av.exe - problem after removal


  • This topic is locked
15 replies to this topic

#1 mervward

  • Members
  • 22 posts

Posted 18 March 2010 - 04:21 PM

Hi,

I've had a problem with av.exe on one of my computer user accounts.

I followed the Automated Removal Instructions for AV AntiSpyware using Malwarebytes' Anti-Malware on this site. It picked up 23 infections which it processed and removed. (none of them appeared to be av.exe related).

Now when I try to open various programmes (eg internet explorer and AVG anti virus) I get the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item".
I can open some of them by right clicking the mouse and selecting "Run as administrator".

All other five user accounts on the computer appear to be operating normally.

Please note that the GMER log I have uploaded was obtained while my computer was running in safe mode. I tried four times in normal mode but the computer kept freezing up.


Any help would be very much appreciated.

Thanks

Merv Ward






DDS (Ver_10-03-17.01) - NTFSx86
Run by Merv at 18:30:38.95 on 18/03/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.44.1033.18.2045.1183 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Merv\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.fromthelane.co.uk/FTL/forum_topics.asp?FID=1&title=fromthelanecouk
mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-6 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-6 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-24 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-12 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-12 308064]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
S2 gupdate1c98f846a883398;Google Update Service (gupdate1c98f846a883398);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-10 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-03-17 21:12:58 0 d-----w- c:\users\merv\appdata\roaming\Malwarebytes
2010-03-17 18:39:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 18:39:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 18:39:18 0 d-----w- c:\programdata\Malwarebytes
2010-03-17 18:39:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 21:42:51 0 d---a-w- c:\programdata\TEMP
2010-03-12 19:21:54 0 d-----w- c:\programdata\RegCure
2010-03-12 13:11:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 08:18:46 0 d-----w- C:\d38c5df7b72460dd1056d23f
2010-03-10 08:09:07 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 08:09:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 08:09:04 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-03 19:24:26 0 d-----w- c:\programdata\Nokia
2010-03-03 18:28:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-03-03 18:26:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-03-03 17:55:58 0 d-----w- c:\programdata\PC Suite
2010-03-03 17:48:29 0 d-----w- c:\program files\common files\Nokia
2010-03-03 17:47:45 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-03 17:42:04 0 d-----w- c:\program files\PC Connectivity Solution
2010-03-03 17:38:21 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-03-03 17:37:19 0 d-----w- c:\programdata\OviInstallerCache
2010-03-03 17:37:19 0 d-----w- c:\program files\Nokia
2010-02-27 07:44:35 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-24 13:45:31 0 d--h--w- C:\$AVG
2010-02-24 13:44:49 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-24 13:44:41 0 d-----w- c:\programdata\avg9
2010-02-24 13:31:02 80328144 ----a-w- c:\users\merv\avg_free_stf_en_90_730a1834.exe
2010-02-24 07:24:08 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 07:23:54 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 07:23:52 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 07:23:49 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 07:23:49 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 07:23:49 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 07:23:49 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 07:23:46 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 07:23:46 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 07:23:46 151040 ----a-w- c:\windows\system32\secproc_ssp.dll

==================== Find3M ====================

2010-03-12 13:10:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-04 18:52:18 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-03-04 18:52:18 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-03 17:47:36 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-21 14:53:16 18048 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-30 11:30:50 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-12-28 12:35:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35:00 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32:25 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31:22 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31:01 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28:43 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28:43 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-02-06 17:50:08 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-02-06 16:06:13 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-27 17:36:16 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 18:31:41.33 ===============


#2 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 20 March 2010 - 05:59 PM

Hi mervward

Let's see what we can do:

Step 1
Please download exeHelper to your desktop.
If your AV program throws up a warning about the program, ignore the warning. Some AVs flag this program because of how it works... that's all.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).

Step 2
Please update MBAM and run another scan:
  • Start MBAM.
  • Click on the Update tab >> click Search for Updates.
  • If it says that MBAM needs to close to update it... let it close and then restart it.
  • On restart >> click the Scan button.

Don't forget:
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Step 3
  • Download OTL to your desktop.
    If you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Now copy the lines below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
In your next reply, please submit:
  • exehelperlog.txt
  • MBAM scan report
  • both reports from OTL


Thanks.

Edited by Starbuck, 20 March 2010 - 06:02 PM.

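Added note for readers of this thread (this is an added example, not part of the original posts and not code from exeHelper, MBAM or OTL): Step 1 above resets the .exe and .com file associations and the Winlogon Userinit and Shell values because this class of rogue commonly redirects them so that every program launch passes through the rogue's own executable. Once a scanner deletes that executable, the redirect points at a file that no longer exists and Windows reports "cannot access the specified device, path, or file", which is the symptom described in the first post. The read-only PowerShell audit below compares those values with the Windows Vista/7 defaults so the state can be confirmed before and after a fix. It also looks at the per-user keys under HKCU\Software\Classes: when Windows resolves a file type it merges those over the machine-wide HKLM\Software\Classes entries, so a redirect placed there affects only one account, which would fit a single broken user profile like the one reported here (an inference, not something the thread confirms). The AppData and /START patterns used to flag StartMenuInternet commands are heuristics chosen for this example, modelled on the Hijack.StartMenuInternet entry in the MBAM log later in this thread; a match is a lead to check by hand, not a verdict, since some legitimate per-user browser installs also live under AppData.

```powershell
# Added audit script for this thread (not exeHelper, MBAM or OTL code).
# Read-only: it reports the launch paths this class of rogue tampers with and
# compares them with the Windows Vista/7 defaults. Run from an elevated
# PowerShell prompt while logged on as the affected user.

function Get-RegValue {
    # Return a named value (or the key's (default) value); $null if absent.
    param([string]$Key, [string]$Name = '(default)')
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).$Name
}

function Invoke-LaunchPathAudit {
    $results = @()

    # Machine-wide values with their stock defaults.
    $expected = @(
        @{ Label = 'HKLM exefile open command'
           Key   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
           Name  = '(default)'; Default = '"%1" %*' },
        @{ Label = 'HKLM comfile open command'
           Key   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command'
           Name  = '(default)'; Default = '"%1" %*' },
        @{ Label = 'Winlogon Userinit'
           Key   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name  = 'Userinit'; Default = "$env:SystemRoot\system32\userinit.exe," },
        @{ Label = 'Winlogon Shell'
           Key   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name  = 'Shell'; Default = 'explorer.exe' }
    )
    foreach ($e in $expected) {
        $actual = Get-RegValue -Key $e.Key -Name $e.Name
        if ($null -eq $actual)          { $results += "ALERT $($e.Label): value missing" }
        elseif ($actual -eq $e.Default) { $results += "OK    $($e.Label): $actual" }
        else                            { $results += "ALERT $($e.Label): '$actual' (default '$($e.Default)')" }
    }

    # Per-user overrides. Windows merges HKCU\Software\Classes over
    # HKLM\Software\Classes when resolving a file type, so a redirect placed
    # here hijacks one account only. A clean profile normally has none of these.
    foreach ($sub in '.exe', '.com', 'exefile\shell\open\command', 'comfile\shell\open\command') {
        $key = "Registry::HKEY_CURRENT_USER\Software\Classes\$sub"
        if (Test-Path -LiteralPath $key) {
            $val = Get-RegValue -Key $key
            $results += "ALERT per-user override HKCU\Software\Classes\$sub = '$val'"
        } else {
            $results += "OK    no per-user override for $sub"
        }
    }

    # Browser launch commands (the MBAM log in this thread shows one of these
    # redirected into a user profile). Heuristic chosen for this example: a
    # command that runs from AppData or carries a /START argument is flagged
    # for manual review.
    $smi = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet'
    if (Test-Path -LiteralPath $smi) {
        foreach ($client in Get-ChildItem -LiteralPath $smi) {
            $cmd = Get-RegValue -Key ('Registry::' + $client.Name + '\shell\open\command')
            if ($null -eq $cmd) { continue }
            $tag = if ($cmd -match '\\AppData\\' -or $cmd -match '/START') { 'ALERT' } else { 'OK   ' }
            $results += "$tag StartMenuInternet $($client.PSChildName): $cmd"
        }
    }
    return $results
}

Invoke-LaunchPathAudit
```

Every line is prefixed OK or ALERT, so the output can be pasted into a reply as-is. The script changes nothing; restoring a flagged value is what Step 1 (exeHelper) and the MBAM removal in Step 2 are for, and a second run after those steps should show only OK lines.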


#3 mervward
  • Topic Starter
  • Members
  • 22 posts

Posted 21 March 2010 - 11:31 AM


Hi Starbuck,

Thanks for your time.

Here are the logs requested.

exeHelper by Raktor
Build 20091220
Run at 15:29:13 on 03/21/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



Malwarebytes' Anti-Malware 1.44
Database version: 3891
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

21/03/2010 15:40:43
mbam-log-2010-03-21 (15-40-43).txt

Scan type: Quick Scan
Objects scanned: 161835
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Nath\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.SearchPage) -> Bad: (http://www.mirarsearch.com/?useie5=1&q=) Good: (http://www.google.com) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Sian\AppData\Local\Temp\dphA960.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Sian\AppData\Roaming\Microsoft\Windows\oulwsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.




OTL logfile created on: 21/03/2010 16:07:14 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Merv\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.78 Gb Total Space | 183.82 Gb Free Space | 78.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MERVSPC
Current User Name: Merv
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Merv\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\ieuser.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Merv\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg9emc) -- C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (TomTomHOMEService) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (AvgTdiX) -- C:\Windows\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\Windows\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\Windows\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia)
DRV - (UsbserFilt) -- C:\Windows\System32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (nmwcdc) -- C:\Windows\System32\drivers\ccdcmbo.sys (Nokia)
DRV - (upperdev) -- C:\Windows\System32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (fssfltr) -- C:\Windows\System32\drivers\fssfltr.sys (Microsoft Corporation)
DRV - (UsbDiag) -- C:\Windows\System32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (USBModem) -- C:\Windows\System32\drivers\lgusbmodem.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\Windows\System32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (pccsmcfd) -- C:\Windows\System32\drivers\pccsmcfd.sys (Nokia)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (s117mdm) -- C:\Windows\System32\drivers\s117mdm.sys (MCCI Corporation)
DRV - (s117mdfl) -- C:\Windows\System32\drivers\s117mdfl.sys (MCCI Corporation)
DRV - (s117bus) Sony Ericsson Device 117 driver (WDM) -- C:\Windows\System32\drivers\s117bus.sys (MCCI Corporation)
DRV - (MRV6X32P) -- C:\Windows\System32\drivers\MRVW13B.sys (Marvell Semiconductor, Inc)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (SigmaTel, Inc.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.fromthelane.co.uk/FTL/forum_top...fromthelanecouk
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2010/03/03 17:47:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2010/03/03 17:48:02 | 000,000,000 | ---D | M]

[2009/07/16 19:02:17 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\Mozilla\Extensions
[2009/07/16 19:02:17 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
[2009/03/17 19:55:36 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2006/09/18 21:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [] File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Merv\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Merv\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/02/06 15:57:54 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^Users^Mel 2^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk - C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe - ()
MsConfig - StartUpFolder: C:^Users^Merv^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk - C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe - ()
MsConfig - StartUpFolder: C:^Users^Nath^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe - (Lime Wire, LLC)
MsConfig - StartUpFolder: C:^Users^Sian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe - (Lime Wire, LLC)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: msnmsgr - hkey= - key= - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
MsConfig - StartUpReg: My Web Search Bar Search Scope Monitor - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe File not found
MsConfig - StartUpReg: MyWebSearch Email Plugin - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
MsConfig - StartUpReg: MyWebSearch Plugin - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL File not found
MsConfig - StartUpReg: NokiaMServer - hkey= - key= - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
MsConfig - StartUpReg: NokiaOviSuite2 - hkey= - key= - C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe (Nokia)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: TomTomHOME.exe - hkey= - key= - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
MsConfig - StartUpReg: WMPNSCFG - hkey= - key= - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
MsConfig - State: "startup" - 2
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 30 Days ==========

[2010/03/21 15:46:55 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\Merv\Desktop\OTL.exe
[2010/03/19 20:12:53 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/03/19 20:12:28 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2010/03/18 18:37:23 | 000,000,000 | ---D | C] -- C:\Users\Merv\Desktop\gmer
[2010/03/17 21:12:58 | 000,000,000 | ---D | C] -- C:\Users\Merv\AppData\Roaming\Malwarebytes
[2010/03/17 18:39:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/17 18:39:18 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/17 18:39:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/17 18:39:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/16 21:42:51 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/03/12 19:21:54 | 000,000,000 | ---D | C] -- C:\ProgramData\RegCure
[2010/03/12 13:11:13 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/03/10 08:18:46 | 000,000,000 | ---D | C] -- C:\d38c5df7b72460dd1056d23f
[2010/03/10 08:09:07 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/03/10 08:09:04 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2010/03/03 19:24:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Nokia
[2010/03/03 17:58:09 | 000,000,000 | ---D | C] -- C:\Users\Merv\AppData\Roaming\Nokia
[2010/03/03 17:56:01 | 000,000,000 | ---D | C] -- C:\Users\Merv\AppData\Local\Nokia
[2010/03/03 17:55:58 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Suite
[2010/03/03 17:55:57 | 000,000,000 | ---D | C] -- C:\Users\Merv\AppData\Roaming\PC Suite
[2010/03/03 17:55:54 | 000,000,000 | ---D | C] -- C:\Users\Merv\AppData\Local\NokiaAccount
[2010/03/03 17:48:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2010/03/03 17:47:47 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2010/03/03 17:47:45 | 000,018,816 | ---- | C] (Nokia) -- C:\Windows\System32\drivers\pccsmcfd.sys
[2010/03/03 17:42:04 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2010/03/03 17:38:21 | 000,091,136 | ---- | C] (Nokia) -- C:\Windows\System32\nmwcdcls.dll
[2010/03/03 17:37:19 | 000,000,000 | ---D | C] -- C:\ProgramData\OviInstallerCache
[2010/03/03 17:37:19 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/02/27 07:44:35 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
[2010/02/24 13:45:31 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/02/24 13:44:49 | 000,242,696 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/02/24 13:44:41 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/02/24 13:31:02 | 080,328,144 | ---- | C] (AVG Technologies) -- C:\Users\Merv\avg_free_stf_en_90_730a1834.exe
[2010/02/24 07:24:08 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/24 07:23:54 | 000,523,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/02/24 07:23:52 | 000,511,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/02/24 07:23:49 | 000,472,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/02/24 07:23:49 | 000,472,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/02/24 07:23:49 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/02/24 07:23:49 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/02/24 07:23:46 | 000,329,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdrm.dll
[2010/02/24 07:23:46 | 000,151,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/02/24 07:23:46 | 000,151,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/21 16:06:42 | 002,097,152 | -HS- | M] () -- C:\Users\Merv\ntuser.dat
[2010/03/21 16:05:00 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{43CEFD8A-1EB2-40E2-8200-65380A3FA995}.job
[2010/03/21 15:47:00 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Merv\Desktop\OTL.exe
[2010/03/21 15:46:08 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/03/21 15:43:59 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/21 15:43:58 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/21 15:43:57 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/21 15:43:50 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/21 15:43:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/21 15:42:27 | 000,524,288 | -HS- | M] () -- C:\Users\Merv\ntuser.dat{fbc3833d-adc8-11de-8115-001372b1ca41}.TMContainer00000000000000000001.regtrans-ms
[2010/03/21 15:42:27 | 000,065,536 | -HS- | M] () -- C:\Users\Merv\ntuser.dat{fbc3833d-adc8-11de-8115-001372b1ca41}.TM.blf
[2010/03/21 15:42:20 | 001,685,905 | -H-- | M] () -- C:\Users\Merv\AppData\Local\IconCache.db
[2010/03/21 15:39:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/21 15:30:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2434869507-3798317886-3164630075-1002UA.job
[2010/03/21 15:28:46 | 000,290,816 | ---- | M] () -- C:\Users\Merv\Desktop\exeHelper.com
[2010/03/21 14:35:27 | 000,031,232 | ---- | M] () -- C:\Users\Merv\Desktop\romeo_and_juliet.doc
[2010/03/21 13:54:01 | 000,033,792 | ---- | M] () -- C:\Users\Merv\Documents\romeo & juliet.doc
[2010/03/21 13:30:00 | 000,000,846 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2434869507-3798317886-3164630075-1002Core.job
[2010/03/21 08:45:03 | 057,451,645 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/03/20 22:49:26 | 000,001,356 | ---- | M] () -- C:\Users\Merv\AppData\Local\d3d9caps.dat
[2010/03/19 14:34:51 | 001,485,312 | ---- | M] () -- C:\Users\Merv\Desktop\Bank Accounts.xls
[2010/03/18 20:17:13 | 192,167,067 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/03/18 18:36:12 | 000,284,915 | ---- | M] () -- C:\Users\Merv\Desktop\gmer.zip
[2010/03/18 18:28:51 | 000,525,824 | ---- | M] () -- C:\Users\Merv\Desktop\dds.scr
[2010/03/18 18:18:59 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/18 18:18:59 | 000,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/18 18:18:59 | 000,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/17 18:41:13 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/16 22:27:11 | 000,011,004 | -HS- | M] () -- C:\ProgramData\21mn5E
[2010/03/12 13:11:15 | 000,242,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/03/12 13:11:13 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/03/12 13:11:13 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/03/12 13:10:38 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/03/11 13:09:22 | 000,071,680 | ---- | M] () -- C:\Users\Merv\Documents\PVF Sales.xls
[2010/03/07 20:13:32 | 000,024,576 | ---- | M] () -- C:\Users\Merv\Documents\Barclaycard Offer.xls
[2010/03/03 19:34:33 | 000,005,632 | ---- | M] () -- C:\Users\Merv\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/03 18:28:12 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
[2010/03/03 18:26:10 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
[2010/03/03 17:50:20 | 000,001,928 | ---- | M] () -- C:\Users\Public\Desktop\Nokia Ovi Suite.lnk
[2010/02/27 08:32:04 | 000,001,589 | ---- | M] () -- C:\Users\Public\Desktop\Browser Choice.lnk
[2010/02/24 13:47:02 | 000,142,495 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/02/24 13:45:09 | 000,001,647 | ---- | M] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/02/24 13:44:49 | 000,113,461 | ---- | M] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/02/24 13:31:12 | 080,328,144 | ---- | M] (AVG Technologies) -- C:\Users\Merv\avg_free_stf_en_90_730a1834.exe
[2010/02/24 13:08:23 | 000,100,040 | ---- | M] () -- C:\Users\Merv\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/02/24 13:03:46 | 000,369,488 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/02/20 23:39:35 | 000,024,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/02/20 23:37:20 | 000,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/21 15:28:45 | 000,290,816 | ---- | C] () -- C:\Users\Merv\Desktop\exeHelper.com
[2010/03/21 13:54:00 | 000,033,792 | ---- | C] () -- C:\Users\Merv\Documents\romeo & juliet.doc
[2010/03/21 13:04:22 | 000,031,232 | ---- | C] () -- C:\Users\Merv\Desktop\romeo_and_juliet.doc
[2010/03/18 19:36:51 | 000,001,356 | ---- | C] () -- C:\Users\Merv\AppData\Local\d3d9caps.dat
[2010/03/18 18:36:12 | 000,284,915 | ---- | C] () -- C:\Users\Merv\Desktop\gmer.zip
[2010/03/18 18:28:44 | 000,525,824 | ---- | C] () -- C:\Users\Merv\Desktop\dds.scr
[2010/03/17 18:39:22 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/15 21:49:41 | 000,011,004 | -HS- | C] () -- C:\ProgramData\21mn5E
[2010/03/03 18:28:12 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
[2010/03/03 18:26:10 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
[2010/03/03 17:50:20 | 000,001,928 | ---- | C] () -- C:\Users\Public\Desktop\Nokia Ovi Suite.lnk
[2010/02/27 08:32:04 | 000,001,589 | ---- | C] () -- C:\Users\Public\Desktop\Browser Choice.lnk
[2010/02/24 13:45:06 | 000,001,647 | ---- | C] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/05/04 14:03:00 | 000,059,904 | ---- | C] () -- C:\Windows\System32\zlib1.dll
[2009/05/04 13:53:28 | 000,286,720 | ---- | C] () -- C:\Windows\System32\libcurl.dll
[2009/05/04 13:53:10 | 000,143,360 | ---- | C] () -- C:\Windows\System32\libexpatw.dll
[2009/02/27 20:23:52 | 000,005,632 | ---- | C] () -- C:\Users\Merv\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/07 13:27:50 | 000,024,206 | ---- | C] () -- C:\Users\Merv\AppData\Roaming\UserTile.png
[2009/02/06 17:48:56 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2009/02/06 15:25:05 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2009/02/06 14:30:08 | 000,000,612 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2006/11/02 12:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 10:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/06/29 17:44:12 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2009/05/15 15:58:56 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\LG Electronics
[2009/08/11 19:10:36 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\LimeWire
[2009/08/11 20:48:40 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\NCH Swift Sound
[2010/03/03 17:58:09 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\Nokia
[2010/03/03 18:30:11 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\PC Suite
[2009/02/07 13:27:50 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\PeerNetworking
[2009/07/16 19:02:11 | 000,000,000 | ---D | M] -- C:\Users\Merv\AppData\Roaming\TomTom
[2010/03/21 15:42:46 | 000,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/03/21 16:05:00 | 000,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{43CEFD8A-1EB2-40E2-8200-65380A3FA995}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/18 23:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/18 23:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2006/11/02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/01/18 23:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/18 23:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/18 23:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 09:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/18 23:42:52 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/18 23:42:52 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 09:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2008/01/18 23:35:38 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/18 23:35:38 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/18 23:42:10 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/18 23:42:10 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/18 23:36:20 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/18 23:36:20 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 09:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/18 23:34:10 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2008/01/18 23:34:10 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2008/01/18 23:38:04 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/18 23:36:12 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >



OTL Extras logfile created on: 21/03/2010 16:07:14 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Merv\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.78 Gb Total Space | 183.82 Gb Free Space | 78.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MERVSPC
Current User Name: Merv
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02CF5192-74AD-49F6-BE20-E4F2ED6F898E}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{16B890BE-3FC6-4F5F-996E-8C6F58E0FC6D}" = rport=138 | protocol=17 | dir=out | app=system |
"{18C91088-895A-49A4-BA15-29751CABF8F4}" = lport=445 | protocol=6 | dir=in | app=system |
"{21C92DE7-F994-45A6-A3D1-56AB3642AE1A}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2314116F-324E-4686-B28D-4D91077AB539}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2AA1ED18-392E-455F-9680-6E908221A11E}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{3DDB03A7-E28A-4EB3-BCB8-7749DBCE9B7C}" = lport=138 | protocol=17 | dir=in | app=system |
"{5C75FA97-01B7-4298-8FA5-1848485A933E}" = lport=139 | protocol=6 | dir=in | app=system |
"{6A097294-B79C-409E-9A6A-67A8797E883D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{6D1D0CE1-0616-463F-8371-3662C52C6249}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7066EB94-2729-4119-BF8D-7684E6AEAD1F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7120C786-F709-4F66-A96D-8EEE85A6FD0F}" = rport=445 | protocol=6 | dir=out | app=system |
"{760FF9B3-A0CB-4061-AA19-1FE25B7ECA2F}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{80E57A07-45ED-44B5-8842-BAF40B67C264}" = lport=137 | protocol=17 | dir=in | app=system |
"{82F01ACD-92CD-42E2-957B-6F35E7725CFC}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8B2D6729-F8EA-4352-B49B-9EF6EAA2CE51}" = lport=10243 | protocol=6 | dir=in | app=system |
"{9485088F-692F-45F1-A12D-F0CFF16EAAC6}" = rport=137 | protocol=17 | dir=out | app=system |
"{976A9485-DF04-4051-8522-D0598BD49A7C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{993F2EDB-C954-42E7-9D01-65ACB80102FD}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{A14DB9F0-8020-4A93-980D-7FE82CB7664F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{A2C50C99-47CC-4526-BBF9-27F14D5385CE}" = rport=139 | protocol=6 | dir=out | app=system |
"{A4C2BDCA-52A5-44B2-A45D-E387DE7AB8B3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A6B9EBE2-7352-47BB-93EC-D1BCDC4594C4}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A934E976-2843-48AD-AA9B-AC3993B13FA4}" = lport=2869 | protocol=6 | dir=in | app=system |
"{DA6E2E84-9EBC-4DA2-B273-86DD66619912}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{DED56F5F-3737-4FFD-889F-1296F292F4C0}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DFBF021A-3F04-455F-B738-B240E8E5F0A7}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E4CB2004-8CBF-47E5-8134-95F06445FDB2}" = rport=10243 | protocol=6 | dir=out | app=system |
"{E9064225-87EC-49A1-9735-1AD71ABFA7DE}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0B2D03E5-836E-427D-B59A-A87E89481774}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{162E359F-9AA9-474E-BEAE-18A2E9DA149C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{53A1F562-69AD-43B6-902F-09EFC7FA9AD0}" = dir=in | app=c:\program files\avg\avg9\avgemc.exe |
"{5E653E2F-BD02-477B-B7E3-63E5EBA4D9E3}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{61E07B91-A885-4E15-8FB0-006190232084}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{69E13EE3-301A-4072-9C3C-D0689FC0A9D0}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{6C4C17D0-8580-4A6D-83E5-567466138CC1}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |
"{6D287539-D010-4C24-9C4C-E8C1A1B17243}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6DBB9CCB-BD90-4CE1-B26F-B2190C0E22D6}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{73213306-50AB-4C78-902B-B28D71E713B5}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{7BA3FC44-2239-4E80-8CA6-C04249EB73AE}" = protocol=6 | dir=out | app=system |
"{7CCD4D15-53A9-41CE-947B-E04199748A31}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{90FDD4FC-4028-4A3E-9C10-CBED12771F2C}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{92E2D8D8-F64C-4508-98BC-A482415D1496}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{97E232EE-6B57-475D-B9D0-FBB8C1137929}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{990626DF-90ED-403E-BFBB-0BAB816A37DD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A3B99238-C5D7-4534-AE8C-4BBAF8FAF97D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A3EC44A2-AEC0-4A29-9968-BBEC1FEB91A1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A8E8A9AE-B375-4571-A406-B259156ABDCA}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{AE824BEC-0DDE-4370-9E9C-415ED3423EC6}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{AEF99A64-7B9C-4781-87B6-817D2B27674A}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{B062770D-2247-4478-B0E4-7CFF3CBC724F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{B0CA990D-83D9-47F5-A8A1-4FB105FE92E7}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{BA87FBA4-0B0A-40D8-B582-1213D62EB38C}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D458FF82-1F49-4E48-B5AF-FC2D3F2631F7}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{EF1ABBC5-8EEC-4FE8-92C1-094F7CDC620C}" = dir=in | app=c:\program files\avg\avg9\avgnsx.exe |
"{F33D5E86-658E-493D-9D38-3F4900A9E069}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{FC0A4807-E1E4-4059-B896-D47DA26BF9A8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"TCP Query User{1CF397B1-198E-4DA9-8DE0-818E2D65B759}C:\program files\common files\nokia\service layer\a\nsl_host_process.exe" = protocol=6 | dir=in | app=c:\program files\common files\nokia\service layer\a\nsl_host_process.exe |
"TCP Query User{2A5D84D7-0787-4EBB-9556-80BE5E59BD58}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{2BB0D171-648B-4F27-8BBE-3BC5063A3890}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{593FDB54-D0F5-4C80-ADA0-5AE659A60211}C:\program files\nokia\nokia ovi suite\nokiaovisuite.exe" = protocol=6 | dir=in | app=c:\program files\nokia\nokia ovi suite\nokiaovisuite.exe |
"UDP Query User{06343414-2F3D-403F-BF79-5E823672AA53}C:\program files\nokia\nokia ovi suite\nokiaovisuite.exe" = protocol=17 | dir=in | app=c:\program files\nokia\nokia ovi suite\nokiaovisuite.exe |
"UDP Query User{64CD7A3C-7AAD-498E-AED8-36B74A65B868}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{79FE54E0-FA02-45B0-9C2B-93A5C2DB6101}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{8F997C9C-3E74-4947-ABFA-3F4E008EC605}C:\program files\common files\nokia\service layer\a\nsl_host_process.exe" = protocol=17 | dir=in | app=c:\program files\common files\nokia\service layer\a\nsl_host_process.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{14DCD95A-EBA3-4BF0-B7EF-533852E99BE6}" = LG PC Suite II
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{35ED8B97-897C-4BD1-AEAE-6FD3404BA082}" = Ovi Desktop Sync Engine
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{481C9A00-91AC-4065-870C-BD4E28186E5A}" = PC Connectivity Solution
"{49B6F667-76EB-4E9D-ACD2-84B7437901C0}" = LG PC Suite II
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4E1CD3D5-D4EE-4246-AE24-F0FD5A60390D}" = OviMPlatform
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}" = Nokia Ovi Suite
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B9C9DB4C-6D77-4AE9-AD1C-C708C23239A0}" = Nokia Connectivity Cable Driver
"{BA63348B-143D-4CAC-A355-3879402ED781}" = Nokia Ovi Suite Software Updater
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BEA18030-8B42-1286-EF64-CDA6BD083888}" = BBC iPlayer Desktop
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AVG9Uninstall" = AVG Free 9.0
"CCleaner" = CCleaner (remove only)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Scanner" = EPSON Scan
"Google Updater" = Google Updater
"LimeWire" = LimeWire 5.1.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Nokia Ovi Suite" = Nokia Ovi Suite
"OEMInformation" = OEM Logo and Information
"RealAlt_is1" = Real Alternative 1.8.0
"TomTom HOME" = TomTom HOME 2.6.2.1586
"UltSounds" = Windows Sound Schemes
"UltSounds2" = Ultimate Extras sounds from Microsoft® Tinker™
"Veetle TV" = Veetle TV 0.9.15
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 27/11/2009 14:26:05 | Computer Name = MervsPC | Source = Google Update | ID = 20
Description =

Error - 27/11/2009 15:14:29 | Computer Name = MervsPC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 27/11/2009 15:47:44 | Computer Name = MervsPC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 27/11/2009 18:02:50 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

Error - 28/11/2009 04:48:40 | Computer Name = MervsPC | Source = VSS | ID = 8193
Description =

Error - 28/11/2009 06:36:02 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

Error - 28/11/2009 09:26:06 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

Error - 28/11/2009 14:56:01 | Computer Name = MervsPC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28/11/2009 15:27:30 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

Error - 28/11/2009 17:40:23 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

[ OSession Events ]
Error - 19/09/2009 10:21:09 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8015
seconds with 1740 seconds of active time. This session ended with a crash.

Error - 26/09/2009 08:40:19 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 11705
seconds with 4020 seconds of active time. This session ended with a crash.

Error - 01/10/2009 11:59:55 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 4465 seconds with 2700 seconds of active time. This session ended with a
crash.

Error - 05/10/2009 12:35:24 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 394 seconds with 300 seconds of active time. This session ended with a crash.

Error - 06/10/2009 13:39:06 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9522
seconds with 360 seconds of active time. This session ended with a crash.

Error - 27/11/2009 12:59:20 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3834
seconds with 240 seconds of active time. This session ended with a crash.

Error - 03/01/2010 15:38:42 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 6318 seconds with 1560 seconds of active time. This session ended with a
crash.

Error - 10/01/2010 07:22:15 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 287 seconds with 180 seconds of active time. This session ended with a crash.

Error - 10/02/2010 14:59:46 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 1367 seconds with 180 seconds of active time. This session ended with a
crash.

Error - 23/02/2010 14:20:44 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 446 seconds with 300 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 21/03/2010 09:24:24 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 09:26:29 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 09:45:08 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 09:51:52 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 09:51:59 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 10:36:03 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 10:40:00 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 11:24:52 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 11:43:40 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 21/03/2010 11:43:50 | Computer Name = MervsPC | Source = HTTP | ID = 15016
Description =


< End of report >



#4 Starbuck


    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:11:39 PM

Posted 21 March 2010 - 01:49 PM

Hi merv

Ok, a few things for you:

P2P Warning
Please note that as long as you're using any form of Peer-to-Peer networking (Morpheus, Ares, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true.
P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below (make sure that :Otl is on the first line).
CODE
:Otl
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKCU..\Run: [] File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab  (Reg Error: Key error.)
MsConfig - StartUpFolder: C:^Users^Nath^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe - (Lime Wire, LLC)
MsConfig - StartUpReg: My Web Search Bar Search Scope Monitor - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe File not found
MsConfig - StartUpReg: MyWebSearch Email Plugin - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
MsConfig - StartUpReg: MyWebSearch Plugin - hkey= - key= - C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL File not found
[2010/03/03 19:34:33 | 000,005,632 | ---- | M] () -- C:\Users\Merv\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8

:commands
[emptytemp]
[purity]
[EMPTYFLASH]
  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles

Step 2
Do you know what this file is:
[2010/03/15 21:49:41 | 000,011,004 | -HS- | C] () -- C:\ProgramData\21mn5E
The date and time may give you a clue.

If you don't know what it is, let's check it out:

Click on Start ... Control Panel
Click on the Appearance and Personalization link.
Click on Folder Options.
Click on the View tab.
Then, under Hidden Files and Folders, make sure there's a tick against Show hidden files and folders.
Then click Apply and then OK.

Then:
Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\ProgramData\21mn5E

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

When completed:

Click on Start ... Control Panel
Click on the Appearance and Personalization link.
Click on Folder Options.
Click on the View tab.
Then, under Hidden Files and Folders, make sure there's a tick against Do not show hidden files and folders.
Then click Apply and then OK.

In your next reply, please submit:
OTL report that comes up after the fix
Jotti scan results, unless you know what that file is.

Also let me know how the system is running now.


Thanks.

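A way to triage a file like the one in Step 2 without relying on Explorer, as an added example that is not part of the thread or of OTL: it lists files under a folder that carry both the Hidden and System attributes (the "-HS-" in the OTL line) and were created near the reported timestamp, and prints a SHA-256 for each so the hash can be looked up on VirusTotal or Jotti before deciding whether to upload. Explorer hides Hidden+System files unless "Hide protected operating system files" is also unchecked, which is one reason such a file can stay invisible even after hidden files are shown. Assumptions: PowerShell 2.0 or later, read access to the folder, the date from the OTL line, and an arbitrary 24-hour window.

```powershell
# Added example (not the thread's own code or OTL's): list hidden+system files under a
# folder whose creation time is close to the timestamp OTL reported, and print a SHA-256
# for each so the hash can be looked up on VirusTotal or Jotti before uploading anything.
# Assumptions: PowerShell 2.0 or later; read access to the folder; the date below is the
# one from the OTL line in the thread and the window size is an arbitrary choice.
param(
    [string]  $Root        = 'C:\ProgramData',
    [datetime]$Around      = '2010-03-15 21:49:41',
    [int]     $WindowHours = 24,
    [switch]  $Recurse
)

function Get-Sha256Hex([string]$Path) {
    # Uses the .NET hash class directly because Get-FileHash does not exist on
    # Vista-era PowerShell. Clear() releases the hash object on .NET 2.0/3.5.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-HiddenSystem([System.IO.FileSystemInfo]$Item) {
    # Explorer's "Hide protected operating system files" option hides entries carrying
    # BOTH attributes even when "Show hidden files" is on, so these can stay invisible.
    $attrs = $Item.Attributes
    return (($attrs -band [System.IO.FileAttributes]::Hidden) -ne 0) -and
           (($attrs -band [System.IO.FileAttributes]::System) -ne 0)
}

$from = $Around.AddHours(-$WindowHours)
$to   = $Around.AddHours($WindowHours)

# -Force makes Get-ChildItem return hidden and system entries that Explorer suppresses.
Get-ChildItem -Path $Root -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        (-not $_.PSIsContainer) -and (Test-HiddenSystem $_) -and
        ($_.CreationTime -ge $from) -and ($_.CreationTime -le $to)
    } |
    ForEach-Object {
        $file = $_
        try   { $hash = Get-Sha256Hex $file.FullName }
        catch { $hash = 'unreadable: ' + $_.Exception.Message }   # locked or access denied
        New-Object PSObject -Property @{
            Path       = $file.FullName
            SizeBytes  = $file.Length
            Created    = $file.CreationTime
            Attributes = $file.Attributes
            SHA256     = $hash
        }
    } | Format-List Path, SizeBytes, Created, Attributes, SHA256
```

Searching the hash on VirusTotal first avoids uploading a file that may contain personal data; only upload when the hash is unknown there.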


#5 mervward

  • Topic Starter

  • Members
  • 22 posts
  • Local time:05:39 PM

Posted 21 March 2010 - 03:46 PM

Hi Starbuck,

I couldn't find the file C:\ProgramData\21mn5E. I have checked show hidden files & folders.
I don't know what the file is but around that date and time is when my son first told me he had a problem on his user!

I've noted the P2P warning and Limewire will be removed once we've resolved this problem.


Here's the OTL report.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\Windows\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Users^Nath^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk\ deleted successfully.
C:\Windows\pss\LimeWire On Startup.lnk.Startup moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\My Web Search Bar Search Scope Monitor\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\MyWebSearch Email Plugin\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\MyWebSearch Plugin\ deleted successfully.
C:\Users\Merv\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:A8ADE5D8 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dan
->Temp folder emptied: 17314545 bytes
->Temporary Internet Files folder emptied: 238621448 bytes
->Java cache emptied: 67616 bytes
->Google Chrome cache emptied: 14409794 bytes
->Flash cache emptied: 397302 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41085 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mel
->Temp folder emptied: 115040 bytes
->Temporary Internet Files folder emptied: 110149539 bytes
->Flash cache emptied: 6675 bytes

User: Mel 2
->Temp folder emptied: 792064 bytes
->Temporary Internet Files folder emptied: 123316987 bytes
->Java cache emptied: 1065681 bytes
->Flash cache emptied: 182873 bytes

User: Merv
->Temp folder emptied: 166319080 bytes
->Temporary Internet Files folder emptied: 98168399 bytes
->Java cache emptied: 10735673 bytes
->Flash cache emptied: 85882 bytes

User: Nath
->Temp folder emptied: 62755399 bytes
->Temporary Internet Files folder emptied: 330916733 bytes
->Java cache emptied: 971211 bytes
->Flash cache emptied: 341140 bytes

User: Public

User: Sian
->Temp folder emptied: 341298424 bytes
->Temporary Internet Files folder emptied: 310849452 bytes
->Java cache emptied: 5546917 bytes
->Flash cache emptied: 385385 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 19305540 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,768.00 mb


[EMPTYFLASH]

User: All Users

User: Dan
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Mel
->Flash cache emptied: 0 bytes

User: Mel 2
->Flash cache emptied: 0 bytes

User: Merv
->Flash cache emptied: 0 bytes

User: Nath
->Flash cache emptied: 0 bytes

User: Public

User: Sian
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.1.37.3 log created on 03212010_200808

Files\Folders moved on Reboot...
File\Folder C:\Users\Mel 2\AppData\Local\Temp\~DF822F.tmp not found!
File\Folder C:\Users\Mel 2\AppData\Local\Temp\~DF8249.tmp not found!
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HPNUJF3O\ads[5].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H1ADK8SH\iframe[3].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H1ADK8SH\topic303421[1].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2YAJS7AQ\ads[3].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2YAJS7AQ\rnd=1955987880[1].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...







#6 Starbuck


    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:11:39 PM

Posted 21 March 2010 - 05:15 PM

Hi Merv

Thanks for that, let's get rid of it then:

Double click on OTL.exe to run it.
Copy the lines in the codebox below (make sure that :Otl is on the first line).
CODE
:Otl
[2010/03/15 21:49:41 | 000,011,004 | -HS- | C] () -- C:\ProgramData\21mn5E

:commands
[emptytemp]
  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles

Let me have the new fix report so that I can check it.

Is the system running better now?



#7 mervward

  • Topic Starter

  • Members
  • 22 posts
  • Local time:05:39 PM

Posted 22 March 2010 - 02:07 PM


Hi Starbuck,

I am still having difficulty with trying to open certain programs on the user "Nath". (all other users are running fine)
I thought I'd ask your advice before proceeding.

When I try opening internet explorer I get the following message:
Choose the program you want to open this file.
File = ssvagent.exe

When I try opening AVG I get the following message:
Choose the program you want to open this file.
File = avgui.exe

When I try opening Microsoft Word I get the following message:
Word C:\program files\microsoft office\office12\winword.exe
This file does not have a program associated with it for performing this action.
Create an association in the Set associations control panel.



I've attached the OTL report after the fix.


All processes killed
========== OTL ==========
C:\ProgramData\21mn5E moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mel
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mel 2
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 2850389 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Merv
->Temp folder emptied: 246151 bytes
->Temporary Internet Files folder emptied: 14638970 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1058 bytes

User: Nath
->Temp folder emptied: 31952 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Sian
->Temp folder emptied: 31952 bytes
->Temporary Internet Files folder emptied: 4065779 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 980 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 21.00 mb


OTL by OldTimer - Version 3.1.37.3 log created on 03222010_132022

Files\Folders moved on Reboot...
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TMUD3B7S\ads[1].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TMUD3B7S\iframe[1].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TMUD3B7S\rnd=1159647847[1].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QQIOCJ4B\ads[1].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QQIOCJ4B\ads[2].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QQIOCJ4B\topic303421[1].htm moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
C:\Users\Merv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...




#8 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 22 March 2010 - 02:31 PM

Hi Merv,

QUOTE
I am still having difficulty with trying to open certain programs on the user "Nath". (all other users are running fine)
I thought I'd ask your advice before proceeding.

Each user profile is unique; this isn't the profile we've been working on, is it?
It may be that one of the other user profiles has some infection or problems.... once we establish that this profile is ok, we can move on to another.
It will mean running certain programs on the other profile. If you are happy with the way this profile is running, let me know and I'll finish off the cleaning on this one and will gladly move on to another profile for you.



#9 mervward

  • Topic Starter
  • Members
  • 22 posts

Posted 22 March 2010 - 03:23 PM

Hi Starbuck,

I've been running all the programs and getting the logs on this user (Merv).
This seems to be running fine now.



#10 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 22 March 2010 - 03:39 PM

Hi Merv,

QUOTE
This seems to be running fine now.
Ok, let's finish off then we can start another profile.

Step 1
Your Java is out of date!
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 18 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"


  • Click the "Download" button to the right... that says Download JRE
  • Select 'Windows' from the dropdown box.


  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click 'Continue'
  • The page will refresh.


  • Click on the link to download Windows Offline Installation and save the file to your desktop.


  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.

    Reboot the system when completed.


  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.

Step 2
  • Please double-click OTL.exe to run it.
  • You should see a CleanUp! button, press that button,


  • This will remove any programs we have asked you to download along with their associated folders.. plus itself.

Note:
MBAM will not be removed

Step 3
Now you should set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

Click on Start... Control Panel... System and Maintenance... System
Click on System Protection in the left-hand task list.
Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.

When you uncheck a disk you will be presented with a screen.
You should click on the Turn System Protection Off button.
Click Apply and then OK.

Reboot your computer.

Now:
Click on Start... Control Panel... System and Maintenance... System
Click on System Protection in the left-hand task list.
Put a checkmark in the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.
Click Apply and then OK.

Your System restore will now be active again... starting with a new restore point.

To find out how you may have been infected....read this topic:
So how did i get infected?

Not all of the following information will be applicable to you, but it's still best to read it all.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software
    Note*:
    Upon installation MS Security Essentials will check that your OS is a legal copy.

    Only install one AntiVirus program
  • Update your AntiVirus Software regularly
  • Use a 3rd party Firewall NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

    Only install one software Firewall

    Some 3rd party Firewalls will turn off the windows firewall when they are installed.
    It's always best to check that the Windows Firewall is turned off:

    How to turn off Windows Firewall:
    Start ... Control Panel ...click on 'Classic View'.
    now select Windows Firewall.
    When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok
  • Scan regularly with a 'Stand Alone' Anti-Malware scanner:
    Installing another scanner that you can run once or twice a week is always beneficial.
    Something like:
    Malwarebytes Anti-Malware
    SUPERAntiSpyware
    Remember to update these programs each time before running.
    You can install more than one of these if you only run them as stand alone programs.
  • Use an alternative browser:
    Some excellent alternatives to MS Internet Explorer are:

    Firefox
    For added security, add the NoScript extension to this browser:
    Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
    also consider adding:
    WOT - Safe Browsing Tool

    Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
    Btw: you don't have to make a contribution.

    Opera

    They offer better security, more stability, and better speed.
  • Keep a backup of your registry
    Keeping a regular backup of your registry will help when something goes wrong.
    Use a program like:
    Erunt

    A full tutorial on how to set up and use Erunt can be found here:
    Erunt tutorial
  • Keep your system clean of temp files etc, using a 'Cleaner':

    Cleaners are programs that will help to clean out your:
    Windows temp files
    Current user temp files
    Cookies
    Temporary Internet files
    Browser history
    Recycle bin
    Etc.......
    In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your pc.
    Programs like:
    CCleaner
    TFC by OldTimer
    ATF Cleaner
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using and installing SpywareBlaster
  • Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Safe surfing.

--------------------------------

Log in to the other profile:

Step 1
Please download exeHelper to your desktop.
If your AV program throws up a warning about the program, ignore the warning. Some AV's flag this program because of how it works... that's all.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt ( Will be created in the directory where you ran exeHelper.com and should open at the end of the scan)
Note : If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together ( they will both be in the one file ).

Step 2
  • Download OTL to your desktop.
    if you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check
    Now copy the lines in the codebox below.
    CODE
    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.


  • Click the Run Scan button.


  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
exehelperlog.txt
and both reports from OTL


Thanks.



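Step 1 of the instructions above runs exeHelper, whose log (posted further down) reports "Resetting filetype association for .exe" and ".com"; the OTL log's O35/O37 lines show the same registry keys. The reason only one profile is affected is that the hijack lives in HKCU, which is the hive of whichever account is logged on, so the check has to be run from that account. The PowerShell script below is an added example and is not part of this thread, of exeHelper or of OTL: it reads the per-user (HKCU) and machine-wide (HKLM) association for .exe and .com, compares the open command with the Windows default `"%1" %*`, and reports whether the handler it points at still exists. It assumes PowerShell 3.0 or later for `[pscustomobject]`; the key paths and the expected default are standard Windows values.

```powershell
# Added example (not from this thread, nor part of exeHelper or OTL): audit the
# .exe and .com file-type associations that FakeAV-style hijacks redirect.
# A clean system has no per-user (HKCU\Software\Classes) override for these
# extensions, and the machine-wide (HKLM) open command is exactly "%1" %*.
# Assumes PowerShell 3.0+ and must be run from the affected user account,
# because HKCU is that account's hive.

$ExpectedCommand = '"%1" %*'
$ExpectedProgId  = @{ '.exe' = 'exefile'; '.com' = 'comfile' }

function Get-OpenCommand {
    # Return the (default) value of <hive>\Software\Classes\<ProgId>\shell\open\command, or $null.
    param([string]$Hive, [string]$ProgId)
    $key = "${Hive}:\Software\Classes\$ProgId\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
}

function Test-ExeAssociation {
    # Inspect one extension in both hives and emit one result object per hive.
    param([string]$Extension)
    foreach ($hive in 'HKCU', 'HKLM') {
        $extKey = "${hive}:\Software\Classes\$Extension"
        $progId = $null
        if (Test-Path -LiteralPath $extKey) {
            $progId = (Get-ItemProperty -LiteralPath $extKey -ErrorAction SilentlyContinue).'(default)'
        }
        $command = $null
        if ($progId) { $command = Get-OpenCommand -Hive $hive -ProgId $progId }

        # First quoted token that is a real path (not the "%1" placeholder), so we can
        # say whether the handler still exists; OTL prints "File not found" for this.
        $handler = $null
        $handlerExists = $null
        if ($command -and $command -match '^"([^"%]+)"') {
            $handler = $Matches[1]
            $handlerExists = Test-Path -LiteralPath $handler
        }

        $verdict = 'OK'
        if ($hive -eq 'HKCU' -and $progId) {
            # Any per-user override of .exe/.com is abnormal on a stock system.
            $verdict = "SUSPICIOUS: per-user override -> $progId"
        } elseif ($hive -eq 'HKLM') {
            if ($progId -ne $ExpectedProgId[$Extension]) {
                $verdict = "SUSPICIOUS: ProgId is '$progId'"
            } elseif ($command -ne $ExpectedCommand) {
                $verdict = "SUSPICIOUS: open command is '$command'"
            }
        }

        [pscustomobject]@{
            Extension     = $Extension
            Hive          = $hive
            ProgId        = $progId
            Command       = $command
            Handler       = $handler
            HandlerExists = $handlerExists
            Verdict       = $verdict
        }
    }
}

'.exe', '.com' | ForEach-Object { Test-ExeAssociation -Extension $_ } | Format-Table -AutoSize
```

Against the state recorded in the OTL log later in this thread, the HKCU row for .exe would show ProgId `secfile`, the open command pointing at `ave.exe` with `HandlerExists` false, and a SUSPICIOUS verdict, while the HKLM rows would be OK; that combination is exactly why every .exe launched from that one profile produced the "Choose the program you want to open this file" prompt. The script only reports; the reset that exeHelper performs is the repair step.
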
#11 mervward

  • Topic Starter
  • Members
  • 22 posts

Posted 22 March 2010 - 05:05 PM

Hi Starbuck,

I've followed all the steps to finish off the first profile. Thanks

Here are the logs from the other one:


exeHelper by Raktor
Build 20091220
Run at 21:37:11 on 03/22/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

OTL logfile created on: 22/03/2010 21:42:26 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Nath\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.78 Gb Total Space | 193.67 Gb Free Space | 83.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MERVSPC
Current User Name: Nath
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Nath\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
PRC - C:\Program Files\Windows Live\Toolbar\wltuser.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Nath\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg9emc) -- C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (TomTomHOMEService) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (AvgTdiX) -- C:\Windows\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\Windows\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\Windows\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia)
DRV - (UsbserFilt) -- C:\Windows\System32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (nmwcdc) -- C:\Windows\System32\drivers\ccdcmbo.sys (Nokia)
DRV - (upperdev) -- C:\Windows\System32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (fssfltr) -- C:\Windows\System32\drivers\fssfltr.sys (Microsoft Corporation)
DRV - (UsbDiag) -- C:\Windows\System32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (USBModem) -- C:\Windows\System32\drivers\lgusbmodem.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\Windows\System32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (pccsmcfd) -- C:\Windows\System32\drivers\pccsmcfd.sys (Nokia)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (s117mdm) -- C:\Windows\System32\drivers\s117mdm.sys (MCCI Corporation)
DRV - (s117mdfl) -- C:\Windows\System32\drivers\s117mdfl.sys (MCCI Corporation)
DRV - (s117bus) Sony Ericsson Device 117 driver (WDM) -- C:\Windows\System32\drivers\s117bus.sys (MCCI Corporation)
DRV - (MRV6X32P) -- C:\Windows\System32\drivers\MRVW13B.sys (Marvell Semiconductor, Inc)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (SigmaTel, Inc.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2010/03/03 17:47:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2010/03/03 17:48:02 | 000,000,000 | ---D | M]

[2009/03/15 21:41:08 | 000,000,000 | ---D | M] -- C:\Users\Nath\AppData\Roaming\Mozilla\Extensions
[2009/03/15 21:41:08 | 000,000,000 | ---D | M] -- C:\Users\Nath\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2006/09/18 21:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -Mozilla\4.0 ( File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = secfile] -- "C:\Users\Nath\AppData\Local\ave.exe" /START "%1" %* File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/02/06 15:57:54 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^Users^Mel 2^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk - C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe - ()
MsConfig - StartUpFolder: C:^Users^Merv^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk - C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe - ()
MsConfig - StartUpFolder: C:^Users^Sian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe - (Lime Wire, LLC)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: msnmsgr - hkey= - key= - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
MsConfig - StartUpReg: NokiaMServer - hkey= - key= - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
MsConfig - StartUpReg: NokiaOviSuite2 - hkey= - key= - C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe (Nokia)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: TomTomHOME.exe - hkey= - key= - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
MsConfig - StartUpReg: WMPNSCFG - hkey= - key= - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
MsConfig - State: "startup" - 2
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 30 Days ==========

[2010/03/22 21:36:40 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\Nath\Desktop\OTL.exe
[2010/03/22 20:58:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/03/22 20:58:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/03/22 20:58:11 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/03/22 20:58:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/03/22 20:58:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/03/22 20:54:02 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2010/03/19 20:12:53 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/03/19 20:12:28 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2010/03/17 18:39:24 | 000,000,000 | ---D | C] -- C:\Users\Nath\AppData\Roaming\Malwarebytes
[2010/03/17 18:39:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/17 18:39:18 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/17 18:39:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/17 18:39:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/17 18:30:20 | 005,061,512 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Nath\Desktop\mbam-setup.exe
[2010/03/16 22:07:39 | 000,000,000 | ---D | C] -- C:\Users\Nath\AppData\Local\Threat Expert
[2010/03/16 21:42:51 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/03/12 19:21:54 | 000,000,000 | ---D | C] -- C:\ProgramData\RegCure
[2010/03/12 13:11:13 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/03/10 08:18:46 | 000,000,000 | ---D | C] -- C:\d38c5df7b72460dd1056d23f
[2010/03/10 08:09:07 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/03/10 08:09:04 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2010/03/03 21:24:01 | 000,000,000 | ---D | C] -- C:\Users\Nath\AppData\Roaming\PC Suite
[2010/03/03 19:24:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Nokia
[2010/03/03 17:55:58 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Suite
[2010/03/03 17:48:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2010/03/03 17:47:47 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2010/03/03 17:47:45 | 000,018,816 | ---- | C] (Nokia) -- C:\Windows\System32\drivers\pccsmcfd.sys
[2010/03/03 17:42:04 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2010/03/03 17:38:21 | 000,091,136 | ---- | C] (Nokia) -- C:\Windows\System32\nmwcdcls.dll
[2010/03/03 17:37:19 | 000,000,000 | ---D | C] -- C:\ProgramData\OviInstallerCache
[2010/03/03 17:37:19 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/02/27 07:44:35 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
[2010/02/24 13:45:31 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/02/24 13:44:49 | 000,242,696 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/02/24 13:44:41 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/02/24 07:24:08 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/24 07:23:54 | 000,523,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/02/24 07:23:52 | 000,511,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/02/24 07:23:49 | 000,472,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/02/24 07:23:49 | 000,472,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/02/24 07:23:49 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/02/24 07:23:49 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/02/24 07:23:46 | 000,329,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdrm.dll
[2010/02/24 07:23:46 | 000,151,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/02/24 07:23:46 | 000,151,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll

========== Files - Modified Within 30 Days ==========

[2010/03/22 21:42:17 | 001,835,008 | ---- | M] () -- C:\Users\Nath\NTUSER.DAT
[2010/03/22 21:39:59 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{43CEFD8A-1EB2-40E2-8200-65380A3FA995}.job
[2010/03/22 21:39:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/22 21:33:28 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Nath\Desktop\OTL.exe
[2010/03/22 21:32:08 | 000,290,816 | ---- | M] () -- C:\Users\Nath\Desktop\exeHelper.com
[2010/03/22 21:30:45 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/22 21:29:59 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2434869507-3798317886-3164630075-1002UA.job
[2010/03/22 21:18:25 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/03/22 21:16:13 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/22 21:16:12 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/22 21:16:06 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/22 21:16:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/22 21:07:05 | 000,369,488 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/03/22 20:57:40 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/03/22 20:57:39 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll
[2010/03/22 20:57:39 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/03/22 20:57:39 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/03/22 18:57:01 | 000,524,288 | -HS- | M] () -- C:\Users\Nath\NTUSER.DAT{e6a19eb0-2144-11df-96d9-001372b1ca41}.TMContainer00000000000000000001.regtrans-ms
[2010/03/22 18:57:01 | 000,065,536 | -HS- | M] () -- C:\Users\Nath\NTUSER.DAT{e6a19eb0-2144-11df-96d9-001372b1ca41}.TM.blf
[2010/03/22 13:29:59 | 000,000,846 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2434869507-3798317886-3164630075-1002Core.job
[2010/03/22 13:11:16 | 057,504,857 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/03/21 17:41:14 | 002,378,906 | -H-- | M] () -- C:\Users\Nath\AppData\Local\IconCache.db
[2010/03/18 20:17:13 | 192,167,067 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/03/18 18:18:59 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/18 18:18:59 | 000,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/18 18:18:59 | 000,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/17 13:21:28 | 005,061,512 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Nath\Desktop\mbam-setup.exe
[2010/03/16 22:27:11 | 000,011,004 | -HS- | M] () -- C:\Users\Nath\AppData\Local\21mn5E
[2010/03/12 13:11:15 | 000,242,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/03/12 13:11:13 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/03/12 13:11:13 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/03/12 13:10:38 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/03/05 07:08:43 | 000,030,257 | ---- | M] () -- C:\Users\Nath\Documents\nathan science coursework nuclear power x.docx
[2010/03/03 18:28:12 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
[2010/03/03 18:26:10 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
[2010/03/03 17:50:20 | 000,001,928 | ---- | M] () -- C:\Users\Public\Desktop\Nokia Ovi Suite.lnk
[2010/02/27 08:32:04 | 000,001,589 | ---- | M] () -- C:\Users\Public\Desktop\Browser Choice.lnk
[2010/02/24 21:56:24 | 000,524,288 | -HS- | M] () -- C:\Users\Nath\NTUSER.DAT{e6a19eb0-2144-11df-96d9-001372b1ca41}.TMContainer00000000000000000002.regtrans-ms
[2010/02/24 21:30:35 | 000,100,040 | ---- | M] () -- C:\Users\Nath\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/02/24 13:47:02 | 000,142,495 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/02/24 13:46:02 | 000,524,288 | -HS- | M] () -- C:\Users\Nath\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
[2010/02/24 13:46:02 | 000,065,536 | -HS- | M] () -- C:\Users\Nath\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2010/02/24 13:45:09 | 000,001,647 | ---- | M] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/02/24 13:44:49 | 000,113,461 | ---- | M] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/02/23 21:50:52 | 000,010,877 | ---- | M] () -- C:\Users\Nath\Documents\bibliography science nathan.docx
[2010/02/22 18:05:14 | 000,012,251 | ---- | M] () -- C:\Users\Nath\Documents\hisorty homework communism nathan.docx
[2010/02/20 23:39:35 | 000,024,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/02/20 23:37:20 | 000,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll

========== Files Created - No Company Name ==========

[2010/03/22 21:36:40 | 000,290,816 | ---- | C] () -- C:\Users\Nath\Desktop\exeHelper.com
[2010/03/15 21:49:41 | 000,011,004 | -HS- | C] () -- C:\Users\Nath\AppData\Local\21mn5E
[2010/03/03 18:28:12 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
[2010/03/03 18:26:10 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
[2010/03/03 17:50:20 | 000,001,928 | ---- | C] () -- C:\Users\Public\Desktop\Nokia Ovi Suite.lnk
[2010/02/27 08:32:04 | 000,001,589 | ---- | C] () -- C:\Users\Public\Desktop\Browser Choice.lnk
[2010/02/24 21:30:30 | 000,524,288 | -HS- | C] () -- C:\Users\Nath\NTUSER.DAT{e6a19eb0-2144-11df-96d9-001372b1ca41}.TMContainer00000000000000000002.regtrans-ms
[2010/02/24 21:30:30 | 000,524,288 | -HS- | C] () -- C:\Users\Nath\NTUSER.DAT{e6a19eb0-2144-11df-96d9-001372b1ca41}.TMContainer00000000000000000001.regtrans-ms
[2010/02/24 21:30:30 | 000,065,536 | -HS- | C] () -- C:\Users\Nath\NTUSER.DAT{e6a19eb0-2144-11df-96d9-001372b1ca41}.TM.blf
[2010/02/24 13:45:06 | 000,001,647 | ---- | C] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/02/23 18:12:42 | 000,010,877 | ---- | C] () -- C:\Users\Nath\Documents\bibliography science nathan.docx
[2010/02/23 12:12:06 | 000,030,257 | ---- | C] () -- C:\Users\Nath\Documents\nathan science coursework nuclear power x.docx
[2010/02/22 18:05:13 | 000,012,251 | ---- | C] () -- C:\Users\Nath\Documents\hisorty homework communism nathan.docx
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/05/04 14:03:00 | 000,059,904 | ---- | C] () -- C:\Windows\System32\zlib1.dll
[2009/05/04 13:53:28 | 000,286,720 | ---- | C] () -- C:\Windows\System32\libcurl.dll
[2009/05/04 13:53:10 | 000,143,360 | ---- | C] () -- C:\Windows\System32\libexpatw.dll
[2009/02/06 17:48:56 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2009/02/06 15:25:05 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2009/02/06 14:30:08 | 000,000,612 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2006/11/02 12:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 10:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2010/03/16 21:27:18 | 000,000,000 | ---D | M] -- C:\Users\Nath\AppData\Roaming\LimeWire
[2010/03/03 21:24:01 | 000,000,000 | ---D | M] -- C:\Users\Nath\AppData\Roaming\PC Suite
[2010/03/22 21:15:17 | 000,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/03/22 21:39:59 | 000,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{43CEFD8A-1EB2-40E2-8200-65380A3FA995}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/18 23:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/18 23:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2006/11/02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/01/18 23:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/18 23:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/18 23:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 09:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/18 23:42:52 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/18 23:42:52 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 09:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2008/01/18 23:35:38 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/18 23:35:38 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/18 23:42:10 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/18 23:42:10 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/18 23:36:20 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/18 23:36:20 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 09:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/18 23:34:10 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2008/01/18 23:34:10 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2008/01/18 23:38:04 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/18 23:36:12 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
< End of report >


OTL Extras logfile created on: 22/03/2010 21:42:26 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Nath\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.78 Gb Total Space | 193.67 Gb Free Space | 83.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MERVSPC
Current User Name: Nath
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Users\Nath\AppData\Local\ave.exe File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02CF5192-74AD-49F6-BE20-E4F2ED6F898E}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{16B890BE-3FC6-4F5F-996E-8C6F58E0FC6D}" = rport=138 | protocol=17 | dir=out | app=system |
"{18C91088-895A-49A4-BA15-29751CABF8F4}" = lport=445 | protocol=6 | dir=in | app=system |
"{21C92DE7-F994-45A6-A3D1-56AB3642AE1A}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2314116F-324E-4686-B28D-4D91077AB539}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2AA1ED18-392E-455F-9680-6E908221A11E}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{3DDB03A7-E28A-4EB3-BCB8-7749DBCE9B7C}" = lport=138 | protocol=17 | dir=in | app=system |
"{5C75FA97-01B7-4298-8FA5-1848485A933E}" = lport=139 | protocol=6 | dir=in | app=system |
"{6A097294-B79C-409E-9A6A-67A8797E883D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{6D1D0CE1-0616-463F-8371-3662C52C6249}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7066EB94-2729-4119-BF8D-7684E6AEAD1F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7120C786-F709-4F66-A96D-8EEE85A6FD0F}" = rport=445 | protocol=6 | dir=out | app=system |
"{760FF9B3-A0CB-4061-AA19-1FE25B7ECA2F}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{80E57A07-45ED-44B5-8842-BAF40B67C264}" = lport=137 | protocol=17 | dir=in | app=system |
"{82F01ACD-92CD-42E2-957B-6F35E7725CFC}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8B2D6729-F8EA-4352-B49B-9EF6EAA2CE51}" = lport=10243 | protocol=6 | dir=in | app=system |
"{9485088F-692F-45F1-A12D-F0CFF16EAAC6}" = rport=137 | protocol=17 | dir=out | app=system |
"{976A9485-DF04-4051-8522-D0598BD49A7C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{993F2EDB-C954-42E7-9D01-65ACB80102FD}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{A14DB9F0-8020-4A93-980D-7FE82CB7664F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{A2C50C99-47CC-4526-BBF9-27F14D5385CE}" = rport=139 | protocol=6 | dir=out | app=system |
"{A4C2BDCA-52A5-44B2-A45D-E387DE7AB8B3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A6B9EBE2-7352-47BB-93EC-D1BCDC4594C4}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A934E976-2843-48AD-AA9B-AC3993B13FA4}" = lport=2869 | protocol=6 | dir=in | app=system |
"{DA6E2E84-9EBC-4DA2-B273-86DD66619912}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{DED56F5F-3737-4FFD-889F-1296F292F4C0}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DFBF021A-3F04-455F-B738-B240E8E5F0A7}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E4CB2004-8CBF-47E5-8134-95F06445FDB2}" = rport=10243 | protocol=6 | dir=out | app=system |
"{E9064225-87EC-49A1-9735-1AD71ABFA7DE}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0B2D03E5-836E-427D-B59A-A87E89481774}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{162E359F-9AA9-474E-BEAE-18A2E9DA149C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{53A1F562-69AD-43B6-902F-09EFC7FA9AD0}" = dir=in | app=c:\program files\avg\avg9\avgemc.exe |
"{5E653E2F-BD02-477B-B7E3-63E5EBA4D9E3}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{61E07B91-A885-4E15-8FB0-006190232084}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{69E13EE3-301A-4072-9C3C-D0689FC0A9D0}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{6C4C17D0-8580-4A6D-83E5-567466138CC1}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |
"{6D287539-D010-4C24-9C4C-E8C1A1B17243}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6DBB9CCB-BD90-4CE1-B26F-B2190C0E22D6}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{73213306-50AB-4C78-902B-B28D71E713B5}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{7BA3FC44-2239-4E80-8CA6-C04249EB73AE}" = protocol=6 | dir=out | app=system |
"{7CCD4D15-53A9-41CE-947B-E04199748A31}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{90FDD4FC-4028-4A3E-9C10-CBED12771F2C}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{92E2D8D8-F64C-4508-98BC-A482415D1496}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{97E232EE-6B57-475D-B9D0-FBB8C1137929}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{990626DF-90ED-403E-BFBB-0BAB816A37DD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A3B99238-C5D7-4534-AE8C-4BBAF8FAF97D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A3EC44A2-AEC0-4A29-9968-BBEC1FEB91A1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A8E8A9AE-B375-4571-A406-B259156ABDCA}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{AE824BEC-0DDE-4370-9E9C-415ED3423EC6}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{AEF99A64-7B9C-4781-87B6-817D2B27674A}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{B062770D-2247-4478-B0E4-7CFF3CBC724F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{B0CA990D-83D9-47F5-A8A1-4FB105FE92E7}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{BA87FBA4-0B0A-40D8-B582-1213D62EB38C}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D458FF82-1F49-4E48-B5AF-FC2D3F2631F7}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{EF1ABBC5-8EEC-4FE8-92C1-094F7CDC620C}" = dir=in | app=c:\program files\avg\avg9\avgnsx.exe |
"{F33D5E86-658E-493D-9D38-3F4900A9E069}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{FC0A4807-E1E4-4059-B896-D47DA26BF9A8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"TCP Query User{1CF397B1-198E-4DA9-8DE0-818E2D65B759}C:\program files\common files\nokia\service layer\a\nsl_host_process.exe" = protocol=6 | dir=in | app=c:\program files\common files\nokia\service layer\a\nsl_host_process.exe |
"TCP Query User{2A5D84D7-0787-4EBB-9556-80BE5E59BD58}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{2BB0D171-648B-4F27-8BBE-3BC5063A3890}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{593FDB54-D0F5-4C80-ADA0-5AE659A60211}C:\program files\nokia\nokia ovi suite\nokiaovisuite.exe" = protocol=6 | dir=in | app=c:\program files\nokia\nokia ovi suite\nokiaovisuite.exe |
"UDP Query User{06343414-2F3D-403F-BF79-5E823672AA53}C:\program files\nokia\nokia ovi suite\nokiaovisuite.exe" = protocol=17 | dir=in | app=c:\program files\nokia\nokia ovi suite\nokiaovisuite.exe |
"UDP Query User{64CD7A3C-7AAD-498E-AED8-36B74A65B868}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{79FE54E0-FA02-45B0-9C2B-93A5C2DB6101}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{8F997C9C-3E74-4947-ABFA-3F4E008EC605}C:\program files\common files\nokia\service layer\a\nsl_host_process.exe" = protocol=17 | dir=in | app=c:\program files\common files\nokia\service layer\a\nsl_host_process.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{14DCD95A-EBA3-4BF0-B7EF-533852E99BE6}" = LG PC Suite II
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{35ED8B97-897C-4BD1-AEAE-6FD3404BA082}" = Ovi Desktop Sync Engine
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{481C9A00-91AC-4065-870C-BD4E28186E5A}" = PC Connectivity Solution
"{49B6F667-76EB-4E9D-ACD2-84B7437901C0}" = LG PC Suite II
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4E1CD3D5-D4EE-4246-AE24-F0FD5A60390D}" = OviMPlatform
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}" = Nokia Ovi Suite
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B9C9DB4C-6D77-4AE9-AD1C-C708C23239A0}" = Nokia Connectivity Cable Driver
"{BA63348B-143D-4CAC-A355-3879402ED781}" = Nokia Ovi Suite Software Updater
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BEA18030-8B42-1286-EF64-CDA6BD083888}" = BBC iPlayer Desktop
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AVG9Uninstall" = AVG Free 9.0
"CCleaner" = CCleaner (remove only)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Scanner" = EPSON Scan
"Google Updater" = Google Updater
"LimeWire" = LimeWire 5.1.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Nokia Ovi Suite" = Nokia Ovi Suite
"OEMInformation" = OEM Logo and Information
"RealAlt_is1" = Real Alternative 1.8.0
"TomTom HOME" = TomTom HOME 2.6.2.1586
"UltSounds" = Windows Sound Schemes
"UltSounds2" = Ultimate Extras sounds from Microsoft® Tinker™
"Veetle TV" = Veetle TV 0.9.15
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 27/11/2009 14:26:05 | Computer Name = MervsPC | Source = Google Update | ID = 20
Description =

Error - 27/11/2009 15:14:29 | Computer Name = MervsPC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 27/11/2009 15:47:44 | Computer Name = MervsPC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 27/11/2009 18:02:50 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

Error - 28/11/2009 04:48:40 | Computer Name = MervsPC | Source = VSS | ID = 8193
Description =

Error - 28/11/2009 06:36:02 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

Error - 28/11/2009 09:26:06 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

Error - 28/11/2009 14:56:01 | Computer Name = MervsPC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 28/11/2009 15:27:30 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

Error - 28/11/2009 17:40:23 | Computer Name = MervsPC | Source = EventSystem | ID = 4621
Description =

[ OSession Events ]
Error - 19/09/2009 10:21:09 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8015
seconds with 1740 seconds of active time. This session ended with a crash.

Error - 26/09/2009 08:40:19 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 11705
seconds with 4020 seconds of active time. This session ended with a crash.

Error - 01/10/2009 11:59:55 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 4465 seconds with 2700 seconds of active time. This session ended with a
crash.

Error - 05/10/2009 12:35:24 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 394 seconds with 300 seconds of active time. This session ended with a crash.

Error - 06/10/2009 13:39:06 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9522
seconds with 360 seconds of active time. This session ended with a crash.

Error - 27/11/2009 12:59:20 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3834
seconds with 240 seconds of active time. This session ended with a crash.

Error - 03/01/2010 15:38:42 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 6318 seconds with 1560 seconds of active time. This session ended with a
crash.

Error - 10/01/2010 07:22:15 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 287 seconds with 180 seconds of active time. This session ended with a crash.

Error - 10/02/2010 14:59:46 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 1367 seconds with 180 seconds of active time. This session ended with a
crash.

Error - 23/02/2010 14:20:44 | Computer Name = MervsPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 446 seconds with 300 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 22/03/2010 16:59:06 | Computer Name = MervsPC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 22/03/2010 17:06:53 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 22/03/2010 17:07:02 | Computer Name = MervsPC | Source = HTTP | ID = 15016
Description =

Error - 22/03/2010 17:16:00 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 22/03/2010 17:16:06 | Computer Name = MervsPC | Source = HTTP | ID = 15016
Description =

Error - 22/03/2010 17:17:49 | Computer Name = MervsPC | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 001E2A472DFB. The following
error occurred: %%121. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 22/03/2010 17:26:43 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 22/03/2010 17:30:18 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 22/03/2010 17:34:39 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type

Error - 22/03/2010 17:34:44 | Computer Name = MervsPC | Source = atikmdag | ID = 45062
Description = CRT invalid display type


< End of report >


#12 Starbuck (Malware Response Team)

Posted 22 March 2010 - 05:56 PM

Hi Merv,

Try this and see if there's any difference:

Double click on OTL.exe to run it.
Copy the lines in the codebox below. (make sure you include the first lot of : )
CODE
:Otl
O37 - HKCU\...exe [@ = secfile] -- "C:\Users\Nath\AppData\Local\ave.exe" /START "%1" %* File not found
[2010/03/15 21:49:41 | 000,011,004 | -HS- | C] () -- C:\Users\Nath\AppData\Local\21mn5E

:commands
[emptytemp]
  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

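A read-only check for the per-user .exe handler override that the O37 line above reports and the fix removes, written here as an added example rather than anything from the thread or from OTL; it assumes Windows PowerShell 3.0 or later and my own function names, and it changes nothing in the registry.

```powershell
# Added example (not from the thread or from OTL): read-only audit of the .exe
# file association for the account running it. Looks for the per-user override
# under HKCU\Software\Classes\.exe that the O37 line reports and the fix deletes,
# plus the machine-wide defaults it falls back to. Assumes Windows PowerShell 3+.

function Get-RegDefault {
    # (default) value of a registry key, or $null if the key or value is absent
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Test-ExeAssociation {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Machine-wide baseline on a clean system: .exe -> exefile -> "%1" %*
    $hklmProgId = Get-RegDefault 'HKLM:\Software\Classes\.exe'
    if ($hklmProgId -ne 'exefile') {
        $findings.Add("HKLM .exe ProgID is '$hklmProgId' (expected 'exefile')")
    }
    $hklmCmd = Get-RegDefault 'HKLM:\Software\Classes\exefile\shell\open\command'
    if ($hklmCmd -ne '"%1" %*') {
        $findings.Add("HKLM exefile open command is '$hklmCmd' (expected the default)")
    }

    # Per-user layer: HKCU\Software\Classes is merged over HKLM for this account
    # only, which is why one user saw the symptom while the other five were fine.
    # A clean profile normally has no HKCU\Software\Classes\.exe key at all.
    if (Test-Path -LiteralPath 'HKCU:\Software\Classes\.exe') {
        $hkcuProgId = Get-RegDefault 'HKCU:\Software\Classes\.exe'
        $findings.Add("Per-user .exe override present, ProgID '$hkcuProgId'")
        $hkcuCmd = Get-RegDefault "HKCU:\Software\Classes\$hkcuProgId\shell\open\command"
        if ($hkcuCmd) { $findings.Add("  its open command: $hkcuCmd") }
    }
    # The other common variant shadows exefile itself in the per-user hive.
    $hkcuExeCmd = Get-RegDefault 'HKCU:\Software\Classes\exefile\shell\open\command'
    if ($hkcuExeCmd) {
        $findings.Add("Per-user exefile open command present: $hkcuExeCmd")
    }

    [pscustomobject]@{
        Hijacked = ($findings.Count -gt 0)
        Findings = $findings.ToArray()
    }
}

$report = Test-ExeAssociation
if ($report.Hijacked) {
    Write-Output 'Unexpected .exe association entries (review before changing):'
    $report.Findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output '.exe association matches the Windows default.'
}
```

Run it from the affected account, since HKCU is that user's hive and the override is invisible from the others.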


#13 mervward (Topic Starter)

Posted 23 March 2010 - 08:30 AM


Hi Starbuck,

I think you've cracked it!!

All functions on this user appear to be running smoothly now.

Here's the log:

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\Users\Nath\AppData\Local\21mn5E moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dan
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mel
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mel 2
->Temp folder emptied: 33210 bytes
->Temporary Internet Files folder emptied: 26389207 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 33139 bytes

User: Merv
->Temp folder emptied: 1777045 bytes
->Temporary Internet Files folder emptied: 1639624 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 2308 bytes

User: Nath
->Temp folder emptied: 49208 bytes
->Temporary Internet Files folder emptied: 8136954 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

User: Public

User: Sian
->Temp folder emptied: 298947 bytes
->Temporary Internet Files folder emptied: 25274132 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 678 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 980 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 61.00 mb


OTL by OldTimer - Version 3.1.37.3 log created on 03232010_131729

Files\Folders moved on Reboot...
File\Folder C:\Users\Nath\AppData\Local\Temp\~DF957B.tmp not found!
File\Folder C:\Users\Nath\AppData\Local\Temp\~DFA922.tmp not found!
C:\Users\Nath\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QTX17ZFK\ads[1].htm moved successfully.
C:\Users\Nath\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QTX17ZFK\ads[2].htm moved successfully.
C:\Users\Nath\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QTX17ZFK\iframe[2].htm moved successfully.
C:\Users\Nath\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QTX17ZFK\rnd=545225267[1].htm moved successfully.
C:\Users\Nath\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QTX17ZFK\signin[1].htm moved successfully.
C:\Users\Nath\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JXIR07Y6\topic303421[1].htm moved successfully.
C:\Users\Nath\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

#14 Starbuck (Malware Response Team)

Posted 23 March 2010 - 06:13 PM

Hi Merv,

QUOTE
I think you've cracked it!!

All functions on this user appear to be running smoothly now.

That's good to hear.
Follow steps 2 and 3 of Post #10 (saves me adding it all again)
and you should be good to go.

Glad I could help.
Safe Surfing.

Edited by Starbuck, 23 March 2010 - 06:16 PM.



#15 mervward (Topic Starter)

Posted 24 March 2010 - 08:34 AM


Hi Starbuck,

Thank you very much for all your help.

I've followed steps 2 & 3 as suggested.

Once again thanks for your efforts. It really is appreciated.


Merv