:55 124 ----a-w- c:\users\Owner\AppData\Roaming\WinPatrol\Autoexec.bat
2009-12-13 10:20 . 2006-09-18 21:43 10 ----a-w- c:\users\Owner\AppData\Roaming\WinPatrol\Config.sys
2009-12-13 10:19 . 2009-12-13 10:19 -------- d-----w- c:\program files\BillP Studios
2009-12-10 18:03 . 2009-12-06 12:56 52224 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{e0c7b854-d5ce-4db6-9804-be1438603d89}\components\FFExternalAlert.dll
2009-12-10 18:03 . 2009-12-06 12:56 114688 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{e0c7b854-d5ce-4db6-9804-be1438603d89}\components\npmozax.dll
2009-12-10 17:58 . 2009-12-10 17:58 -------- d-----w- c:\programdata\FileCure
2009-12-09 11:30 . 2009-12-09 11:30 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-09 11:20 . 2009-08-25 01:30 13312 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8jr3c6d1.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
2009-12-09 11:03 . 2009-12-09 11:03 233440 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-09 11:02 . 2009-12-09 11:02 -------- d-----w- c:\program files\Safari
2009-12-09 10:45 . 2009-12-16 05:53 -------- d-----w- c:\users\Owner\AppData\Roaming\Software Informer
2009-12-09 10:45 . 2009-12-09 10:45 -------- d-----w- c:\program files\Software Informer
2009-12-09 10:42 . 2009-03-27 12:55 234304 ----a-w- c:\windows\system32\drivers\SCRCAMHRDRV.sys
2009-12-09 10:42 . 2009-12-09 10:42 -------- d-----w- c:\program files\ScreenCamera
2009-12-09 03:08 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 03:08 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 03:08 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 23:38 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 21:12 . 2007-12-30 05:01 307200 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2009-12-08 21:12 . 2007-12-30 05:01 172032 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2009-12-08 21:12 . 2007-12-30 05:01 90112 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\41mufpdl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
2009-12-05 16:15 . 2009-09-04 17:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-12-05 16:15 . 2009-09-04 17:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-12-05 16:14 . 2009-12-05 16:14 -------- d-----w- c:\windows\system32\xlive
2009-12-05 16:14 . 2009-12-05 16:16 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-12-03 13:37 . 2009-12-03 13:48 -------- d-----w- c:\users\Steve\AppData\Roaming\Template
2009-12-02 00:10 . 2009-12-02 00:10 88 ----a-w- c:\programdata\BOINC\slots\0\libfftw3f-3-1-1a_upx.dll
2009-12-02 00:10 . 2009-12-02 00:10 74 ----a-w- c:\programdata\BOINC\slots\0\cudart.dll
2009-12-02 00:10 . 2009-12-02 00:10 73 ----a-w- c:\programdata\BOINC\slots\0\cufft.dll
2009-12-02 00:10 . 2009-12-02 00:10 106 ----a-w- c:\programdata\BOINC\slots\0\setiathome_6.08_windows_intelx86__cuda.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 18:00 . 2009-05-25 13:22 -------- d-----w- c:\program files\PhraseExpress
2009-12-29 17:52 . 2009-04-03 00:55 227032 ----a-w- c:\programdata\nvModes.dat
2009-12-29 06:25 . 2009-04-02 00:13 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-12-28 22:38 . 2009-04-04 17:38 -------- d-----w- c:\programdata\Google Updater
2009-12-25 00:48 . 2009-05-17 22:13 -------- d-----w- c:\program files\DigiGuide TV Guide
2009-12-24 06:58 . 2009-04-02 20:35 -------- d-----w- c:\program files\Google
2009-12-23 19:50 . 2008-08-12 09:45 737692 ----a-w- c:\windows\system32\perfh00C.dat
2009-12-23 19:50 . 2008-08-12 09:45 151980 ----a-w- c:\windows\system32\perfc00C.dat
2009-12-18 13:59 . 2009-09-10 17:17 -------- d-----w- c:\program files\Reg Tool
2009-12-18 13:56 . 2009-09-10 17:17 -------- d-----w- c:\users\Owner\AppData\Roaming\Reg Tool
2009-12-18 13:40 . 2009-04-04 17:30 -------- d-----w- c:\users\Steve\AppData\Roaming\Skype
2009-12-18 12:43 . 2009-04-28 19:47 -------- d-----w- c:\program files\Creative
2009-12-18 12:38 . 2009-05-25 13:22 -------- d-----w- c:\programdata\PhraseExpress
2009-12-18 12:05 . 2009-05-17 15:45 -------- d-----w- c:\users\Steve\AppData\Roaming\DNA
2009-12-16 08:52 . 2009-04-04 23:43 -------- d-----w- c:\users\Owner\AppData\Roaming\Skype
2009-12-16 07:22 . 2009-05-14 05:49 -------- d-----w- c:\programdata\BOINC
2009-12-14 04:42 . 2009-09-13 08:25 -------- d-----w- c:\program files\twitter_search
2009-12-13 23:53 . 2009-07-19 10:54 -------- d-----w- c:\programdata\Lavasoft
2009-12-09 11:39 . 2009-06-03 12:30 -------- d-----w- c:\program files\QuickTime
2009-12-09 11:31 . 2009-04-05 02:32 -------- d-----w- c:\program files\Common Files\Real
2009-12-09 11:07 . 2009-07-19 11:56 -------- d-----w- c:\program files\SmartFTP Client
2009-12-09 11:05 . 2009-09-10 18:02 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files
2009-12-09 11:03 . 2009-09-27 07:10 -------- d-----w- c:\users\Owner\AppData\Roaming\Apple Computer
2009-12-09 10:42 . 2008-08-12 11:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-09 08:11 . 2009-04-05 02:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-09 08:11 . 2009-08-13 21:51 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-09 08:11 . 2009-06-28 20:48 38784 ----a-w- c:\users\Steve\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-09 03:26 . 2009-04-05 04:28 -------- d-----w- c:\users\Steve\AppData\Roaming\uTorrent
2009-12-09 03:08 . 2009-04-02 06:25 -------- d-----w- c:\programdata\Microsoft Help
2009-12-03 13:37 . 2009-12-03 13:33 90 ----a-w- c:\users\Steve\AppData\Roaming\wklnhst.dat
2009-12-03 11:51 . 2009-11-26 21:55 -------- d-----w- c:\program files\Sony Handheld
2009-12-03 11:43 . 2009-10-12 17:47 -------- d-----w- c:\program files\DVD Genie
2009-12-03 11:42 . 2009-08-11 19:29 -------- d---a-w- c:\program files\DoylesRoom
2009-12-03 10:03 . 2009-05-01 05:31 -------- d-----w- c:\program files\TweakVI
2009-12-02 02:55 . 2009-11-28 13:25 88 ----a-w- c:\programdata\BOINC\slots\1\libfftw3f-3-1-1a_upx.dll
2009-12-02 02:55 . 2009-11-28 13:25 100 ----a-w- c:\programdata\BOINC\slots\1\setiathome_6.03_windows_intelx86.exe
2009-11-28 22:21 . 2009-10-15 09:27 -------- d-----w- c:\users\Steve\AppData\Roaming\Spotify
2009-11-28 12:36 . 2009-11-28 12:36 267776 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\setigraphics_6.03_windows_intelx86.exe
2009-11-28 12:36 . 2009-11-28 12:36 406016 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
2009-11-28 12:36 . 2009-11-28 12:36 389120 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\cufft.dll
2009-11-28 12:36 . 2009-11-28 12:36 1445888 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\setiathome_6.08_windows_intelx86__cuda.exe
2009-11-28 12:36 . 2009-11-28 12:36 192512 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\cudart.dll
2009-11-28 12:35 . 2009-11-28 12:35 -------- d-----w- c:\program files\BOINC
2009-11-28 11:49 . 2009-11-28 11:49 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-27 19:34 . 2009-11-27 19:34 -------- d-----w- c:\program files\SystemRequirementsLab
2009-11-27 19:34 . 2009-11-27 19:34 -------- d-----w- c:\users\Steve\AppData\Roaming\SystemRequirementsLab
2009-11-27 19:34 . 2009-11-27 19:34 290816 ----a-w- c:\users\Steve\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-11-27 19:34 . 2009-11-27 19:34 290816 ----a-w- c:\users\Steve\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-11-27 19:34 . 2009-11-27 19:34 290816 ----a-w- c:\users\Steve\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-11-27 19:34 . 2009-11-27 19:34 290816 ----a-w- c:\users\Steve\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-11-26 22:56 . 2009-11-26 22:20 -------- d-----w- c:\program files\Documents To Go
2009-11-26 22:06 . 2009-11-26 22:06 -------- d-----w- c:\programdata\SonicStage
2009-11-26 22:05 . 2009-11-26 22:02 -------- d-----w- c:\program files\Sony
2009-11-26 22:05 . 2009-11-26 22:05 -------- d-----w- c:\programdata\Sony Corporation
2009-11-26 22:04 . 2009-11-26 22:02 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-11-26 22:03 . 2009-11-26 22:03 -------- d-----w- c:\program files\directx
2009-11-26 21:56 . 2009-11-26 21:56 65536 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}\PalmDesktopShortcut.exe
2009-11-26 21:56 . 2009-11-26 21:56 65536 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}\ARPPRODUCTICON.exe
2009-11-26 21:33 . 2009-04-02 06:31 141984 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-26 10:04 . 2009-11-10 11:10 -------- d-----w- c:\program files\Opera
2009-11-25 06:58 . 2009-04-03 14:01 141984 ----a-w- c:\users\Steve\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-22 10:06 . 2009-11-22 10:06 -------- d-----w- c:\users\Steve\AppData\Roaming\Amazon
2009-11-21 06:40 . 2009-12-08 23:39 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-08 23:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-08 23:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-14 12:17 . 2008-12-30 07:58 -------- d-----w- c:\programdata\NVIDIA
2009-11-14 12:10 . 2009-11-14 12:10 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-14 12:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-14 12:10 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-14 12:09 . 2009-11-14 12:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-12 19:59 . 2001-09-16 12:40 81920 ----a-w- c:\windows\system32\nuvyuv.dll
2009-11-12 19:59 . 2001-09-16 12:32 154976 ----a-w- c:\windows\system32\drivers\NUVision.sys
2009-11-12 19:59 . 2001-02-01 09:00 139264 ----a-w- c:\windows\system32\NUVTwain.dll
2009-11-12 17:21 . 2009-11-12 17:13 -------- d-----w- c:\programdata\Norton
2009-11-12 17:13 . 2008-08-12 11:33 -------- d-----w- c:\programdata\Symantec
2009-11-12 17:13 . 2009-11-12 17:13 -------- d-----w- c:\programdata\NortonInstaller
2009-11-12 17:10 . 2009-05-23 10:50 680 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2009-11-12 17:01 . 2009-10-12 13:52 -------- d-----w- c:\programdata\NOS
2009-11-11 20:58 . 2009-09-04 14:22 -------- d-----w- c:\program files\thecloud
2009-11-11 20:36 . 2009-09-04 14:23 -------- d-----w- c:\users\Owner\AppData\Roaming\Devicescape
2009-11-10 12:17 . 2009-11-10 12:19 661 ----a-w- c:\windows\Fonts\FGAaron.pfm
2009-11-10 11:46 . 2009-11-10 11:45 -------- d-----w- c:\program files\SeaMonkey
2009-11-10 11:26 . 2009-11-10 11:23 -------- d-----w- c:\program files\Cool Free All Video to Mp4 MPEG Converter
2009-11-10 11:23 . 2009-11-10 11:23 34 ---ha-w- c:\windows\system32\Converter_sysquict.dat
2009-11-10 11:21 . 2009-11-10 11:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-11-09 17:21 . 2009-11-09 17:21 -------- d-----w- c:\users\Steve\AppData\Roaming\muvee Technologies
2009-11-08 17:14 . 2009-11-08 17:14 -------- d-----w- c:\program files\DoremiLabs
2009-11-06 16:58 . 2009-11-06 16:58 803584 ----a-w- c:\windows\boinc.scr
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-05 21:16 . 2009-11-05 21:16 73728 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-05 16:05 . 2009-04-02 21:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 18:05 . 2009-11-02 18:05 167064 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-02 18:05 . 2009-11-02 18:05 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-01 09:05 . 2009-11-01 09:03 -------- d-----w- c:\program files\iTunes
2009-11-01 09:03 . 2009-11-01 09:03 -------- d-----w- c:\program files\iPod
2009-11-01 09:03 . 2009-09-13 07:18 -------- d-----w- c:\program files\Common Files\Apple
2009-11-01 09:03 . 2009-09-13 07:24 -------- d-----w- c:\programdata\Apple Computer
2009-11-01 08:55 . 2009-11-01 08:55 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-12 13:48 . 2009-07-23 16:47 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-08-12 09:48 . 2008-08-12 09:48 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e85b2fb9-5de8-4565-83bd-302de8e528d1}"= "c:\program files\twitter_search\tbtwi0.dll" [2009-11-26 2166296]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]
2009-11-26 22:50 2166296 ----a-w- c:\program files\twitter_search\tbtwi0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e85b2fb9-5de8-4565-83bd-302de8e528d1}"= "c:\program files\twitter_search\tbtwi0.dll" [2009-11-26 2166296]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E85B2FB9-5DE8-4565-83BD-302DE8E528D1}"= "c:\program files\twitter_search\tbtwi0.dll" [2009-11-26 2166296]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-04 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"FileHippo.com"="c:\program files\filehippo.com\UpdateChecker.exe" [2009-07-27 155648]
"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2009-09-17 1933381]
"Google Update"="c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-29 135664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-25 68592]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-06-04 32768]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"five Media Manager Tray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2008-05-21 368640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2009-03-10 468264]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-05 149280]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-11-06 4793088]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-11-06 58112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-09 198160]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DigiGuide TV Guide.lnk - c:\program files\DigiGuide TV Guide\Client.exe [2009-5-17 570416]
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2002-12-10 299008]

c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DigiGuide - Shortcut.lnk - c:\program files\DigiGuide TV Guide\DigiGuide.exe [2009-5-17 390192]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
DataViz Messenger.lnk - c:\windows\DvzCommon\DvzMsgr.exe [2009-11-26 24576]
PhraseExpress.lnk - c:\program files\PhraseExpress\phraseexpress.exe [2009-5-25 6244688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GO333C~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d0,86,df,c7,28,e5,c9,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [13/12/2009 11:56 PM 64288]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [16/01/2009 10:31 PM 161064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 1:19 PM 1181328]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [09/07/2009 11:15 AM 26104]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [12/08/2008 1:26 PM 361808]
R2 SCRCAMHRDRV;ScreenCamera HR;c:\windows\System32\drivers\SCRCAMHRDRV.sys [09/12/2009 10:42 AM 234304]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [12/08/2008 12:01 PM 193840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [21/08/2009 8:24 PM 66592]
S2 gupdate1c9b54c4632c4ce;Google Update Service (gupdate1c9b54c4632c4ce);c:\program files\Google\Update\GoogleUpdate.exe [04/04/2009 5:39 PM 133104]
S3 ECS_Loader_220;Digital TV Receiver Firmware Loader 5.10.31.0;c:\windows\System32\drivers\ECS_Loader_220.sys [31/10/2005 10:28 AM 15616]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21/01/2008 2:23 AM 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [01/10/2009 7:15 PM 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 9:48 PM 704864]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [23/07/2009 4:46 PM 30192]
S3 NUVision;USB Video Adapter;c:\windows\System32\drivers\NUVision.sys [16/09/2001 12:32 PM 154976]
S3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [17/06/2009 12:20 PM 12648]
S3 ST330;ST330;c:\windows\System32\drivers\st330.sys [30/10/2009 10:11 AM 30464]
S3 STBUS;STBUS;c:\windows\System32\drivers\stbus.sys [30/10/2009 10:11 AM 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\System32\drivers\stppp.sys [30/10/2009 10:11 AM 35328]
S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\System32\drivers\V0470Vid.sys [08/05/2009 8:04 PM 146720]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 12:28 AM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\System32\drivers\RsFx0103.sys [30/03/2009 2:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 2:23 AM 366936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-04 17:39]

2009-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-04 17:39]

2009-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1544574244-251867173-3466954505-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:50]

2009-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1544574244-251867173-3466954505-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:50]

2009-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1544574244-251867173-3466954505-1001Core.job
- c:\users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:50]

2009-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1544574244-251867173-3466954505-1001UA.job
- c:\users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:50]

2009-12-26 c:\windows\Tasks\HPCeeScheduleForSteve.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-12 22:14]

2009-12-29 c:\windows\Tasks\User_Feed_Synchronization-{58ED5000-C66C-448E-A6CF-BC6C6E5B99CA}.job
- c:\windows\system32\msfeedssync.exe [2009-12-08 04:59]

2009-12-29 c:\windows\Tasks\User_Feed_Synchronization-{AA02590E-B30B-4974-BCB7-4A3715216165}.job
- c:\windows\system32\msfeedssync.exe [2009-12-08 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=83&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8jr3c6d1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?shva=1#inbox|http://mail.live.com/default.aspx?wa=wsignin1.0|http://www.facebook.com/home.php?|http://apps.facebook.com/fishwrangler/my|http://apps.facebook.com/mousehunt/
FF - prefs.js: keyword.URL - hxxp://www.offos.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=Ec8KTjNB&q=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8jr3c6d1.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\Entriq\MediaSphere\3.8.2.9\npEntriqMediaMozillaPlugin.dll
FF - plugin: c:\program files\Entriq\MediaSphere\3.8.2.9\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Owner\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogIe
FF - user.js: keyword.URL - hxxp://www.offos.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=Ec8KTjNB&q=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 19:55
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\H*P* ]
@Allowed: (Read) (RestrictedCode)
@SACL=(02 0001)
"Order"=hex:08,00,00,00,02,00,00,00,e2,06,00,00,01,00,00,00,0e,00,00,00,72,00,
00,00,00,00,00,00,64,00,32,00,cd,00,00,00,00,7d,2f,a8,20,00,41,43,43,45,53,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\L*i*n*k*s* \From Internet Explorer]
"Order"=hex:08,00,00,00,02,00,00,00,a4,05,00,00,01,00,00,00,0a,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,32,00,cd,00,00,00,00,a1,af,ad,20,00,42,54,59,41,48,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\S*t*u*m*b*l*e*U*p*o*n* \Commerce]
"Order"=hex:08,00,00,00,02,00,00,00,d0,00,00,00,01,00,00,00,01,00,00,00,c4,00,
00,00,00,00,00,00,b6,00,32,00,cd,00,00,00,00,9b,aa,b1,20,00,35,54,49,50,53,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\S*t*u*m*b*l*e*U*p*o*n* \Computers]
"Order"=hex:08,00,00,00,02,00,00,00,9a,00,00,00,01,00,00,00,01,00,00,00,8e,00,
00,00,00,00,00,00,80,00,32,00,cd,00,00,00,00,1c,26,77,20,00,53,54,52,45,45,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\S*t*u*m*b*l*e*U*p*o*n* \Outdoors]
"Order"=hex:08,00,00,00,02,00,00,00,a8,00,00,00,01,00,00,00,01,00,00,00,9c,00,
00,00,00,00,00,00,8e,00,32,00,cd,00,00,00,00,46,6b,3a,20,00,53,4c,49,47,48,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\T*v* ]
@Allowed: (Read) (RestrictedCode)
@SACL=(02 0001)
"Order"=hex:08,00,00,00,02,00,00,00,30,02,00,00,01,00,00,00,03,00,00,00,b8,00,
00,00,02,00,00,00,aa,00,32,00,cd,00,00,00,00,6e,d5,75,20,00,48,55,4c,55,2d,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1000\Software\SecuROM\License information*]
"datasecu"=hex:ab,92,af,e7,b9,35,a8,58,ea,23,4b,31,b8,4b,d4,e4,9c,ed,27,a3,1b,
08,a5,84,af,66,66,e8,cb,c6,7a,4b,d8,aa,45,62,9e,71,41,44,bf,c1,34,9d,b2,21,\
"rkeysecu"=hex:db,6e,af,6e,5b,0a,cb,8b,ef,c8,5d,af,34,26,fb,e8

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\C*i*n*e*m*a* \Common Links]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\H*P* ]
@Allowed: (Read) (RestrictedCode)
@SACL=(02 0001)
"Order"=hex:08,00,00,00,02,00,00,00,e2,06,00,00,01,00,00,00,0e,00,00,00,72,00,
00,00,00,00,00,00,64,00,32,00,cd,00,00,00,00,ce,c4,1e,20,00,41,43,43,45,53,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\L*i*n*k*s* \From Internet Explorer]
"Order"=hex:08,00,00,00,02,00,00,00,a4,05,00,00,01,00,00,00,0a,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,32,00,cd,00,00,00,00,cc,d1,89,20,00,42,54,59,41,48,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\S*t*u*m*b*l*e*U*p*o*n* \Commerce]
"Order"=hex:08,00,00,00,02,00,00,00,d0,00,00,00,01,00,00,00,01,00,00,00,c4,00,
00,00,00,00,00,00,b6,00,32,00,cd,00,00,00,00,55,3d,5b,20,00,35,54,49,50,53,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\S*t*u*m*b*l*e*U*p*o*n* \Computers]
"Order"=hex:08,00,00,00,02,00,00,00,9a,00,00,00,01,00,00,00,01,00,00,00,8e,00,
00,00,00,00,00,00,80,00,32,00,cd,00,00,00,00,d3,3b,ab,20,00,53,54,52,45,45,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\S*t*u*m*b*l*e*U*p*o*n* \Outdoors]
"Order"=hex:08,00,00,00,02,00,00,00,a8,00,00,00,01,00,00,00,01,00,00,00,9c,00,
00,00,00,00,00,00,8e,00,32,00,cd,00,00,00,00,2f,c4,3c,20,00,53,4c,49,47,48,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\T*v* ]
@Allowed: (Read) (RestrictedCode)
@SACL=(02 0001)
"Order"=hex:08,00,00,00,02,00,00,00,30,02,00,00,01,00,00,00,03,00,00,00,b8,00,
00,00,02,00,00,00,aa,00,32,00,cd,00,00,00,00,4e,d1,88,20,00,48,55,4c,55,2d,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\U*s*e*f*u*l*l* \Read It Later]
"Order"=hex:08,00,00,00,02,00,00,00,66,01,00,00,01,00,00,00,03,00,00,00,80,00,
00,00,01,00,00,00,72,00,32,00,cd,00,00,00,00,e0,18,92,20,00,48,45,52,4f,27,\

[HKEY_USERS\S-1-5-21-1544574244-251867173-3466954505-1001\Software\SecuROM\License information*]
"datasecu"=hex:36,84,26,fb,83,82,7f,8b,ef,64,54,c1,57,ec,a5,99,b1,45,65,c8,41,
66,ca,48,8c,ab,e9,24,d1,80,a1,fd,ce,a5,ea,b8,bf,9d,85,9d,5f,de,eb,09,97,07,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-29 19:59:28
ComboFix-quarantined-files.txt 2009-12-29 19:59

Pre-Run: 36,244,361,216 bytes free
Post-Run: 37,311,246,336 bytes free

- - End Of File - - E2CCC2ADCF2C3906D1E0754BD04E5B73

#10 barry.a

Posted 30 December 2009 - 02:23 PM

Hi Tom,
The above ComboFix log doesn't look like mine.
This is last night's; sorry, God knows where that one came from.
Barry

ComboFix 09-12-29.04 - pcw 30/12/2009 0:31.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.556 [GMT 0:00]
Running from: c:\documents and settings\pcw\Desktop\schrauber.exe
AV: avast! antivirus 4.8.1368 [VPS 091229-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\020000004c2037f5515C.manifest
c:\documents and settings\Administrator\Application Data\020000004c2037f5515O.manifest
c:\documents and settings\Administrator\Application Data\020000004c2037f5515P.manifest
c:\documents and settings\Administrator\Application Data\020000004c2037f5515S.manifest
c:\documents and settings\pcw\Application Data\020000004c2037f5515C.manifest
c:\documents and settings\pcw\Application Data\020000004c2037f5515O.manifest
c:\documents and settings\pcw\Application Data\020000004c2037f5515P.manifest
c:\documents and settings\pcw\Application Data\020000004c2037f5515S.manifest
c:\documents and settings\Ross\Application Data\020000004c2037f5515C.manifest
c:\documents and settings\Ross\Application Data\020000004c2037f5515O.manifest
c:\documents and settings\Ross\Application Data\020000004c2037f5515P.manifest
c:\documents and settings\Ross\Application Data\020000004c2037f5515S.manifest
c:\recycler\S-1-5-21-1782961997-1088347588-4149019241-1003
c:\windows\Downloaded Program Files\Quarantine
c:\windows\explorers.exe
c:\windows\microsoftdefend.dll
c:\windows\regp.exe
c:\windows\secureit.com
c:\windows\spoos.exe
c:\windows\system32\2217294423.dat
c:\windows\system32\ctfmon_ox.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\wl.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Service_Boonty Games


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-29 14:36 . 2009-12-29 14:37 -------- d-----w- c:\program files\SpeedFan
2009-12-29 14:26 . 2009-12-29 14:27 -------- d-----w- c:\program files\CPU Thermometer
2009-12-27 22:40 . 2009-12-27 22:40 -------- d-----w- c:\program files\Xvid
2009-12-27 22:40 . 2008-12-04 21:46 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-12-27 22:40 . 2008-12-04 21:42 815104 ----a-w- c:\windows\system32\xvidcore.dll
2009-12-27 22:37 . 2009-12-29 15:26 -------- d-----w- c:\program files\Avi2Dvd
2009-12-25 10:12 . 2009-12-26 07:01 -------- d-----w- c:\documents and settings\pcw\Application Data\DivX
2009-12-25 07:03 . 2009-11-14 00:49 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-12-25 07:03 . 2009-11-14 00:49 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-12-25 07:03 . 2009-11-14 00:49 129784 ------w- c:\windows\system32\pxafs.dll
2009-12-23 00:14 . 2009-12-23 00:14 -------- d-----w- c:\windows\system32\Adobe
2009-12-22 17:27 . 2009-12-22 17:27 -------- d-----w- c:\program files\Nuclear Coffee
2009-12-15 19:54 . 2009-12-15 19:54 -------- d-----w- c:\program files\EA GAMES
2009-12-06 15:38 . 2009-12-06 15:38 -------- d-----w- c:\program files\Common Files\PCSuite
2009-12-06 15:37 . 2009-12-06 15:37 -------- d-----w- c:\program files\PC Connectivity Solution
2009-12-06 15:35 . 2009-12-06 15:35 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-12-06 15:35 . 2009-12-06 15:35 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-12-06 15:35 . 2009-12-06 15:35 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-12-06 15:35 . 2009-12-06 15:35 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-12-06 15:35 . 2009-12-06 15:35 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 17:34 . 2009-12-29 20:22 3548160 ----a-w- c:\windows\Internet Logs\xDB57.tmp
2009-12-29 17:34 . 2009-12-29 20:22 94208 ----a-w- c:\windows\Internet Logs\xDB56.tmp
2009-12-29 15:28 . 2006-06-19 13:35 -------- d-----w- c:\program files\DivX
2009-12-29 15:26 . 2009-02-24 20:23 -------- d-----w- c:\program files\AviSynth 2.5
2009-12-28 22:53 . 2009-12-28 22:55 47104 ----a-w- c:\windows\Internet Logs\xDB55.tmp
2009-12-28 21:09 . 2009-12-28 21:20 3527680 ----a-w- c:\windows\Internet Logs\xDB54.tmp
2009-12-28 21:09 . 2009-12-28 21:20 122880 ----a-w- c:\windows\Internet Logs\xDB53.tmp
2009-12-28 13:00 . 2006-01-24 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-28 11:46 . 2009-12-29 14:16 270558 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-12-28 09:23 . 2006-01-24 11:13 -------- d-----w- c:\program files\DVD Shrink
2009-12-28 03:31 . 2009-12-28 08:26 3523072 ----a-w- c:\windows\Internet Logs\xDB52.tmp
2009-12-28 03:31 . 2009-12-28 08:26 811008 ----a-w- c:\windows\Internet Logs\xDB51.tmp
2009-12-26 21:27 . 2009-12-27 00:02 3512832 ----a-w- c:\windows\Internet Logs\xDB50.tmp
2009-12-26 09:37 . 2009-12-26 12:53 3512320 ----a-w- c:\windows\Internet Logs\xDB4F.tmp
2009-12-25 23:16 . 2009-12-26 06:46 3508736 ----a-w- c:\windows\Internet Logs\xDB4E.tmp
2009-12-25 21:11 . 2006-09-23 15:14 4757391 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-25 18:36 . 2009-12-25 21:11 3520512 ----a-w- c:\windows\Internet Logs\xDB4D.tmp
2009-12-25 07:02 . 2009-11-14 20:33 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-25 06:54 . 2006-01-01 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-23 00:35 . 2009-12-23 11:11 3513856 ----a-w- c:\windows\Internet Logs\xDB4C.tmp
2009-12-23 00:34 . 2009-12-23 11:11 927232 ----a-w- c:\windows\Internet Logs\xDB4B.tmp
2009-12-21 12:51 . 2009-10-30 12:49 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-21 12:51 . 2009-10-30 12:49 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-21 12:51 . 2009-10-30 12:49 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-21 12:51 . 2009-10-30 12:49 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-21 12:51 . 2009-10-30 12:49 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-21 12:51 . 2009-10-30 12:49 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-21 12:50 . 2009-10-30 12:48 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-21 12:50 . 2009-10-30 12:48 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-21 12:50 . 2009-10-30 12:46 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-21 12:50 . 2009-10-30 12:46 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-21 12:50 . 2009-10-30 12:46 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-21 12:50 . 2009-10-30 12:46 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-21 12:50 . 2009-10-30 12:46 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-17 22:15 . 2009-12-18 14:10 81920 ----a-w- c:\windows\Internet Logs\xDB4A.tmp
2009-12-16 20:49 . 2009-12-17 17:56 168448 ----a-w- c:\windows\Internet Logs\xDB49.tmp
2009-12-15 19:54 . 2005-04-29 19:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-15 17:26 . 2009-12-15 19:39 1410048 ----a-w- c:\windows\Internet Logs\xDB48.tmp
2009-12-10 18:51 . 2009-11-14 20:13 -------- d-----w- c:\program files\Driver Checker
2009-12-06 15:57 . 2006-01-01 15:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-06 15:38 . 2009-04-02 11:06 -------- d-----w- c:\program files\Common Files\Nokia
2009-12-06 15:38 . 2005-11-10 17:01 -------- d-----w- c:\program files\Nokia
2009-12-06 15:35 . 2009-04-02 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-12-06 01:19 . 2009-12-06 07:30 3431936 ----a-w- c:\windows\Internet Logs\xDB47.tmp
2009-11-30 12:49 . 2009-10-30 12:49 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-11-30 12:49 . 2009-10-30 12:48 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-30 12:49 . 2009-10-30 12:48 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-30 12:49 . 2009-10-30 12:47 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-29 14:59 . 2009-11-29 19:38 404480 ----a-w- c:\windows\Internet Logs\xDB46.tmp
2009-11-27 22:42 . 2009-11-28 06:15 90112 ----a-w- c:\windows\Internet Logs\xDB45.tmp
2009-11-26 21:01 . 2009-11-27 06:41 84480 ----a-w- c:\windows\Internet Logs\xDB44.tmp
2009-11-25 21:27 . 2009-11-26 18:09 117760 ----a-w- c:\windows\Internet Logs\xDB43.tmp
2009-11-25 00:15 . 2009-11-25 15:24 145920 ----a-w- c:\windows\Internet Logs\xDB42.tmp
2009-11-24 23:54 . 2007-05-09 18:58 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2007-05-09 18:58 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2007-05-09 18:58 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-08-24 18:06 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-08-24 18:06 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2007-05-09 18:58 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2007-05-09 18:58 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2007-05-09 18:58 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2007-05-09 18:58 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-11-24 00:34 . 2009-11-24 14:45 478720 ----a-w- c:\windows\Internet Logs\xDB41.tmp
2009-11-21 15:51 . 2004-08-10 15:37 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 23:29 . 2009-11-19 18:18 384000 ----a-w- c:\windows\Internet Logs\xDB40.tmp
2009-11-15 13:15 . 2009-11-15 13:06 -------- d-----w- c:\program files\Return to Castle Wolfenstein - Platinum Edition
2009-11-15 00:46 . 2009-11-15 07:52 421888 ----a-w- c:\windows\Internet Logs\xDB3F.tmp
2009-11-14 20:30 . 2009-11-14 20:30 831488 ----a-w- c:\windows\RtlExUpd.dll
2009-11-14 17:06 . 2009-11-14 17:06 -------- d-----w- c:\program files\Save Tube Video Company
2009-11-14 12:23 . 2005-04-29 19:44 -------- d-----w- c:\program files\Java
2009-11-14 12:22 . 2009-11-14 12:22 152576 ----a-w- c:\documents and settings\pcw\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-14 12:22 . 2009-11-14 12:18 79488 ----a-w- c:\documents and settings\pcw\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-14 08:20 . 2009-11-14 08:21 8704 ----a-w- c:\windows\system32\drivers\vhubwtnaovau.sys
2009-11-14 03:49 . 2009-10-30 11:34 -------- d-----w- c:\documents and settings\pcw\Application Data\MetaProducts
2009-11-14 00:49 . 2006-06-19 13:36 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49 . 2006-06-19 13:36 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-14 00:49 . 2004-10-21 02:03 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-10 19:49 . 2009-11-10 22:22 122880 ----a-w- c:\windows\Internet Logs\xDB3E.tmp
2009-11-09 17:57 . 2009-11-09 17:59 67584 ----a-w- c:\windows\Internet Logs\xDB3D.tmp
2009-11-08 07:55 . 2009-11-08 07:55 -------- d-----w- c:\program files\IEEE 802.11g Wireless LAN Utility
2009-11-07 22:41 . 2009-11-07 22:42 434688 ----a-w- c:\windows\Internet Logs\xDB3C.tmp
2009-11-06 11:23 . 2009-10-30 18:06 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-06 11:22 . 2009-11-06 11:22 -------- d-----w- c:\program files\Tenda
2009-11-04 23:13 . 2009-11-05 08:20 3319296 ----a-w- c:\windows\Internet Logs\xDB3B.tmp
2009-11-04 23:13 . 2009-11-05 08:20 70144 ----a-w- c:\windows\Internet Logs\xDB3A.tmp
2009-11-03 23:16 . 2009-11-04 14:18 66560 ----a-w- c:\windows\Internet Logs\xDB39.tmp
2009-11-03 18:07 . 2009-11-03 21:01 133632 ----a-w- c:\windows\Internet Logs\xDB38.tmp
2009-11-01 23:14 . 2009-11-02 16:57 361984 ----a-w- c:\windows\Internet Logs\xDB37.tmp
2009-11-01 16:19 . 2009-11-01 16:14 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-11-01 16:19 . 2009-11-01 16:14 -------- d-----w- c:\program files\AVS4YOU
2009-11-01 16:15 . 2009-11-01 16:15 -------- d-----w- c:\documents and settings\pcw\Application Data\AVS4YOU
2009-11-01 16:15 . 2009-11-01 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-11-01 16:15 . 2005-05-26 15:57 70904 ----a-w- c:\documents and settings\pcw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-01-28 110740]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2005-12-12 222784]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Maz\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-6-22 139776]

c:\documents and settings\pcw\Start Menu\Programs\Startup\
IEEE 802.11g Wireless LAN Utility.lnk - c:\program files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe [2009-11-8 655360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-10 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Boonty Games"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AOL 9.0\\aol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36052:TCP"= 36052:TCP:*:Disabled:ppLive
"47930:UDP"= 47930:UDP:*:Disabled:ppLive

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/10/2009 12:50 64288]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/04/2009 06:23 717296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24/08/2009 18:06 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 08:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 08:43 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24/08/2009 18:06 20560]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [13/01/2005 15:22 12032]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1181328]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [29/08/2008 20:25 40832]
S3 rt2870;Belkin 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 08:43 7408]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusb.sys [11/08/2007 18:15 70272]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [11/08/2007 18:11 72576]
S3 WlanUIG;EDUP 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [10/10/2009 08:54 376224]
S4 HU200SVC;HU200SVC;c:\program files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe [30/10/2009 18:06 41025]
S4 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [27/04/2009 17:09 93960]
.
Contents of the 'Scheduled Tasks' folder

2009-12-28 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]

2009-12-29 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]

2009-12-28 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]

2009-12-28 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]

2009-12-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/emailandcommunicate/
uInternet Connection Wizard,ShellNext = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=OEM4
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
FF - ProfilePath - c:\documents and settings\pcw\Application Data\Mozilla\Firefox\Profiles\lbs8d6pk.default\
FF - prefs.js: browser.search.selectedEngine - GoogleFeed.net
FF - prefs.js: browser.startup.homepage - hxxp://www.orange.co.uk/communicate/email/?linkfrom=hp4&link=leftnav_pos_3_link_2&article=todaypage09leftnavcommunicate
FF - plugin: c:\documents and settings\pcw\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{5A752268-6896-38A7-9890-BF1305A56265} - (no file)
SSODL-InternetProvider-{14DA7AA4-40B1-430C-A354-2C826124343E} - c:\documents and settings\All Users\Microsoft PData\inetprovider.dll
MSConfigStartUp-STManager - c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe
AddRemove-san_std_2002 - c:\program files\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 00:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys spgp.sys >>UNKNOWN [0x87180938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7610f28
\Driver\ACPI -> ACPI.sys @ 0xf72fbcb8
\Driver\atapi -> sfsync02.sys @ 0xf755d8b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1024749985-1777872257-1275195283-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1024749985-1777872257-1275195283-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9CA8DFDB-495A-5033-10C7-03B607E3EC91}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1024749985-1777872257-1275195283-1006\Software\SecuROM\License information*]
"datasecu"=hex:30,63,c2,64,65,43,d7,bd,aa,e7,16,72,a3,71,1d,83,78,02,18,6e,43,
af,5c,c1,eb,6a,d8,2a,4f,d4,72,d4,61,7e,37,a8,5b,97,50,10,73,5e,9c,15,87,6d,\
"rkeysecu"=hex:91,58,54,db,82,ca,6f,74,34,78,54,3b,c2,64,0a,e7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3648)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\apps\HIDSERVICE\HIDSERVICE.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2009-12-30 00:46:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 00:45

Pre-Run: 22,335,459,328 bytes free
Post-Run: 22,209,073,152 bytes free

- - End Of File - - B7D62A98F1EBA82A1CCF480F2D1FBF24

#11 schrauber

schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 31 December 2009 - 06:10 AM

Hi,


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

RegNull::
[HKEY_USERS\S-1-5-21-1024749985-1777872257-1275195283-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9CA8DFDB-495A-5033-10C7-03B607E3EC91}*]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by schrauber, 31 December 2009 - 06:11 AM.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
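A helper reads a ComboFix log section by section before writing any CFScript directive. As an added example (not part of this thread or of ComboFix itself), the Python below parses the 'Reg Loading Points', 'ORPHANS REMOVED' and 'LOCKED REGISTRY KEYS' sections in the format quoted above and lists the settings that weaken the host's defences; its sample log is constructed in that format, and the SID and CLSID values in it are placeholders.

```python
"""Triage helper for the ComboFix log format quoted in this thread.

Added example, not part of the thread or of ComboFix. It reports Security
Center overrides, a disabled firewall profile, orphaned load points that
still name a file, and locked per-user shell-extension approvals: the lines
a helper looks at before deciding on SecCenter:: or RegNull:: directives.
"""
import re

# Constructed sample in the ComboFix log format (placeholder SID and CLSIDs).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

BHO-{00000000-0000-0000-0000-000000000001} - (no file)
SSODL-InternetProvider-{00000000-0000-0000-0000-000000000002} - c:\documents and settings\All Users\Microsoft PData\inetprovider.dll

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-0-0-0-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-0-0-0-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00000000-0000-0000-0000-000000000003}*]
@Allowed: (Read) (RestrictedCode)
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                     # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')       # "Name"=value
ORPHAN_RE = re.compile(r'^([A-Za-z]+)-(.+?) - (.+)$')  # KIND-entry - target
SECTION_MARKERS = (('Reg Loading Points', 'loadpoints'),
                   ('ORPHANS REMOVED', 'orphans'),
                   ('LOCKED REGISTRY KEYS', 'locked'))


def parse_combofix(text):
    """Split the log into registry values, orphaned load points and locked keys."""
    section, key = None, None
    values, orphans, locked = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        for marker, name in SECTION_MARKERS:
            if marker in line:
                section, key = name, None
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            if section == 'locked':
                locked.append(key)
            continue
        if section == 'loadpoints' and key:
            value_match = VALUE_RE.match(line)
            if value_match:
                values[(key, value_match.group(1))] = value_match.group(2).strip()
        elif section == 'orphans':
            orphan_match = ORPHAN_RE.match(line)
            if orphan_match:
                orphans.append(orphan_match.groups())
    return {'values': values, 'orphans': orphans, 'locked': locked}


def _as_int(value):
    """Decode 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    if value.startswith('dword:'):
        return int(value[6:], 16)
    head = value.split(' ', 1)[0]
    return int(head) if head.isdigit() else None


def weakened_defences(parsed):
    """Return findings for settings that weaken protection on this host."""
    findings = []
    for (key, name), value in parsed['values'].items():
        k = key.lower()
        if k.endswith('\\security center') and name == 'AntiVirusOverride' and _as_int(value) == 1:
            findings.append('AntiVirusOverride=1: Security Center antivirus alerts suppressed')
        elif '\\security center\\monitoring\\' in k and name == 'DisableMonitoring' and _as_int(value) == 1:
            findings.append('DisableMonitoring=1 for ' + key.rsplit('\\', 1)[1])
        elif k.endswith('firewallpolicy\\standardprofile') and name == 'EnableFirewall' and _as_int(value) == 0:
            findings.append('EnableFirewall=0: Windows Firewall off for the standard profile')
    for kind, entry, target in parsed['orphans']:
        if target != '(no file)':  # load point removed, but the file it named may remain on disk
            findings.append('orphaned %s entry %s pointed at %s' % (kind, entry, target))
    for key in parsed['locked']:
        if 'shell extensions\\approved' in key.lower():
            findings.append('locked per-user shell extension approval: ' + key)
    return findings


if __name__ == '__main__':
    for finding in weakened_defences(parse_combofix(SAMPLE_LOG)):
        print('-', finding)
```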

#12 barry.a

barry.a
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:London

Posted 31 December 2009 - 06:53 AM

Hi Tom
here's the cfix log
thanks
Barry
PS: why does it say ZoneAlarm and avast are enabled? I did disable these!

ComboFix 09-12-29.04 - pcw 31/12/2009 11:28:08.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.573 [GMT 0:00]
Running from: c:\documents and settings\pcw\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\pcw\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091230-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-30 17:34 . 2009-12-30 17:47 -------- d-----w- C:\schrauber
2009-12-29 14:36 . 2009-12-29 14:37 -------- d-----w- c:\program files\SpeedFan
2009-12-29 14:26 . 2009-12-29 14:27 -------- d-----w- c:\program files\CPU Thermometer
2009-12-27 22:40 . 2009-12-27 22:40 -------- d-----w- c:\program files\Xvid
2009-12-27 22:40 . 2008-12-04 21:46 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-12-27 22:40 . 2008-12-04 21:42 815104 ----a-w- c:\windows\system32\xvidcore.dll
2009-12-27 22:37 . 2009-12-29 15:26 -------- d-----w- c:\program files\Avi2Dvd
2009-12-25 10:12 . 2009-12-26 07:01 -------- d-----w- c:\documents and settings\pcw\Application Data\DivX
2009-12-25 07:03 . 2009-11-14 00:49 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-12-25 07:03 . 2009-11-14 00:49 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-12-25 07:03 . 2009-11-14 00:49 129784 ------w- c:\windows\system32\pxafs.dll
2009-12-23 00:14 . 2009-12-23 00:14 -------- d-----w- c:\windows\system32\Adobe
2009-12-22 17:27 . 2009-12-22 17:27 -------- d-----w- c:\program files\Nuclear Coffee
2009-12-15 19:54 . 2009-12-15 19:54 -------- d-----w- c:\program files\EA GAMES
2009-12-06 15:38 . 2009-12-06 15:38 -------- d-----w- c:\program files\Common Files\PCSuite
2009-12-06 15:37 . 2009-12-06 15:37 -------- d-----w- c:\program files\PC Connectivity Solution
2009-12-06 15:35 . 2009-12-06 15:35 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-12-06 15:35 . 2009-12-06 15:35 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-12-06 15:35 . 2009-12-06 15:35 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-12-06 15:35 . 2009-12-06 15:35 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-12-06 15:35 . 2009-12-06 15:35 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 17:34 . 2009-12-29 20:22 3548160 ----a-w- c:\windows\Internet Logs\xDB57.tmp
2009-12-29 17:34 . 2009-12-29 20:22 94208 ----a-w- c:\windows\Internet Logs\xDB56.tmp
2009-12-29 15:28 . 2006-06-19 13:35 -------- d-----w- c:\program files\DivX
2009-12-29 15:26 . 2009-02-24 20:23 -------- d-----w- c:\program files\AviSynth 2.5
2009-12-28 22:53 . 2009-12-28 22:55 47104 ----a-w- c:\windows\Internet Logs\xDB55.tmp
2009-12-28 21:09 . 2009-12-28 21:20 3527680 ----a-w- c:\windows\Internet Logs\xDB54.tmp
2009-12-28 21:09 . 2009-12-28 21:20 122880 ----a-w- c:\windows\Internet Logs\xDB53.tmp
2009-12-28 13:00 . 2006-01-24 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-28 11:46 . 2009-12-29 14:16 270558 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-12-28 09:23 . 2006-01-24 11:13 -------- d-----w- c:\program files\DVD Shrink
2009-12-28 03:31 . 2009-12-28 08:26 3523072 ----a-w- c:\windows\Internet Logs\xDB52.tmp
2009-12-28 03:31 . 2009-12-28 08:26 811008 ----a-w- c:\windows\Internet Logs\xDB51.tmp
2009-12-26 21:27 . 2009-12-27 00:02 3512832 ----a-w- c:\windows\Internet Logs\xDB50.tmp
2009-12-26 09:37 . 2009-12-26 12:53 3512320 ----a-w- c:\windows\Internet Logs\xDB4F.tmp
2009-12-25 23:16 . 2009-12-26 06:46 3508736 ----a-w- c:\windows\Internet Logs\xDB4E.tmp
2009-12-25 21:11 . 2006-09-23 15:14 4757391 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-25 18:36 . 2009-12-25 21:11 3520512 ----a-w- c:\windows\Internet Logs\xDB4D.tmp
2009-12-25 07:02 . 2009-11-14 20:33 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-25 06:54 . 2006-01-01 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-23 00:35 . 2009-12-23 11:11 3513856 ----a-w- c:\windows\Internet Logs\xDB4C.tmp
2009-12-23 00:34 . 2009-12-23 11:11 927232 ----a-w- c:\windows\Internet Logs\xDB4B.tmp
2009-12-21 12:51 . 2009-10-30 12:49 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-21 12:51 . 2009-10-30 12:49 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-21 12:51 . 2009-10-30 12:49 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-21 12:51 . 2009-10-30 12:49 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-21 12:51 . 2009-10-30 12:49 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-21 12:51 . 2009-10-30 12:49 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-21 12:50 . 2009-10-30 12:48 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-21 12:50 . 2009-10-30 12:48 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-21 12:50 . 2009-10-30 12:46 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-21 12:50 . 2009-10-30 12:46 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-21 12:50 . 2009-10-30 12:46 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-21 12:50 . 2009-10-30 12:46 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-21 12:50 . 2009-10-30 12:46 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-17 22:15 . 2009-12-18 14:10 81920 ----a-w- c:\windows\Internet Logs\xDB4A.tmp
2009-12-16 20:49 . 2009-12-17 17:56 168448 ----a-w- c:\windows\Internet Logs\xDB49.tmp
2009-12-15 19:54 . 2005-04-29 19:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-15 17:26 . 2009-12-15 19:39 1410048 ----a-w- c:\windows\Internet Logs\xDB48.tmp
2009-12-10 18:51 . 2009-11-14 20:13 -------- d-----w- c:\program files\Driver Checker
2009-12-06 15:57 . 2006-01-01 15:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-06 15:38 . 2009-04-02 11:06 -------- d-----w- c:\program files\Common Files\Nokia
2009-12-06 15:38 . 2005-11-10 17:01 -------- d-----w- c:\program files\Nokia
2009-12-06 15:35 . 2009-04-02 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-12-06 01:19 . 2009-12-06 07:30 3431936 ----a-w- c:\windows\Internet Logs\xDB47.tmp
2009-11-30 12:49 . 2009-10-30 12:49 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-11-30 12:49 . 2009-10-30 12:48 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-30 12:49 . 2009-10-30 12:48 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-30 12:49 . 2009-10-30 12:47 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-29 14:59 . 2009-11-29 19:38 404480 ----a-w- c:\windows\Internet Logs\xDB46.tmp
2009-11-27 22:42 . 2009-11-28 06:15 90112 ----a-w- c:\windows\Internet Logs\xDB45.tmp
2009-11-26 21:01 . 2009-11-27 06:41 84480 ----a-w- c:\windows\Internet Logs\xDB44.tmp
2009-11-25 21:27 . 2009-11-26 18:09 117760 ----a-w- c:\windows\Internet Logs\xDB43.tmp
2009-11-25 00:15 . 2009-11-25 15:24 145920 ----a-w- c:\windows\Internet Logs\xDB42.tmp
2009-11-24 23:54 . 2007-05-09 18:58 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2007-05-09 18:58 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2007-05-09 18:58 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-08-24 18:06 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-08-24 18:06 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2007-05-09 18:58 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2007-05-09 18:58 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2007-05-09 18:58 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2007-05-09 18:58 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-11-24 00:34 . 2009-11-24 14:45 478720 ----a-w- c:\windows\Internet Logs\xDB41.tmp
2009-11-21 15:51 . 2004-08-10 15:37 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 23:29 . 2009-11-19 18:18 384000 ----a-w- c:\windows\Internet Logs\xDB40.tmp
2009-11-15 13:15 . 2009-11-15 13:06 -------- d-----w- c:\program files\Return to Castle Wolfenstein - Platinum Edition
2009-11-15 00:46 . 2009-11-15 07:52 421888 ----a-w- c:\windows\Internet Logs\xDB3F.tmp
2009-11-14 20:30 . 2009-11-14 20:30 831488 ----a-w- c:\windows\RtlExUpd.dll
2009-11-14 17:06 . 2009-11-14 17:06 -------- d-----w- c:\program files\Save Tube Video Company
2009-11-14 12:23 . 2005-04-29 19:44 -------- d-----w- c:\program files\Java
2009-11-14 12:22 . 2009-11-14 12:22 152576 ----a-w- c:\documents and settings\pcw\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-14 12:22 . 2009-11-14 12:18 79488 ----a-w- c:\documents and settings\pcw\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-14 08:20 . 2009-11-14 08:21 8704 ----a-w- c:\windows\system32\drivers\vhubwtnaovau.sys
2009-11-14 03:49 . 2009-10-30 11:34 -------- d-----w- c:\documents and settings\pcw\Application Data\MetaProducts
2009-11-14 00:49 . 2006-06-19 13:36 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49 . 2006-06-19 13:36 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-14 00:49 . 2004-10-21 02:03 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-10 19:49 . 2009-11-10 22:22 122880 ----a-w- c:\windows\Internet Logs\xDB3E.tmp
2009-11-09 17:57 . 2009-11-09 17:59 67584 ----a-w- c:\windows\Internet Logs\xDB3D.tmp
2009-11-08 07:55 . 2009-11-08 07:55 -------- d-----w- c:\program files\IEEE 802.11g Wireless LAN Utility
2009-11-07 22:41 . 2009-11-07 22:42 434688 ----a-w- c:\windows\Internet Logs\xDB3C.tmp
2009-11-06 11:23 . 2009-10-30 18:06 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-06 11:22 . 2009-11-06 11:22 -------- d-----w- c:\program files\Tenda
2009-11-04 23:13 . 2009-11-05 08:20 3319296 ----a-w- c:\windows\Internet Logs\xDB3B.tmp
2009-11-04 23:13 . 2009-11-05 08:20 70144 ----a-w- c:\windows\Internet Logs\xDB3A.tmp
2009-11-03 23:16 . 2009-11-04 14:18 66560 ----a-w- c:\windows\Internet Logs\xDB39.tmp
2009-11-03 18:07 . 2009-11-03 21:01 133632 ----a-w- c:\windows\Internet Logs\xDB38.tmp
2009-11-01 23:14 . 2009-11-02 16:57 361984 ----a-w- c:\windows\Internet Logs\xDB37.tmp
2009-11-01 16:19 . 2009-11-01 16:14 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-11-01 16:19 . 2009-11-01 16:14 -------- d-----w- c:\program files\AVS4YOU
2009-11-01 16:15 . 2009-11-01 16:15 -------- d-----w- c:\documents and settings\pcw\Application Data\AVS4YOU
2009-11-01 16:15 . 2009-11-01 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-11-01 16:15 . 2005-05-26 15:57 70904 ----a-w- c:\documents and settings\pcw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-12-30_00.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-31 11:26 . 2009-12-31 11:26 16384 c:\windows\Temp\Perflib_Perfdata_6dc.dat
- 2009-12-30 00:29 . 2009-12-30 00:29 16384 c:\windows\Temp\Perflib_Perfdata_494.dat
+ 2009-12-31 11:26 . 2009-12-31 11:26 16384 c:\windows\Temp\Perflib_Perfdata_494.dat
+ 2005-05-15 14:34 . 2009-12-30 12:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-05-15 14:34 . 2009-12-28 12:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-05-15 14:34 . 2009-12-30 12:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-05-15 14:34 . 2009-12-28 12:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-01-28 110740]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2005-12-12 222784]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Maz\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-6-22 139776]

c:\documents and settings\pcw\Start Menu\Programs\Startup\
IEEE 802.11g Wireless LAN Utility.lnk - c:\program files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe [2009-11-8 655360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-10 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Boonty Games"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AOL 9.0\\aol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36052:TCP"= 36052:TCP:*:Disabled:ppLive
"47930:UDP"= 47930:UDP:*:Disabled:ppLive

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/10/2009 12:50 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24/08/2009 18:06 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 08:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 08:43 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24/08/2009 18:06 20560]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [13/01/2005 15:22 12032]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/04/2009 06:23 717296]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1181328]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [29/08/2008 20:25 40832]
S3 rt2870;Belkin 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 08:43 7408]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusb.sys [11/08/2007 18:15 70272]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [11/08/2007 18:11 72576]
S3 WlanUIG;EDUP 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [10/10/2009 08:54 376224]
S4 HU200SVC;HU200SVC;c:\program files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe [30/10/2009 18:06 41025]
S4 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [27/04/2009 17:09 93960]
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]

2009-12-30 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]

2009-12-31 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]

2009-12-30 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]

2009-12-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/emailandcommunicate/
uInternet Connection Wizard,ShellNext = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=OEM4
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
FF - ProfilePath - c:\documents and settings\pcw\Application Data\Mozilla\Firefox\Profiles\lbs8d6pk.default\
FF - prefs.js: browser.search.selectedEngine - GoogleFeed.net
FF - prefs.js: browser.startup.homepage - hxxp://www.orange.co.uk/communicate/email/?linkfrom=hp4&link=leftnav_pos_3_link_2&article=todaypage09leftnavcommunicate
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 11:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1024749985-1777872257-1275195283-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1024749985-1777872257-1275195283-1006\Software\SecuROM\License information*]
"datasecu"=hex:30,63,c2,64,65,43,d7,bd,aa,e7,16,72,a3,71,1d,83,78,02,18,6e,43,
af,5c,c1,eb,6a,d8,2a,4f,d4,72,d4,61,7e,37,a8,5b,97,50,10,73,5e,9c,15,87,6d,\
"rkeysecu"=hex:91,58,54,db,82,ca,6f,74,34,78,54,3b,c2,64,0a,e7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-31 11:38:37
ComboFix-quarantined-files.txt 2009-12-31 11:38
ComboFix2.txt 2009-12-30 17:47
ComboFix3.txt 2009-12-30 00:46

Pre-Run: 23,711,375,360 bytes free
Post-Run: 23,668,891,648 bytes free

- - End Of File - - C1E8FDAB068ABD2459CA202410D255BF

#13 schrauber

schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 31 December 2009 - 06:57 AM

Hi,


How is your system running?



Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Step 2

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Step 3
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#14 barry.a

barry.a
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:London

Posted 31 December 2009 - 12:27 PM

Hi Tom,
All 3 scans completed; I'll paste them in the order requested.
Thanks,
Barry

Malwarebytes' Anti-Malware 1.43
Database version: 3462
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

31/12/2009 12:34:33
mbam-log-2009-12-31 (12-34-33).txt

Scan type: Quick Scan
Objects scanned: 138961
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

C:\Documents and Settings\pcw\Desktop\nok\bb5unlockfree-mobile-hacks.co.uk\bb5unlockfree-mobile-hacks.co.uk.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\pcw\Desktop\nok\bb5unlockfree-mobile-hacks.co.uk\bb5unlockfree-mobile-hacks.co.uk\bb5unlockfree-mobile-hacks.co.uk\BB5logunlocker.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP2\A0001789.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\49A Win32/PSW.Agent.NNT trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\mswsock32.dll Win32/PSW.Agent.NOK trojan cleaned by deleting (after the next restart) - quarantined

OTL logfile created on: 31/12/2009 16:52:30 - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\pcw\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 480.00 Mb Available Physical Memory | 47.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.51 Gb Total Space | 22.26 Gb Free Space | 32.48% Space Free | Partition Type: NTFS
Drive D: | 626.03 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 35.15 Gb Total Space | 30.26 Gb Free Space | 86.08% Space Free | Partition Type: NTFS
Drive G: | 39.37 Gb Total Space | 25.73 Gb Free Space | 65.34% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SN045637120196
Current User Name: pcw
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/31 16:49:16 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\pcw\Desktop\OTL.exe
PRC - [2009/11/24 23:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 23:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 23:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/11 10:57:36 | 01,451,520 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
PRC - [2009/10/27 09:26:36 | 00,657,408 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
PRC - [2009/10/27 09:15:44 | 00,132,608 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
PRC - [2009/10/27 09:15:02 | 00,120,832 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/15 23:10:22 | 02,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/02/15 23:10:22 | 00,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/04/14 00:12:22 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/04/14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/29 01:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/12/12 23:18:16 | 00,222,784 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2005/01/28 10:11:42 | 00,737,379 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
PRC - [2005/01/28 10:11:40 | 00,024,576 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
PRC - [2005/01/28 10:11:14 | 00,110,682 | ---- | M] () -- c:\APPS\Powercinema\Kernel\TV\CLSched.exe
PRC - [2005/01/28 10:11:10 | 00,176,220 | ---- | M] () -- c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
PRC - [2005/01/28 10:10:32 | 00,110,740 | ---- | M] (CyberLink Corp.) -- C:\APPS\Powercinema\PCMService.exe
PRC - [2005/01/07 11:01:52 | 00,049,152 | ---- | M] () -- c:\APPS\HIDSERVICE\HidService.exe
PRC - [2004/05/11 13:59:44 | 00,655,360 | ---- | M] ( ) -- C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe


========== Modules (SafeList) ==========

MOD - [2009/12/31 16:49:16 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\pcw\Desktop\OTL.exe
MOD - [2005/12/12 23:18:24 | 00,042,552 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - File not found [Disabled | Stopped] -- -- (HU200SVC)
SRV - [2009/12/21 12:50:02 | 01,181,328 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 23:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 23:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/10/27 09:26:36 | 00,657,408 | ---- | M] (Nokia) [On_Demand | Running] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/04/27 17:09:52 | 00,093,960 | ---- | M] (Sling Media Inc.) [Disabled | Stopped] -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe -- (SlingAgentService)
SRV - [2009/02/15 23:10:22 | 02,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2007/09/29 01:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/05/28 16:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) [Disabled | Stopped] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2006/12/20 21:05:00 | 00,520,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2005/10/05 15:39:23 | 00,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/01/28 10:11:40 | 00,024,576 | ---- | M] (Cyberlink) [Auto | Running] -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service)
SRV - [2005/01/28 10:11:14 | 00,110,682 | ---- | M] () [Auto | Running] -- c:\APPS\Powercinema\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2005/01/28 10:11:10 | 00,176,220 | ---- | M] () [Auto | Running] -- c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)
SRV - [2005/01/07 11:01:52 | 00,049,152 | ---- | M] () [Auto | Running] -- c:\APPS\HIDSERVICE\HidService.exe -- (GenericHidService)
SRV - [2004/02/25 09:55:34 | 01,123,440 | ---- | M] (America Online, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Disabled | Stopped] -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/emailandcommunicate/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "GoogleFeed.net"
FF - prefs.js..browser.search.selectedEngine: "GoogleFeed.net"
FF - prefs.js..browser.startup.homepage: "http://www.orange.co.uk/communicate/email/?linkfrom=hp4&link=leftnav_pos_3_link_2&article=todaypage09leftnavcommunicate"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:4.0.0

FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/12/06 15:38:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla 1.7.8\Extensions\\Components: C:\Program Files\mozilla.org\Mozilla\Components [2009/01/23 21:12:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla 1.7.8\Extensions\\Plugins: C:\Program Files\mozilla.org\Mozilla\Plugins [2009/12/25 07:03:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/14 13:39:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/14 20:33:58 | 00,000,000 | ---D | M]

[2009/07/10 20:29:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Mozilla\Extensions
[2009/07/10 20:29:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/12/19 09:19:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Mozilla\Firefox\Profiles\lbs8d6pk.default\extensions
[2009/10/30 11:33:31 | 00,000,000 | ---D | M] (MetaProducts Integration) -- C:\Documents and Settings\pcw\Application Data\Mozilla\Firefox\Profiles\lbs8d6pk.default\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}
[2009/10/25 04:59:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Mozilla\Firefox\Profiles\lbs8d6pk.default\extensions\en-US@dictionaries.addons.mozilla.org
[2009/11/14 17:06:21 | 00,000,003 | ---- | M] () -- C:\Documents and Settings\pcw\Application Data\Mozilla\Firefox\Profiles\lbs8d6pk.default\searchplugins\GoogleFeed.xml
[2009/12/27 11:06:50 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/03 01:42:02 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/11/03 01:42:02 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/11/03 01:42:02 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/11/03 01:42:02 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PCMService] c:\APPS\Powercinema\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2008/09/28 18:14:01 | 00,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\pcw\Start Menu\Programs\Startup\IEEE 802.11g Wireless LAN Utility.lnk = C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe ( )
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\mswsock32.dll File not found
O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com/betapit/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Reg Error: Value error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} http://support.epson-europe.com/selftest/Prg/ESTPTest.cab (EPSON Web Printer-SelfTest Control Class)
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} http://www.parallelgraphics.com/bin/cortvrml.cab (Reg Error: Value error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoftware.com/activescan/as5free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: PCPitstop-Tracks-Checker http://www.pcpitstop.com/privacy/PCPTracks.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 () -
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/12/27 01:09:12 | 00,815,104 | R--- | M] (Quarium, Inc.) - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2001/11/22 04:59:50 | 00,000,053 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{4a6fabf7-c54e-11d9-8832-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{4a6fabf7-c54e-11d9-8832-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4a6fabf7-c54e-11d9-8832-806d6172696f}\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2001/12/27 01:09:12 | 00,815,104 | R--- | M] (Quarium, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/05 17:38:06 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17173478272663552)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/31 16:49:12 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\pcw\Desktop\OTL.exe
[2009/12/31 12:41:27 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/12/31 12:13:34 | 05,061,520 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\pcw\Desktop\mbam-setup.exe
[2009/12/30 17:34:06 | 00,000,000 | ---D | C] -- C:\schrauber
[2009/12/30 00:30:05 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/12/30 00:30:05 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/12/30 00:30:04 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/12/30 00:30:04 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/12/30 00:29:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/30 00:19:48 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/29 14:36:49 | 00,000,000 | ---D | C] -- C:\Program Files\SpeedFan
[2009/12/29 14:26:33 | 00,000,000 | ---D | C] -- C:\Program Files\CPU Thermometer
[2009/12/29 14:26:09 | 00,587,246 | ---- | C] (CPUThermometer.com ) -- C:\Documents and Settings\pcw\Desktop\cputhermometer_setup.exe
[2009/12/28 23:51:46 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\pcw\Recent
[2009/12/28 13:59:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\pcw\Desktop\bleepcom
[2009/12/27 22:40:23 | 00,000,000 | ---D | C] -- C:\Program Files\Xvid
[2009/12/27 22:37:21 | 00,000,000 | ---D | C] -- C:\Program Files\Avi2Dvd
[2009/12/27 13:36:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\pcw\Desktop\PETS
[2009/12/25 10:12:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\pcw\Application Data\DivX
[2009/12/23 00:14:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/12/22 17:27:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\pcw\My Documents\My ripped videos
[2009/12/22 17:27:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\pcw\My Documents\My ripped audio
[2009/12/22 17:27:13 | 00,000,000 | ---D | C] -- C:\Program Files\Nuclear Coffee
[2009/12/22 17:26:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\pcw\Desktop\diskripper
[2009/12/20 19:25:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\pcw\Desktop\HP
[2009/10/10 08:54:30 | 00,376,224 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\WlanUIG.sys
[2009/08/27 19:34:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/03/20 18:03:08 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/05/09 19:07:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Talkback
[2007/05/09 19:07:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2007/05/09 19:07:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2007/05/09 18:53:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/05/09 18:53:27 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/04/29 19:37:46 | 00,014,976 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
[2 C:\Documents and Settings\pcw\My Documents\*.tmp files -> C:\Documents and Settings\pcw\My Documents\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/31 16:49:16 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\pcw\Desktop\OTL.exe
[2009/12/31 12:49:23 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2009/12/31 12:18:47 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/31 12:18:39 | 00,350,193 | -H-- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/12/31 12:18:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/31 12:16:51 | 13,893,632 | ---- | M] () -- C:\Documents and Settings\pcw\ntuser.dat
[2009/12/31 12:16:51 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\pcw\ntuser.ini
[2009/12/31 12:16:49 | 06,447,900 | -H-- | M] () -- C:\Documents and Settings\pcw\Local Settings\Application Data\IconCache.db
[2009/12/31 12:16:15 | 00,000,699 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/31 12:14:18 | 05,061,520 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\pcw\Desktop\mbam-setup.exe
[2009/12/31 11:34:54 | 00,000,000 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/31 08:30:10 | 00,054,272 | ---- | M] () -- C:\Documents and Settings\pcw\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/31 00:49:14 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2009/12/30 18:49:16 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/30 12:52:14 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/30 12:52:13 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2009/12/30 00:53:07 | 03,869,488 | R--- | M] () -- C:\Documents and Settings\pcw\Desktop\schrauber.exe
[2009/12/30 00:40:41 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/30 00:07:17 | 00,022,528 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\Download Combofix from any of the links below but rename it to.doc
[2009/12/29 17:32:34 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\vdu3gnb5.exe
[2009/12/29 14:36:50 | 00,000,685 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\SpeedFan.lnk
[2009/12/29 14:36:49 | 00,000,045 | ---- | M] () -- C:\WINDOWS\System32\initdebug.nfo
[2009/12/29 14:35:53 | 01,891,864 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\installspeedfan440.exe
[2009/12/29 14:26:15 | 00,587,246 | ---- | M] (CPUThermometer.com ) -- C:\Documents and Settings\pcw\Desktop\cputhermometer_setup.exe
[2009/12/28 09:23:06 | 00,000,673 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\DVD Shrink 3.2.lnk
[2009/12/28 09:17:30 | 00,000,040 | ---- | M] () -- C:\Documents and Settings\pcw\Application Data\cdr.ini
[2009/12/27 12:21:59 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/12/25 07:02:26 | 00,001,479 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\DivX Movies.lnk
[2009/12/22 23:47:49 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\Different learning materials.doc
[2009/12/22 21:30:02 | 01,035,776 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\unit_3_generation_worksheet.doc
[2009/12/22 21:29:25 | 00,011,776 | ---- | M] () -- C:\Documents and Settings\pcw\Desktop\unit_3_ac_circuits_worksheet.doc
[2009/12/22 17:27:16 | 00,000,774 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DiscRipper.lnk
[2 C:\Documents and Settings\pcw\My Documents\*.tmp files -> C:\Documents and Settings\pcw\My Documents\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/30 00:30:05 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/30 00:30:05 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/12/30 00:30:05 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/30 00:30:04 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/12/30 00:30:04 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/12/30 00:18:08 | 03,869,488 | R--- | C] () -- C:\Documents and Settings\pcw\Desktop\schrauber.exe
[2009/12/30 00:07:17 | 00,022,528 | ---- | C] () -- C:\Documents and Settings\pcw\Desktop\Download Combofix from any of the links below but rename it to.doc
[2009/12/29 17:32:33 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\pcw\Desktop\vdu3gnb5.exe
[2009/12/29 14:36:50 | 00,000,685 | ---- | C] () -- C:\Documents and Settings\pcw\Desktop\SpeedFan.lnk
[2009/12/29 14:36:48 | 00,000,045 | ---- | C] () -- C:\WINDOWS\System32\initdebug.nfo
[2009/12/29 14:35:28 | 01,891,864 | ---- | C] () -- C:\Documents and Settings\pcw\Desktop\installspeedfan440.exe
[2009/12/28 09:23:06 | 00,000,673 | ---- | C] () -- C:\Documents and Settings\pcw\Desktop\DVD Shrink 3.2.lnk
[2009/12/27 22:40:23 | 00,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/12/27 22:40:23 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/12/27 22:40:23 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\xvid.ax
[2009/12/25 06:50:13 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2009/12/25 06:50:13 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2009/12/25 06:50:12 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2009/12/22 23:47:49 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\pcw\Desktop\Different learning materials.doc
[2009/12/22 21:29:57 | 01,035,776 | ---- | C] () -- C:\Documents and Settings\pcw\Desktop\unit_3_generation_worksheet.doc
[2009/12/22 21:29:25 | 00,011,776 | ---- | C] () -- C:\Documents and Settings\pcw\Desktop\unit_3_ac_circuits_worksheet.doc
[2009/12/22 17:27:20 | 00,000,040 | ---- | C] () -- C:\Documents and Settings\pcw\Application Data\cdr.ini
[2009/12/22 17:27:16 | 00,000,774 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DiscRipper.lnk
[2009/12/21 12:52:19 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2009/12/10 20:39:41 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\pcw\Local Settings\Application Data\housecall.guid.cache
[2009/11/15 13:05:05 | 00,000,848 | ---- | C] () -- C:\WINDOWS\Rtcwplat.INI
[2009/11/14 08:21:15 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\vhubwtnaovau.sys
[2009/11/08 07:55:05 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2009/11/08 07:55:04 | 00,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2009/10/30 18:06:16 | 00,001,455 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2009/10/05 11:48:43 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\USB54G.dll
[2009/10/05 11:40:40 | 00,004,981 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
[2009/08/27 19:25:42 | 00,198,592 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/08/11 10:26:42 | 00,074,240 | ---- | C] () -- C:\Program Files\l
[2009/07/16 21:24:52 | 00,000,287 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/04/18 06:23:39 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/04/17 21:53:43 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/02/23 16:52:51 | 00,000,026 | ---- | C] () -- C:\WINDOWS\dvdSanta.INI
[2008/04/12 15:15:16 | 00,000,118 | ---- | C] () -- C:\WINDOWS\VCDSOFT.INI
[2008/04/12 15:15:16 | 00,000,039 | ---- | C] () -- C:\WINDOWS\VCD_PLUS.INI
[2008/03/08 23:32:18 | 00,019,042 | -H-- | C] () -- C:\Program Files\Sandra.GID
[2007/11/28 03:32:00 | 01,163,264 | ---- | C] () -- C:\WINDOWS\System32\acAuth.dll
[2007/08/11 18:15:37 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\IsUser11b.dll
[2007/08/11 14:20:14 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2007/02/21 07:33:48 | 00,000,024 | ---- | C] () -- C:\WINDOWS\System32\sysmwwod.dll
[2007/02/19 10:25:46 | 00,000,420 | ---- | C] () -- C:\WINDOWS\MP3trtg.ini
[2007/02/15 17:12:18 | 00,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI
[2006/12/30 04:25:26 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2006/12/17 16:22:12 | 00,003,852 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/06/26 10:14:33 | 00,796,584 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2005/08/14 10:32:16 | 00,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
[2005/08/14 10:27:12 | 00,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2005/06/25 23:20:35 | 00,054,272 | ---- | C] () -- C:\Documents and Settings\pcw\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/06/19 09:06:55 | 00,000,126 | ---- | C] () -- C:\Documents and Settings\pcw\Local Settings\Application Data\fusioncache.dat
[2005/06/06 21:36:54 | 00,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
[2005/04/29 19:42:07 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\RTCOMDLL.dll
[2005/04/29 19:42:07 | 00,156,160 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/04/29 19:37:46 | 00,475,136 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
[2005/04/29 19:37:46 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\amr_cpl.dll
[2005/04/29 19:37:46 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\SLMOHServ.dll
[2005/01/18 14:41:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/09/07 17:49:32 | 00,005,520 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/08/07 14:01:50 | 00,233,472 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[1998/08/16 04:00:00 | 00,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[1997/08/19 00:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/08/19 00:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1997/08/01 00:00:00 | 00,031,232 | ---- | C] () -- C:\WINDOWS\System32\XLREC.DLL
[1997/08/01 00:00:00 | 00,025,600 | ---- | C] () -- C:\WINDOWS\System32\RECNCL.DLL
[1997/08/01 00:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/04/03 19:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
[1979/12/31 23:00:00 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll

========== LOP Check ==========

[2007/02/18 01:00:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avanquest Software
[2005/12/24 11:46:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BOONTY
[2008/02/04 22:26:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/12/06 15:35:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2007/09/19 19:45:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2007/09/19 21:10:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2009/10/23 09:53:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NeoSoftTools
[2009/04/02 11:12:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2009/08/27 19:21:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaMusic
[2009/08/27 19:33:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2009/01/10 23:15:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/09/10 18:51:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sling Media
[2007/01/05 23:27:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005/04/29 19:49:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/04/10 19:27:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/10/30 12:44:49 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2005/12/26 14:31:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\.BitTornado
[2005/11/10 17:06:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\DataLayer
[2008/03/16 19:14:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\FinalBurner .ISO
[2007/05/21 11:16:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\FinalBurner Video DVD
[2009/08/10 10:04:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Free-backup.info
[2009/08/10 15:49:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\GetRightToGo
[2008/06/28 21:42:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\gtk-2.0
[2009/04/07 00:25:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\ImgBurn
[2009/01/10 22:55:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\IObit
[2007/09/19 19:45:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\iolo
[2005/05/26 15:46:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Leadertech
[2009/03/20 21:15:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Learn2.com
[2009/11/14 03:49:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\MetaProducts
[2009/10/23 09:53:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\NeoSoftTools
[2009/08/27 19:33:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Nokia
[2009/08/27 20:19:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Nseries
[2005/10/05 15:53:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Opera
[2009/10/05 20:03:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\ParallelGraphics
[2009/08/27 19:33:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\PC Suite
[2006/12/10 16:24:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\PPMate
[2008/06/15 18:10:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\ppstream
[2007/04/15 18:17:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\RipIt4Me
[2009/09/16 19:13:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Software Informer
[2005/06/16 05:15:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Template
[2005/06/19 06:53:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Thunderbird
[2008/06/29 19:40:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\Uniblue
[2009/04/17 06:31:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\uTorrent
[2006/01/24 22:51:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\pcw\Application Data\WinPatrol
[2009/12/31 12:49:23 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2009/12/30 18:49:16 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2009/12/31 00:49:14 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2009/12/30 12:52:13 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2009/12/30 12:52:14 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/10/31 15:56:00 | 00,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe


< MD5 for: AGP440.SYS >
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 13:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 13:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 13:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\pcw\My Documents\setupeng.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\pcw\Desktop\MSIFIX.bat:SummaryInformation
@Alternate Data Stream - 20 bytes -> C:\Documents and Settings\pcw\Desktop\PAVARK.exe:License
@Alternate Data Stream - 20 bytes -> C:\Documents and Settings\pcw\Desktop\antirootkit.exe:License
< End of report >

OTL Extras logfile created on: 31/12/2009 16:52:30 - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\pcw\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 480.00 Mb Available Physical Memory | 47.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.51 Gb Total Space | 22.26 Gb Free Space | 32.48% Space Free | Partition Type: NTFS
Drive D: | 626.03 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 35.15 Gb Total Space | 30.26 Gb Free Space | 86.08% Space Free | Partition Type: NTFS
Drive G: | 39.37 Gb Total Space | 25.73 Gb Free Space | 65.34% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SN045637120196
Current User Name: pcw
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"36052:TCP" = 36052:TCP:*:Disabled:ppLive
"47930:UDP" = 47930:UDP:*:Disabled:ppLive

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AOL 9.0\aol.exe" = C:\Program Files\AOL 9.0\aol.exe:*:Disabled:AOL -- (America Online, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0861F88C-6EBC-41C9-B9A4-AA3D04B0AF3B}" = IEEE 802.11g Wireless LAN Utility
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0DEA94ED-915A-4834-A87E-388D012C8E02}" = Medal of Honor Allied Assault
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D2CF076-A63F-41A5-00A1-5924FADFAD9D}" = The Godfather™ The Game
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD
"{2218B96C-ABA2-45D9-A0B4-56B71F5303DB}" = Nokia Ovi Suite
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{32427945-A053-4059-80A1-AD3F3E373444}" = Mozilla Cleaner
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{42B74521-4706-412A-9A27-AED12B83E886}" = Nokia Ovi Application Installer
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{587031FE-980C-4F49-AFB0-41DD808E7491}" = Mp3Decode
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6442DEDF-AC2F-4CBA-85DE-42E459C5006C}" = Nokia Ovi Content Copier
"{656A8811-95E1-4BD2-B692-8202DDBA15D5}_is1" = CPU Thermometer 1.0
"{6869591A-7DD8-46D2-837F-57CBF7358955}" = Nokia Connectivity Cable Driver
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}" = Power Tab Editor 1.7
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution
"{6EB6C056-02BB-453E-8448-EC90B9794180}" = Nokia Multimedia Common Components 2.4
"{7035F31B-20DA-4522-B0DB-3CA18B46DD77}" = Nokia Music
"{7148F0A8-6813-11D6-A77B-00B0D0142050}" = Java 2 Runtime Environment, SE v1.4.2_05
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{886C3AC2-8B07-4EB8-BBA1-A36F3FD5E963}" = Linksys Home Wireless-G USB Adaptor
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}" = Nokia PC Suite
"{9292B96D-B693-4F07-B5FE-21CCDC7CB4AF}" = Nokia Photos
"{929408E6-D265-4174-805F-81D1D914E2A4}" = QuickTime
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B04AC0A3-7A0F-4E38-9DE7-FD1E4CE47D8C}" = Packard Bell InfoCentre
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B78823CD-488F-43B4-80D6-FAEADAE40EC4}" = Instant Wireless USB Adapter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4B045DB-C2C0-4A05-8DA5-754B4733EE31}" = Nokia Ovi One Touch Access
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}" = Nokia Software Updater
"{F9EA1C47-64A6-45E4-9A80-8CC1575B971D}" = Nokia Ovi System Utilities
"05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
"Acoustica MP3 CD Burner" = Acoustica MP3 CD Burner
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"Belarc Advisor 2.0" = Belarc Advisor 7.0
"CCleaner" = CCleaner (remove only)
"DiscRipper_is1" = Nuclear Coffee - DiscRipper
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"EAX Unified" = EAX Unified
"ESET Online Scanner" = ESET Online Scanner v3
"Flash&Backup3" = Random's Flash&Backup 3
"Freecom Personal Media Suite_is1" = Freecom Personal Media Suite 2.17
"GOM Player" = GOM Player
"Guitar Pro 5_is1" = Guitar Pro 5.0
"HijackThis" = HijackThis 1.99.1
"ImgBurn" = ImgBurn
"InstallShield_{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4}" = QuickTime
"InstallShield_{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"IsoBuster_is1" = IsoBuster 2.3
"LimeWire" = LimeWire 5.1.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"My Video Daily2.0" = My Video Daily
"Nokia Ovi Application Installer" = Nokia Ovi Application Installer 6.85.3011
"Nokia Ovi Content Copier" = Nokia Ovi Content Copier 6.85.3011
"Nokia Ovi One Touch Access" = Nokia Ovi One Touch Access 6.85.3019
"Nokia Ovi System Utilities" = Nokia Ovi System Utilities 6.85.3018
"Nokia PC Suite" = Nokia PC Suite
"Office8.0" = Microsoft Office 97, Professional Edition
"Panda ActiveScan" = Panda ActiveScan
"RealPlayer 6.0" = RealPlayer
"Recuva" = Recuva (remove only)
"Return to Castle Wolfenstein - Platinum Edition" = Return to Castle Wolfenstein - Platinum Edition
"Software Informer_is1" = Software Informer 1.0 BETA
"SpeedFan" = SpeedFan (remove only)
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Sure Delete_is1" = Sure Delete 5.1.1
"Synacast Plug-in" = Synacast Plug-in 1.0.9.5
"VSO DivxToDVD_is1" = DivxToDVD 0.5.2b
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WinZip Self-Extractor" = WinZip Self-Extractor
"WMFDist11" = Windows Media Format 11 runtime
"Word8.0" = Microsoft Word 97
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Xvid_is1" = Xvid 1.2.1 final uninstall
"ZoneAlarm" = ZoneAlarm

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 10/04/2009 15:24:28 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://software-files.download.com/sd/oE7l...4eab9f9acb94d54
failed, 00000026.

Error - 12/05/2009 07:11:41 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestOpenList Error 1753.

Error - 12/05/2009 07:11:41 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::LoadFiles()
chestOpenList() failed: 2147422219.

Error - 12/05/2009 07:11:46 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::OnCreate()
!m_strErrorWnd.IsEmpty().

Error - 12/05/2009 12:43:40 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestOpenList Error 1753.

Error - 12/05/2009 12:43:40 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::LoadFiles()
chestOpenList() failed: 2147422219.

Error - 12/05/2009 12:43:52 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::OnCreate()
!m_strErrorWnd.IsEmpty().

Error - 10/08/2009 11:50:15 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.pcpitstop.com/store/get.asp?prd...rt&aff=0002 failed, 00000026.


Error - 22/11/2009 05:34:34 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://promo.awempire.com/flash/performers...250714553054422
failed, 0000A413.

Error - 09/12/2009 19:29:06 | Computer Name = SN045637120196 | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 1753.

[ Application Events ]
Error - 31/12/2009 08:40:34 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 31/12/2009 08:40:34 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 31/12/2009 08:41:06 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 31/12/2009 08:41:21 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 31/12/2009 08:41:21 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 31/12/2009 08:41:21 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 31/12/2009 08:41:21 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 31/12/2009 08:41:21 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 31/12/2009 08:41:21 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 31/12/2009 08:41:21 | Computer Name = SN045637120196 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

[ System Events ]
Error - 29/12/2009 20:31:03 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 29/12/2009 20:31:03 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KLIF

Error - 29/12/2009 20:31:07 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7034
Description = The Generic Service for HID Keyboard Input Collections service terminated
unexpectedly. It has done this 1 time(s).

Error - 29/12/2009 20:40:23 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KLIF

Error - 30/12/2009 13:35:43 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KLIF

Error - 30/12/2009 13:36:37 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7034
Description = The Generic Service for HID Keyboard Input Collections service terminated
unexpectedly. It has done this 1 time(s).

Error - 31/12/2009 04:14:19 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KLIF

Error - 31/12/2009 07:26:30 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KLIF

Error - 31/12/2009 07:27:36 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7034
Description = The Generic Service for HID Keyboard Input Collections service terminated
unexpectedly. It has done this 1 time(s).

Error - 31/12/2009 08:18:36 | Computer Name = SN045637120196 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
KLIF


< End of report >

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:36 AM

Posted 01 January 2010 - 06:42 AM

Hi,

How is your system running?


Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire). These programmes allow files to be shared between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."





Step 1

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the entries and selecting "Remove":

Java 2 Runtime Environment, SE v1.4.2_05

Additional instructions can be found here if needed.





Step 2

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O32 - AutoRun File - [2001/12/27 01:09:12 | 00,815,104 | R--- | M] (Quarium, Inc.) - D:\Autorun.exe -- [ CDFS ]
    O32 - AutoRun File - [2001/11/22 04:59:50 | 00,000,053 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
    O33 - MountPoints2\{4a6fabf7-c54e-11d9-8832-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{4a6fabf7-c54e-11d9-8832-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4a6fabf7-c54e-11d9-8832-806d6172696f}\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2001/12/27 01:09:12 | 00,815,104 | R--- | M] (Quarium, Inc.)
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\pcw\My Documents\setupeng.exe:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\pcw\Desktop\MSIFIX.bat:SummaryInformation
    @Alternate Data Stream - 20 bytes -> C:\Documents and Settings\pcw\Desktop\PAVARK.exe:License
    @Alternate Data Stream - 20 bytes -> C:\Documents and Settings\pcw\Desktop\antirootkit.exe:License
  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one Notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

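Added example (my own code, not OTL's and not the fix script above): a small Python audit that reads the Security Center, firewall-policy and authorized-application blocks of an OTL Extras log in the layout shown earlier in the thread and flags the weakened settings a helper looks for (Security Center alerts overridden, monitoring disabled, Windows Firewall off, file-sharing clients such as LimeWire allowed through). The log excerpt and the P2P watch-list are constructed for the example.

```python
"""Audit an OTL 'Extras' log for settings that weaken the host's defences.
Added example; not OTL's own code and not the fix script from the thread."""
import re
from dataclasses import dataclass

# Hypothetical watch-list of file-sharing clients (chosen for this example).
P2P_CLIENTS = {"limewire.exe", "utorrent.exe", "bittorrent.exe", "emule.exe", "frostwire.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Some\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name" = data
STATE_RE = re.compile(r":(Enabled|Disabled):")     # inside firewall app entries

# Constructed excerpt in the OTL Extras layout (values mirror the thread's log).
SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AOL 9.0\aol.exe" = C:\Program Files\AOL 9.0\aol.exe:*:Disabled:AOL -- (America Online, Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent -- (BitTorrent, Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    key: str        # registry key the value was read from
    detail: str


def parse_values(log_text):
    """Yield (registry_key, value_name, value_data) for every value line in the log."""
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            yield current_key, m.group(1), m.group(2).strip()


def audit_otl_extras(log_text):
    """Return the list of Findings for the Security Center / firewall blocks."""
    findings = []
    for key, name, data in parse_values(log_text):
        key_l = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if key_l.endswith("\\security center"):
            # Override flags silence Security Center's "no AV / no firewall" alerts.
            if name in ("AntiVirusOverride", "FirewallOverride") and data == "1":
                findings.append(Finding("high", key, f"{name} = 1: Security Center alert suppressed"))
        elif "\\security center\\monitoring\\" in key_l:
            if name == "DisableMonitoring" and data == "1":
                findings.append(Finding("medium", key, f"Security Center monitoring disabled for {leaf}"))
        elif "\\firewallpolicy\\" in key_l and key_l.endswith("profile"):
            if name == "EnableFirewall" and data == "0":
                findings.append(Finding("high", key, f"Windows Firewall disabled in {leaf}"))
        elif key_l.endswith("\\authorizedapplications\\list"):
            # Value name is the program path; data carries ...:<scope>:Enabled|Disabled:<label>
            exe = name.rsplit("\\", 1)[-1].lower()
            state = STATE_RE.search(data)
            if exe in P2P_CLIENTS and state and state.group(1) == "Enabled":
                findings.append(Finding("medium", key, f"file-sharing client allowed through firewall: {exe}"))
    return findings


if __name__ == "__main__":
    for f in audit_otl_extras(SAMPLE_LOG):
        print(f"[{f.severity}] {f.detail}\n    {f.key}")
```

Run against a real OTL Extras log by passing its text to audit_otl_extras(); the same parser covers the other bracketed-key sections of the log if more checks are added.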


