Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HTML files infected after I thought I'd cleaned virus


  • This topic is locked This topic is locked
20 replies to this topic

#1 happypig

happypig

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 09 September 2010 - 04:05 PM

Last week I was hit with a virus (win32/ZbotB and SHeur3.AQRA) and I thought my AVG had got rid of it (along with a load of exe files). I thought I was getting it back in order but tonight it's chucking up a load of HTML files which all have a big lump of code stuck on the end of them, some dort of dropper I think :

Attached File  dropper.jpg   41.93KB   6 downloads

DDS.txt produced :
QUOTE
DDS (Ver_10-03-17.01) - NTFSX64
Run by gary at 21:43:55.50 on 09/09/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.4095.2283 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\AVG\AVG9\avgemc.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\PixArt\PAC207\Monitor.exe
C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Password Safe\pwsafe.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Logitech\QCDriver2\LVComS.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Vidalia Bundle\Tor\tor.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Vidalia Bundle\Polipo\polipo.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Nokia\NoA\nokiaaserver.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
F:\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [WinFast Schedule] c:\program files\winfast\wfdtv\WFWIZ.exe
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
uRun: [Vidalia] "c:\program files (x86)\vidalia bundle\vidalia\vidalia.exe"
uRun: [<NO NAME>]
uRun: [NokiaOviSuite2] c:\program files (x86)\nokia\nokia ovi suite\NokiaOviSuite.exe -tray
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files (x86)\common files\ahead\lib\NMBgMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe
mRun: [WinFastDTV] c:\program files\winfast\wfdtv\DTVSchdl.exe
mRun: [ArcSoft Connection Service] c:\program files (x86)\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [RDesc]
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mRun: [LVCOMS] c:\program files (x86)\common files\logitech\qcdriver2\LVCOMS.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NokiaMServer] c:\program files (x86)\common files\nokia\mplatform\NokiaMServer /watchfiles startup
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\x64\3\EKIJ5000MUI.exe
mRun: [AppleSyncNotifier] c:\program files (x86)\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\gary\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files (x86)\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\users\gary\appdata\roaming\micros~1\windows\startm~1\programs\startup\passwo~1.lnk - c:\program files (x86)\password safe\pwsafe.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\bttray.lnk - c:\program files (x86)\belkin\bluetooth software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files (x86)\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
Trusted Zone: msn.com\uk
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {885A9737-3469-4E16-88D4-D6169EE9844F} = 208.67.222.222,208.67.220.220
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg9\avgpp.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\syswow64\BTXPPanel.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s
mRun-x64: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun-x64: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\x64\3\EKIJ5000MUI.exe
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\gary\appdata\roaming\mozilla\firefox\profiles\5co7wrh7.gary\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files (x86)\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files (x86)\nokia\nokia ovi suite\connectors\bookmarks connector\firefoxextension\components\FirefoxExtension.dll
FF - component: c:\program files (x86)\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\microsoft\office live\npOLW.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files (x86)\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: c:\program files\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\divx\divx web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\opera\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\5co7wrh7.gary\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2009-10-21 269904]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2009-10-21 35536]
R1 AvgTdiA;AVG Free Network Redirector x64;c:\windows\system32\drivers\avgtdia.sys [2009-10-21 317520]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 203264]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files (x86)\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files (x86)\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2009-12-6 1153368]
R3 WFLR6654;WinFast TV2000 XP Expert (FM1216MK3);c:\windows\system32\drivers\wfeaglxt.sys [2009-8-10 474496]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 nmwcdcx64;Nokia USB Generic;c:\windows\system32\drivers\ccdcmbox64.sys [2009-12-30 25088]
S3 nmwcdnsucx64;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsucx64.sys [2009-12-30 12288]
S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys [2009-12-30 173056]
S3 nmwcdx64;Nokia USB Phone Parent;c:\windows\system32\drivers\ccdcmbx64.sys [2010-1-21 18944]
S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [2007-5-29 573952]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2007-4-23 108296]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2007-4-23 19720]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2007-4-23 144648]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-4-23 126216]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2007-4-23 123656]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-20 1255736]

=============== Created Last 30 ================

2010-09-09 19:26:24 0 d-----w- c:\program files (x86)\WTN
2010-08-29 19:31:30 0 d-----w- c:\program files (x86)\Password Safe
2010-08-29 19:12:11 589824 ----a-w- C:\PFE32.EXE
2010-08-28 06:51:24 0 d-----w- c:\users\gary\temp
2010-08-24 20:40:50 861184 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-24 20:40:50 571904 ----a-w- c:\windows\syswow64\oleaut32.dll
2010-08-23 20:59:32 0 d-----w- c:\program files\iPod
2010-08-23 20:59:31 0 d-----w- c:\program files\iTunes
2010-08-23 20:59:31 0 d-----w- c:\program files (x86)\iTunes
2010-08-14 09:48:01 0 d-----w- c:\users\gary\firefox_portable
2010-08-12 07:02:13 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 07:02:13 404992 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 07:02:13 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-12 07:02:12 340992 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 07:02:12 224256 ----a-w- c:\windows\syswow64\schannel.dll

==================== Find3M ====================

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-07-15 18:37:24 317520 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2010-07-15 18:37:23 13048 ----a-w- c:\windows\system32\avgrssta.dll
2010-07-15 18:37:17 269904 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-25 07:44:46 64456 ----a-w- c:\users\gary\appdata\roaming\GDIPFONTCACHEV1.DAT
2010-06-19 07:05:01 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-03-21 13:44:24 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2006-05-03 10:06:54 163328 --sh--r- c:\windows\syswow64\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\syswow64\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\syswow64\nbDX.dll
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:44:59.64 ===============


When I run GMER, I get error message saying it cannopt find the file specified (C:\windows\system32\config\system) - I'm running win7 64bit

Hope someone can help

Attached Files


Edited by happypig, 09 September 2010 - 04:14 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:04 PM

Posted 16 September 2010 - 10:31 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 happypig

happypig
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 17 September 2010 - 06:27 AM

Hi myrti
Thanks for the assistance. I'm not sure if the problem was sorted by my AVG but I suspect there's still something lurking as I have found further html files infected (I dual boot into linux and have been using that to search for infected files). The problem seems to be that something is injecting code into my html files (see 1st post) but I'm woried that it will be doing other things too.

