
Vista Antivirus 2010


  • This topic is locked
20 replies to this topic

#1 neets23

neets23

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:22 PM

Posted 16 March 2010 - 10:51 PM

Hi there, I have received popups from Vista Antivirus 2010 and found out by googling that it is a rogue that should be removed with Malwarebytes. I followed all instructions on this forum: running a disk cleanup, updating my Avira antivirus program, updating and running Spybot Search and Destroy, and running Malwarebytes in Safe Mode with Networking. Each time the Malwarebytes full scan would freeze on a file in my C drive that starts like this: winsxs/x86_netfx-mscorlib... and ends like this... mscorlib.tlb. I have followed the instructions from BleepingComputer to find myself here. I haven't received any further popups from Vista Antivirus 2010, so I would love to know if it is still on my computer or if it somewhere along the way got removed. Neither the Spybot nor the Malwarebytes program showed any infections (up until Malwarebytes froze, which was usually at around 209610 files). When it freezes, the whole computer doesn't seem frozen, as I can still move the mouse, but I cannot click on anything, cannot force quit, and have to turn the computer off and on again to start over.

Also, I tried to download and run the GMER as instructed but WinZip trial has run out on my computer and I do not have a paid copy to extract it once downloaded. Any tips for this?

Here are the contents of the DDS file I ran:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Anita at 13:35:19.88 on Tue 16/03/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.1525.410 [GMT 9.5:30]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\SupportAppXL\AutoDect.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Anita\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BitTorrent DNA] "c:\users\anita\program files\dna\btdna.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-15 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-15 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-15 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-15 56816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-11-19 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-11-22 7168]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-15 38224]

=============== Created Last 30 ================

2010-03-16 04:03:31 0 ----a-w- c:\users\anita\defogger_reenable
2010-03-15 05:46:41 0 d-----w- c:\users\anita\appdata\roaming\Malwarebytes
2010-03-15 05:46:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-15 05:46:30 0 d-----w- c:\programdata\Malwarebytes
2010-03-15 05:46:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 05:46:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-10 17:33:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 17:33:49 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 17:33:49 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-02 01:47:10 0 d-----w- c:\windows\NAVLE® Exam Companion CD
2010-02-23 23:23:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 23:22:59 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 23:22:58 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 23:22:57 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 23:22:56 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 23:22:56 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 23:22:56 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 23:22:55 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 23:22:55 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 23:22:55 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 23:22:51 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-23 23:22:50 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-23 23:22:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-15 00:41:14 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 00:41:13 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe

==================== Find3M ====================

2010-02-23 23:46:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-11 23:56:34 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-11 23:56:34 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-11 23:56:33 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-11 23:56:33 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-11 23:55:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-10 13:33:13 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-02-18 08:08:53 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-06-21 14:16:43 22 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 13:38:15.41 ===============
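As an added triage example (not part of this thread and not code from the DDS or OTL tools), the script below parses lines in the DDS "Pseudo HJT Report" format shown above and flags the entries a helper usually looks at first: browser add-ons whose DLL is missing, Run-key entries that launch from a user-writable folder, and Hosts overrides. The sample lines are copied from the log above; the three rules and their severities are my own assumed heuristics, not anything DDS reports itself.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" format: the lines are
# copied from the log posted in this thread, trimmed to the entry types
# this script knows how to read.
SAMPLE_DDS = r"""
uStart Page = hxxp://au.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BitTorrent DNA] "c:\users\anita\program files\dna\btdna.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
Hosts: 127.0.0.1 www.spywareinfo.com
"""


@dataclass(frozen=True)
class Entry:
    kind: str    # "BHO", "TB", "uRun", "mRun", "Hosts", "uStart Page", ...
    name: str    # display name, CLSID or Run value name ("" if none)
    target: str  # path, URL or host mapping; "No File" for orphaned add-ons
    raw: str     # the original log line


@dataclass(frozen=True)
class Finding:
    severity: str  # "info" or "review" (assumed labels)
    rule: str
    entry: Entry


# BHO/TB lines: 'BHO: Name: {CLSID} - path' or 'BHO: {CLSID} - No File'
_ADDON_RE = re.compile(
    r"^(?P<kind>BHO|TB):\s*(?:(?P<name>[^{]*?):\s*)?(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<target>.+)$"
)
# Run-key lines: 'uRun: [Name] "path" args' (user hive) / 'mRun: ...' (machine hive)
_RUN_RE = re.compile(r"^(?P<kind>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.+)$")
# Hosts lines: 'Hosts: 127.0.0.1 hostname'
_HOSTS_RE = re.compile(r"^(?P<kind>Hosts):\s*(?P<target>.+)$")
# Key/value lines such as 'uStart Page = hxxp://...' (DDS defangs URLs as hxxp)
_KV_RE = re.compile(r"^(?P<kind>[um][A-Za-z_ ]+?)\s*=\s*(?P<target>.+)$")
# Executable path at the front of a Run value, with optional quotes and arguments
_EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|com|bat|cmd|dll))"?(?=\s|$)', re.I)
# Locations a standard user can write to; autoruns from here deserve a closer look
_USER_WRITABLE_RE = re.compile(r"(c:\\users\\|\\appdata\\|\\temp\\|%appdata%|%temp%)", re.I)


def parse_dds(text: str) -> list[Entry]:
    """Turn Pseudo-HJT lines into Entry records; lines of unknown shape are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rx in (_ADDON_RE, _RUN_RE, _HOSTS_RE, _KV_RE):
            m = rx.match(line)
            if m:
                g = m.groupdict()
                name = g.get("name") or g.get("clsid") or ""
                entries.append(Entry(g["kind"], name.strip(), g["target"].strip(), line))
                break
    return entries


def exe_path(run_value: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run value."""
    m = _EXE_RE.match(run_value.strip())
    return m.group("path") if m else run_value.strip()


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply three simple review rules (assumed heuristics, not DDS output)."""
    findings: list[Finding] = []
    for e in entries:
        if e.kind in ("BHO", "TB") and e.target.lower() == "no file":
            # The registry still references an add-on whose DLL is gone:
            # usually leftover from an uninstall or an earlier cleanup.
            findings.append(Finding("info", "orphaned browser add-on (registry points to a missing file)", e))
        elif e.kind in ("uRun", "mRun") and _USER_WRITABLE_RE.search(exe_path(e.target)):
            # Most legitimate software lives under Program Files; a Run entry
            # launching from a user profile folder is worth verifying by hand.
            findings.append(Finding("review", "autorun launches from a user-writable location", e))
        elif e.kind == "Hosts":
            # DDS lists non-default Hosts lines; each one should be explainable.
            findings.append(Finding("review", "hosts-file override present", e))
    return findings


def report(text: str) -> list[str]:
    """One formatted line per finding, in log order."""
    return [f"[{f.severity}] {f.rule}: {f.entry.raw}" for f in triage(parse_dds(text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DDS)))
```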


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,815 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:22 PM

Posted 20 March 2010 - 10:29 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 neets23

neets23
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:22 PM

Posted 21 March 2010 - 04:47 AM

Hi and thanks for getting back to me,

Here are my new OTL logs and GMER log as of today, 21st March.
My problem still remains the same, i.e. I have received popups from Vista Antivirus 2010 and followed all instructions on this forum for removing it with Malwarebytes: running a disk cleanup, updating my Avira antivirus program, updating and running Spybot Search and Destroy, and running Malwarebytes in Safe Mode with Networking. Each time the Malwarebytes full scan would freeze on a file in my C drive that starts like this: winsxs/x86_netfx-mscorlib... and ends like this... mscorlib.tlb. I haven't received any further popups from Vista Antivirus 2010, so I would love to know if it is still on my computer or if it somewhere along the way got removed. Neither the Spybot nor the Malwarebytes program showed any infections (up until Malwarebytes froze, which was usually at around 209610 files). When it freezes, the whole computer doesn't seem frozen, as I can still move the mouse, but I cannot click on anything, cannot force quit, and have to turn the computer off and on again to start over.

OTL logfile created on: 20/03/2010 10:43:33 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anita\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 27.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 119.46 Gb Total Space | 66.15 Gb Free Space | 55.37% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 19.44 Gb Free Space | 99.55% Space Free | Partition Type: NTFS
Drive E: | 10.06 Gb Total Space | 2.43 Gb Free Space | 24.16% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANITA-PC
Current User Name: Anita
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/20 10:43:21 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anita\Desktop\OTL.exe
PRC - [2010/01/29 22:35:42 | 000,298,608 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2009/08/25 09:10:32 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/06/19 12:10:00 | 000,525,640 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/04/11 15:57:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/02/03 11:37:18 | 000,240,544 | R--- | M] (Adobe Systems, Inc.) -- C:\WINDOWS\System32\Macromed\Flash\FlashUtil10b.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/09/26 10:32:04 | 002,356,088 | R--- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
PRC - [2008/08/07 13:19:00 | 000,091,648 | ---- | M] () -- C:\WINDOWS\System32\SupportAppXL\AutoDect.exe
PRC - [2008/01/19 17:08:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/01/11 17:20:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/10/04 08:15:02 | 000,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/10/04 08:14:58 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe


========== Modules (SafeList) ==========

MOD - [2010/03/20 10:43:21 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anita\Desktop\OTL.exe
MOD - [2009/04/11 15:51:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/09/25 10:57:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/01/19 17:08:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/11 17:20:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/10/04 08:15:02 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/03/06 03:00:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)


========== Driver Services (SafeList) ==========

DRV - [2009/12/07 20:15:59 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 10:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/08/12 09:41:36 | 000,007,168 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/04/19 05:35:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2008/04/19 05:35:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2008/04/19 05:35:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2008/02/29 20:56:30 | 000,169,008 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/10/11 20:47:56 | 000,176,640 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2007/09/30 15:33:12 | 000,308,248 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/09/28 10:03:26 | 000,056,832 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2007/08/20 21:55:56 | 001,790,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2007/08/20 21:55:56 | 001,790,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\igdkmd32.sys -- (ialm)
DRV - [2007/07/10 23:57:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/20 20:59:56 | 000,984,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/06/20 20:58:34 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/06/20 20:58:22 | 000,660,480 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/06/19 09:42:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/05/31 08:10:42 | 000,735,232 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\athr.sys -- (athr)
DRV - [2007/04/24 07:21:08 | 000,050,176 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/11/02 19:21:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 19:21:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 19:21:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 19:21:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 19:21:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 19:21:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 19:21:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 19:20:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 19:20:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 19:20:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 19:20:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 19:20:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 19:20:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 19:20:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 19:20:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 19:20:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 19:20:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 19:20:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 19:20:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 19:20:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 19:20:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 19:20:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 19:20:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 19:20:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 19:20:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 19:20:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 19:20:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 19:20:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 19:20:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 19:19:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 19:19:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 19:19:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 19:19:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 19:19:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 19:19:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 17:55:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 17:54:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 17:54:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 17:54:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 17:54:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 17:54:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 17:11:49 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/02 17:06:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 17:00:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 17:00:53 | 000,464,384 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\BCMWL6.SYS -- (BCM43XV)
DRV - [2006/06/29 03:24:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CPQBttn.sys -- (HBtnKey)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2529188999-3395244793-274983389-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
IE - HKU\S-1-5-21-2529188999-3395244793-274983389-1003\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2529188999-3395244793-274983389-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2009/08/25 20:46:19 | 000,000,000 | ---D | M] -- C:\Users\Anita\AppData\Roaming\mozilla\Extensions
[2009/08/25 20:46:19 | 000,000,000 | ---D | M] -- C:\Users\Anita\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2010/03/15 22:22:17 | 000,380,280 | R--- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13103 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-2529188999-3395244793-274983389-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [autodetect] C:\WINDOWS\System32\SupportAppXL\AutoDect.exe ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HP Health Check Scheduler] File not found
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2529188999-3395244793-274983389-1003..\Run: [BitTorrent DNA] C:\Users\Anita\Program Files\DNA\btdna.exe File not found
O4 - HKU\S-1-5-21-2529188999-3395244793-274983389-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-2529188999-3395244793-274983389-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Anita\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Anita\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/23 01:44:39 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/12 00:48:54 | 000,000,340 | -HS- | M] () - E:\AUTOMODE -- [ NTFS ]
O33 - MountPoints2\{31f8031a-b4a3-11dd-a105-001eec70490e}\Shell - "" = AutoRun
O33 - MountPoints2\{31f8031a-b4a3-11dd-a105-001eec70490e}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{46f8645a-2108-11de-a698-001eec70490e}\Shell\AutoRun\command - "" = WDSetup.exe
O33 - MountPoints2\{57f02d07-30ac-11df-a05f-001eec70490e}\Shell\AutoRun\command - "" = setup.exe /AUTORUN
O33 - MountPoints2\{57f02d07-30ac-11df-a05f-001eec70490e}\Shell\configure\command - "" = setup.exe
O33 - MountPoints2\{57f02d07-30ac-11df-a05f-001eec70490e}\Shell\install\command - "" = setup.exe
O33 - MountPoints2\{7506fc98-b83a-11dd-94df-001eec70490e}\Shell - "" = AutoRun
O33 - MountPoints2\{7506fc98-b83a-11dd-94df-001eec70490e}\Shell\AutoRun\command - "" = H:\AutoRun.exe -- File not found
O33 - MountPoints2\{bba2fe5c-9102-11de-b095-001eec70490e}\Shell - "" = Autorun
O33 - MountPoints2\{bba2fe5c-9102-11de-b095-001eec70490e}\Shell\Open\command - "" = RECYCLER\S-5-7-35-100029207-100029309-100004471-5765.com j:\
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2529188999-3395244793-274983389-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/03/20 10:43:11 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\Anita\Desktop\OTL.exe
[2010/03/15 15:16:41 | 000,000,000 | ---D | C] -- C:\Users\Anita\AppData\Roaming\Malwarebytes
[2010/03/15 15:16:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/15 15:16:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/15 15:16:29 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/15 15:16:29 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/11 03:03:54 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/03/11 03:03:49 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2010/03/02 14:50:43 | 000,000,000 | ---D | C] -- C:\Users\Anita\Desktop\NAVLE
[2010/03/02 11:17:10 | 000,000,000 | ---D | C] -- C:\Windows\NAVLE® Exam Companion CD
[2010/03/02 11:17:09 | 000,000,000 | ---D | C] -- C:\Users\Anita\Documents\NAVLE® Exam Companion CD
[2010/02/24 08:53:52 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/02/24 08:53:36 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/24 08:52:59 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/02/24 08:52:58 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/02/24 08:52:57 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/02/24 08:52:56 | 000,518,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/02/24 08:52:56 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/02/24 08:52:56 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/02/24 08:52:55 | 000,332,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdrm.dll
[2010/02/24 08:52:55 | 000,152,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/02/24 08:52:55 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[2010/02/24 08:52:51 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gameux.dll
[2010/02/24 08:52:50 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/02/24 08:52:49 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2 C:\Users\Anita\Desktop\*.tmp files -> C:\Users\Anita\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/20 10:47:23 | 006,291,456 | -HS- | M] () -- C:\Users\Anita\NTUSER.DAT
[2010/03/20 10:44:20 | 000,293,376 | ---- | M] () -- C:\Users\Anita\Desktop\GMER.exe
[2010/03/20 10:43:21 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Anita\Desktop\OTL.exe
[2010/03/20 10:34:14 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/20 10:17:32 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/20 10:17:32 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/20 10:17:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/19 20:44:56 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/19 17:44:10 | 000,788,274 | ---- | M] () -- C:\Users\Anita\Desktop\kylie, me, laura 2.bmp
[2010/03/19 17:41:22 | 000,820,890 | ---- | M] () -- C:\Users\Anita\Desktop\kylie, laura, me 1.bmp
[2010/03/17 00:07:55 | 000,121,856 | ---- | M] () -- C:\Users\Anita\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/17 00:03:42 | 000,756,644 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/17 00:03:42 | 000,647,242 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/17 00:03:42 | 000,123,530 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/16 13:41:09 | 000,284,915 | ---- | M] () -- C:\Users\Anita\Desktop\gmer.zip
[2010/03/16 13:35:13 | 000,524,288 | ---- | M] () -- C:\Users\Anita\Desktop\dds.scr
[2010/03/16 13:33:31 | 000,000,000 | ---- | M] () -- C:\Users\Anita\defogger_reenable
[2010/03/16 13:03:38 | 000,000,165 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2010/03/16 13:01:31 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/16 13:01:16 | 1600,143,360 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/15 23:28:32 | 000,001,356 | ---- | M] () -- C:\Users\Anita\AppData\Local\d3d9caps.dat
[2010/03/15 22:22:38 | 000,524,288 | -HS- | M] () -- C:\Users\Anita\NTUSER.DAT{46f8642d-2108-11de-a698-001eec70490e}.TMContainer00000000000000000001.regtrans-ms
[2010/03/15 22:22:38 | 000,065,536 | -HS- | M] () -- C:\Users\Anita\NTUSER.DAT{46f8642d-2108-11de-a698-001eec70490e}.TM.blf
[2010/03/15 22:22:17 | 000,380,280 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/03/15 16:15:12 | 000,001,880 | -HS- | M] () -- C:\Users\Anita\AppData\Local\21mn5E
[2010/03/15 16:15:12 | 000,001,880 | -HS- | M] () -- C:\ProgramData\21mn5E
[2010/03/15 15:16:37 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/14 21:13:15 | 000,000,370 | ---- | M] () -- C:\Users\Anita\Documents\Pictures - Shortcut.lnk
[2010/03/08 19:06:00 | 000,075,776 | ---- | M] () -- C:\Users\Anita\Documents\Xmas letter 2009 contact details.doc
[2010/03/02 11:17:30 | 000,002,006 | ---- | M] () -- C:\Users\Anita\Desktop\NAVLE® Exam Companion CD.lnk
[2010/03/01 12:55:51 | 000,001,055 | ---- | M] () -- C:\Users\Anita\Desktop\Spybot - Search & Destroy.lnk
[2010/03/01 12:13:13 | 000,009,184 | -HS- | M] () -- C:\Users\Anita\AppData\Local\26x8
[2010/02/26 23:08:04 | 000,025,600 | ---- | M] () -- C:\Users\Anita\Documents\Xmas letter in French 2009.doc
[2010/02/25 14:14:04 | 000,107,216 | ---- | M] () -- C:\Users\Anita\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/02/25 14:11:40 | 000,390,296 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/02/24 10:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/02/21 08:36:41 | 000,024,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/02/21 08:35:14 | 000,030,720 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2 C:\Users\Anita\Desktop\*.tmp files -> C:\Users\Anita\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/20 10:44:13 | 000,293,376 | ---- | C] () -- C:\Users\Anita\Desktop\GMER.exe
[2010/03/19 17:44:10 | 000,788,274 | ---- | C] () -- C:\Users\Anita\Desktop\kylie, me, laura 2.bmp
[2010/03/19 17:41:22 | 000,820,890 | ---- | C] () -- C:\Users\Anita\Desktop\kylie, laura, me 1.bmp
[2010/03/16 13:41:02 | 000,284,915 | ---- | C] () -- C:\Users\Anita\Desktop\gmer.zip
[2010/03/16 13:34:50 | 000,524,288 | ---- | C] () -- C:\Users\Anita\Desktop\dds.scr
[2010/03/16 13:33:31 | 000,000,000 | ---- | C] () -- C:\Users\Anita\defogger_reenable
[2010/03/16 13:01:16 | 1600,143,360 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/15 15:16:37 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/15 14:56:10 | 000,001,880 | -HS- | C] () -- C:\Users\Anita\AppData\Local\21mn5E
[2010/03/15 14:56:10 | 000,001,880 | -HS- | C] () -- C:\ProgramData\21mn5E
[2010/03/14 21:13:15 | 000,000,370 | ---- | C] () -- C:\Users\Anita\Documents\Pictures - Shortcut.lnk
[2010/03/02 11:17:30 | 000,002,006 | ---- | C] () -- C:\Users\Anita\Desktop\NAVLE® Exam Companion CD.lnk
[2010/03/01 12:07:03 | 000,009,184 | -HS- | C] () -- C:\Users\Anita\AppData\Local\26x8
[2010/02/26 21:20:05 | 000,025,600 | ---- | C] () -- C:\Users\Anita\Documents\Xmas letter in French 2009.doc
[2010/02/21 19:12:48 | 000,075,776 | ---- | C] () -- C:\Users\Anita\Documents\Xmas letter 2009 contact details.doc
[2009/10/25 19:30:25 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/29 22:46:03 | 000,001,356 | ---- | C] () -- C:\Users\Anita\AppData\Local\d3d9caps.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/11/16 03:31:11 | 000,978,244 | ---- | C] () -- C:\ProgramData\LuUninstall.LiveUpdate
[2008/09/24 16:19:24 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/09/24 00:14:01 | 000,121,856 | ---- | C] () -- C:\Users\Anita\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/24 00:13:39 | 000,024,206 | ---- | C] () -- C:\Users\Anita\AppData\Roaming\UserTile.png
[2008/09/23 23:59:50 | 000,000,000 | ---- | C] () -- C:\Users\Anita\AppData\Local\QSwitch.txt
[2008/09/23 23:59:50 | 000,000,000 | ---- | C] () -- C:\Users\Anita\AppData\Local\DSwitch.txt
[2008/09/23 23:59:50 | 000,000,000 | ---- | C] () -- C:\Users\Anita\AppData\Local\AtStart.txt
[2008/05/30 12:59:51 | 000,155,648 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2007/11/23 02:24:49 | 000,000,371 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2007/08/20 22:04:08 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1318.dll
[2007/08/20 21:55:00 | 000,910,720 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/08/20 21:40:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 22:05:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 17:10:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[1999/01/23 13:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL
[1998/01/13 03:00:00 | 000,040,448 | ---- | C] () -- C:\Windows\System32\REGOBJ.DLL
< End of report >

OTL Extras logfile created on: 20/03/2010 10:43:33 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anita\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 27.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 119.46 Gb Total Space | 66.15 Gb Free Space | 55.37% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 19.44 Gb Free Space | 99.55% Space Free | Partition Type: NTFS
Drive E: | 10.06 Gb Total Space | 2.43 Gb Free Space | 24.16% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANITA-PC
Current User Name: Anita
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2529188999-3395244793-274983389-1003\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1E79441C-E94F-40A3-992A-FC4C8F73A0CB}" = rport=1723 | protocol=6 | dir=out | app=system |
"{35B95B23-1EF5-4DC6-B50C-38D3EBE40E2D}" = lport=5358 | protocol=6 | dir=in | app=system |
"{39FEA514-B416-46E0-9574-CD047ED07E29}" = lport=3702 | protocol=17 | dir=in | app=c:\windows\system32\netproj.exe |
"{49288C71-7604-4C17-BE74-1ABD4E7439E3}" = rport=3702 | protocol=17 | dir=out | app=c:\windows\system32\netproj.exe |
"{7A099F6E-6A4D-4B24-8EEB-F6DDF195114E}" = rport=1701 | protocol=17 | dir=out | app=system |
"{87B5C160-9847-42BD-B1E7-FC7EC4F7E1AD}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{8CA5EA9E-BB6E-4684-9039-0A37D4166E19}" = lport=1723 | protocol=6 | dir=in | app=system |
"{9AF27673-BABF-4FB2-AD8E-A726ED0A6A3F}" = lport=5357 | protocol=6 | dir=in | app=system |
"{ADA1EDFE-71FF-4D4E-9865-33FF0F2F3EAC}" = rport=5357 | protocol=6 | dir=out | app=system |
"{B2BB00AD-0233-4720-A97D-6CF7A3C0D004}" = rport=5358 | protocol=6 | dir=out | app=system |
"{CD8C95B4-3AB3-46CC-A56B-81BD4F327FE5}" = lport=2869 | protocol=6 | dir=in | app=system |
"{E1F45BFC-B707-4D00-A231-A8898F434BDA}" = lport=445 | protocol=6 | dir=in | app=system |
"{E4F4827E-7AB1-432D-BB3E-4C961AC69D3C}" = lport=1701 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1832F032-33FB-4CD6-B749-4B2CAA3C2EB9}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{8475892C-4A4D-466E-B752-6A40BD47AE0C}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{8475F8BD-3FD6-4E8F-9480-8E831D068A05}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{9277CC77-F7D7-400E-9D93-5E3011771CD5}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{A2B45968-38D6-4508-A450-15CD0C86F4BC}" = protocol=6 | dir=in | app=c:\windows\system32\netproj.exe |
"{AC7F9530-D2BB-425F-A4F1-47BD085890C1}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
"{B5F4F9EF-F82E-4D8B-A477-0A1971263050}" = protocol=6 | dir=out | app=c:\windows\system32\netproj.exe |
"{BE212FFF-13DC-45FF-84C1-163BB1DB1C58}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{D2E2ABE1-C0C4-4174-969D-762400041F28}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
"{F1E80AAC-B386-4104-8D50-19B7D66A2279}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{F68C70EF-F57A-429A-8109-F3DA20E47E0B}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"TCP Query User{2CB98718-33BB-41D2-BFE0-0431A9A78F16}C:\users\anita\program files\dna\btdna.exe" = protocol=6 | dir=in | app=c:\users\anita\program files\dna\btdna.exe |
"TCP Query User{3A6CBD14-0AC3-4A8B-AEE2-A1CD9BF996A6}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"TCP Query User{660B5975-D6C0-41B1-8BE9-411887E8B3A1}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"TCP Query User{7188A7E6-11F4-4CA2-9FA3-CC55F473754D}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{DB94EA09-373E-4BF5-9397-E99EAFCAC3DA}C:\users\anita\program files\dna\btdna.exe" = protocol=6 | dir=in | app=c:\users\anita\program files\dna\btdna.exe |
"TCP Query User{E737C57B-A7E4-4DE1-8C3B-863E1478C3E0}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{0A9F0527-E875-4937-A912-B4BEA0288682}C:\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"UDP Query User{33AC7E17-E799-47D0-B0F3-21734535AA27}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{7A4CC103-FBEC-43ED-871A-B91BC7A8D191}C:\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"UDP Query User{C95DF207-28E8-4B73-8445-718C5C1FB718}C:\users\anita\program files\dna\btdna.exe" = protocol=17 | dir=in | app=c:\users\anita\program files\dna\btdna.exe |
"UDP Query User{E40C0F92-DA7C-4A54-BAAF-0F66C54284D5}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{E428D0DE-044E-47CD-8890-DC20C1BF8B2A}C:\users\anita\program files\dna\btdna.exe" = protocol=17 | dir=in | app=c:\users\anita\program files\dna\btdna.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{06E74B9B-631F-4378-BF3A-40D868450C05}" = HPPhotoSmartPhotobookHolidayPack1
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
"{172AEB5E-CBB2-4CDD-A4CF-388600825839}" = HPPhotoSmartPhotobookPlayfulPack1
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{250E9609-E830-43EB-B379-DAB7546A2422}" = muvee autoProducer 6.1
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{28EDCE9C-3304-4331-8AB3-F3EBE94C35B4}" = HP Help and Support
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 E2
"{34DAFDEC-A4B4-488A-A5CD-C91975A6F083}" = MediaRing Talk
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.6
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{865DB1C9-D5E4-408B-B37D-9927E605BD2D}" = ESU for Microsoft Vista
"{89E052B2-5CA5-4B7A-AF0C-28CA2836B030}" = HPPhotoSmartPhotobookModernPack1
"{8E828E0D-0BF4-4BEE-B93D-1EBCD0000118}" = MyPhotoBooks
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{93D34EE3-99B3-4DB1-8B0A-0A657466F90D}" = Telstra Turbo Connection Manager
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9885A11E-60E4-417C-B58B-8B31B21C0B8A}" = HP Easy Setup - Frontend
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver
"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AC95121F-1576-45B8-82F7-3911D27882E6}" = HPPhotoSmartPhotobookScrapbookPack1
"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin
"{AE46ABD3-D625-467F-B5A7-8D3FFF077F0D}" = Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BD0E2B92-3814-46F0-893B-4612EA010C7E}" = HP Customer Experience Enhancements
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7358B07-4F10-4014-9869-7999578BE8ED}" = HP User Guides 0093
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DD3C88A0-C53C-41D0-A21B-6D021981D23E}" = HPPhotoSmartDiscLabelContent1
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F636EE9A-F9EC-4606-BCFA-77DD0E210788}" = HPPhotoSmartDiscLabel_Tattoo
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7F3B252-E772-48AA-93EB-7964BC326067}" = MSCU for Microsoft Vista
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_6" = AIM 6
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"LimeWire" = LimeWire 5.4.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"NAVLE® Exam Companion CD" = NAVLE® Exam Companion CD
"PROHYBRIDR" = 2007 Microsoft Office system
"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.4
"TVWiz" = Intel® TV Wizard
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 0.9.6
"WildTangent hp Master Uninstall" = My HP Games
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2529188999-3395244793-274983389-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/03/2010 1:59:00 AM | Computer Name = Anita-PC | Source = Application Error | ID = 1000
Description = Faulting application NAVLE® Exam Companion CD.exe, version 10.1.0.11,
time stamp 0x413ffc3a, faulting module TextXtra.x32, version 10.0.0.210, time stamp
0x4057a109, exception code 0xc0000005, fault offset 0x00023735, process id 0x12dc,
application start time 0x01cab9aa5c38ceda.

Error - 7/03/2010 12:41:15 AM | Computer Name = Anita-PC | Source = Google Update | ID = 20
Description =

Error - 7/03/2010 12:57:05 AM | Computer Name = Anita-PC | Source = Google Update | ID = 20
Description =

Error - 7/03/2010 8:19:47 AM | Computer Name = Anita-PC | Source = Google Update | ID = 20
Description =

Error - 7/03/2010 9:23:45 PM | Computer Name = Anita-PC | Source = Google Update | ID = 20
Description =

Error - 8/03/2010 2:00:44 AM | Computer Name = Anita-PC | Source = Google Update | ID = 20
Description =

Error - 9/03/2010 12:13:19 AM | Computer Name = Anita-PC | Source = Application Error | ID = 1000
Description = Faulting application NAVLE® Exam Companion CD.exe, version 10.1.0.11,
time stamp 0x413ffc3a, faulting module TextXtra.x32, version 10.0.0.210, time stamp
0x4057a109, exception code 0xc0000005, fault offset 0x00023735, process id 0xa90,
application start time 0x01cabea563f33160.

Error - 9/03/2010 8:47:29 AM | Computer Name = Anita-PC | Source = Application Error | ID = 1000
Description = Faulting application NAVLE® Exam Companion CD.exe, version 10.1.0.11,
time stamp 0x413ffc3a, faulting module TextXtra.x32, version 10.0.0.210, time stamp
0x4057a109, exception code 0xc0000005, fault offset 0x00023735, process id 0x3cc,
application start time 0x01cabf609a0ab0f0.

Error - 9/03/2010 10:50:43 PM | Computer Name = Anita-PC | Source = Application Error | ID = 1000
Description = Faulting application NAVLE® Exam Companion CD.exe, version 10.1.0.11,
time stamp 0x413ffc3a, faulting module TextXtra.x32, version 10.0.0.210, time stamp
0x4057a109, exception code 0xc0000005, fault offset 0x00023735, process id 0x1484,
application start time 0x01cabf86b5fd7ce0.

Error - 13/03/2010 1:00:15 AM | Computer Name = Anita-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18882, time stamp
0x4b3ed243, faulting module mshtml.dll, version 8.0.6001.18882, time stamp 0x4b3ee91c,
exception code 0xc0000005, fault offset 0x00085b7c, process id 0x13f4, application
start time 0x01cac268e01b3050.

[ System Events ]
Error - 15/03/2010 8:19:59 AM | Computer Name = Anita-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 15/03/2010 8:19:59 AM | Computer Name = Anita-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 15/03/2010 8:54:26 AM | Computer Name = Anita-PC | Source = DCOM | ID = 10005
Description =

Error - 15/03/2010 8:54:36 AM | Computer Name = Anita-PC | Source = DCOM | ID = 10005
Description =

Error - 15/03/2010 8:55:17 AM | Computer Name = Anita-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 15/03/2010 8:55:17 AM | Computer Name = Anita-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 15/03/2010 11:31:23 PM | Computer Name = Anita-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 11:30:32 PM on 15/03/2010 was unexpected.

Error - 15/03/2010 11:32:17 PM | Computer Name = Anita-PC | Source = W32Time | ID = 39452706
Description = The time service has detected that the system time needs to be changed
by +84490 seconds. The time service will not change the system time by more than
+54000 seconds. Verify that your time and time zone are correct, and that the time
source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->207.46.197.32:123) is working
properly.

Error - 16/03/2010 9:47:57 PM | Computer Name = Anita-PC | Source = volsnap | ID = 393230
Description = The shadow copies of volume C: were aborted because of an IO failure
on volume C:.

Error - 17/03/2010 5:48:24 AM | Computer Name = Anita-PC | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 001FE19085C0. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.


< End of report >

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-20 12:00:01
Windows 6.0.6002 Service Pack 2
Running: GMER.exe; Driver: C:\Users\Anita\AppData\Local\Temp\uglcrpow.sys


---- System - GMER 1.0.15 ----

SSDT A79E351C ZwCreateThread
SSDT A79E3508 ZwOpenProcess
SSDT A79E350D ZwOpenThread
SSDT A79E3517 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 81EE4984 4 Bytes [1C, 35, 9E, A7] {SBB AL, 0x35; SAHF ; CMPSD }
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EE4B54 4 Bytes [08, 35, 9E, A7]
.text ntkrnlpa.exe!KeSetEvent + 40D 81EE4B70 4 Bytes [0D, 35, 9E, A7]
.text ntkrnlpa.exe!KeSetEvent + 621 81EE4D84 4 Bytes [17, 35, 9E, A7]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
Thanks for your help!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,815 posts
  • Gender:Female
  • Location:Romania

Posted 21 March 2010 - 06:06 AM

Hello neets23,

P2P WARNING
-------------------
Going over your logs I noticed that you have LimeWire installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 neets23

neets23
  • Topic Starter

  • Members
  • 10 posts

Posted 22 March 2010 - 01:40 AM

Thanks for your feedback, I have removed Limewire. Combofix log as follows.

ComboFix 10-03-21.02 - Anita 21/03/2010 14:51:10.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.1525.855 [GMT 9.5:30]
Running from: c:\users\Anita\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2529188999-3395244793-274983389-500
c:\$recycle.bin\S-1-5-21-4074894658-3388959641-2332476118-500
c:\users\Anita\AppData\Local\Microsoft\Windows\Temporary Internet Files\15y28K2L.jpg
c:\users\Anita\AppData\Local\Microsoft\Windows\Temporary Internet Files\73NV163U.jpg
c:\users\Anita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hbo2Q.jpg
c:\users\Anita\AppData\Local\Microsoft\Windows\Temporary Internet Files\HLdCij.jpg
c:\windows\system32\Connect.dll
c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-15 05:47 . 2010-03-15 05:47 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-15 05:46 . 2010-03-15 05:46 -------- d-----w- c:\users\Anita\AppData\Roaming\Malwarebytes
2010-03-15 05:46 . 2010-01-07 06:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-15 05:46 . 2010-03-15 05:46 -------- d-----w- c:\programdata\Malwarebytes
2010-03-15 05:46 . 2010-03-15 05:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-15 05:46 . 2010-01-07 06:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 17:33 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 17:33 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-10 17:33 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-02 01:47 . 2010-03-02 01:47 -------- d-----w- c:\windows\NAVLE® Exam Companion CD
2010-02-23 23:23 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 23:22 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 23:22 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 23:22 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 23:22 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 23:22 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 23:22 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 23:22 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 23:22 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 23:22 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 23:22 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-23 23:22 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-23 23:22 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 13:58 . 2009-08-29 13:16 1356 ----a-w- c:\users\Anita\AppData\Local\d3d9caps.dat
2010-03-10 17:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-10 17:41 . 2007-11-22 16:24 -------- d-----w- c:\programdata\Microsoft Help
2010-03-01 03:30 . 2008-11-15 18:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-01 03:28 . 2008-11-15 18:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-26 04:32 . 2008-12-10 14:07 1762568 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en\Installers\SetupGamesClient.exe
2010-02-25 04:44 . 2008-09-23 03:15 107216 ----a-w- c:\users\Anita\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 00:46 . 2009-10-03 04:19 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-11 23:57 . 2010-02-11 23:57 -------- d-----w- c:\program files\Windows Portable Devices
2010-02-11 23:56 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-11 23:55 . 2010-02-11 23:55 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-11 03:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-02-11 03:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-02-11 03:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-02-11 03:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-02-11 03:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-02-11 03:39 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-02-02 04:50 . 2009-08-24 23:39 -------- d-----w- c:\program files\Google
2010-02-01 12:16 . 2010-02-01 12:16 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9DE3.tmp.exe
2010-01-31 10:33 . 2010-01-31 10:33 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE2E3.tmp.exe
2010-01-30 08:12 . 2010-01-30 08:12 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb5100.tmp.exe
2010-01-29 12:48 . 2010-01-29 12:49 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbC14B.tmp.exe
2010-01-06 15:38 . 2010-02-23 23:22 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 23:22 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 23:22 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-23 23:22 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-02 06:38 . 2010-01-21 11:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 11:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 11:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 11:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-06-21 14:16 . 2008-09-23 18:53 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-01-21 217088]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-27 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-30 136600]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a1,ad,8c,73,cd,aa,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 135664]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-08-12 7168]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:50]

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://au.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent DNA - c:\users\Anita\Program Files\DNA\btdna.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-BitTorrent DNA - c:\users\Anita\Program Files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 15:04
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-03-21 15:10:27
ComboFix-quarantined-files.txt 2010-03-21 05:40

Pre-Run: 68,586,442,752 bytes free
Post-Run: 68,229,853,184 bytes free

- - End Of File - - A2C12DA047C02CF9264D6875ADFB2E41


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,815 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:22 PM

Posted 22 March 2010 - 02:56 AM

That's looking good. I suspect the file that locks up your MBAM scan is locked, so let's look for that first.

OTL
-----
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    /lockedfiles
  5. Push the None button and then Run Scan.
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 neets23

neets23
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:22 PM

Posted 22 March 2010 - 05:55 AM

Hope this is what you're after =)


OTL logfile created on: 21/03/2010 8:55:12 PM - Run 2
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anita\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 119.46 Gb Total Space | 61.66 Gb Free Space | 51.61% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 19.44 Gb Free Space | 99.55% Space Free | Partition Type: NTFS
Drive E: | 10.06 Gb Total Space | 2.43 Gb Free Space | 24.18% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANITA-PC
Current User Name: Anita
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========


< /lockedfiles >
< End of report >


#8 Elise

Posted 22 March 2010 - 06:27 AM

Can you please try to run MBAM now? Make sure you update it first. If it hangs in normal mode, try safe mode.

regards, Elise


#9 neets23 (Topic Starter)

Posted 22 March 2010 - 08:44 PM

Tried to run Malwarebytes again, updated it first. It froze on the same file in regular mode, and I had to force-restart my laptop and rerun it in Safe Mode with Networking; once again it froze on the same file. The file is around 200,000 files into the scan and is still the same one (starts with winsxs/x86_netfx_mscorlib.. and ends with ..mscorlib.tlb).

#10 Elise

Posted 23 March 2010 - 04:31 AM

Please do the following custom scan in OTL:

CODE
/md5start
mscorlib.tlb
/md5stop

Click None and then Run Scan.

Afterwards, post me the log.

regards, Elise


#11 neets23 (Topic Starter)

Posted 23 March 2010 - 08:04 PM

OTL logfile created on: 23/03/2010 10:57:27 AM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Anita\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 38.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 52.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 119.46 Gb Total Space | 60.45 Gb Free Space | 50.60% Space Free | Partition Type: NTFS
Drive D: | 19.53 Gb Total Space | 19.44 Gb Free Space | 99.55% Space Free | Partition Type: NTFS
Drive E: | 10.06 Gb Total Space | 2.43 Gb Free Space | 24.18% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANITA-PC
Current User Name: Anita
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========



< MD5 for: MSCORLIB.TLB >
[2008/07/28 03:33:13 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=2CB7E3F25F957325442D249C8A3E1006 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18111_none_fe52b3a379f3dcbf\mscorlib.tlb
[2008/01/05 20:56:35 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=2EF1209665D6D6469F801EA7190BD1DC -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18000_none_fe51ca4579f4a976\mscorlib.tlb
[2008/07/28 03:30:25 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=95CD1A907684D35DE70A9EA786C22158 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16720_none_fe77ceed79a1d01e\mscorlib.tlb
[2008/07/28 03:25:53 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=95CD1A907684D35DE70A9EA786C22158 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.20883_none_e7afe59193441511\mscorlib.tlb
[2008/07/28 03:28:33 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=95CD1A907684D35DE70A9EA786C22158 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.22230_none_e787243f939955d2\mscorlib.tlb
[2006/10/20 10:44:16 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=DE5A129E748366F2D817239915E47E08 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16386_none_fe7d4889799d00aa\mscorlib.tlb
[2009/03/30 14:12:14 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=F00741D5B8C8D2D0C038A681B1657ABE -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.tlb
[2009/03/30 14:12:14 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=F00741D5B8C8D2D0C038A681B1657ABE -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6002.18005_none_fe2d4f817a463d8a\mscorlib.tlb
< End of report >
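
The OTL log above lists eight copies of mscorlib.tlb: one in the .NET Framework directory and seven side-by-side copies in WinSxS, each from a different servicing version, so differing hashes between versions are expected. What is worth checking is which copies share a hash and whether the hash you compute on the machine matches what OTL reported. The following Python script is an added example, not code from this thread and not OTL's own; it parses the `< MD5 for: ... >` section (the sample lines are copied from the log posted above), groups the copies by hash and WinSxS version, and, when run on the affected PC, recomputes each hash. The function names (parse_md5_report, group_by_hash, unique_hashes, winsxs_version, verify_against_report) are this example's own.

```python
"""Parse the '< MD5 for: ... >' section of an OTL custom-scan log and
group the listed copies of a file by hash.

Added example, not part of the original thread and not OTL's own code.
SAMPLE_REPORT is copied from the OTL log posted in the thread; the
function names below are this example's own.
"""
import hashlib
import os
import re
from collections import defaultdict

# One OTL MD5 result line:
#   [date time | size | attrs | M] (company) MD5=<32 hex> -- <path>
_LINE = re.compile(
    r"^\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)

# Raw string: the paths contain '\x86', which a normal string literal
# would turn into an escape sequence.
SAMPLE_REPORT = r"""
< MD5 for: MSCORLIB.TLB >
[2008/07/28 03:33:13 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=2CB7E3F25F957325442D249C8A3E1006 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18111_none_fe52b3a379f3dcbf\mscorlib.tlb
[2008/01/05 20:56:35 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=2EF1209665D6D6469F801EA7190BD1DC -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18000_none_fe51ca4579f4a976\mscorlib.tlb
[2008/07/28 03:30:25 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=95CD1A907684D35DE70A9EA786C22158 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16720_none_fe77ceed79a1d01e\mscorlib.tlb
[2008/07/28 03:25:53 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=95CD1A907684D35DE70A9EA786C22158 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.20883_none_e7afe59193441511\mscorlib.tlb
[2008/07/28 03:28:33 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=95CD1A907684D35DE70A9EA786C22158 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.22230_none_e787243f939955d2\mscorlib.tlb
[2006/10/20 10:44:16 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=DE5A129E748366F2D817239915E47E08 -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16386_none_fe7d4889799d00aa\mscorlib.tlb
[2009/03/30 14:12:14 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=F00741D5B8C8D2D0C038A681B1657ABE -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.tlb
[2009/03/30 14:12:14 | 000,524,288 | ---- | M] (Microsoft Corporation) MD5=F00741D5B8C8D2D0C038A681B1657ABE -- C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6002.18005_none_fe2d4f817a463d8a\mscorlib.tlb
< End of report >
"""


def parse_md5_report(text):
    """Return one dict per result line: date, size (int), company, md5, path."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, '< End of report >'
        entry = m.groupdict()
        entry["date"] = entry["date"].strip()
        entry["size"] = int(entry["size"].replace(",", ""))
        entry["md5"] = entry["md5"].upper()
        entries.append(entry)
    return entries


def winsxs_version(path):
    """Assembly version embedded in a WinSxS directory name, or None."""
    m = re.search(r"_(\d+\.\d+\.\d+\.\d+)_none_", path)
    return m.group(1) if m else None


def group_by_hash(entries):
    """Map each MD5 to the list of paths that reported it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def unique_hashes(entries):
    """MD5 values that belong to exactly one file in the report."""
    return sorted(h for h, paths in group_by_hash(entries).items() if len(paths) == 1)


def md5_of_file(path, chunk_size=1 << 20):
    """Recompute a file's MD5, streaming so large files are not read whole."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def verify_against_report(entries):
    """Recompute MD5 for every reported path that exists on this machine.

    Returns (mismatches, unreadable): (path, reported, actual) triples whose
    recomputed hash differs from the report, and paths whose read raised an
    OSError. Paths that do not exist are skipped, so running this away from
    the affected PC returns two empty lists.
    """
    mismatches, unreadable = [], []
    for e in entries:
        if not os.path.isfile(e["path"]):
            continue
        try:
            actual = md5_of_file(e["path"])
        except OSError:
            unreadable.append(e["path"])
            continue
        if actual != e["md5"]:
            mismatches.append((e["path"], e["md5"], actual))
    return mismatches, unreadable


if __name__ == "__main__":
    entries = parse_md5_report(SAMPLE_REPORT)
    for md5, paths in sorted(group_by_hash(entries).items()):
        versions = [winsxs_version(p) or "Framework dir" for p in paths]
        print(f"{md5}  {len(paths)} file(s): {', '.join(versions)}")
    print("hashes seen on only one file:", unique_hashes(entries))
    print("local recheck (mismatches, unreadable):", verify_against_report(entries))
```

Run as-is it only groups the posted lines; on the affected machine verify_against_report opens each listed file, so a read that fails lands in the unreadable list and a read that never returns reproduces the same symptom the scanners showed on that file, which narrows the problem to that one copy rather than to the scanner.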


#12 Elise

Posted 24 March 2010 - 04:49 AM

Hello, please try the following steps.

SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise


#13 neets23 (Topic Starter)

Posted 24 March 2010 - 07:34 PM

I followed your instructions, and the SuperAntispyware scan in Safe mode froze on the same file that Malwarebytes does! The scan had been through around 8000 files and listed Adware Tracking Cookie.. 267 under problems found. The scan was left open for 10 hours and did not move on from the frozen file. I tried to click on Next but nothing happened. I had to force restart the laptop, and tried to bring up a copy of the log to paste here as instructed but there was no log listed.

This time I copied down the entire name of the problem file: it is

C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18111_none_fe52b3a379f3dcbf\mscorlib.tlb

#14 Elise

Posted 25 March 2010 - 05:32 AM

Please run the following OTL fix and afterwards, try to re-run the MBAM scan.

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :files
    C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18111_none_fe52b3a379f3dcbf\mscorlib.tlb
    C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18000_none_fe51ca4579f4a976\mscorlib.tlb
    C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16720_none_fe77ceed79a1d01e\mscorlib.tlb
    C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.20883_none_e7afe59193441511\mscorlib.tlb
    C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.22230_none_e787243f939955d2\mscorlib.tlb
    C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16386_none_fe7d4889799d00aa\mscorlib.tlb
    C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6002.18005_none_fe2d4f817a463d8a\mscorlib.tlb
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise


#15 neets23 (Topic Starter)

Posted 25 March 2010 - 08:15 PM

========== FILES ==========
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18111_none_fe52b3a379f3dcbf\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18000_none_fe51ca4579f4a976\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16720_none_fe77ceed79a1d01e\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.20883_none_e7afe59193441511\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.22230_none_e787243f939955d2\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16386_none_fe7d4889799d00aa\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6002.18005_none_fe2d4f817a463d8a\mscorlib.tlb scheduled to be moved on reboot.

OTL by OldTimer - Version 3.1.37.3 log created on 03252010_110702

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18111_none_fe52b3a379f3dcbf\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.18000_none_fe51ca4579f4a976\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16720_none_fe77ceed79a1d01e\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.20883_none_e7afe59193441511\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6001.22230_none_e787243f939955d2\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6000.16386_none_fe7d4889799d00aa\mscorlib.tlb scheduled to be moved on reboot.
File move failed. C:\WINDOWS\winsxs\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_6.0.6002.18005_none_fe2d4f817a463d8a\mscorlib.tlb scheduled to be moved on reboot.

Registry entries deleted on Reboot...




