Malware issues, driver robots.....maybe more


This topic is locked. 20 replies to this topic.

#1 Neuro Nougami (Members, 99 posts)

Posted 23 March 2010 - 02:47 PM

Here's the DDS log of what's going on.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Sarah at 19:29:49.76 on 23/03/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.112 [GMT 0:00]

AV: Internet Security Anti-Virus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Internet Security Firewall *enabled* {2BF21FEC-A5BE-424D-BDD7-3229CC84ED22}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
svchost.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\viamixer.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\PC Tools Internet Security\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Sarah\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.co.uk
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools internet security\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools internet security\bdt\PCTBrowserDefender.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [<NO NAME>]
mRun: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
mRun: [ATIPTA] atiptaxx.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [atwtusb] atwtusb.exe beta
mRun: [WTClient] WTClient.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [ISTray] "c:\program files\pc tools internet security\pctsTray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viamixer.lnk - c:\program files\via technologies, inc\via audio driver setup program\viamixer.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242848367897
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sarah\applic~1\mozilla\firefox\profiles\59n17683.default\
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-3-7 54752]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [2009-2-8 22272]

=============== Created Last 30 ================

2010-03-15 18:50:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-15 18:49:46 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-15 18:49:46 0 d-----w- c:\docume~1\sarah\applic~1\SUPERAntiSpyware.com
2010-03-15 18:49:18 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-15 18:46:05 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-03-15 18:46:04 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-03-15 18:46:03 0 d-----w- c:\program files\SpywareBlaster
2010-03-14 23:50:00 0 d-----w- c:\docume~1\sarah\applic~1\Malwarebytes
2010-03-14 23:49:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 23:49:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-14 23:49:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 23:49:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 15:10:12 0 d-----w- c:\program files\a-squared Free
2010-03-11 18:49:05 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-11 18:40:43 215920 ----a-w- c:\windows\system32\muweb.dll
2010-03-11 18:40:42 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-11 18:40:42 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-03-07 09:24:18 0 d-----w- c:\documents and settings\sarah\Tracing
2010-03-07 09:22:18 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-03-07 09:20:34 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-03-07 09:20:18 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-03-07 09:17:53 0 d-----w- c:\program files\Microsoft
2010-03-07 09:17:31 0 d-----w- c:\program files\Windows Live SkyDrive
2010-03-07 09:04:39 0 d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll

============= FINISH: 19:35:14.09 ===============

I forgot to attach the 'attach' file, and also to mention what the problems are. We have trace.file.DriverRobot and Trace.Registry.DriverRobot; the former has been removed, the latter remains. We also get a 'netbroadcast event window' program that's always closing, and DDS closed itself.
Also here's the GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-23 22:03:40
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Sarah\LOCALS~1\Temp\fwldqpog.sys


---- System - GMER 1.0.15 ----

SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF85CDA1C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF85E2CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF85E2ECE]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF85CDC10]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF85CDCB6]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF85CD90C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF8602D30]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xF85CDE52]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xF85CFB30]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

---- EOF - GMER 1.0.15 ----

Merged posts. ~ OB

Edited by Orange Blossom, 23 March 2010 - 07:46 PM.



#2 Elise (Bleepin' Blonde; Malware Study Hall Admin; 60,821 posts; Location: Romania)

Posted 27 March 2010 - 04:58 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
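The logs requested in this thread are normally read by hand, but the first pass can be scripted. The Python below is an added example, not part of this thread and not code from DDS, GMER or OTL: it parses the line formats seen in the DDS and GMER logs in the first post and in the OTL "DRV -"/"SRV -" output Elise asks for, attributes each GMER SSDT hook to the driver and vendor that placed it, and flags the entries a responder would look at first: BHO/EB entries with no backing file, an empty Run value, Run commands with no directory, hosts-file overrides, and drivers or services with no publisher or with an image that is not a .sys file. The vendor allow-list (ASSUMED_SECURITY_VENDORS), the rule names and the severity labels are assumptions made for illustration; the sample lines are copied from the logs on this page.

```python
"""Triage the DDS, GMER and OTL output pasted in this thread.

Added example; not part of the thread and not code from DDS, GMER or OTL.
Sample lines are copied from the logs on this page. The vendor allow-list,
rule names and severity labels are assumptions made for illustration.
"""
import re

# Assumption: PC Tools Internet Security / ThreatFire is installed (it is in
# the DDS process list), so kernel hooks by its drivers are expected. Build
# this from the installed-product list in real use, never from the log itself.
ASSUMED_SECURITY_VENDORS = {"PC Tools"}

# Constructed sample: a handful of lines lifted from the logs in this thread.
SAMPLE_LOG = r"""
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [<NO NAME>]
mRun: [atwtusb] atwtusb.exe beta
mRun: [ISTray] "c:\program files\pc tools internet security\pctsTray.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF85CDA1C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF85E2CDC]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xF85CFB30]
DRV - [2009/10/08 14:14:10 | 000,059,664 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2008/09/17 12:46:06 | 000,028,395 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Tablet2k.cat -- (Tablet2k)
DRV - [2001/09/12 23:48:32 | 000,003,339 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vsp.sys -- (Vsp)
SRV - [2006/12/22 08:31:50 | 000,108,712 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)
"""

# GMER: "SSDT <driver> (<description>/<vendor>) <Zw function> [<address>]"
GMER_SSDT = re.compile(
    r"^SSDT\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# OTL: "DRV - [<date> | <size> | <attrs> | M] (<vendor>) [<state>] -- <image path> -- (<service name>)"
OTL_ENTRY = re.compile(
    r"^(?P<kind>DRV|SRV) - \[(?P<meta>[^\]]*)\] \((?P<vendor>[^)]*)\) "
    r"\[(?P<state>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]*)\)")
# DDS pseudo-HJT lines.
DDS_NOFILE = re.compile(r"^(?P<kind>BHO|EB|TB|IE|DPF): (?P<detail>.*) - No File$")
DDS_HOSTS = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
DDS_RUN = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A Run command counts as qualified if it starts with a drive letter or %VAR%.
QUALIFIED = re.compile(r'^"?(%\w+%|[A-Za-z]:)\\')


def ssdt_hooks_by_driver(text):
    """Group GMER SSDT lines by hooking driver: {driver: (vendor, [functions])}."""
    hooks = {}
    for line in text.splitlines():
        m = GMER_SSDT.match(line.strip())
        if not m:
            continue
        # GMER prints "<description>/<vendor>"; the vendor is the last segment.
        vendor = m["desc"].rsplit("/", 1)[-1].strip()
        hooks.setdefault(m["driver"], (vendor, []))[1].append(m["func"])
    return hooks


def triage(text):
    """Return (severity, rule, detail) findings for a pasted DDS/GMER/OTL log."""
    out = []
    for drv, (vendor, funcs) in ssdt_hooks_by_driver(text).items():
        expected = vendor in ASSUMED_SECURITY_VENDORS
        out.append(("info" if expected else "review",
                    "ssdt-hook-expected" if expected else "ssdt-hook-unattributed",
                    f"{drv} ({vendor or 'no vendor'}) hooks {', '.join(funcs)}"))
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DDS_NOFILE.match(line):
            out.append(("orphan", "dds-no-file", f"{m['kind']} entry with no backing file: {m['detail']}"))
        elif m := DDS_HOSTS.match(line):
            out.append(("review", "hosts-override", f"{m['host']} pinned to {m['ip']}"))
        elif m := DDS_RUN.match(line):
            if m["name"] == "<NO NAME>" and not m["cmd"]:
                out.append(("orphan", "run-empty", f"{m['hive']}Run has an empty default value"))
            elif m["cmd"] and not QUALIFIED.match(m["cmd"]):
                # A bare file name is located by search-path rules, so a planted
                # file earlier on that path would run instead of the intended one.
                out.append(("info", "run-unqualified-path", f"{m['name']}: {m['cmd']!r} resolved via search path"))
        elif m := OTL_ENTRY.match(line):
            if not m["vendor"].strip():
                out.append(("review", "otl-no-publisher", f"{m['kind']} {m['name']}: {m['path']}"))
            if m["kind"] == "DRV" and not m["path"].lower().endswith(".sys"):
                out.append(("review", "otl-driver-not-sys", f"{m['name']} image is {m['path']}"))
    return out


if __name__ == "__main__":
    for sev, rule, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {rule:24} {detail}")
```

On the sample, every SSDT hook attributes to a PC Tools driver that also appears in the OTL driver list, which is the reason behind Elise's instruction to disable real-time protection before running GMER: a product that hooks ZwCreateKey and ZwTerminateProcess in the kernel may conflict with GMER's own driver. An unattributed hook, or a driver with no publisher that no installed software accounts for, is what would warrant a closer look; the script ranks entries, it does not decide.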


#3 Neuro Nougami (Topic Starter; Members, 99 posts)

Posted 28 March 2010 - 02:17 PM

Here's the OTL reports:

OTL logfile created on: 28/03/2010 20:06:08 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 94.00 Mb Available Physical Memory | 18.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 55.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 87.36 Gb Free Space | 78.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KITCHEN
Current User Name: Sarah
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/28 20:05:19 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
PRC - [2009/10/08 12:31:44 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\PC Tools Internet Security\BDT\BDTUpdateService.exe
PRC - [2009/10/01 17:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/09/23 14:33:52 | 001,141,224 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Internet Security\pctsSvc.exe
PRC - [2009/09/23 13:17:22 | 000,358,600 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
PRC - [2009/09/22 18:12:40 | 001,243,112 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Internet Security\pctsTray.exe
PRC - [2009/07/22 17:53:52 | 000,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/03/25 11:51:01 | 001,516,032 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
PRC - [2009/03/25 11:50:13 | 001,548,288 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/31 14:38:48 | 000,053,248 | ---- | M] (Tablet Driver) -- C:\WINDOWS\system32\drivers\WTSrv.exe
PRC - [2007/04/11 17:27:00 | 000,040,960 | ---- | M] (Tablet Driver) -- C:\WINDOWS\system32\WTClient.exe
PRC - [2006/12/22 08:31:50 | 000,108,712 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
PRC - [2006/12/22 08:29:56 | 000,067,752 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
PRC - [2006/01/02 17:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/09/21 19:08:48 | 000,290,816 | ---- | M] (WALTOP International Corp.) -- C:\WINDOWS\system32\ATWTUSB.EXE
PRC - [2002/07/12 18:17:56 | 000,335,872 | ---- | M] () -- C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\viamixer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/28 20:05:19 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
MOD - [2009/03/25 11:50:02 | 000,198,144 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/08 14:13:54 | 000,070,928 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe -- (ThreatFire)
SRV - [2009/10/08 12:31:44 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\PC Tools Internet Security\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/10/01 17:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2009/09/23 14:33:52 | 001,141,224 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Internet Security\pctsSvc.exe -- (sdCoreService)
SRV - [2009/09/23 13:17:22 | 000,358,600 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Internet Security\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/08/20 14:16:30 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
SRV - [2009/08/05 23:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/03 14:53:32 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2007/05/31 14:38:48 | 000,053,248 | ---- | M] (Tablet Driver) [Auto | Running] -- C:\WINDOWS\System32\Drivers\WTSRV.EXE -- (WinTabService)
SRV - [2006/12/22 08:31:50 | 000,108,712 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)


========== Driver Services (SafeList) ==========

DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/10/13 09:50:54 | 000,115,216 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctplfw.sys -- (pctplfw)
DRV - [2009/10/08 14:14:10 | 000,059,664 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2009/10/08 14:14:10 | 000,033,552 | --S- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/10/08 14:14:08 | 000,051,984 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2009/10/06 17:31:30 | 000,087,784 | ---- | M] (PC Tools) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PCTAppEvent.sys -- (PCTAppEvent)
DRV - [2009/09/24 09:55:46 | 000,229,304 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2009/09/23 17:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/09/16 10:39:54 | 000,070,280 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctNdis-PacketFilter.sys -- (PCTFW-PacketFilter)
DRV - [2009/09/03 10:45:12 | 000,070,408 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pctplsg.sys -- (pctplsg)
DRV - [2009/08/14 14:44:18 | 000,032,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctNdis-DNS.sys -- (PCTFW-DNS)
DRV - [2009/08/05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/07/29 11:54:42 | 000,046,592 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctNdis.sys -- (pctNDIS)
DRV - [2009/03/25 11:50:02 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/03/25 11:49:57 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/09/17 12:46:06 | 000,028,395 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Tablet2k.cat -- (Tablet2k)
DRV - [2008/09/08 15:10:23 | 000,014,848 | ---- | M] (Tablet Driver) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UCTblHid.sys -- (UCTblHid)
DRV - [2008/04/13 19:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 19:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/04/23 16:28:56 | 000,018,432 | ---- | M] (Tablet Driver) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TClass2k.sys -- (TClass2k)
DRV - [2006/05/03 17:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/04 06:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/07/07 17:02:14 | 000,022,272 | ---- | M] (AIPTEK International Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\aiptektp.sys -- (aiptektp)
DRV - [2002/09/16 09:20:00 | 000,064,128 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viaudio.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
DRV - [2002/08/29 13:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2002/08/29 13:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2002/08/29 13:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2002/08/29 13:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2002/08/29 13:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2002/08/29 13:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2002/08/29 13:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2002/08/29 13:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2002/08/29 13:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2002/08/29 13:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2002/08/29 13:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2002/08/29 13:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2002/08/29 13:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2002/08/29 13:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2002/08/29 13:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2002/07/24 12:30:00 | 000,032,128 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2001/09/12 23:48:32 | 000,003,339 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vsp.sys -- (Vsp)
DRV - [2001/08/18 05:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
DRV - [2001/08/18 05:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
DRV - [2001/08/18 05:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/18 05:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/18 05:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
DRV - [2001/08/18 05:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/18 05:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/18 05:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/18 05:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
IE - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
IE - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========



FF - HKLM\software\mozilla\Mozilla Firefox 3.0.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/07/22 23:12:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/20 14:16:14 | 000,000,000 | ---D | M]

[2009/02/08 17:13:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Extensions
[2010/03/11 20:20:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\59n17683.default\extensions
[2010/03/11 20:20:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\59n17683.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/04/15 10:43:11 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\59n17683.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/06/03 21:10:08 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\59n17683.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2010/03/11 19:53:03 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\59n17683.default\searchplugins\bing.xml
[2009/08/03 20:50:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/02/02 16:35:06 | 000,238,976 | ---- | M] (British Telecommunications Plc) -- C:\Program Files\Mozilla Firefox\plugins\npBTEmailConfig.dll
[2009/03/29 20:36:15 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/03/29 20:36:15 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/03/29 20:36:15 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/03/29 20:36:15 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/02/20 19:04:11 | 000,292,138 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10060 more lines...
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Internet Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Internet Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [atwtusb] C:\WINDOWS\System32\ATWTUSB.EXE (WALTOP International Corp.)
O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [ISTray] C:\Program Files\PC Tools Internet Security\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [OemReset] C:\WINDOWS\OPTIONS\OEMRESET.EXE File not found
O4 - HKLM..\Run: [WTClient] C:\WINDOWS\System32\WTClient.exe (Tablet Driver)
O4 - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ViaMixer.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\viamixer.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3277439761-3525568733-1822439336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1242848367897 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/10/22 06:28:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/28 20:04:14 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2010/03/15 19:50:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/15 19:49:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Application Data\SUPERAntiSpyware.com
[2010/03/15 19:49:46 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/03/15 19:49:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/03/15 19:46:05 | 001,071,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCOMCTL.OCX
[2010/03/15 19:46:04 | 000,118,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSSTDFMT.DLL
[2010/03/15 19:46:03 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/03/15 19:45:21 | 003,012,768 | ---- | C] (Javacool Software LLC ) -- C:\Documents and Settings\Sarah\Desktop\spywareblastersetup42.exe
[2010/03/15 00:50:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Application Data\Malwarebytes
[2010/03/15 00:49:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/15 00:49:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/15 00:49:53 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/15 00:49:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/15 00:27:51 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sarah\Desktop\mbam-setup.exe
[2010/03/15 00:06:20 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\TFC.exe
[2010/03/14 16:10:12 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/03/14 16:10:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\My Documents\a-squared Free
[2010/03/14 16:06:57 | 074,121,968 | ---- | C] (Emsi Software GmbH ) -- C:\Documents and Settings\Sarah\Desktop\a2FreeSetup.exe
[2010/03/11 19:49:05 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/11 19:43:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Local Settings\Application Data\Threat Expert
[2010/03/11 19:40:42 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/03/11 19:40:42 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/03/07 10:24:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Tracing
[2010/03/07 10:23:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/03/07 10:22:18 | 000,054,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\fssfltr_tdi.sys
[2010/03/07 10:21:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Sync Framework
[2010/03/07 10:20:34 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2010/03/07 10:20:18 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2010/03/07 10:17:53 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/03/07 10:17:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/03/07 10:17:31 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2010/03/07 10:16:50 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2010/03/07 10:04:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/07/03 22:27:20 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/05/21 19:33:58 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/05/21 19:22:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2002/10/22 13:31:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/03/28 20:05:19 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2010/03/28 19:57:19 | 000,434,216 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/28 19:57:18 | 000,509,278 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/28 19:57:18 | 000,068,488 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/28 19:52:22 | 007,864,320 | -H-- | M] () -- C:\Documents and Settings\Sarah\NTUSER.DAT
[2010/03/28 19:49:58 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/28 19:49:52 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/28 19:49:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/28 19:49:42 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/23 20:52:55 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\gmer.zip
[2010/03/23 20:25:57 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\dds.scr
[2010/03/19 16:18:30 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Sarah\ntuser.ini
[2010/03/15 23:21:10 | 003,774,532 | -H-- | M] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\IconCache.db
[2010/03/15 19:49:54 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/03/15 19:48:52 | 007,757,856 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\SUPERAntiSpyware.exe
[2010/03/15 19:46:06 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\SpywareBlaster.lnk
[2010/03/15 19:45:24 | 003,012,768 | ---- | M] (Javacool Software LLC ) -- C:\Documents and Settings\Sarah\Desktop\spywareblastersetup42.exe
[2010/03/15 00:49:58 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/15 00:27:59 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sarah\Desktop\mbam-setup.exe
[2010/03/15 00:06:20 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\TFC.exe
[2010/03/14 16:41:04 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Paint.lnk
[2010/03/14 16:10:30 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/03/14 16:09:36 | 074,121,968 | ---- | M] (Emsi Software GmbH ) -- C:\Documents and Settings\Sarah\Desktop\a2FreeSetup.exe
[2010/03/12 00:00:23 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/11 23:09:39 | 106,401,836 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 5 Are You Receiving Me.wav
[2010/03/11 22:57:26 | 089,563,180 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 4 Big Tree Blue Sea.wav
[2010/03/11 22:47:17 | 101,513,260 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 3 Vanilla Queen.wav
[2010/03/11 22:35:00 | 067,942,444 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 2 Candy's Going Bad.wav
[2010/03/11 21:57:20 | 069,720,108 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 1 Radar Love.wav
[2010/03/11 21:31:11 | 038,244,396 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 11 Who Knows.wav
[2010/03/11 21:26:14 | 079,642,668 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 10 Power.wav
[2010/03/11 21:17:26 | 043,554,860 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 9 Hey Hey Hey.wav
[2010/03/11 21:11:46 | 016,179,244 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 8 Teazer.wav
[2010/03/11 21:06:09 | 026,888,236 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 7 Preacher Man.wav
[2010/03/11 21:02:14 | 027,303,980 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 6 Fire.wav
[2010/03/11 20:57:59 | 032,956,460 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 5 NSU.wav
[2010/03/11 20:53:28 | 041,175,084 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track4 Rock and Roll Tonight.wav
[2010/03/11 20:47:57 | 023,146,540 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 3 Gypsy Woman.wav
[2010/03/11 20:44:01 | 045,703,212 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 2 Atlantis.wav
[2010/03/11 20:38:19 | 035,475,500 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 1 Ezy on the Highway.wav
[2010/03/11 19:35:38 | 000,134,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/07 22:58:16 | 149,608,492 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 6 Steppin Out.wav
[2010/03/07 22:41:02 | 080,672,812 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 5 Sunshine of your Love.wav
[2010/03/07 22:22:04 | 052,514,860 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 4 Tales of Brave Ulysses.wav
[2010/03/07 22:14:32 | 055,892,012 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 3 Politician.wav
[2010/03/07 22:07:11 | 062,304,300 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 2 White Room.wav
[2010/03/07 21:49:36 | 049,694,764 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track1 Deserted Cities of the Heart.wav
[2010/03/07 20:49:03 | 077,652,008 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 5 Rollin nd a Tumblin.wav
[2010/03/07 20:36:31 | 167,630,892 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 4 Sweet Wine.wav
[2010/03/07 20:17:59 | 037,554,220 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 3 Lady Mama.wav
[2010/03/07 20:12:08 | 075,806,764 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 2 Sleepy Time Time.wav
[2010/03/07 20:02:16 | 110,108,712 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 1 N.S.U.wav
[2010/03/07 19:24:04 | 125,646,888 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 9 Heart of the Sunrise.wav
[2010/03/07 18:34:44 | 033,220,652 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 8 Mood for a Day.wav
[2010/03/07 18:29:46 | 067,670,060 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes tracks 6&7 long distance run around &the fish.wav
[2010/03/07 18:20:16 | 007,094,316 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 5 Five Percent of Nothing.wav
[2010/03/07 18:15:44 | 084,156,460 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 4 South Side of the Sky.wav
[2010/03/07 18:04:24 | 019,965,996 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 3 We Have Heaven.wav
[2010/03/07 18:01:11 | 018,483,244 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes Cans & Brahms.wav
[2010/03/07 17:25:25 | 093,573,160 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 1 Round-bout.wav
[2010/03/07 16:55:07 | 098,850,860 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 6 Perpetual Change.wav
[2010/03/07 16:42:22 | 037,447,724 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 5 A Venture.wav
[2010/03/07 16:37:09 | 074,692,652 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 4 I've Seen All Good People.wav
[2010/03/07 16:27:59 | 105,699,368 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 3 Starship Trooper.wav
[2010/03/07 16:15:37 | 035,596,332 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 2 The Clap.wav
[2010/03/07 16:09:37 | 106,135,596 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 1 Yours is no Disgrace.wav
[2010/03/07 15:44:08 | 063,918,124 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 7 Medusa.wav
[2010/03/07 15:36:00 | 052,756,524 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 6 Makes You Wanna Cry.wav
[2010/03/07 15:28:33 | 071,434,284 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 5 Seafull.wav
[2010/03/07 15:19:44 | 045,649,964 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 4 Touch My Life.wav
[2010/03/07 15:13:44 | 055,128,108 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 3 Your Love Is Alright.wav
[2010/03/07 15:05:46 | 088,930,348 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 2 Jury.wav
[2010/03/07 14:45:41 | 066,932,780 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 1 Black Cloud.wav
[2010/03/07 14:02:02 | 033,746,988 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 14 Tomorrow Never Knows.wav
[2010/03/07 13:56:39 | 028,921,900 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 13 Got To Get You In To My Life.wav
[2010/03/07 13:51:34 | 024,662,060 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 11 Dr. Robert.wav
[2010/03/07 13:47:20 | 026,636,332 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 12 I Want To Tell You.wav
[2010/03/07 13:42:50 | 024,791,084 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 11 Dr. Robert
[2010/03/07 13:38:37 | 022,243,372 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 10 For No One.wav
[2010/03/07 13:34:37 | 022,794,284 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 9 And Your Bird Can Sing.wav
[2010/03/07 13:31:12 | 024,107,052 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 8 Good Day Sunshine.wav
[2010/03/07 13:18:15 | 027,883,564 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 7 She Said She Said.wav
[2010/03/07 13:13:48 | 029,562,924 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 6 Yellow Submarine.wav
[2010/03/07 13:03:54 | 025,796,652 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 5 Here There And Everywhere.wav
[2010/03/07 12:59:35 | 034,369,580 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track4 Love To You.wav
[2010/03/07 12:50:58 | 032,878,636 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 3 I'm Only Sleeping.wav
[2010/03/07 12:45:38 | 023,787,564 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 2 Eleanor Rigby.wav
[2010/03/07 12:42:03 | 028,913,708 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 1 Taxmn.wav
[2010/03/07 12:02:06 | 267,212,840 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Catapilla track 4 Embryonic Fusion.wav
[2010/03/07 11:32:44 | 063,156,268 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Catapilla track3 Promises.wav
[2010/03/07 11:23:36 | 043,847,724 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Catpilla track 2 Tumble Weed.wav
[2010/03/07 11:13:01 | 172,357,676 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Catapilla track1 Naked Death.wav
[2010/03/07 10:23:41 | 000,026,008 | ---- | M] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/07 10:18:40 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\My Sharing Folders.lnk

========== Files Created - No Company Name ==========

[2010/03/23 20:52:52 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\gmer.zip
[2010/03/23 20:25:45 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\dds.scr
[2010/03/15 23:10:18 | 536,399,872 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/15 19:49:54 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/03/15 19:48:28 | 007,757,856 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\SUPERAntiSpyware.exe
[2010/03/15 19:46:06 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\SpywareBlaster.lnk
[2010/03/15 00:49:58 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/14 16:10:29 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/03/11 23:09:07 | 106,401,836 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 5 Are You Receiving Me.wav
[2010/03/11 22:57:10 | 089,563,180 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 4 Big Tree Blue Sea.wav
[2010/03/11 22:46:50 | 101,513,260 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 3 Vanilla Queen.wav
[2010/03/11 22:34:52 | 067,942,444 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 2 Candy's Going Bad.wav
[2010/03/11 21:57:12 | 069,720,108 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\golden earring track 1 Radar Love.wav
[2010/03/11 21:31:07 | 038,244,396 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 11 Who Knows.wav
[2010/03/11 21:26:05 | 079,642,668 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 10 Power.wav
[2010/03/11 21:17:22 | 043,554,860 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 9 Hey Hey Hey.wav
[2010/03/11 21:11:45 | 016,179,244 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 8 Teazer.wav
[2010/03/11 21:06:06 | 026,888,236 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 7 Preacher Man.wav
[2010/03/11 21:02:11 | 027,303,980 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 6 Fire.wav
[2010/03/11 20:57:55 | 032,956,460 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 5 NSU.wav
[2010/03/11 20:53:24 | 041,175,084 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track4 Rock and Roll Tonight.wav
[2010/03/11 20:47:54 | 023,146,540 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 3 Gypsy Woman.wav
[2010/03/11 20:43:56 | 045,703,212 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 2 Atlantis.wav
[2010/03/11 20:38:16 | 035,475,500 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\ezy ryder track 1 Ezy on the Highway.wav
[2010/03/07 22:57:19 | 149,608,492 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 6 Steppin Out.wav
[2010/03/07 22:40:53 | 080,672,812 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 5 Sunshine of your Love.wav
[2010/03/07 22:21:59 | 052,514,860 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 4 Tales of Brave Ulysses.wav
[2010/03/07 22:14:27 | 055,892,012 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 3 Politician.wav
[2010/03/07 22:07:05 | 062,304,300 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track 2 White Room.wav
[2010/03/07 21:49:31 | 049,694,764 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live 2 track1 Deserted Cities of the Heart.wav
[2010/03/07 20:48:54 | 077,652,008 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 5 Rollin nd a Tumblin.wav
[2010/03/07 20:35:30 | 167,630,892 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 4 Sweet Wine.wav
[2010/03/07 20:17:55 | 037,554,220 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 3 Lady Mama.wav
[2010/03/07 20:11:59 | 075,806,764 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 2 Sleepy Time Time.wav
[2010/03/07 20:01:55 | 110,108,712 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Cream Live track 1 N.S.U.wav
[2010/03/07 19:23:19 | 125,646,888 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 9 Heart of the Sunrise.wav
[2010/03/07 18:34:41 | 033,220,652 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 8 Mood for a Day.wav
[2010/03/07 18:29:24 | 067,670,060 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes tracks 6&7 long distance run around &the fish.wav
[2010/03/07 18:20:15 | 007,094,316 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 5 Five Percent of Nothing.wav
[2010/03/07 18:15:10 | 084,156,460 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 4 South Side of the Sky.wav
[2010/03/07 18:04:22 | 019,965,996 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 3 We Have Heaven.wav
[2010/03/07 18:01:09 | 018,483,244 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes Cans & Brahms.wav
[2010/03/07 17:24:47 | 093,573,160 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Fragile Yes track 1 Round-bout.wav
[2010/03/07 16:54:31 | 098,850,860 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 6 Perpetual Change.wav
[2010/03/07 16:42:18 | 037,447,724 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 5 A Venture.wav
[2010/03/07 16:36:44 | 074,692,652 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 4 I've Seen All Good People.wav
[2010/03/07 16:27:19 | 105,699,368 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 3 Starship Trooper.wav
[2010/03/07 16:15:33 | 035,596,332 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 2 The Clap.wav
[2010/03/07 16:08:57 | 106,135,596 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\The Yes Album track 1 Yours is no Disgrace.wav
[2010/03/07 15:43:54 | 063,918,124 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 7 Medusa.wav
[2010/03/07 15:35:54 | 052,756,524 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 6 Makes You Wanna Cry.wav
[2010/03/07 15:28:11 | 071,434,284 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 5 Seafull.wav
[2010/03/07 15:19:39 | 045,649,964 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 4 Touch My Life.wav
[2010/03/07 15:13:38 | 055,128,108 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 3 Your Love Is Alright.wav
[2010/03/07 15:05:12 | 088,930,348 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 2 Jury.wav
[2010/03/07 14:45:23 | 066,932,780 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Trapeze track 1 Black Cloud.wav
[2010/03/07 14:01:59 | 033,746,988 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 14 Tomorrow Never Knows.wav
[2010/03/07 13:56:36 | 028,921,900 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 13 Got To Get You In To My Life.wav
[2010/03/07 13:51:31 | 024,662,060 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 11 Dr. Robert.wav
[2010/03/07 13:47:17 | 026,636,332 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 12 I Want To Tell You.wav
[2010/03/07 13:42:47 | 024,791,084 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 11 Dr. Robert
[2010/03/07 13:38:35 | 022,243,372 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 10 For No One.wav
[2010/03/07 13:34:35 | 022,794,284 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 9 And Your Bird Can Sing.wav
[2010/03/07 13:31:09 | 024,107,052 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 8 Good Day Sunshine.wav
[2010/03/07 13:18:12 | 027,883,564 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 7 She Said She Said.wav
[2010/03/07 13:13:45 | 029,562,924 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 6 Yellow Submarine.wav
[2010/03/07 13:03:51 | 025,796,652 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 5 Here There And Everywhere.wav
[2010/03/07 12:59:31 | 034,369,580 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track4 Love To You.wav
[2010/03/07 12:50:55 | 032,878,636 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 3 I'm Only Sleeping.wav
[2010/03/07 12:45:36 | 023,787,564 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 2 Eleanor Rigby.wav
[2010/03/07 12:42:00 | 028,913,708 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Beatles track 1 Taxmn.wav
[2010/03/07 12:00:34 | 267,212,840 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Catapilla track 4 Embryonic Fusion.wav
[2010/03/07 11:32:35 | 063,156,268 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Catapilla track3 Promises.wav
[2010/03/07 11:23:31 | 043,847,724 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Catpilla track 2 Tumble Weed.wav
[2010/03/07 11:11:59 | 172,357,676 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Catapilla track1 Naked Death.wav
[2010/01/13 22:08:44 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2009/08/20 14:11:33 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2009/07/13 16:56:28 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE R240R245EU.ini
[2009/05/01 22:32:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2009/03/10 18:40:24 | 000,003,830 | ---- | C] () -- C:\WINDOWS\Tablet8000x6000.ini
[2009/02/08 21:44:37 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\WinTab32.dll
[2009/02/08 21:44:32 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\Funckey.dll
[2009/02/08 21:44:31 | 000,003,876 | ---- | C] () -- C:\WINDOWS\aiptbl.ini
[2009/02/08 18:07:11 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/08 16:44:02 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/10/28 17:40:48 | 000,173,552 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2007/04/24 20:31:12 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\ucinst32.dll
[2002/11/01 11:05:23 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2002/11/01 11:05:23 | 000,003,339 | ---- | C] () -- C:\WINDOWS\System32\drivers\vsp.sys
[2002/10/22 13:17:57 | 000,001,508 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2002/10/22 07:05:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/06/15 01:58:34 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 183 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5160F090
< End of report >


OTL Extras logfile created on: 28/03/2010 20:06:08 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 94.00 Mb Available Physical Memory | 18.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 55.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 87.36 Gb Free Space | 78.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KITCHEN
Current User Name: Sarah
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-3277439761-3525568733-1822439336-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe:*:Enabled:Kaspersky Anti-Virus -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4817189D-1785-4627-A33C-39FD90919300}" = The Sims 2 Pets
"{4AA3D64E-9EC3-4B0F-AB91-5885AC55641F}" = Microsoft Games for Windows - LIVE
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = The Sims 2
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}" = RTLSetup
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DA898F5C-4C85-4CF4-825B-E05D07DC39DD}" = BT Broadband Support Tools
"{DAB5C521-80B2-48C3-B0DA-326A1B331F55}" = GoToAssist Corporate
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}" = ATI Catalyst Control Center
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FD052FB9-FE90-4438-B355-15EDC89D8FB1}" = Microsoft Games for Windows - LIVE Redistributable
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"All ATI Software" = ATI - Software Uninstall Utility
"a-squared Free_is1" = a-squared Free 4.5
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"Browser Defender_is1" = Browser Defender 2.0.6.10
"BT Broadband Desktop Help" = BT Broadband Desktop Help
"BT Wireless Connection Manager" = BT Wireless Connection Manager
"BT Yahoo! Applications" = BT Yahoo! Applications
"BTHomeHub" = BTHomeHub
"CEP - Colour Enable Packages_is1" = CEP (Color Enable Package) v.9.0 (beta)
"EPSON Printer and Utilities" = EPSON Printer Software
"GoToAssist" = GoToAssist Corporate
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Mozilla Firefox (3.0.12)" = Mozilla Firefox (3.0.12)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero - Burning Rom (Web installer)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Tools Internet Security" = PC Tools Internet Security 2010
"Rmtablet" = 1200-V2 WIRELESS SCROLL TABLET
"SpywareBlaster_is1" = SpywareBlaster 4.2
"ST6UNST #1" = IWF - Internet Safety Presentation
"TabletDriver" = Trust Tablet Driver
"VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3277439761-3525568733-1822439336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 07/08/2009 09:20:12 | Computer Name = KITCHEN | Source = ESENT | ID = 490
Description = svchost (1236) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 08/08/2009 15:53:04 | Computer Name = KITCHEN | Source = Microsoft Works | ID = 1000
Description =

Error - 08/08/2009 16:50:18 | Computer Name = KITCHEN | Source = Microsoft Works | ID = 1000
Description =

Error - 12/08/2009 12:34:03 | Computer Name = KITCHEN | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3474, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 02/09/2009 10:53:32 | Computer Name = KITCHEN | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/01/2010 18:44:41 | Computer Name = KITCHEN | Source = ESENT | ID = 490
Description = svchost (1292) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 23/03/2010 15:26:46 | Computer Name = KITCHEN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 23/03/2010 15:55:50 | Computer Name = KITCHEN | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0000c4b1.

Error - 23/03/2010 15:59:04 | Computer Name = KITCHEN | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15281, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 23/03/2010 15:59:13 | Computer Name = KITCHEN | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15281, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 15/03/2010 15:07:10 | Computer Name = KITCHEN | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 15/03/2010 15:07:10 | Computer Name = KITCHEN | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 15/03/2010 15:07:10 | Computer Name = KITCHEN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AmdK7 Fips IPSec MRxSmb NetBIOS NetBT pctgntdi RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL

Error - 15/03/2010 18:09:15 | Computer Name = KITCHEN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 15/03/2010 18:22:31 | Computer Name = KITCHEN | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Flash Player (KB923789).

Error - 19/03/2010 11:18:49 | Computer Name = KITCHEN | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Flash Player (KB923789).

Error - 23/03/2010 15:22:25 | Computer Name = KITCHEN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 23/03/2010 15:22:43 | Computer Name = KITCHEN | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 28/03/2010 14:55:57 | Computer Name = KITCHEN | Source = System Error | ID = 1003
Description = Error code 100000d0, parameter1 00000005, parameter2 00000002, parameter3
00000001, parameter4 8054a098.

Error - 28/03/2010 15:08:13 | Computer Name = KITCHEN | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Flash Player (KB923789).


< End of report >




#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:06 PM

Posted 28 March 2010 - 02:23 PM

Apart from those driver robotics detections, what problems do you have exactly?

Also, can you please post me a GMER log?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Neuro Nougami

Neuro Nougami
  • Topic Starter

  • Members
  • 99 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 28 March 2010 - 02:25 PM

Before I forget, here's an idea of things that are wrong with this computer:
I did a scan with a2 and it found these two-

Trace.File.DriverRobot!A2
The above is located at c:/windows/tasks/driverrobot.job

Trace.Registry.DriverRobot!A2
And this one lives here Trace:Key:HKEY_LOCAL_MACHINE/software/DriverRobot

The second one was never removed, saying it couldn't be deleted. I was told a worse malware problem likely lurked within. I have noticed a 'netbroadcast event window' that seems to have problems closing as I switch off the computer and I have no idea what this is as I haven't encountered it on any other computer. Also this computer recently told me that one of the files containing system registry data had to be recovered by use of a log or alternate copy and that recovery was successful. Then it told me the system had recovered from a serious error.
I should also mention that this computer could have had malware on it for literally years because a couple of years ago I was too young to appreciate the dangers of the internet and my dad lacks a grasp of such things entirely.....so there could be some old problems on here. It's had viruses in the past that were removed by just crashing it....which wouldn't have necessarily removed them and if anything seemed dodgy, we just deleted it....it's a wonder this thing still works.


#6 Elise

Posted 28 March 2010 - 02:29 PM

Are things actually slow, do you have any popups, redirects, weird problems that make you think you were infected?

I saw you had a thread with schrauber less than a month ago, so be sure you were free of malware when you finished there.

Please post me the GMER log.

regards, Elise



#7 Neuro Nougami

Posted 28 March 2010 - 02:53 PM

Things are slow, yes. And the screen keeps 'whiting out' and darkening and 'whiting out' again. Every now and then a command prompt box pops up for no reason, though I haven't seen it lately. Just general 'weird' stuff that keeps happening. I can't post the GMER log right now because I can't disconnect this computer from the internet. Sorry for the delay, it will be posted asap.

--Also scanners have closed by themselves and there were a load of porn-related cookies, despite no one going on that kind of site.

Edited by Neuro Nougami, 28 March 2010 - 02:55 PM.


#8 Elise

Posted 28 March 2010 - 02:56 PM

Okay, I'll wait for your GMER log.

regards, Elise



#9 Neuro Nougami

Posted 28 March 2010 - 04:04 PM

Due to unforeseen and incredibly annoying issues (namely an internet connection icon literally disappearing) I was wondering if it would just be easier to run GMER in safe mode....would it be equally effective? Sorry for the dumb question.

#10 Elise

Posted 29 March 2010 - 02:33 AM

Yes, you can run GMER in safe mode.

regards, Elise



#11 Neuro Nougami

Posted 30 March 2010 - 03:00 PM

I remembered something that may or may not be relevant. Some four or five years ago, I downloaded winrar from a website I have since forgotten for a forty day trial period....four/five years on I still have it and it still works. When I tried to run GMER from it my computer shut down, even in safe-mode. It has been telling me the trial period is up, but yet it has worked for that whole time.
Bittorrent was also used on this computer at about the same time. Potentially this is a problem that stretches way back. Anyway, here's the GMER.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-30 20:49:05
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Sarah\LOCALS~1\Temp\fwldqpog.sys


---- System - GMER 1.0.15 ----

SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF85CDA1C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF85E2CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF85E2ECE]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF85CDC10]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF85CDCB6]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF85CD90C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF8602D30]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xF85CDE52]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xF85CFB30]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

---- EOF - GMER 1.0.15 ----

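Added example (not part of Neuro Nougami's post and not GMER's own code): a small Python triage of the SSDT section above, grouping hooks by driver and flagging any hook that GMER does not attribute to an expected security vendor. The log lines are the ones posted above; the one unattributed line, its driver name and its address are constructed to exercise the flagging path, and the only expected vendor here is assumed to be PC Tools.

```python
"""Triage the SSDT section of a GMER log: group hooks by driver and flag hooks
that are not attributed to a known, expected security product."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the SSDT / Devices lines from the GMER log in the post above.
GMER_LOG_FROM_POST = r"""
---- System - GMER 1.0.15 ----

SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF85CDA1C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF85E2CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF85E2ECE]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF85CDC10]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF85CDCB6]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF85CD90C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF8602D30]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xF85CDE52]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xF85CFB30]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

---- EOF - GMER 1.0.15 ----
"""

# Constructed line (hypothetical driver name and address) so the "no vendor
# attribution" path is exercised; GMER prints no parenthetical description
# when it cannot attribute the hooking module to a known product.
CONSTRUCTED_UNATTRIBUTED_LINE = (
    r"SSDT \??\C:\WINDOWS\system32\drivers\example_unknown.sys ZwEnumerateKey [0xF7A00000]"
    + "\n"
)

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"           # hooking image, possibly a full path
    r"(?:\s+\((?P<desc>[^)]*)\))?"       # optional "(Description/Vendor)"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)


@dataclass(frozen=True)
class SsdtHook:
    module: str
    description: Optional[str]
    function: str
    address: int

    @property
    def driver(self) -> str:
        """Bare image name, lower-cased, whether GMER printed a path or not."""
        return self.module.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    @property
    def vendor(self) -> Optional[str]:
        """Vendor is the part after the last '/' in GMER's description."""
        if not self.description or "/" not in self.description:
            return None
        return self.description.rsplit("/", 1)[1].strip()


def parse_ssdt_hooks(log_text: str) -> List[SsdtHook]:
    """Return every SSDT hook line in the log as a structured record."""
    hooks: List[SsdtHook] = []
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(SsdtHook(m["module"], m["desc"], m["func"], int(m["addr"], 16)))
    return hooks


def triage(hooks: List[SsdtHook], trusted_vendors: List[str]
           ) -> Tuple[Dict[str, List[str]], List[SsdtHook]]:
    """Group hooked functions by driver; flag hooks not attributed to a trusted vendor."""
    trusted = {v.lower() for v in trusted_vendors}
    by_driver: Dict[str, List[str]] = {}
    needs_review: List[SsdtHook] = []
    for h in hooks:
        by_driver.setdefault(h.driver, []).append(h.function)
        if h.vendor is None or h.vendor.lower() not in trusted:
            needs_review.append(h)
    return by_driver, needs_review


if __name__ == "__main__":
    all_hooks = parse_ssdt_hooks(GMER_LOG_FROM_POST + CONSTRUCTED_UNATTRIBUTED_LINE)
    grouped, review = triage(all_hooks, ["PC Tools"])
    for drv, funcs in sorted(grouped.items()):
        print(f"{drv}: {', '.join(funcs)}")
    for h in review:
        print(f"REVIEW: {h.function} hooked by {h.module} (no trusted vendor attribution)")
```

For the posted log every hook belongs to PC Tools drivers, so nothing is flagged; only the constructed line lands in the review list.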


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania

Posted 30 March 2010 - 03:10 PM

Hello Neuro Nougami,

WinRAR is free to use even after the trial period is over. It just gives you the nagging screen at startup.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise




#13 Neuro Nougami

Neuro Nougami
  • Topic Starter
  • Members
  • 99 posts

Posted 30 March 2010 - 04:01 PM

When I ran ComboFix it didn't run through the usual "[insert name here] antivirus is running and may interfere" etc... and the scan was done in far less than ten minutes... but the deletions took an awfully long time... here's the scan:

ComboFix 10-03-29.04 - Sarah 30/03/2010 21:17:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.271 [GMT 1:00]
Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
AV: Internet Security Anti-Virus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Internet Security Firewall *enabled* {2BF21FEC-A5BE-424D-BDD7-3229CC84ED22}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sarah\Local Settings\Temporary Internet Files\mcc14.tmp
c:\documents and settings\Sarah\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\Sarah\Local Settings\Temporary Internet Files\mcc17.tmp
c:\documents and settings\Sarah\Local Settings\Temporary Internet Files\mcc18.tmp
c:\documents and settings\Sarah\Local Settings\Temporary Internet Files\mccD.tmp
c:\recycler\NPROTECT

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-28 19:42 . 2010-03-28 19:42 -------- d-----w- c:\documents and settings\Sarah\Application Data\MSN6
2010-03-28 19:42 . 2010-03-28 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-03-15 18:50 . 2010-03-15 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-15 18:49 . 2010-03-15 18:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-15 18:49 . 2010-03-15 18:49 -------- d-----w- c:\documents and settings\Sarah\Application Data\SUPERAntiSpyware.com
2010-03-15 18:49 . 2010-03-15 18:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-15 18:46 . 2005-08-25 19:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-03-15 18:46 . 2010-03-15 18:47 -------- d-----w- c:\program files\SpywareBlaster
2010-03-14 23:50 . 2010-03-14 23:50 -------- d-----w- c:\documents and settings\Sarah\Application Data\Malwarebytes
2010-03-14 23:49 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 23:49 . 2010-03-14 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-14 23:49 . 2010-03-14 23:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 23:49 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 15:10 . 2010-03-14 17:17 -------- d-----w- c:\program files\a-squared Free
2010-03-11 18:49 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-11 18:43 . 2010-03-11 18:43 -------- d-----w- c:\documents and settings\Sarah\Local Settings\Application Data\Threat Expert
2010-03-11 18:40 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-03-11 18:40 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-07 09:24 . 2010-03-30 20:44 -------- d-----w- c:\documents and settings\Sarah\Tracing
2010-03-07 09:23 . 2010-03-12 16:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-07 09:22 . 2009-08-05 22:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-03-07 09:21 . 2010-03-07 09:21 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-03-07 09:20 . 2006-11-29 13:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-03-07 09:20 . 2010-03-07 09:20 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-03-07 09:17 . 2010-03-07 09:17 -------- d-----w- c:\program files\Microsoft
2010-03-07 09:17 . 2010-03-07 09:17 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-07 09:16 . 2010-03-07 09:22 -------- d-----w- c:\program files\Windows Live
2010-03-07 09:04 . 2010-03-07 09:04 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 20:49 . 2010-01-13 21:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-30 20:48 . 2010-01-13 21:06 -------- d-----w- c:\program files\PC Tools Internet Security
2010-03-14 17:40 . 2009-02-08 16:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-07 09:23 . 2009-02-11 00:05 26008 ----a-w- c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-21 23:16 . 2010-01-13 21:08 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 23:16 . 2010-01-13 21:08 1152444 ----a-w- c:\windows\UDB.zip
2010-01-21 23:16 . 2010-01-13 21:08 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 23:16 . 2010-01-13 21:08 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-21 23:16 . 2010-01-13 21:08 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-01-05 10:00 . 2009-02-08 21:57 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2009-02-08 21:54 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2009-02-08 21:56 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe beta" [X]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-09-12 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"WTClient"="WTClient.exe" [2007-04-11 40960]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-03-25 1548288]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2009-03-25 1516032]
"ISTray"="c:\program files\PC Tools Internet Security\pctsTray.exe" [2009-09-22 1243112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ViaMixer.lnk - c:\program files\VIA Technologies, Inc\VIA Audio Driver Setup Program\viamixer.exe [2002-11-1 335872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-08-20 13:16 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [13/01/2010 22:07 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [13/01/2010 22:06 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [13/01/2010 22:06 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [13/01/2010 22:07 229304]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [14/03/2010 16:10 1858144]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Internet Security\BDT\BDTUpdateService.exe [13/01/2010 22:08 112592]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [13/01/2010 22:07 87784]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Internet Security\pctsAuxs.exe [13/01/2010 22:06 358600]
R3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [13/01/2010 22:06 32552]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [13/01/2010 22:06 70280]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [13/01/2010 22:06 46592]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [13/01/2010 22:06 115216]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [08/02/2009 21:44 22272]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [13/01/2010 22:06 70408]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [13/01/2010 22:06 33552]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service [?]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [01/11/2002 11:05 3339]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\59n17683.default\
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-OemReset - c:\windows\OPTIONS\OEMRESET.EXE
HKLM-Run-ATIPTA - atiptaxx.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Sarah\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 21:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:wjY*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6102"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(844)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(1644)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\WTClient.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\PC Tools Internet Security\pctsSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\Drivers\WTSRV.EXE
.
**************************************************************************
.
Completion time: 2010-03-30 21:57:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 20:57

Pre-Run: 93,672,177,664 bytes free
Post-Run: 92,982,358,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

- - End Of File - - B160512D310EF9DF4CBC4F99BDBC0C92


#14 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania

Posted 31 March 2010 - 08:35 AM

Hello Neuro Nougami,

How are things running now?

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 19.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
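
As an added example (not part of this thread, and not a BleepingComputer, ComboFix or DDS tool), the Python script below applies the checks a helper makes when reading the ComboFix log posted above: Run entries ComboFix marks `[X]` (target missing), autostarts given as a bare filename with no path, the Security Center `AntiVirusOverride` value, and services whose image ComboFix could not verify (`[?]`). It also carries out the version comparison behind the Java update advice in the post above (1.6.0_13 against 6 Update 19). The sample excerpt is copied from the log above and abridged; the severity labels and the 6u19 minimum are this example's own assumptions.

```python
"""Triage helpers for the ComboFix / DDS log format used in this thread.

Added example, not part of any BleepingComputer or ComboFix tooling.
It parses Run-key autostarts, the Security Center override value and
service entries from a log excerpt, and checks a JRE version string
against the update the thread recommends (6 Update 19).
"""
import re

# Lines copied from the ComboFix log above, abridged to the entries that
# trigger a finding plus a few benign neighbours for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe beta" [X]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-09-12 155648]
"WTClient"="WTClient.exe" [2007-04-11 40960]
"ISTray"="c:\program files\PC Tools Internet Security\pctsTray.exe" [2009-09-22 1243112]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [13/01/2010 22:07 207280]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service [?]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [01/11/2002 11:05 3339]
"""

# "name"="command" [date size]  -- ComboFix prints [X] when the file is missing
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# "name"=dword:XXXXXXXX
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
# R0 name;description;path [date time size]  -- [?] when the image could not be checked
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<meta>[^\]]*)\]$')


def _unqualified(cmd):
    """True when the executable has no directory part (e.g. 'WTClient.exe'),
    so Windows resolves it by searching the PATH at logon."""
    exe = cmd.strip().split(' ', 1)[0]
    return bool(exe) and not any(c in exe for c in '\\:%')


def triage(log_text):
    """Return a list of (severity, message) findings for a ComboFix-style excerpt.
    Severity labels are this example's assumption, not a ComboFix convention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            name, cmd, meta = m.group('name', 'cmd', 'meta')
            if meta == 'X':
                findings.append(('medium', f'Run "{name}": "{cmd}" not found on disk (orphaned autostart)'))
            elif _unqualified(cmd):
                findings.append(('low', f'Run "{name}": "{cmd}" has no path and is resolved by PATH search'))
        elif (m := DWORD_RE.match(line)):
            if m.group('name').lower() == 'antivirusoverride' and int(m.group('val'), 16) == 1:
                findings.append(('high', 'Security Center: AntiVirusOverride=1, missing-AV alerts are suppressed'))
        elif (m := SVC_RE.match(line)):
            if m.group('meta') == '?':
                findings.append(('medium', f'Service {m.group("name")} ({m.group("start")}): image could not be verified'))
    return findings


def java_update_needed(version, minimum=(6, 19)):
    """Parse a Sun JRE version ('1.6.0_13' -> major 6, update 13) and report
    whether it is older than the 6u19 release recommended in the thread."""
    m = re.fullmatch(r'1\.(\d+)\.\d+(?:_(\d+))?', version.strip())
    if not m:
        raise ValueError(f'unrecognised JRE version: {version!r}')
    return (int(m.group(1)), int(m.group(2) or 0)) < minimum


if __name__ == '__main__':
    for sev, msg in triage(SAMPLE_LOG):
        print(f'[{sev:6}] {msg}')
    print('Java 1.6.0_13 needs update:', java_update_needed('1.6.0_13'))
```

Run against the excerpt, `triage()` returns four findings: the orphaned `atwtusb` entry, the path-less `WTClient.exe` autostart, the `AntiVirusOverride` value, and the `ThreatFire` service ComboFix could not verify. None of these is malware on its own; they are the lines a helper reads next, which is why the script reports rather than removes.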


#15 Neuro Nougami

  • Topic Starter

  • Members
  • 99 posts

Posted 02 April 2010 - 02:07 PM

Still suffering the unexplained netbroadcast event window and the MBAM only took 47 minutes to complete whereas on computers with less on them it takes around an hour and a half. Just in case I forgot to mention it, I failed to remove the earlier:

Trace.Registry.DriverRobot!A2
At Trace:Key:HKEY_LOCAL_MACHINE/software/DriverRobot

Also no malicious items were found by the MBAM scan. I'm puzzled because this computer has been acting oddly and owing to my unsafe behaviour on it some four or five years ago I was certain there was something on it.....but so far not much has turned up. Could the fact that it was infected so long ago mean that the malware is harder to detect?