I have run otl as requested, results are thus :

OTL.txt:

QUOTE
OTL logfile created on: 17/09/2010 12:07:09 - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Users\gary\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 49.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 58.59 Gb Total Space | 1.45 Gb Free Space | 2.48% Space Free | Partition Type: NTFS
Drive D: | 465.55 Gb Total Space | 180.34 Gb Free Space | 38.74% Space Free | Partition Type: FAT32
Drive E: | 232.88 Gb Total Space | 73.33 Gb Free Space | 31.49% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEHEMOTH
Current User Name: gary
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/17 12:04:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\gary\Desktop\OTL.exe
PRC - [2010/09/09 08:44:21 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/07/26 16:45:14 | 002,568,192 | ---- | M] (SourceForge.net) -- C:\Program Files (x86)\Password Safe\pwsafe.exe
PRC - [2010/07/21 08:32:27 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe
PRC - [2010/07/15 19:37:24 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgtray.exe
PRC - [2010/07/15 19:37:20 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/15 19:37:16 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/18 11:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/03/17 10:35:52 | 008,319,560 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
PRC - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
PRC - [2010/02/24 21:17:04 | 000,385,928 | ---- | M] (Nokia) -- C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
PRC - [2010/02/03 09:46:52 | 001,531,904 | ---- | M] (Nokia) -- C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer.exe
PRC - [2010/01/26 12:41:08 | 000,652,800 | ---- | M] (Nokia) -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
PRC - [2009/12/17 11:23:54 | 000,272,896 | ---- | M] () -- C:\Program Files (x86)\Common Files\Nokia\NoA\nokiaaserver.exe
PRC - [2009/10/27 09:15:02 | 000,120,832 | ---- | M] (Nokia) -- C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2009/10/26 01:23:44 | 005,329,085 | ---- | M] () -- C:\Program Files (x86)\Vidalia Bundle\Tor\tor.exe
PRC - [2009/10/24 14:42:57 | 003,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/10/15 02:28:40 | 005,238,258 | ---- | M] () -- C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe
PRC - [2009/08/05 12:49:44 | 000,284,016 | ---- | M] (Eastman Kodak Company) -- C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe
PRC - [2009/05/27 17:14:56 | 000,090,112 | ---- | M] (Leadtek Research Inc.) -- C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
PRC - [2009/03/11 18:22:48 | 002,912,256 | ---- | M] (Leadtek Research Inc.) -- C:\Program Files\WinFast\WFDTV\WFWIZ.exe
PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/02/07 02:21:06 | 000,872,894 | ---- | M] () -- C:\Program Files (x86)\Vidalia Bundle\Polipo\polipo.exe
PRC - [2006/12/23 18:05:20 | 000,143,360 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2006/12/23 18:04:42 | 000,905,216 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2006/11/03 12:01:16 | 000,319,488 | ---- | M] (PixArt Imaging Incorporation) -- C:\Windows\PixArt\PAC207\Monitor.exe
PRC - [2004/12/13 04:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2004/10/01 16:06:34 | 000,163,840 | ---- | M] (Broadcom Corporation) -- C:\Program Files (x86)\Belkin\Bluetooth Software\bin\btwdins.exe
PRC - [2003/09/04 11:45:08 | 000,135,214 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\Logitech\QCDriver2\LVComS.exe


========== Modules (SafeList) ==========

MOD - [2010/09/17 12:04:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\gary\Desktop\OTL.exe
MOD - [2009/07/14 02:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/08/18 02:36:20 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/03/30 18:19:56 | 002,297,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV:64bit: - [2007/11/07 09:11:22 | 004,466,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90)
SRV - [2010/07/21 08:32:27 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/15 19:37:20 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2010/01/26 12:41:08 | 000,652,800 | ---- | M] (Nokia) [On_Demand | Running] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/09/23 16:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/08/05 12:49:44 | 000,284,016 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2004/12/13 04:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2004/10/01 16:06:34 | 000,163,840 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files (x86)\Belkin\Bluetooth Software\bin\btwdins.exe -- (btwdins)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\TFsExDisk.sys -- (TFsExDisk)
DRV:64bit: - [2010/07/15 19:37:24 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (AvgTdiA)
DRV:64bit: - [2010/07/15 19:37:17 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (AvgLdx64)
DRV:64bit: - [2010/06/03 09:36:49 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (AvgMfx64)
DRV:64bit: - [2010/04/19 20:47:42 | 000,050,688 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2010/01/21 14:54:26 | 000,018,944 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcdx64)
DRV:64bit: - [2009/12/30 11:31:40 | 000,008,704 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltx64j.sys -- (UsbserFilt)
DRV:64bit: - [2009/12/30 11:31:30 | 000,025,088 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdcx64)
DRV:64bit: - [2009/12/30 11:31:30 | 000,008,704 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys -- (upperdev)
DRV:64bit: - [2009/12/30 11:25:12 | 000,173,056 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nmwcdnsux64.sys -- (nmwcdnsux64)
DRV:64bit: - [2009/12/30 11:25:10 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nmwcdnsucx64.sys -- (nmwcdnsucx64)
DRV:64bit: - [2009/08/18 03:48:48 | 006,037,504 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/08/10 03:26:00 | 000,474,496 | ---- | M] (Leadtek Research Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\wfeaglxt.sys -- (WFLR6654) WinFast TV2000 XP Expert (FM1216MK3)
DRV:64bit: - [2009/07/14 02:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 02:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 02:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 01:09:02 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\irda.sys -- (irda)
DRV:64bit: - [2009/07/14 01:06:32 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser)
DRV:64bit: - [2009/06/10 21:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 21:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/04/29 17:28:30 | 000,030,208 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\KMWDFILTER.sys -- (KMWDFILTER)
DRV:64bit: - [2008/08/28 11:44:42 | 000,025,600 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd)
DRV:64bit: - [2008/01/19 07:28:36 | 000,033,792 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\irstusb.sys -- (STIrUsb)
DRV:64bit: - [2007/05/29 14:30:22 | 000,573,952 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\PFC027.SYS -- (PAC207)
DRV:64bit: - [2007/04/23 14:54:40 | 000,126,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s115mgmt.sys -- (s115mgmt) Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
DRV:64bit: - [2007/04/23 14:54:40 | 000,123,656 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s115obex.sys -- (s115obex)
DRV:64bit: - [2007/04/23 14:54:38 | 000,144,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s115mdm.sys -- (s115mdm)
DRV:64bit: - [2007/04/23 14:54:36 | 000,019,720 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s115mdfl.sys -- (s115mdfl)
DRV:64bit: - [2007/04/23 14:54:32 | 000,108,296 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s115bus.sys -- (s115bus) Sony Ericsson Device 115 driver (WDM)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\SysWow64\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/03/31 09:39:36 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\TFsExDisk.Sys -- (TFsExDisk)
DRV - [2004/10/01 15:48:30 | 001,241,482 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Stopped] -- C:\Windows\system32\drivers\btkrnl.sys -- (BTKRNL)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 80 A4 72 68 03 03 CB 01 [binary data]
IE - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0
FF - prefs.js..extensions.enabledItems: avg@igeared:2.709.018.001


