
Help with a virus please


20 replies to this topic

#1 sy.

sy.

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 08 June 2010 - 10:16 AM

Hi, I am currently trying to get rid of a virus but not having much luck. I scan with many AVs and they all find nothing, yet every hour or so my Kaspersky detects it. The only symptom I'm having is that 70% of the time it won't let me access C:\Documents and Settings. Nothing else.
Here is what Kaspersky is detecting:
08/06/2010 10:15:25 Detected: HEUR:Exploit.Script.Generic Kaspersky Internet Security C:\Documents and Settings\Family\AppData\Local\Temp\plugtmp-6\plugin-Notes7.pdf/data0000

As I said, it detects it every hour or two but in a different plugtmp file. I believe I got the virus through an Adobe exploit but I'm not sure.

Any help at all would be great.

Thanks

sy
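The detection line quoted in the post above, read with the notation Kaspersky uses: as an added example (not part of the post or of any Kaspersky tooling), this Python script parses such report lines, splits the on-disk file from the nested object Kaspersky found inside it (the `/data0000` suffix), and groups hits that keep reappearing in freshly numbered `plugtmp-N` directories. All lines except the first are constructed, and the reading of `plugtmp-N` as scratch copies written by the browser's PDF plugin is an assumption stated in the code.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional

# Kaspersky report line, as pasted above:
#   dd/MM/yyyy HH:MM:SS Detected: <verdict> <product> <object>
# <object> is the on-disk file plus "/name" for each nested object Kaspersky
# unpacked inside it (here "data0000", a stream inside the PDF).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Detected: (?P<verdict>\S+) (?P<product>.+?) (?P<obj>[A-Za-z]:\\.*)$"
)
# Assumption: Temp\plugtmp-N\ holds the scratch copy the browser's PDF plugin
# writes each time a document is opened in the browser; N increments per copy.
PLUGTMP_RE = re.compile(r"\\Temp\\plugtmp-(\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    date: str
    time: str
    verdict: str
    product: str
    container: str               # the file on disk
    nested: List[str]            # objects inside it, outermost first
    plugtmp_index: Optional[int]  # N from plugtmp-N, or None


def parse_line(line: str) -> Optional[Detection]:
    """Parse one report line; returns None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    container, *nested = m.group("obj").split("/")
    pm = PLUGTMP_RE.search(container)
    return Detection(m.group("date"), m.group("time"), m.group("verdict"),
                     m.group("product"), container, nested,
                     int(pm.group(1)) if pm else None)


def location_key(det: Detection) -> str:
    """Parent directory with plugtmp-6, plugtmp-7, ... collapsed to plugtmp-*."""
    collapsed = PLUGTMP_RE.sub(r"\\Temp\\plugtmp-*\\", det.container)
    return collapsed.rsplit("\\", 1)[0]


def summarize(lines):
    """Group detections by (verdict, location): count, plugtmp indexes, file names."""
    groups = OrderedDict()
    for det in filter(None, map(parse_line, lines)):
        g = groups.setdefault((det.verdict, location_key(det)),
                              {"count": 0, "indexes": [], "files": set()})
        g["count"] += 1
        g["files"].add(det.container.rsplit("\\", 1)[-1])
        if det.plugtmp_index is not None:
            g["indexes"].append(det.plugtmp_index)
    return groups


def recurring_plugtmp(groups):
    """Verdicts that keep reappearing in freshly numbered plugtmp-N directories.

    Each such hit is a new scratch copy, so emptying Temp removes the copy but
    not whatever keeps re-opening the document; that is where to look next.
    """
    return [key for key, g in groups.items()
            if g["count"] > 1 and len(set(g["indexes"])) > 1]


# Sample input: line 1 is the detection quoted in the post above; the rest are
# constructed to mimic the "different plugtmp file every hour or two" pattern,
# plus one hit outside Temp and one non-detection line the parser skips.
SAMPLE_LINES = [
    r"08/06/2010 10:15:25 Detected: HEUR:Exploit.Script.Generic Kaspersky Internet Security C:\Documents and Settings\Family\AppData\Local\Temp\plugtmp-6\plugin-Notes7.pdf/data0000",
    r"08/06/2010 12:02:41 Detected: HEUR:Exploit.Script.Generic Kaspersky Internet Security C:\Documents and Settings\Family\AppData\Local\Temp\plugtmp-7\plugin-Notes7.pdf/data0000",
    r"08/06/2010 13:48:09 Detected: HEUR:Exploit.Script.Generic Kaspersky Internet Security C:\Documents and Settings\Family\AppData\Local\Temp\plugtmp-9\plugin-Notes7.pdf/data0000",
    r"09/06/2010 09:10:00 Detected: HEUR:Exploit.Script.Generic Kaspersky Internet Security C:\Users\Family\Downloads\report.pdf/data0000",
    r"09/06/2010 09:10:01 Task started Kaspersky Internet Security",
]

if __name__ == "__main__":
    groups = summarize(SAMPLE_LINES)
    for (verdict, where), g in groups.items():
        print(f"{g['count']}x {verdict} in {where}  plugtmp indexes={g['indexes']}")
    print("recurring plugtmp hits:", recurring_plugtmp(groups))
```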




#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:17 AM

Posted 08 June 2010 - 10:51 AM

Hi sy. and welcome to Bleeping Computer.

As this seems to be in one of your temp folders, let's clean those first and then run a scan.

Step 1
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Step 2
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


In your next reply, please submit:
MBAM scan report


Thanks.



#3 sy.

sy.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 10 June 2010 - 09:09 AM

Hi Starbuck, thanks for the reply. I cleared the temp files and ran Malwarebytes; it found nothing.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4183

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

09/06/2010 18:34:18
mbam-log-2010-06-09 (18-34-18).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 322533
Time elapsed: 1 hour(s), 44 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky is still picking up the virus every couple of hours.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:17 PM

Posted 10 June 2010 - 12:22 PM

Moved to Virus, Trojan and Malware Removal Logs forum.

#5 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:17 AM

Posted 10 June 2010 - 12:35 PM

Thanks for moving the topic.


Hi sy.

Now the topic has been moved, we are not restricted with the tools we can use.
Let's get a better look at what's going on in your system.
  • Download OTL to your desktop.
    If you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Now copy the lines below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT


  • Right-click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.


  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

Thanks



#6 sy.

sy.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 10 June 2010 - 04:06 PM

OK, here are the logs.

OTL.txt ----------------

OTL logfile created on: 10/06/2010 21:35:42 - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Users\Family\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 286.09 Gb Total Space | 179.79 Gb Free Space | 62.84% Space Free | Partition Type: NTFS
Drive D: | 74.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FAMILY-PC
Current User Name: Family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Family\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Steam\GameOverlayUI.exe (Valve Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe (Kaspersky Lab)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\FsUsbExService.Exe (Teruten)
PRC - C:\Program Files\Kodak\Printer\Center\KodakSvc.exe (Eastman Kodak Company)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Family\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (AVP) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (FsUsbExService) -- C:\Windows\System32\FsUsbExService.Exe (Teruten)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (Symantec Corporation)
SRV - (KodakSvc) -- C:\Program Files\Kodak\printer\center\KodakSvc.exe (Eastman Kodak Company)
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (KLIF) -- C:\Windows\System32\drivers\klif.sys (Kaspersky Lab)
DRV - (kl1) -- C:\Windows\System32\drivers\kl1.sys (Kaspersky Lab)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (klmouflt) -- C:\Windows\System32\drivers\klmouflt.sys (Kaspersky Lab)
DRV - (KLIM6) -- C:\Windows\System32\drivers\klim6.sys (Kaspersky Lab)
DRV - (klbg) -- C:\Windows\system32\drivers\klbg.sys (Kaspersky Lab)
DRV - (FsUsbExDisk) -- C:\Windows\System32\FsUsbExDisk.Sys ()
DRV - (nvrd32) -- C:\Windows\system32\drivers\nvrd32.sys (NVIDIA Corporation)
DRV - (nvstor32) -- C:\Windows\system32\drivers\nvstor32.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (netr28u) -- C:\Windows\System32\drivers\netr28u.sys (Ralink Technology Corp.)
DRV - (ss_mdm) -- C:\Windows\System32\drivers\ss_mdm.sys (MCCI Corporation)
DRV - (ss_mdfl) -- C:\Windows\System32\drivers\ss_mdfl.sys (MCCI Corporation)
DRV - (ss_bus) SAMSUNG Mobile USB Device 1.0 driver (WDM) -- C:\Windows\System32\drivers\ss_bus.sys (MCCI Corporation)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation)
DRV - (usbcm) -- C:\Windows\System32\drivers\usbcm.sys (Microsystems Corp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.packardbell.com/?id=9067
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo.co.uk"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.459
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\THBExt [2010/05/27 15:52:57 | 000,000,000 | ---D | M]

[2008/12/25 14:31:05 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\Mozilla\Extensions
[2010/05/29 17:40:11 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\bjk9ga7f.default\extensions
[2009/07/31 12:10:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\bjk9ga7f.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/03/10 23:52:42 | 000,000,000 | ---D | M] (SourceEditor) -- C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\bjk9ga7f.default\extensions\{ee6976bb-656b-45cf-b2b6-5c837ee59a96}
[2010/05/29 18:28:59 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/25 14:00:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/27 15:53:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2009/02/25 17:09:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\npmozax@real.com
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll (Packard Bell)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - HKLM..\RunOnceEx: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 157
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/07/08 13:28:47 | 000,000,053 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{8e2a4ee2-d278-11dd-9ed9-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{8e2a4ee2-d278-11dd-9ed9-806e6f6e6963}\Shell\AutoRun\command - "" = D:\KIS2010_UK.exe -- [2009/07/09 10:25:44 | 003,650,600 | R--- | M] (Kaspersky Labs GmbH)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/21 03:34:27 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Exif Launcher S.lnk - C:\Program Files\FinePixViewerS\QuickDCF2.exe - (FUJIFILM Corporation)
MsConfig - StartUpReg: CarboniteSetupLite - hkey= - key= - C:\Program Files\Packard Bell\Carbonite\CarboniteSetupLitePBPreInstaller.exe (Carbonite, Inc.)
MsConfig - StartUpReg: DAEMON Tools Pro Agent - hkey= - key= - C:\Program Files\DAEMON Tools Pro\DTProAgent.exe (DT Soft Ltd)
MsConfig - StartUpReg: EKIJ5000StatusMonitor - hkey= - key= - File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: SmpcSys - hkey= - key= - C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe (Packard Bell BV)
MsConfig - StartUpReg: toolbar_eula_launcher - hkey= - key= - C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe ( )
MsConfig - StartUpReg: WindowsWelcomeCenter - hkey= - key= - File not found
MsConfig - State: "startup" - 2

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/06/01 09:18:16 | 000,000,000 | ---D | C] -- C:\Users\Family\AppData\Local\Adobe
[2010/05/31 16:35:38 | 000,000,000 | ---D | C] -- C:\Users\Family\AppData\Local\Apple Computer
[2010/05/31 15:34:00 | 000,000,000 | ---D | C] -- C:\Users\Family\AppData\Local\Apple
[2010/05/29 16:14:39 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\Family\Desktop\ATF-Cleaner.exe
[2010/05/29 14:51:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/29 14:50:59 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/29 14:50:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/28 16:56:47 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/28 16:56:41 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/28 16:56:41 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/28 16:54:04 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/05/28 16:51:24 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/05/28 15:37:05 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/05/28 15:35:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/05/28 15:34:39 | 000,000,000 | ---D | C] -- C:\ProgramData\NOS
[2010/05/27 18:49:36 | 000,000,000 | ---D | C] -- C:\Users\Family\Desktop\Pictures
[2010/05/27 18:28:49 | 000,000,000 | ---D | C] -- C:\Users\Family\Desktop\Apps
[2010/05/27 18:28:39 | 000,000,000 | ---D | C] -- C:\Users\Family\Desktop\Text files
[2010/05/27 18:15:50 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/05/27 15:52:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2010/05/27 15:52:25 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2010/05/27 15:52:06 | 000,280,592 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\klif.sys
[2010/05/27 15:51:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2010/05/26 09:09:29 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll

========== Files - Modified Within 30 Days ==========

[2010/06/10 21:35:42 | 045,875,200 | -HS- | M] () -- C:\Users\Family\NTUSER.DAT
[2010/06/10 21:03:07 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/10 21:03:07 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/10 15:03:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/10 09:40:40 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/06/10 09:40:40 | 000,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/06/10 09:40:40 | 000,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/06/10 09:35:14 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/06/10 09:35:09 | 3220,316,160 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/10 00:14:52 | 000,524,288 | -HS- | M] () -- C:\Users\Family\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
[2010/06/10 00:14:52 | 000,065,536 | -HS- | M] () -- C:\Users\Family\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/06/10 00:14:46 | 003,481,359 | -H-- | M] () -- C:\Users\Family\AppData\Local\IconCache.db
[2010/06/03 10:54:02 | 000,524,288 | -HS- | M] () -- C:\Users\Family\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/06/02 21:27:58 | 270,437,132 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/05/29 16:14:53 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\Family\Desktop\ATF-Cleaner.exe
[2010/05/29 16:12:05 | 000,000,952 | ---- | M] () -- C:\Users\Family\Desktop\Internet Explorer.lnk
[2010/05/29 14:51:02 | 000,000,821 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/28 16:57:27 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/05/28 16:54:17 | 000,001,729 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/05/28 15:37:42 | 000,001,890 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/05/28 15:36:05 | 000,000,875 | ---- | M] () -- C:\Users\Public\Desktop\Acrobat_com.lnk
[2010/05/27 16:02:17 | 000,280,592 | ---- | M] (Kaspersky Lab) -- C:\Windows\System32\drivers\klif.sys
[2010/05/27 16:02:17 | 000,128,016 | ---- | M] (Kaspersky Lab) -- C:\Windows\System32\drivers\kl1.sys
[2010/05/27 16:02:15 | 000,113,933 | ---- | M] () -- C:\Windows\System32\drivers\klin.dat
[2010/05/27 16:02:15 | 000,097,549 | ---- | M] () -- C:\Windows\System32\drivers\klick.dat
[2010/05/27 15:56:08 | 000,604,140 | -HS- | M] () -- C:\Windows\System32\drivers\ISwift3.dat
[2010/05/25 17:53:19 | 000,001,090 | ---- | M] () -- C:\Users\Family\AppData\Roaming\wklnhst.dat
[2010/05/20 14:24:56 | 000,010,752 | ---- | M] () -- C:\Users\Family\Documents\Darren Cunliffe cover letter for supermarket.wps
[2010/05/12 11:21:16 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2010/05/29 16:12:05 | 000,000,952 | ---- | C] () -- C:\Users\Family\Desktop\Internet Explorer.lnk
[2010/05/29 14:51:02 | 000,000,821 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/28 16:57:27 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/05/28 16:54:17 | 000,001,729 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/05/28 15:37:42 | 000,001,890 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/05/28 15:36:05 | 000,000,875 | ---- | C] () -- C:\Users\Public\Desktop\Acrobat_com.lnk
[2010/05/27 15:56:08 | 000,604,140 | -HS- | C] () -- C:\Windows\System32\drivers\ISwift3.dat
[2010/05/27 15:53:38 | 000,113,933 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat
[2010/05/27 15:53:38 | 000,097,549 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat
[2010/05/20 14:24:56 | 000,010,752 | ---- | C] () -- C:\Users\Family\Documents\Darren Cunliffe cover letter for supermarket.wps
[2009/11/28 19:45:53 | 000,722,416 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/09/17 07:22:12 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/06/08 17:46:20 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2009/06/08 17:46:20 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2008/12/30 18:32:36 | 000,012,800 | ---- | C] () -- C:\Windows\System32\EKDeviceServices.dll
[2008/12/25 16:20:16 | 000,000,489 | ---- | C] () -- C:\Windows\VTruck1.ini
[2008/12/25 15:33:39 | 000,138,464 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/05/07 17:04:48 | 000,000,000 | -HSD | M] -- C:\Users\Family\AppData\Roaming\.#
[2009/07/31 16:07:42 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\CasualForge
[2009/11/28 20:35:08 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\DAEMON Tools Pro
[2009/03/05 20:03:05 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\EleFun Games
[2010/03/13 21:58:25 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\FUJIFILM
[2009/03/12 19:12:28 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\PlayFirst
[2009/01/02 15:18:50 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\Red Alert 3
[2009/06/08 19:14:50 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\Samsung
[2009/05/07 15:56:22 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\ShinyTales
[2010/04/16 10:56:01 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\Template
[2009/05/18 19:44:09 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\The Creative Assembly
[2009/02/17 20:01:15 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\ViquaSoft
[2009/02/25 20:35:48 | 000,000,000 | ---D | M] -- C:\Users\Family\AppData\Roaming\World-LooM
[2010/06/10 00:14:56 | 000,032,536 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 10:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 10:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 10:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 07:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 07:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/21 03:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVRD32.SYS >
[2008/06/06 18:13:40 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=6934105ECC6A19570160D794E301E595 -- C:\drivers\MOBO\CHIPSET\IDE\WinVista\sataraid\nvrd32.sys
[2008/06/06 18:13:40 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=6934105ECC6A19570160D794E301E595 -- C:\Windows\System32\drivers\nvrd32.sys
[2008/06/06 18:13:40 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=6934105ECC6A19570160D794E301E595 -- C:\Windows\System32\DriverStore\FileRepository\nvrd32.inf_b1dbd74d\nvrd32.sys

< MD5 for: NVSTOR.SYS >
[2006/11/02 10:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: NVSTOR32.SYS >
[2008/06/06 18:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) MD5=D05F6E26AC960474494356FE703D61BE -- C:\drivers\MOBO\CHIPSET\IDE\WinVista\sata_ide\nvstor32.sys
[2008/06/06 18:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) MD5=D05F6E26AC960474494356FE703D61BE -- C:\Windows\System32\drivers\nvstor32.sys
[2008/06/06 18:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) MD5=D05F6E26AC960474494356FE703D61BE -- C:\Windows\System32\DriverStore\FileRepository\nvstor32.inf_2b5b1080\nvstor32.sys
[2008/06/06 18:13:40 | 000,145,440 | ---- | M] (NVIDIA Corporation) MD5=D7B213299852D2026DBC90DAB77EF06C -- C:\drivers\MOBO\CHIPSET\IDE\WinVista\sataraid\nvstor32.sys
[2008/06/06 18:13:40 | 000,145,440 | ---- | M] (NVIDIA Corporation) MD5=D7B213299852D2026DBC90DAB77EF06C -- C:\Windows\System32\DriverStore\FileRepository\nvrd32.inf_b1dbd74d\nvstor32.sys

< MD5 for: SCECLI.DLL >
[2008/01/21 03:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 07:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 07:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/21 03:24:11 | 001,386,496 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\msvbvm60.dll
[2009/04/11 07:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 07:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2009/11/28 19:45:53 | 000,722,416 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\sptd.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:666FB4AA
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:4709F39D
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:0DFE2AE1
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:9026FFAC
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:417B6FAC
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:663B62CA
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:7AF9CAEB
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:9857FAE3
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:12EA4DC9
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:DF0BC727
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:52E1DB1D
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:F33592E3
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:67BA17B9
< End of report >




Extras.txt ----------

OTL Extras logfile created on: 10/06/2010 21:35:42 - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Users\Family\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 286.09 Gb Total Space | 179.79 Gb Free Space | 62.84% Space Free | Partition Type: NTFS
Drive D: | 74.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FAMILY-PC
Current User Name: Family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{16D42AFE-0A03-4FE0-8DB9-497AD3FA369E}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{1C05178B-7468-40F3-9D2C-AB84D91BCC10}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{249828CA-4F81-49CF-9BB3-CFA68786DF30}" = protocol=6 | dir=in | app=c:\program files\activision\call of duty - world at war\codwawmp.exe |
"{2AFA7EF3-506A-459A-A8CC-D4B6523E6FA6}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\empire total war\empire.exe |
"{2DB3A42A-F54B-43EF-AB18-1BA49BBEC878}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe |
"{2FE33A6D-5CA8-43B8-9419-8857C16807A9}" = protocol=6 | dir=in | app=c:\program files\activision\call of duty - world at war\codwawmp.exe |
"{349E0DBE-EB2B-4DBD-B18A-47CEBDB9FF6C}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{4753CCC7-5BF7-4ABE-82B3-5E245942CECF}" = protocol=17 | dir=in | app=c:\program files\smartftp client\smartftp.exe |
"{48B05593-A508-4795-981B-19D1D66BD87A}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\empire total war\empire.exe |
"{4E180117-9B7C-43AA-85B9-5B4FBE76F52B}" = protocol=6 | dir=in | app=c:\program files\activision\call of duty - world at war\codwaw.exe |
"{51405A03-21C4-4000-A3B6-2FB450A0AB25}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\canyboy\counter-strike\hl.exe |
"{53882B71-8072-416A-B522-DBB99B27A256}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe |
"{5D789F2E-9D3B-4FA4-A480-DC818C72B7E2}" = protocol=17 | dir=in | app=c:\program files\activision\call of duty - world at war\codwawmp.exe |
"{669017A8-8212-4F1F-A328-158BF0B7D5C2}" = protocol=17 | dir=in | app=c:\program files\activision\call of duty - world at war\codwaw.exe |
"{7D1BAF00-FA73-474E-B568-B9B79D50BDC0}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{83EF3559-117D-402B-B4B4-FD258C045C0B}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{855CD4D7-317B-4C91-A7B4-BD3133C9DEF5}" = protocol=6 | dir=in | app=c:\program files\smartftp client\smartftp.exe |
"{867AC330-A8E6-4C31-9CAD-906E8E7005C6}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe |
"{8C744F69-2B5F-4ACC-82E6-6707A9FCC2E1}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe |
"{9ADE611D-8A52-44D4-8D67-8A492370DAD2}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A0790C02-ADA5-4C4E-88B8-3267A3D456BB}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{A1FD40D2-DD9E-4CB0-91B0-5CE1FF8DF708}" = protocol=17 | dir=in | app=c:\program files\activision\call of duty - world at war\codwaw.exe |
"{A214EF04-A12B-4C32-B467-EA036EABD43D}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{A5476370-6546-43B3-9C43-CCFBF9C6924E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A7E5527A-FF74-4B2E-9992-02DC31A75457}" = protocol=17 | dir=in | app=c:\program files\activision\call of duty - world at war\codwawmp.exe |
"{A80FB412-7F6D-4758-81D0-660E2AE6D12E}" = protocol=6 | dir=in | app=c:\program files\activision\call of duty - world at war\codwaw.exe |
"{AF20EE11-55B2-4974-BB80-44C02134B481}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\canyboy\counter-strike\hl.exe |
"{B2096601-E625-4AC4-ACBF-6F1E140750A1}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\canyboy\counter-strike\hl.exe |
"{B6D19CAA-4BFA-4F7C-835C-F2EAE4FFA01E}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\canyboy\counter-strike\hl.exe |
"{B8104BF1-D81E-48C6-B882-152C82CEB5DA}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{BB579F0A-5646-4CD8-BFC3-64445A5C9B64}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{C14869AF-1221-41EB-917F-DA9A2D76629D}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{C7A32532-8795-4A19-ABD6-8460FA596010}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{CBC63AA9-9CD5-40BE-8676-D87E47FC2EC5}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{D7F03371-D6FC-41A7-BEA8-93CB3B3634C0}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{E91C584A-E055-4859-BFD0-64ECDCEDE43A}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{F6A16BEC-8D12-44ED-BE83-92B3F8F33D76}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{FC11D652-5EB6-418C-BAD1-767095E66B3E}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{1EDB0D97-114C-4FC0-9D50-04C435E538C2}C:\program files\steam\steamapps\djfusion\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\djfusion\counter-strike source\hl2.exe |
"TCP Query User{4F09FAED-55CA-42F4-B8F1-F9FE9AECD0EF}C:\program files\steam\steamapps\syrex1337\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\syrex1337\counter-strike source\hl2.exe |
"TCP Query User{8500FE62-CA29-4C23-8127-5B9CE0E22893}C:\program files\steam\steamapps\syrex1337\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\syrex1337\counter-strike source\hl2.exe |
"TCP Query User{947726BC-F547-47E9-AA7E-AC259F79A03F}C:\program files\steam\steamapps\syrex1337\half-life 2 deathmatch\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\syrex1337\half-life 2 deathmatch\hl2.exe |
"TCP Query User{C4BAE370-E9FF-4651-8E92-7474E857592F}C:\westwood\ra2\mph.exe" = protocol=6 | dir=in | app=c:\westwood\ra2\mph.exe |
"TCP Query User{CFD9BD86-B010-4FD4-B8A3-7C76966E920D}C:\westwood\ra2\game.exe" = protocol=6 | dir=in | app=c:\westwood\ra2\game.exe |
"TCP Query User{D0104FCB-3252-4939-B874-D8C540CE0CC6}C:\program files\steam\steamapps\canyboy\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\canyboy\counter-strike source\hl2.exe |
"TCP Query User{F8FA0F41-2A4D-429F-88D0-98F9D5A82BB2}C:\program files\steam\steamapps\canyboy\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\canyboy\counter-strike source\hl2.exe |
"UDP Query User{05641468-E627-4168-8029-F07640CB80F8}C:\program files\steam\steamapps\syrex1337\half-life 2 deathmatch\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\syrex1337\half-life 2 deathmatch\hl2.exe |
"UDP Query User{16993C9B-5D05-4626-B252-1CDEE347CCCD}C:\program files\steam\steamapps\syrex1337\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\syrex1337\counter-strike source\hl2.exe |
"UDP Query User{306776B8-6E32-4C64-812D-4CB0059486D1}C:\program files\steam\steamapps\canyboy\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\canyboy\counter-strike source\hl2.exe |
"UDP Query User{3483B8D0-3016-4F9A-95AC-E1FE0A98F975}C:\westwood\ra2\mph.exe" = protocol=17 | dir=in | app=c:\westwood\ra2\mph.exe |
"UDP Query User{4AE5FFDB-5ABF-4837-A414-1DB9E7E52456}C:\program files\steam\steamapps\djfusion\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\djfusion\counter-strike source\hl2.exe |
"UDP Query User{4B0D4415-461E-45D1-9F0E-31CDDA362C52}C:\westwood\ra2\game.exe" = protocol=17 | dir=in | app=c:\westwood\ra2\game.exe |
"UDP Query User{BA5CFEAF-72B6-4546-9D61-4E9DB624B138}C:\program files\steam\steamapps\syrex1337\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\syrex1337\counter-strike source\hl2.exe |
"UDP Query User{ED025AA0-32F1-445F-AAF2-B52E9F6E05D1}C:\program files\steam\steamapps\canyboy\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\canyboy\counter-strike source\hl2.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0996C331-6DCB-4E38-A3EC-0A77ABAE1361}" = Help_CTR
"{0B5154C0-8F00-4616-B0AB-6240AE80D9CE}" = SimCity™ Societies
"{1C61C87D-DB8E-4E8A-900C-293C569DC211}" = Internet From BT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{296D8550-CB06-48E4-9A8B-E5034FB64715}" = Command & Conquer™ Red Alert™ 3
"{2A97D5B3-A989-47E1-B207-1CA9E3635655}" = aioprnt
"{3559CDE0-11FC-4D7B-A65C-D646035B1033}" = Nero 8 Essentials
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3BED0238-3A25-41AE-BC23-316914B5B048}" = aioocr
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{4290EA5A-633E-4C6D-B9E3-5FEAEC615CC9}" = Anachronox
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73F1681F-ADE1-461F-9F18-B7640507D395}" = ksdip
"{766FF098-68AB-48BE-BF41-05708D178198}" = Who Wants To Be A Millionaire
"{791E3D44-33D3-4446-82AD-5CD4B0169083}" = aiofw
"{79E41D91-BA1C-44B9-9358-48E598263ECF}" = center
"{7DC4585E-27EF-45EC-94E8-6622B3EC2AD7}" = SmartFTP Client
"{843081BD-351F-46FC-8A17-517A0D9117A3}" = helptut
"{88B32652-CAE0-4909-A463-5840D2689D93}" = FUJIFILM FinePixViewer S Ver.2.1
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{1E263117-EA60-42D9-A0B1-1A572770F6C1}" =
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9580813D-94B1-4C28-9426-A441E2BB29A5}" = Counter-Strike: Source
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AB7032FF-AFED-4C58-AA5C-8473B273793A}" = HDReg
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AF7E85DC-317C-47F5-810E-B82EE093A612}" = Samsung New PC Studio USB Driver Installer
"{AFAE2B15-89A0-4215-A030-F7B5B478886B}" = Call of Duty® - World at War™ 1.1 Patch
"{C0251585-1BE8-4278-B3CB-964B6E01C59D}" = aioscnnr
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = KODAK All-in-One Printer Software
"{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"{D9E52CD1-9DF1-4A8A-9BDC-1E5E53982F2B}" = Black & White® 2
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DC626A21-EDF1-40C7-8F2F-D2BA7535529F}" = helpug
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E6607F5B-50E7-4B54-81B7-F0600E3C8CF4}" = Belkin F5D8053 N Wireless USB Adapter
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AdobeReader" = Adobe Reader 8.1.2
"AUDIO_REALTEK" = Realtek HD Audio V6.0.1.5618
"BT_GB" = British Telecom
"Carbonite" = Carbonite
"Carbonite Setup Lite" = Protect your files now
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Diaper Dash" = Diaper Dash
"GoogleBAE" = Google BAE
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ImageWriter" = Packard Bell ImageWriter
"Infocentre" = Infocentre Rev. 2.0
"InstallShield_{AF7E85DC-317C-47F5-810E-B82EE093A612}" = Samsung New PC Studio USB Driver Installer
"InstallShield_{AFAE2B15-89A0-4215-A030-F7B5B478886B}" = Call of Duty® - World at War™ 1.1 Patch
"InstallShield_{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"InstallWIX_{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"LCDTest" = Packard Bell LCD Test
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"METABOLI" = Metaboli
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Nero8" = Nero 8 Essentials
"NVIDIA Drivers" = NVIDIA Drivers
"OFF2k7_UK" = Microsoft® Office Trial 2007
"Picasa_2" = Picasa2
"Picasa2" = Picasa 2
"PKR" = PKR
"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
"PunkBusterSvc" = PunkBuster Services
"Red Alert 2" = Command & Conquer Red Alert 2
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SETUPMYPC_GB" = SetUp My PC
"Shockwave" = Shockwave
"SmartFTP Client 4.0 Setup Files" = SmartFTP Client 4.0 Setup Files (remove only)
"SprayR" = SprayR 1.0 RC7b
"Steam App 10" = Counter-Strike
"Steam App 10500" = Empire: Total War
"Steam App 240" = Counter-Strike: Source
"Steam App 320" = Half-Life 2: Deathmatch
"Steam App 500" = Left 4 Dead
"Steam App 8700" = STCC - The Game - Demo
"Updator" = Packard Bell Updator
"VIDEO_NVIDIA_GOB" = Video NVIDIA V175.16
"WinRAR archiver" = WinRAR archiver
"WOLAPI" = Westwood Shared Internet Components
"works9se" = Microsoft Works 9 SE

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 27/10/2009 16:42:03 | Computer Name = Family-PC | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x4445c334,
faulting module datacache.dll, version 0.0.0.0, time stamp 0x46439c7b, exception
code 0xc0000005, fault offset 0x0000b423, process id 0x1208, application start time
0x01ca57454fab86e0.

Error - 28/10/2009 05:30:03 | Computer Name = Family-PC | Source = WinMgmt | ID = 10
Description =

Error - 28/10/2009 11:45:20 | Computer Name = Family-PC | Source = WinMgmt | ID = 10
Description =

Error - 28/10/2009 12:55:50 | Computer Name = Family-PC | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x4445c334,
faulting module datacache.dll, version 0.0.0.0, time stamp 0x46439c7b, exception
code 0xc0000005, fault offset 0x0000b423, process id 0x135c, application start time
0x01ca57ecc3c59e17.

Error - 28/10/2009 18:00:54 | Computer Name = Family-PC | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x4445c334,
faulting module filesystem_steam.dll_unloaded, version 0.0.0.0, time stamp 0x47e2d72b,
exception code 0xc0000005, fault offset 0x0235553e, process id 0x15c8, application
start time 0x01ca57efdc69f807.

Error - 28/10/2009 19:11:38 | Computer Name = Family-PC | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x4445c334,
faulting module filesystem_steam.dll_unloaded, version 0.0.0.0, time stamp 0x47e2d72b,
exception code 0xc0000005, fault offset 0x023a553e, process id 0x838, application
start time 0x01ca581c3bad3c8f.

Error - 29/10/2009 05:49:02 | Computer Name = Family-PC | Source = WinMgmt | ID = 10
Description =

Error - 29/10/2009 06:40:18 | Computer Name = Family-PC | Source = WinMgmt | ID = 10
Description =

Error - 29/10/2009 10:41:33 | Computer Name = Family-PC | Source = WinMgmt | ID = 10
Description =

Error - 29/10/2009 13:11:06 | Computer Name = Family-PC | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x4445c334,
faulting module filesystem_steam.dll_unloaded, version 0.0.0.0, time stamp 0x47e2d72b,
exception code 0xc0000005, fault offset 0x0f06553e, process id 0x1090, application
start time 0x01ca58aacaf0f8f5.

[ System Events ]
Error - 16/05/2009 05:51:43 | Computer Name = Family-PC | Source = HTTP | ID = 15016
Description =

Error - 16/05/2009 21:20:16 | Computer Name = Family-PC | Source = DCOM | ID = 10010
Description =

Error - 17/05/2009 04:27:26 | Computer Name = Family-PC | Source = HTTP | ID = 15016
Description =

Error - 17/05/2009 14:20:17 | Computer Name = Family-PC | Source = DCOM | ID = 10010
Description =

Error - 17/05/2009 15:56:47 | Computer Name = Family-PC | Source = HTTP | ID = 15016
Description =

Error - 17/05/2009 18:46:54 | Computer Name = Family-PC | Source = DCOM | ID = 10010
Description =

Error - 18/05/2009 08:00:33 | Computer Name = Family-PC | Source = HTTP | ID = 15016
Description =

Error - 18/05/2009 18:09:21 | Computer Name = Family-PC | Source = DCOM | ID = 10010
Description =

Error - 19/05/2009 08:26:10 | Computer Name = Family-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.3 for the Network Card with network
address 002197299A1E has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 19/05/2009 08:26:10 | Computer Name = Family-PC | Source = HTTP | ID = 15016
Description =


< End of report >



#7 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:17 AM

Posted 10 June 2010 - 07:17 PM

Hi sy.

mmm that's odd, the file isn't showing in your report.
Let's clean up a few items and look a little deeper:

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (Make sure that :Otl is on the first line.)
CODE
:Otl
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\RunOnceEx: [] File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab  (Reg Error: Key error.)
O33 - MountPoints2\{8e2a4ee2-d278-11dd-9ed9-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{8e2a4ee2-d278-11dd-9ed9-806e6f6e6963}\Shell\AutoRun\command - "" = D:\KIS2010_UK.exe -- [2009/07/09 10:25:44 | 003,650,600 | R--- | M] (Kaspersky Labs GmbH)
MsConfig - StartUpReg: EKIJ5000StatusMonitor - hkey= - key= - File not found
MsConfig - StartUpReg: WindowsWelcomeCenter - hkey= - key= - File not found
[2009/05/07 17:04:48 | 000,000,000 | -HSD | M] -- C:\Users\Family\AppData\Roaming\.#
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:666FB4AA
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:4709F39D
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:0DFE2AE1
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:9026FFAC
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:417B6FAC
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:663B62CA
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:7AF9CAEB
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:9857FAE3
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:12EA4DC9
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:DF0BC727
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:52E1DB1D
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:F33592E3
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:67BA17B9

:commands
[emptytemp]
[purity]
[EMPTYFLASH]
  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles

Step 2
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

This is an example, you may rename ComboFix to anything you want.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:

    Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please submit:
Otl fix report
Combofix.txt


Thanks.



#8 sy.

sy.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 11 June 2010 - 08:19 AM

Hi Starbuck, here are the logs.

OTL

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NPSStartup deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\ deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8e2a4ee2-d278-11dd-9ed9-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8e2a4ee2-d278-11dd-9ed9-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8e2a4ee2-d278-11dd-9ed9-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8e2a4ee2-d278-11dd-9ed9-806e6f6e6963}\ not found.
File move failed. D:\KIS2010_UK.exe scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\EKIJ5000StatusMonitor\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\WindowsWelcomeCenter\ deleted successfully.
C:\Users\Family\AppData\Roaming\.# folder moved successfully.
ADS C:\ProgramData\TEMP:666FB4AA deleted successfully.
ADS C:\ProgramData\TEMP:4709F39D deleted successfully.
ADS C:\ProgramData\TEMP:0DFE2AE1 deleted successfully.
ADS C:\ProgramData\TEMP:9026FFAC deleted successfully.
ADS C:\ProgramData\TEMP:417B6FAC deleted successfully.
ADS C:\ProgramData\TEMP:663B62CA deleted successfully.
ADS C:\ProgramData\TEMP:7AF9CAEB deleted successfully.
ADS C:\ProgramData\TEMP:9857FAE3 deleted successfully.
ADS C:\ProgramData\TEMP:12EA4DC9 deleted successfully.
ADS C:\ProgramData\TEMP:DF0BC727 deleted successfully.
ADS C:\ProgramData\TEMP:52E1DB1D deleted successfully.
ADS C:\ProgramData\TEMP:F33592E3 deleted successfully.
ADS C:\ProgramData\TEMP:67BA17B9 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Family
->Temp folder emptied: 194617 bytes
->Temporary Internet Files folder emptied: 7829940 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 2096 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 53680 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 8.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Family
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.6.0 log created on 06112010_133417

Files\Folders moved on Reboot...
File move failed. D:\KIS2010_UK.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...





ComboFix


ComboFix 10-06-10.04 - Family 11/06/2010 14:01:59.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3070.2074 [GMT 1:00]
Running from: c:\users\Family\Desktop\ComboFix1.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 13:08 . 2010-06-11 13:08 -------- d-----w- c:\users\Family\AppData\Local\temp
2010-06-11 13:08 . 2010-06-11 13:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-11 12:34 . 2010-06-11 12:34 -------- d-----w- C:\_OTL
2010-06-10 10:14 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-01 08:18 . 2010-06-01 08:18 -------- d-----w- c:\users\Family\AppData\Local\Adobe
2010-05-31 15:35 . 2010-05-31 15:35 -------- d-----w- c:\users\Family\AppData\Local\Apple Computer
2010-05-31 14:34 . 2010-05-31 14:34 -------- d-----w- c:\users\Family\AppData\Local\Apple
2010-05-29 13:51 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 13:50 . 2010-05-29 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 13:50 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 15:56 . 2010-05-28 15:56 -------- d-----w- c:\program files\iPod
2010-05-28 15:56 . 2010-05-28 15:57 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-28 15:56 . 2010-05-28 15:57 -------- d-----w- c:\program files\iTunes
2010-05-28 15:54 . 2010-05-28 15:54 -------- d-----w- c:\program files\QuickTime
2010-05-28 15:51 . 2010-05-28 15:51 -------- d-----w- c:\program files\Bonjour
2010-05-28 15:49 . 2010-05-28 15:49 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-28 14:35 . 2010-05-28 14:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-28 14:35 . 2010-05-28 14:35 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-05-28 14:34 . 2010-05-29 02:37 -------- d-----w- c:\programdata\NOS
2010-05-27 15:03 . 2010-05-27 15:03 932368 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-05-27 15:03 . 2010-05-27 15:03 678416 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-05-27 15:03 . 2010-05-27 15:03 604688 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-05-27 15:03 . 2010-05-27 15:03 522768 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-05-27 15:03 . 2010-05-27 15:03 1096208 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-05-27 15:02 . 2010-05-27 15:02 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-05-27 14:52 . 2010-06-11 12:55 -------- d-----w- c:\programdata\Kaspersky Lab
2010-05-27 14:52 . 2010-05-27 14:52 -------- d-----w- c:\program files\Kaspersky Lab
2010-05-27 14:51 . 2010-05-27 14:51 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-05-26 08:09 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 12:49 . 2008-12-25 13:31 -------- d-----w- c:\program files\Steam
2010-06-08 14:28 . 2008-12-25 13:31 -------- d-----w- c:\program files\Common Files\Steam
2010-05-29 15:22 . 2008-12-30 00:22 -------- d-----w- c:\users\Family\AppData\Roaming\Apple Computer
2010-05-28 15:56 . 2008-12-30 00:20 -------- d-----w- c:\program files\Common Files\Apple
2010-05-28 14:37 . 2008-08-06 07:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-27 17:21 . 2009-02-25 16:09 -------- d-----w- c:\program files\RealArcade
2010-05-27 17:20 . 2009-04-03 16:20 -------- d-----w- c:\program files\MSN Games
2010-05-27 14:56 . 2010-05-27 14:56 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-05-26 17:06 . 2010-06-10 10:15 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 10:15 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 16:53 . 2010-04-16 09:55 1090 ----a-w- c:\users\Family\AppData\Roaming\wklnhst.dat
2010-05-13 07:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 10:21 . 2009-10-03 12:54 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59 . 2010-06-10 10:15 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 10:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-10 10:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-10 10:15 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-04-29 20:20 . 2010-04-29 20:20 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-04-25 13:00 . 2010-04-25 13:00 -------- d-----w- c:\program files\Common Files\Java
2010-04-25 13:00 . 2009-12-21 15:02 -------- d-----w- c:\program files\Java
2010-04-23 17:08 . 2009-01-02 17:19 1356 ----a-w- c:\users\Family\AppData\Local\d3d9caps.dat
2010-04-16 09:56 . 2010-04-16 09:56 -------- d-----w- c:\users\Family\AppData\Roaming\Template
2010-04-12 16:29 . 2010-04-25 13:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-08 12:20 . 2010-04-08 12:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20 . 2010-04-08 12:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 17:01 . 2010-06-10 10:15 67072 ----a-w- c:\windows\system32\asycfilt.dll
2008-08-06 16:10 . 2008-08-06 16:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-05-27 1238352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-07 6139904]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-07 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-07 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VTAgentReboot.exe [2001-10-7 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Exif Launcher S.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Exif Launcher S.lnk
backup=c:\windows\pss\Exif Launcher S.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2008-04-07 14:09 306112 ----a-w- c:\program files\Packard Bell\Carbonite\CarboniteSetupLitePBPreInstaller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2009-08-05 10:17 224712 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 14:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
2008-02-04 10:13 1038136 ----a-w- c:\program files\Packard Bell\SetUpMyPC\SmpSys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
2007-02-20 16:20 28672 ----a-w- c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):c3,16,33,7f,55,86,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-28 722416]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-08-15 552448]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-05-15 21008]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2008-12-13 233472]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\printer\center\KodakSvc.exe [2008-07-25 18944]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2008-12-13 36608]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-05-16 19472]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 14:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4057320956-4081455236-3199138704-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:49,98,81,79,ac,1f,84,c0,07,d6,cf,09,f4,51,03,95,ab,97,8f,77,56,32,9c,
b2,9d,8a,76,ea,84,cc,e9,34,f0,57,a2,53,c5,e6,e1,2b,1b,48,bc,6a,66,18,e0,5d,\
"??"=hex:d9,eb,e8,87,54,a1,8d,80,f0,7a,3a,0f,c2,c7,4d,2a

[HKEY_USERS\S-1-5-21-4057320956-4081455236-3199138704-1000\Software\SecuROM\License information*]
"datasecu"=hex:4b,bd,ca,89,61,dc,9c,3b,98,0c,55,49,3f,1e,ab,8e,ae,5d,9c,8f,85,
e8,16,f7,f3,83,65,b7,00,83,21,36,60,76,5a,3d,4c,1d,b9,d5,d6,2c,cd,3f,8c,af,\
"rkeysecu"=hex:76,ce,2f,81,19,d7,7b,a6,d6,61,e0,b1,41,bb,3b,a1

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-06-11 14:11:08
ComboFix-quarantined-files.txt 2010-06-11 13:11

Pre-Run: 188,151,513,088 bytes free
Post-Run: 188,092,129,280 bytes free

- - End Of File - - C7864EEAF0258B9BDFC0D93233E0B1D3

#9 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:17 AM

Posted 11 June 2010 - 10:19 AM

Hi sy.

After looking into this a bit more, it seems that folder is created by Firefox and could well be a false positive from Kaspersky.
Are you still getting it flagged as bad?



#10 sy.

sy.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 11 June 2010 - 10:32 AM

Yes, I'm still getting it every few hours mate. I don't think it's a false positive as at first it stopped access to C:\Documents and settings and also Kaspersky stopped working completely until I reinstalled it, but it could be coincidental and something else could be going on. I hope it is a false positive anyway, that would be nice.



#11 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:17 AM

Posted 11 June 2010 - 10:44 AM

Let's take a look with an online scan from another vendor:

I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Click , and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the button.
  • Click
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt



#12 sy.

sy.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 11 June 2010 - 01:36 PM

OK, I ran ESET and yet again no threats detected. The only log.txt I got was this:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

I haven't had any AV software actually detect the virus in a scan. Kaspersky also can't find anything whilst scanning, but detects a virus in the temp files constantly.




#13 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:17 AM

Posted 11 June 2010 - 01:49 PM

Do you have another browser installed?
Obviously you will have IE, but any others like Opera?
Try running a different browser for a day or so and see if Kaspersky still flags it.
It seems as though Firefox creates this folder each time it's run.
Trying another browser for a day or so will tell us if it is a false positive or not.

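The triage that posts #9 to #13 are working through (a heuristic detection that keeps recurring under a Temp\plugtmp-N directory Firefox recreates each time it opens a PDF, while on-demand scans from Kaspersky and ESET find nothing) can be written down as a check. The script below is an added example, not code from the thread or from any of the tools used in it. It parses detection lines in the format Kaspersky's report uses (the first sample line is the one quoted in post #1; the other lines, the product name handling and the "Trojan.Example.Constructed" contrast case are constructed for the demo), groups hits by signature, and reports whether every hit sits in a transient browser cache directory, how many distinct directories and file names are involved, and how often it recurs. The verdict names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format Kaspersky's report uses. The first
# is the line quoted in the thread; the rest are made up for the demo.
SAMPLE_LOG_LINES = [
    r"08/06/2010 10:15:25 Detected: HEUR:Exploit.Script.Generic Kaspersky Internet Security C:\Documents and Settings\Family\AppData\Local\Temp\plugtmp-6\plugin-Notes7.pdf/data0000",
    r"08/06/2010 11:40:02 Detected: HEUR:Exploit.Script.Generic Kaspersky Internet Security C:\Documents and Settings\Family\AppData\Local\Temp\plugtmp-7\plugin-Notes7.pdf/data0000",
    r"08/06/2010 13:02:47 Detected: HEUR:Exploit.Script.Generic Kaspersky Internet Security C:\Documents and Settings\Family\AppData\Local\Temp\plugtmp-9\plugin-Notes7.pdf/data0000",
    # Constructed contrast case: a non-heuristic hit on a file that stays put.
    r"08/06/2010 13:05:10 Detected: Trojan.Example.Constructed Kaspersky Internet Security C:\Users\Family\AppData\Roaming\example-constructed\sample.exe",
]

# date time "Detected:" signature product-name path   (product name may contain spaces,
# so the path is anchored on its drive letter)
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) Detected: "
    r"(?P<sig>\S+) (?P<product>.+?) (?P<path>[A-Za-z]:\\.*)$"
)
# Firefox keeps plug-in-rendered documents under Temp\plugtmp-<n>; the
# directory is recreated on each run, which is what the thread observes.
TRANSIENT_DIR_RE = re.compile(r"\\plugtmp-\d+\\", re.IGNORECASE)


def parse_detections(lines):
    """Turn report lines into dicts; lines that do not match are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
        hits.append({"when": when, "sig": m["sig"],
                     "product": m["product"], "path": m["path"]})
    return hits


def split_path(path):
    """Return (directory, file name), dropping a '/member' suffix that marks
    an object inside a container such as a PDF (the '/data0000' above)."""
    directory, _, name = path.rpartition("\\")
    return directory, name.split("/", 1)[0]


def triage(hits):
    """Group hits by signature and classify the pattern of each group."""
    by_sig = defaultdict(list)
    for h in hits:
        by_sig[h["sig"]].append(h)

    report = {}
    for sig, group in by_sig.items():
        group.sort(key=lambda h: h["when"])
        dirs = {split_path(h["path"])[0] for h in group}
        names = {split_path(h["path"])[1] for h in group}
        all_transient = all(TRANSIENT_DIR_RE.search(h["path"]) for h in group)
        heuristic = sig.upper().startswith("HEUR:")
        gaps = [(b["when"] - a["when"]).total_seconds() / 3600
                for a, b in zip(group, group[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None

        if all_transient and len(group) > 1:
            # The browser regenerates this file every time a PDF is opened, so
            # the hit alone cannot separate a bad document from an over-sensitive
            # heuristic. The thread's approach applies: corroborate with a
            # second-opinion scanner and see whether it recurs with another browser.
            verdict = "recurring-browser-cache-hit"
        elif all_transient:
            verdict = "single-browser-cache-hit"
        else:
            verdict = "persistent-file-hit"

        report[sig] = {
            "count": len(group),
            "heuristic": heuristic,
            "distinct_dirs": len(dirs),
            "file_names": sorted(names),
            "mean_gap_hours": mean_gap,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for sig, info in triage(parse_detections(SAMPLE_LOG_LINES)).items():
        print(sig, info)
```

On the sample input the heuristic signature comes out as three hits, three different plugtmp-N directories, one file name and a gap of roughly an hour and a half, which matches the "every hour or two, in a different plugtmp file" pattern sy. describes; the same file name recurring is itself worth noting, because it means the same document is being opened again each time rather than a new one.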


#14 sy.

sy.
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 11 June 2010 - 02:48 PM

Yes, I'm just using Firefox/IE. I'll give another a go and delete Firefox for now.
Unfortunately I won't be able to access this PC for around 8 days so I'll have to try it then.
I understand that this topic may be closed in that time.

I'll run another browser for a couple of days ASAP and let you know how it goes.

Thanks

sy

#15 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:17 AM

Posted 11 June 2010 - 04:35 PM

QUOTE
i understand that this topic may be closed in that time.

Don't worry sy. I'll make sure this thread stays open for you.
Just post back when you're ready.... no rush.