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files (x86)\AVG\AVG9\Firefox [2010/07/21 08:33:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files (x86)\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2010/04/07 22:41:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files (x86)\Nokia\Nokia PC Suite 7\bkmrksync\ [2010/05/17 03:20:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.12\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/09/09 08:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.12\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/09/09 08:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2010/08/23 22:09:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files (x86)\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2010/04/07 22:41:04 | 000,000,000 | ---D | M]

[2009/10/21 19:35:30 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Extensions
[2010/09/09 16:01:35 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions
[2010/04/13 10:23:17 | 000,000,000 | ---D | M] (All-in-One Gestures) -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\{8b86149f-01fb-4842-9dd8-4d7eb02fd055}
[2010/03/07 00:21:47 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/09/07 20:02:20 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/09/07 20:02:19 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/20 15:53:24 | 000,000,000 | ---D | M] (Torbutton) -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2009/10/23 14:46:21 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/12/09 21:00:45 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\max@subfighter.com
[2010/09/07 20:02:16 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\nasanightlaunch@example.com
[2010/03/07 00:21:50 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\noia2_option@kk.noia
[2010/09/07 20:02:16 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\NuvolaFF@paenglab.ch
[2009/10/21 20:02:37 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\refspoof@mozdev.org
[2010/04/17 12:39:56 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\silvermel@pardal.de
[2010/04/17 12:40:00 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\silvermelxt@pardal.de
[2009/10/21 20:02:37 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5co7wrh7.gary\extensions\video-dowloader@magic-imv.ro
[2009/10/21 19:35:30 | 000,000,000 | ---D | M] -- C:\Users\gary\AppData\Roaming\Mozilla\Firefox\Profiles\5qsv52p6.default\extensions
[2010/04/22 11:53:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/04/22 11:53:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/11/08 17:05:29 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/11/08 17:05:29 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/11/08 17:05:29 | 000,000,769 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/11/08 17:05:29 | 000,000,831 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll (AVG Technologies CZ, s.r.o.)
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4:64bit: - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\SysNative\spool\drivers\x64\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4:64bit: - HKLM..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe (PixArt Imaging Incorporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files (x86)\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Conime] C:\Windows\SysWow64\conime.exe File not found
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\SysWow64\spool\DRIVERS\x64\3\EKIJ5000MUI.exe File not found
O4 - HKLM..\Run: [LVCOMS] C:\Program Files (x86)\Common Files\Logitech\QCDriver2\LVComS.exe (Logitech Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [RDesc] File not found
O4 - HKLM..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe (Leadtek Research Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001..\Run: [] File not found
O4 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001..\Run: [msnmsgr] C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001..\Run: [NokiaOviSuite2] C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe (Nokia)
O4 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001..\Run: [Vidalia] C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe ()
O4 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe (Leadtek Research Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - Startup: C:\Users\gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Thunderbird.lnk = C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe (Mozilla Corporation)
O4 - Startup: C:\Users\gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Password Safe.lnk = C:\Program Files (x86)\Password Safe\pwsafe.exe (SourceForge.net)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8:64bit: - Extra context menu item: Send To &Bluetooth - C:\Program Files (x86)\Belkin\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files (x86)\Belkin\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001\..Trusted Domains: msn.com ([uk] http in Trusted sites)
O15 - HKU\S-1-5-21-3447124772-1253505117-4220477190-1001\..Trusted Ranges: Range1 ([*] in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files (x86)\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\Windows\SysWOW64\BTXPPanel.dll (Broadcom Corporation)
O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30:64bit: - LSA: Security Packages - (livessp) - C:\Windows\SysNative\livessp.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\SysWow64\livessp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/08 05:54:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig:64bit - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE - (Microsoft Corporation)
MsConfig:64bit - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files (x86)\QuickTime\QTTask.exe (Apple Inc.)
MsConfig:64bit - State: "startup" - Reg Error: Key error.

SafeBootMin:64bit: AppMgmt - Service
SafeBootMin:64bit: Base - Driver Group
SafeBootMin:64bit: Boot Bus Extender - Driver Group
SafeBootMin:64bit: Boot file system - Driver Group
SafeBootMin:64bit: File system - Driver Group
SafeBootMin:64bit: Filter - Driver Group
SafeBootMin:64bit: HelpSvc - Service
SafeBootMin:64bit: PCI Configuration - Driver Group
SafeBootMin:64bit: PNP Filter - Driver Group
SafeBootMin:64bit: Primary disk - Driver Group
SafeBootMin:64bit: sacsvr - Service
SafeBootMin:64bit: SCSI Class - Driver Group
SafeBootMin:64bit: System Bus Extender - Driver Group
SafeBootMin:64bit: vmms - Service
SafeBootMin:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.ac3acm - C:\Windows\SysWow64\ac3acm.acm (fccHandler)
Drivers32: msacm.divxa32 - C:\Windows\SysWow64\DivXa32.acm (Packed With Joy !)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\Windows\SysWow64\lameACM.acm (http://www.mp3dev.org/)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: vidc.divx - C:\Windows\SysWow64\DivX.dll (DivX, Inc.)
Drivers32: vidc.ffds - C:\Windows\SysWow64\ff_vfw.dll ()
Drivers32: VIDC.HFYU - C:\Windows\SysWow64\huffyuv.dll (Disappearing Inc.)
Drivers32: vidc.i420 - C:\Windows\SysWow64\i420vfw.dll (www.helixcommunity.org)
Drivers32: vidc.iv31 - C:\Windows\SysWow64\ir32_32.dll (Intel® Corporation)
Drivers32: vidc.iv32 - C:\Windows\SysWow64\ir32_32.dll (Intel® Corporation)
Drivers32: vidc.iv41 - C:\Windows\SysWow64\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\Windows\SysWow64\ir50_32.dll (Intel Corporation)
Drivers32: vidc.vp60 - C:\Windows\SysWow64\vp6vfw.dll (On2.com)
Drivers32: vidc.vp61 - C:\Windows\SysWow64\vp6vfw.dll (On2.com)
Drivers32: vidc.vp62 - C:\Windows\SysWow64\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP70 - C:\Windows\SysWow64\vp7vfw.dll (On2.com)
Drivers32: vidc.xvid - C:\Windows\SysWow64\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\Windows\SysWow64\yv12vfw.dll (www.helixcommunity.org)
Drivers32: vidc.yvu9 - C:\Windows\SysWow64\Iyvu9_32.dll ()


========== Files/Folders - Created Within 30 Days ==========

[2010/09/17 12:04:14 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\gary\Desktop\OTL.exe
[2010/09/14 09:53:06 | 000,000,000 | ---D | C] -- d:\Video Converter
[2010/09/09 22:19:41 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/09/09 22:19:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/09/09 20:26:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WTN
[2010/09/09 08:56:33 | 000,000,000 | R--D | C] -- C:\Users\gary\Videos
[2010/09/06 13:08:29 | 000,000,000 | ---D | C] -- d:\testyyyyyy
[2010/08/29 20:32:24 | 000,000,000 | ---D | C] -- C:\Users\gary\AppData\Local\PasswordSafe
[2010/08/29 20:31:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Password Safe
[2010/08/28 07:51:24 | 000,000,000 | ---D | C] -- C:\Users\gary\temp
[2010/08/27 02:49:02 | 000,000,000 | ---D | C] -- C:\Users\gary\AppData\Local\WMTools Downloaded Files
[2010/08/24 21:40:50 | 000,861,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\oleaut32.dll
[2010/08/23 22:09:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[2010/08/23 22:05:57 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/08/23 21:59:32 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/08/23 21:59:31 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/08/23 21:59:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/17 12:11:47 | 003,932,160 | -HS- | M] () -- C:\Users\gary\NTUSER.DAT
[2010/09/17 12:09:35 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/17 12:09:35 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/17 12:07:41 | 000,779,696 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/17 12:07:41 | 000,665,914 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/17 12:07:41 | 000,125,030 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/17 12:04:51 | 064,736,298 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/09/17 12:04:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\gary\Desktop\OTL.exe
[2010/09/17 12:02:23 | 000,019,528 | ---- | M] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys
[2010/09/17 12:01:07 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/17 12:00:59 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/17 12:00:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/17 12:00:52 | 3220,086,784 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/12 16:59:34 | 007,314,860 | -H-- | M] () -- C:\Users\gary\AppData\Local\IconCache.db
[2010/09/10 09:47:01 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/09 22:19:56 | 000,001,936 | ---- | M] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2010/09/09 22:09:29 | 000,000,077 | ---- | M] () -- C:\Users\gary\Desktop\BleepingComputer.com - Virus, Trojan, Spyware, and Malware Removal Logs.URL
[2010/09/09 21:59:31 | 000,000,823 | ---- | M] () -- C:\Users\gary\.recently-used.xbel
[2010/09/09 09:42:02 | 000,000,059 | ---- | M] () -- C:\Users\gary\Desktop\Planet Rock Player.url
[2010/08/29 20:58:49 | 000,002,391 | ---- | M] () -- C:\Users\gary\Desktop\mflow.lnk
[2010/08/29 20:31:31 | 000,000,994 | ---- | M] () -- C:\Users\gary\Desktop\Password Safe.lnk
[2010/08/29 20:31:30 | 000,001,036 | ---- | M] () -- C:\Users\gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Password Safe.lnk
[2010/08/29 19:59:22 | 000,290,848 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/28 08:57:08 | 000,000,036 | ---- | M] () -- C:\Users\gary\AppData\Local\housecall.guid.cache
[2010/08/28 08:45:34 | 000,000,991 | ---- | M] () -- C:\Users\gary\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/28 07:40:01 | 000,153,600 | ---- | M] () -- C:\Users\gary\Desktop\divelog.xls
[2010/08/27 22:11:30 | 000,000,091 | ---- | M] () -- C:\Users\gary\Desktop\Absolute Classic Rock Player.url
[2010/08/27 03:23:40 | 013,778,944 | ---- | M] () -- C:\Users\gary\Desktop\testo
[2010/08/23 22:09:40 | 000,001,805 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/08/23 22:06:34 | 000,002,515 | ---- | M] () -- C:\Users\gary\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2010/08/23 22:06:34 | 000,002,491 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
[2010/08/23 21:59:54 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/09 22:20:08 | 000,019,528 | ---- | C] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys
[2010/09/09 22:19:41 | 000,001,936 | ---- | C] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2010/09/09 22:09:29 | 000,000,077 | ---- | C] () -- C:\Users\gary\Desktop\BleepingComputer.com - Virus, Trojan, Spyware, and Malware Removal Logs.URL
[2010/09/09 21:59:31 | 000,000,823 | ---- | C] () -- C:\Users\gary\.recently-used.xbel
[2010/09/09 09:42:02 | 000,000,059 | ---- | C] () -- C:\Users\gary\Desktop\Planet Rock Player.url
[2010/08/29 20:58:49 | 000,002,391 | ---- | C] () -- C:\Users\gary\Desktop\mflow.lnk
[2010/08/29 20:31:31 | 000,000,994 | ---- | C] () -- C:\Users\gary\Desktop\Password Safe.lnk
[2010/08/29 20:31:30 | 000,001,036 | ---- | C] () -- C:\Users\gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Password Safe.lnk
[2010/08/29 20:12:11 | 000,589,824 | ---- | C] () -- C:\PFE32.EXE
[2010/08/28 08:57:08 | 000,000,036 | ---- | C] () -- C:\Users\gary\AppData\Local\housecall.guid.cache
[2010/08/28 08:46:00 | 000,000,991 | ---- | C] () -- C:\Users\gary\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/28 07:36:25 | 000,153,600 | ---- | C] () -- C:\Users\gary\Desktop\divelog.xls
[2010/08/27 22:11:30 | 000,000,091 | ---- | C] () -- C:\Users\gary\Desktop\Absolute Classic Rock Player.url
[2010/08/27 03:21:33 | 013,778,944 | ---- | C] () -- C:\Users\gary\Desktop\testo
[2010/08/23 22:09:40 | 000,001,805 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/08/23 21:59:54 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/06/13 16:37:02 | 000,170,470 | ---- | C] () -- C:\Users\gary\AppData\Local\installer.log
[2010/04/10 23:49:16 | 000,941,784 | ---- | C] () -- C:\Windows\SysWow64\drivers\CAMTHWDM.sys
[2010/04/07 22:43:03 | 000,004,608 | ---- | C] () -- C:\Users\gary\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/24 08:30:13 | 000,027,648 | ---- | C] () -- C:\Windows\SysWow64\AVSredirect.dll
[2009/11/21 08:45:40 | 000,000,600 | ---- | C] () -- C:\Users\gary\AppData\Local\PUTTY.RND
[2009/11/18 01:45:54 | 000,000,008 | ---- | C] () -- C:\Users\gary\AppData\Local\.mpid
[2009/11/04 23:15:37 | 000,178,176 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2009/11/04 23:15:37 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2009/10/23 19:24:12 | 000,002,528 | ---- | C] () -- C:\Users\gary\AppData\Roaming\$_hpcst$.hpc
[2009/10/22 20:15:56 | 000,143,872 | ---- | C] () -- C:\Windows\SysWow64\libmpeg2_ff.dll
[2009/10/22 20:01:22 | 004,835,652 | ---- | C] () -- C:\Windows\SysWow64\libavcodec.dll
[2009/10/22 09:33:53 | 000,722,382 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/10/22 08:41:17 | 000,000,520 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/10/17 00:58:06 | 000,183,296 | ---- | C] () -- C:\Windows\SysWow64\ff_samplerate.dll
[2009/10/17 00:57:06 | 000,146,944 | ---- | C] () -- C:\Windows\SysWow64\ff_tremor.dll
[2009/10/17 00:04:24 | 000,178,688 | ---- | C] () -- C:\Windows\SysWow64\ff_libmad.dll
[2009/10/17 00:04:08 | 000,113,152 | ---- | C] () -- C:\Windows\SysWow64\ff_unrar.dll
[2009/10/17 00:03:48 | 000,257,024 | ---- | C] () -- C:\Windows\SysWow64\ff_libdts.dll
[2009/10/17 00:03:44 | 000,142,848 | ---- | C] () -- C:\Windows\SysWow64\ff_liba52.dll
[2009/10/17 00:03:40 | 000,484,864 | ---- | C] () -- C:\Windows\SysWow64\ff_libfaad2.dll
[2009/10/16 23:10:10 | 000,281,748 | ---- | C] () -- C:\Windows\SysWow64\ff_kernelDeint.dll
[2009/10/16 21:53:32 | 000,100,864 | ---- | C] () -- C:\Windows\SysWow64\ff_wmv9.dll
[2009/10/16 21:53:20 | 000,085,504 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2009/10/16 20:40:42 | 000,957,047 | ---- | C] () -- C:\Windows\SysWow64\ff_x264.dll
[2009/10/16 20:38:20 | 000,881,664 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2009/10/16 20:35:50 | 000,311,204 | ---- | C] () -- C:\Windows\SysWow64\TomsMoComp_ff.dll
[2009/10/16 20:08:54 | 000,611,638 | ---- | C] () -- C:\Windows\SysWow64\libmplayer.dll
[2009/10/16 20:04:28 | 001,632,375 | ---- | C] () -- C:\Windows\SysWow64\ffmpegmt.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 22:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/01/10 23:17:32 | 000,163,840 | ---- | C] () -- C:\Windows\SysWow64\ts.dll
[2009/01/10 23:16:56 | 000,148,480 | ---- | C] () -- C:\Windows\SysWow64\mkx.dll
[2009/01/10 23:16:50 | 000,108,032 | ---- | C] () -- C:\Windows\SysWow64\avi.dll
[2009/01/10 23:16:14 | 000,141,312 | ---- | C] () -- C:\Windows\SysWow64\mp4.dll
[2009/01/10 23:15:54 | 000,120,832 | ---- | C] () -- C:\Windows\SysWow64\ogm.dll
[2009/01/10 23:15:44 | 000,159,744 | ---- | C] () -- C:\Windows\SysWow64\mmfinfo.dll
[2009/01/10 23:15:32 | 000,102,400 | ---- | C] () -- C:\Windows\SysWow64\avss.dll
[2009/01/10 23:15:28 | 000,246,784 | ---- | C] () -- C:\Windows\SysWow64\dxr.dll
[2009/01/10 23:15:12 | 000,097,280 | ---- | C] () -- C:\Windows\SysWow64\avs.dll
[2009/01/10 23:14:08 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\mkzlib.dll
[2009/01/10 23:14:06 | 000,023,552 | ---- | C] () -- C:\Windows\SysWow64\mkunicode.dll
[2008/12/03 23:11:50 | 000,205,824 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2008/11/06 17:37:32 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2008/11/06 17:34:00 | 000,000,416 | ---- | C] () -- C:\Windows\SysWow64\dtu100.dll.manifest
[2007/10/25 17:26:10 | 000,007,168 | ---- | C] () -- C:\Windows\SysWow64\drivers\StarOpen.sys
[2007/10/13 10:30:20 | 000,000,137 | ---- | C] () -- C:\Windows\SysWow64\Registration.ini
[2007/07/10 18:10:12 | 000,000,547 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll.manifest
[2006/11/02 10:27:46 | 000,000,518 | ---- | C] () -- C:\Windows\SysWow64\SP207.ini
[2004/10/01 16:01:22 | 000,086,016 | ---- | C] () -- C:\Windows\SysWow64\btprn2k.dll
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\SysWow64\lcppn21.dll
[1999/08/10 18:02:20 | 000,116,736 | ---- | C] () -- C:\Windows\SysWow64\LFKODAK.DLL
[1999/08/10 18:02:16 | 000,343,040 | ---- | C] () -- C:\Windows\SysWow64\lffpx7.dll
[1999/01/27 14:39:06 | 000,065,024 | ---- | C] () -- C:\Windows\SysWow64\indounin.dll
[1997/06/13 08:56:08 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\Iyvu9_32.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[1997/03/24 21:30:36 | 000,589,824 | ---- | M] () -- C:\PFE32.EXE


< MD5 for: AGP440.SYS >
[2009/07/14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysWow64\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009/07/14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysWow64\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009/07/14 02:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/14 02:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysWow64\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 02:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/14 02:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVRAID.SYS >
[2009/07/14 02:48:27 | 000,149,056 | ---- | M] (NVIDIA Corporation) MD5=3E38712941E9BB4DDBEE00AFFE3FED3D -- C:\Windows\SysWow64\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvraid.sys
[2009/07/14 02:48:27 | 000,149,056 | ---- | M] (NVIDIA Corporation) MD5=3E38712941E9BB4DDBEE00AFFE3FED3D -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvraid.sys

< MD5 for: NVSTOR.SYS >
[2009/07/14 02:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysWow64\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 02:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009/07/14 02:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >
< End of report >


extras.txt
QUOTE
OTL Extras logfile created on: 17/09/2010 12:07:09 - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Users\gary\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 49.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 58.59 Gb Total Space | 1.45 Gb Free Space | 2.48% Space Free | Partition Type: NTFS
Drive D: | 465.55 Gb Total Space | 180.34 Gb Free Space | 38.74% Space Free | Partition Type: FAT32
Drive E: | 232.88 Gb Total Space | 73.33 Gb Free Space | 31.49% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEHEMOTH
Current User Name: gary
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.js[@ = JSFile] -- C:\Program Files (x86)\Macromedia\Dreamweaver MX\Dreamweaver.exe (Macromedia, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\Program Files (x86)\Macromedia\Dreamweaver MX\Dreamweaver.exe (Macromedia, Inc.)

[HKEY_USERS\S-1-5-21-3447124772-1253505117-4220477190-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [open] -- "C:\Program Files (x86)\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [open] -- "C:\Program Files (x86)\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160" = Canon MP160
"{23170F69-40C1-2702-0465-000001000000}" = 7-Zip 4.65 (x64 edition)
"{23B45E10-0CA5-43E9-BD6D-C2BD6CBE11AC}" = iTunes
"{29C93182-34F6-3275-A18D-59326851CD57}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
"{2BFA9B05-7418-4EDE-A6FC-620427BAAAA3}" = Crystal Reports Basic Runtime for Visual Studio 2008 (x64)
"{328CC232-CFDC-468B-A214-2E21300E4CB5}" = Apple Mobile Device Support
"{4D668D4F-FAA2-4726-834C-31F4614F312E}" = MSVC80_x64_v2
"{55E76113-3899-4A63-A308-71A9BD3491EE}" = MobileMe Control Panel
"{5DE154DF-A55E-4FA5-BE59-32E78FCACF3E}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{62EED300-E841-4083-A1D6-60B906271804}" = Microsoft Windows SDK for Visual Studio 2008 Tools
"{64D5BBC6-5270-3711-AA39-31C1087AF4E6}" = Microsoft Visual Studio 2008 Remote Debugger - ENU
"{79BF7CB8-1E09-489F-9547-DB3EE8EA3F16}" = Microsoft SQL Server Native Client
"{86177DAE-38B1-49DD-912E-35CB703AB779}" = Microsoft SQL Server VSS Writer
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9aa5f39c-a8de-46b0-919a-0248f8bc8490}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{A992BBAA-723D-4574-A07F-983BF8FAA3E1}" = Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
"{AB071C8B-873C-459F-ACA9-9EBE03C3E89B}" = MSVC90_x64
"{B0EFB716-085B-4564-8060-212E41F5CE50}" = Windows Live ID Sign-in Assistant
"{B91110FB-33B4-468B-90C2-4D5E8AE3FAE1}" = Bonjour
"{D3E39E77-0EB4-36FB-B97A-8C8AB21B9A45}" = Visual Studio .NET Prerequisites - English
"{EF8B1A2E-9CCB-3AB2-91E3-4EEDAB1294E1}" = Microsoft Device Emulator (64 bit) version 3.0 - ENU
"05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
"8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
"FCEC33AD40CEA5E0FC4CEE6E42041A0DA189652D" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"HitmanPro35" = Hitman Pro 3.5
"Microsoft Visual Studio 2008 Remote Debugger - ENU" = Microsoft Visual Studio 2008 Remote Debugger - ENU
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile Modem Device" = Samsung Mobile Modem Device Software
"Samsung Mobile phone USB driver Drive" = Samsung Mobile phone USB driver Drive Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SAMSUNG USB Mobile Device" = SAMSUNG USB Mobile Device Software

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0463B519-E4C8-4C16-84AA-4743D1ED91B5}" = Labtec WebCam
"{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP
"{10F5D9BB-E2F2-4B18-A65D-928B73D22E6F}" = USB-IrDA Adapter
"{19DC9559-9C20-4A46-A67D-7ECBA52A2788}" = Nokia PC Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 20
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{28FB7853-A6ED-4F67-8635-9F0E863FC0AD}" = WinFast Codec-TS SDK
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}" = Microsoft SQL Server Compact 3.5 Design Tools ENU
"{2E5EEBB7-8B61-4FCC-AF7F-C2E0AC4583BB}" = Rapidshare Auto Downloader 3.7.1
"{2EEC2A94-7204-45C6-93BB-67EAEB19E4D6}" = Safari
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E1CD3D5-D4EE-4246-AE24-F0FD5A60390D}" = OviMPlatform
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{60DED9C2-22BF-47A3-B6C8-6B141BA31DFD}" = Ovi Desktop Sync Engine
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{70858C67-8761-4444-895A-0A8B2E9E144E}" = Opera 10.61
"{7397EDED-F38A-4654-B669-BF61065803D0}" = PC Connectivity Solution
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8DD0F820-3656-4AB3-A7F4-005CAA2D0897}_is1" = RDesc 2.32
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{8FE96B14-E1F9-47BF-8BA1-A81467CD259B}_is1" = Yawcam 0.3.3
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0000-0000-0000000FF1CE}_VisualWebDeveloper_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-0021-0409-0000-0000000FF1CE}_VisualWebDeveloper_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90535871-81B9-4D99-8A13-A7EE97F2D7FE}" = Belkin Bluetooth Software
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{9A0E0340-C3D7-42D1-96D4-64179FD456AE}" = WinFast De-interlace SDK
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.2
"{A0D65C73-F2C5-432F-8788-90F8A2E99B98}" = Nokia Ovi Suite Software Updater
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{AF7E85DC-317C-47F5-810E-B82EE093A612}" = Samsung New PC Studio USB Driver Installer
"{AF9848E2-5F19-4E49-9E6E-044FBDC28404}" = WinFast TT-SB SDK
"{B28B351F-1232-46EA-85EF-B8EA91641033}" = Nero 7 Essentials
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B9C9DB4C-6D77-4AE9-AD1C-C708C23239A0}" = Nokia Connectivity Cable Driver
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{C92C584E-C781-475E-A8E2-C67D993A6B95}" = WinFast PVR2
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}" = Nokia Ovi Suite
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Centre
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"{F4749535-2B87-498A-B74D-0A01B174E36D}" = PC Camera
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"{FF29527A-44CD-3422-945E-981A13584000}" = VC Runtimes MSI
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"Audacity_is1" = Audacity 1.2.6
"AVG9Uninstall" = AVG Free 9.0
"Canon MP160 User Registration" = Canon MP160 User Registration
"DataTrak" = DataTrak
"Fake Webcam_is1" = Fake Webcam 6.1.3
"FLAC" = FLAC 1.2.1b (remove only)
"FormatFactory" = FormatFactory 2.30
"Google Chrome" = Google Chrome
"Handbrake" = Handbrake 0.9.4
"Hard Disk Low Level Format Tool_is1" = Hard Disk Low Level Format Tool 2.36 build 1181
"InfoRapid Search & Replace" = InfoRapid Search & Replace
"InstallShield_{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"InstallShield_{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"InstallShield_{F4749535-2B87-498A-B74D-0A01B174E36D}" = PC Camera
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.3.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mflow" = mflow
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU
"Mozilla Firefox (3.5.12)" = Mozilla Firefox (3.5.12)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"Nokia Ovi Suite" = Nokia Ovi Suite
"Nokia PC Suite" = Nokia PC Suite
"Password Safe" = Password Safe
"Polipo" = Polipo 1.0.4
"RealVNC_is1" = VNC Free Edition 4.1.3
"SmartTRAK" = SmartTRAK
"SUPER ©" = SUPER © Version 2010.bld.37 (Jan 2, 2010)
"Tor" = Tor 0.2.1.20
"TreeSize Free_is1" = TreeSize Free V2.3.3
"uTorrent" = µTorrent
"Vidalia" = Vidalia 0.2.5
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"VLC media player" = VLC media player 1.0.3
"WebcamMax" = WebcamMax
"Windows 7 - Codec Pack" = Windows 7 Codec Pack 2.2.0
"WinGimp-2.0_is1" = GIMP 2.6.4
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"ZIP Password Recovery Magic_is1" = ZIP Password Recovery Magic v6.1.1.169
"Zip Password Recovery Master" = Zip Password Recovery Master

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3447124772-1253505117-4220477190-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"mpowerplayer" = mpowerplayer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/09/2010 02:44:32 | Computer Name = Behemoth | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 10/09/2010 02:44:32 | Computer Name = Behemoth | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 10/09/2010 02:44:32 | Computer Name = Behemoth | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 10/09/2010 02:44:32 | Computer Name = Behemoth | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 10/09/2010 02:44:54 | Computer Name = Behemoth | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 12/09/2010 11:59:35 | Computer Name = Behemoth | Source = Bonjour Service | ID = 100
Description = 508: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 12/09/2010 11:59:35 | Computer Name = Behemoth | Source = Bonjour Service | ID = 100
Description = 512: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 12/09/2010 11:59:35 | Computer Name = Behemoth | Source = Bonjour Service | ID = 100
Description = 516: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 12/09/2010 11:59:35 | Computer Name = Behemoth | Source = Bonjour Service | ID = 100
Description = 520: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 12/09/2010 11:59:35 | Computer Name = Behemoth | Source = Bonjour Service | ID = 100
Description = 524: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

[ System Events ]
Error - 02/07/2010 04:22:13 | Computer Name = Behemoth | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 02/07/2010 04:22:35 | Computer Name = Behemoth | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
BTKRNL

Error - 02/07/2010 06:35:31 | Computer Name = Behemoth | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 02/07/2010 06:36:10 | Computer Name = Behemoth | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 02/07/2010 07:02:14 | Computer Name = Behemoth | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 02/07/2010 07:02:24 | Computer Name = Behemoth | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 04/07/2010 02:29:54 | Computer Name = Behemoth | Source = volsnap | ID = 393241
Description = The shadow copies of volume C: were deleted because the shadow copy
storage could not grow in time. Consider reducing the IO load on the system or
choose a shadow copy storage volume that is not being shadow copied.

Error - 04/07/2010 02:29:58 | Computer Name = Behemoth | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter

Error - 04/07/2010 02:29:58 | Computer Name = Behemoth | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 04/07/2010 02:30:15 | Computer Name = Behemoth | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
BTKRNL


< End of report >


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:04 PM

Posted 17 September 2010 - 09:24 AM

Hi,

please run a scan with Eset next:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Let's see if we can find what is causing these. Do you have "new" html files seen infected since you sorted it? Do you know what AVG deleted from your system?

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 happypig

happypig
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 17 September 2010 - 02:19 PM

I think there were some more files infected after AVG got rid of the virus.
AVG deleted all the HTML files and a few .exes as well (4551 files in total).

I ran ESET and it found 8 nasties:
QUOTE
C:\Users\gary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\5a896be2-47c51936 Java/TrojanDownloader.Agent.NBB trojan deleted - quarantined
C:\Users\gary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-145aea5d Java/TrojanDownloader.Agent.NBL trojan deleted - quarantined
C:\Users\gary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\2104f57f-72050a35 a variant of Java/Mugademel.A trojan deleted - quarantined
C:\Users\gary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-7fc7877f Java/TrojanDownloader.Agent.NBK trojan deleted - quarantined
D:\INSTALLER\FFSetup220.exe Win32/Adware.ADON application deleted - quarantined
D:\INSTALLER\FFSetup220.zip Win32/Adware.ADON application deleted - quarantined
D:\INSTALLER\OLD_stuff\kazaalite_202_b1.zip multiple threats deleted - quarantined
D:\INSTALLER\OLD_stuff\avi_mpg_rm_joiner.exe probably a variant of Win32/Agent.IVYXXWB trojan deleted - quarantined


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:04 PM

Posted 20 September 2010 - 07:43 AM

Hi,

if you still have one of those exe files, could you please upload it on this page: http://www.bleepingcomputer.com/submit-mal...php?channel=100

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 happypig

happypig
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 22 September 2010 - 02:41 AM

Hi,

Sorry didn't get back sooner, have been working away this week. I restored 3 files from the vault and uploaded all 3, one of each of SHEUR3.AQRA, Zbot and Generic trojan as reported by AVG (hope it's ok to send all 3).

Cheers

H

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:04 PM

Posted 23 September 2010 - 05:02 PM

Hi,

thanks, that has helped clearify the situation.

As Kaspersky seems to be able to identify the infection, please run an online scan with it:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 happypig

happypig
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 25 September 2010 - 04:49 AM

QUOTE(myrti @ Sep 23 2010, 11:02 PM) View Post
Hi,

thanks, that has helped clearify the situation.

As Kaspersky seems to be able to identify the infection, please run an online scan with it:


Have done this but there were some discrepancies between your instructions and what it actually did

QUOTE
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT


Didn't get a NEXT

QUOTE
  • Now click on [b]Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK


  • No option to change settings

    QUOTE
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
  • regards myrti


    Ok, ran it and saved report :
    QUOTE
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, September 25, 2010
    Operating system: Microsoft (build 7600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, September 24, 2010 08:51:20
    Records in database: 4234151
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    V:\
    Z:\

    Scan statistics:
    Objects scanned: 402992
    Threats found: 22
    Infected objects found: 53
    Suspicious objects found: 0
    Scan duration: 09:29:06


    File name / Threat / Threats count
    C:\OpenSSL\bin\randtest.exe Infected: Exploit.Win32.IMG-WMF.cht 1
    C:\OpenSSL\bin\rc2test.exe Infected: Exploit.Win32.IMG-WMF.chu 1
    C:\OpenSSL\bin\rc5test.exe Infected: Exploit.Win32.IMG-WMF.chv 1
    C:\Program Files (x86)\Zip Password Recovery Master\vzr4fin.exe Infected: Backdoor.Win32.Delf.srf 1
    C:\Users\gary\Desktop\garys_usb_stik\installers\tightvnc-1.2.8-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
    C:\Users\gary\Desktop\zipprm.exe Infected: Backdoor.Win32.Delf.srf 1
    D:\INSTALLER\Essential Software\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
    D:\INSTALLER\Essential Software\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    D:\INSTALLER\Essential Software\tightvnc-1.2.8-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
    D:\INSTALLER\OLD_stuff\agsetu~1.exe Infected: not-a-virus:AdWare.Win32.WebHancer.214 5
    D:\INSTALLER\OLD_stuff\agsetu~1.exe Infected: not-a-virus:AdWare.Win32.WebHancer 1
    D:\INSTALLER\OLD_stuff\agsetu~1.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
    D:\INSTALLER\OLD_stuff\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.281 1
    D:\INSTALLER\OLD_stuff\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
    D:\INSTALLER\OLD_stuff\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
    D:\Windows.old\Documents and Settings\gary\Local Settings\Temp\Win32OpenSSL-v0.9.6m.rar Infected: Exploit.Win32.IMG-WMF.cht 1
    D:\Windows.old\Documents and Settings\gary\Local Settings\Temp\Win32OpenSSL-v0.9.6m.rar Infected: Exploit.Win32.IMG-WMF.chu 1
    D:\Windows.old\Documents and Settings\gary\Local Settings\Temp\Win32OpenSSL-v0.9.6m.rar Infected: Exploit.Win32.IMG-WMF.chv 1
    D:\temp\AGSetup0606.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
    E:\temp\ophcrack-livecd-1.2.2.iso Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
    E:\temp\ophcrack-livecd-1.2.2.iso Infected: not-a-virus:PSWTool.Win32.PWDump.s 1
    E:\temp\ophcrack-livecd-1.2.2.iso Infected: not-a-virus:PSWTool.Win32.PWDump.d 2
    E:\USB_MultiBoot_10\MULTI_CONTENT\wintools\commandline\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
    E:\USB_MultiBoot_10\MULTI_CONTENT\wintools\othertools\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.i 1
    E:\usb_multiboot_10.zip Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
    E:\usb_multiboot_10.zip Infected: not-a-virus:PSWTool.Win32.ProductKey.i 1
    Z:\Documents\temp\AGSetup0606.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
    Z:\Documents\INSTALLER\freecam.exe Infected: not-a-virus:AdWare.Win32.180Solutions 1
    Z:\Documents\INSTALLER\freecam.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.h 2
    Z:\Documents\INSTALLER\freecam.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.e 1
    Z:\Documents\INSTALLER\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
    Z:\Documents\INSTALLER\tightvnc-1.2.8-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
    Z:\Documents\INSTALLER\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.281 1
    Z:\Documents\INSTALLER\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
    Z:\Documents\INSTALLER\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
    Z:\Documents\INSTALLER\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    Z:\Documents\INSTALLER\agsetu~1.exe Infected: not-a-virus:AdWare.Win32.WebHancer.214 5
    Z:\Documents\INSTALLER\agsetu~1.exe Infected: not-a-virus:AdWare.Win32.WebHancer 1
    Z:\Documents\INSTALLER\agsetu~1.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
    Z:\Documents\INSTALLER\kazaalite_202_b1.zip Infected: not-a-virus:AdWare.Win32.Altnet.o 1

    Selected area has been scanned.



    #10 myrti

    myrti

      Sillyberry


    • Malware Study Hall Admin
    • 33,779 posts
    • OFFLINE
    •  
    • Gender:Female
    • Location:At home
    • Local time:09:04 PM

    Posted 26 September 2010 - 07:43 AM

    Hi,

    I have been able to identify the infection from the files you uploaded.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed. As you can see by the fact that the scans come back clean, but your HTML files still get reinfected.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    QUOTE
    Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
    • Reimaging the system
    • Restoring the entire system using a full system backup from before the backdoor infection
    • Reformatting and reinstalling the system
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.
    QUOTE
    The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


    The only way of attempting cleaning a file infector is to use boot-CDs from different anti virus providers and see what they detect. The chances are however rather low, since a single infected file could relaunch the complete infection.
    regards myrti

    is that a bird?  a plane? nooo it's the flying blueberry!

    If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

     

    Follow BleepingComputer on: Facebook | Twitter | Google+


    #11 happypig

    happypig
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    •  
    • Local time:08:04 PM

    Posted 27 September 2010 - 04:11 PM

    Righto, message received and understood. I will nuke the windows partition and re-install.

    Couple of questions though before I do :

    Can I safely assume that all my data (music, video and photos) is safe as it's not executable ?

    Can I also assume that my Linux partition is safe (Kubuntu 10.04) ?

    Cheers

    H


    #12 myrti

    myrti

      Sillyberry


    • Malware Study Hall Admin
    • 33,779 posts
    • OFFLINE
    •  
    • Gender:Female
    • Location:At home
    • Local time:09:04 PM

    Posted 27 September 2010 - 04:57 PM

    Hi,

    is the Kubuntu partition formatted in Ext4 or in Ext3? Are you able to see it from your windows install?

    Kubuntu itself by default has no windows executables. Some may have been added so when you use wine or mono. If the infection has seen the partition there is a possibility that it has infected some files, however no matter how infected the partition gets the infections shouldn't run by itself on kubuntu unless you manually start wine for example.

    You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise itself by adding and hiding its extension to the existing extension of file(s) so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

    regards myrti

    is that a bird?  a plane? nooo it's the flying blueberry!

    If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

     

    Follow BleepingComputer on: Facebook | Twitter | Google+


    #13 happypig

    happypig
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    •  
    • Local time:08:04 PM

    Posted 27 September 2010 - 05:58 PM

    Yeah, I understand. Problem is, I have already backed a load of data (probably around 400-500 gb) to several external drives. To back up to DVD would take absolutely ages.

    I'm considering doing the following :

    (in linux) format external USB drive as ext3, copy all data (video/music/photos) to it.
    (also in linux) copy all html/websites (I run a few sites) to another external drive and check all html files manually - theres only a couple of hundred.
    nuke windows partition (C:)
    nuke D: and E:
    re-install windows
    scan external drive
    copy data back

    Sound ok ?

    Oh yeah, Kubuntu is ext3 and not visible from windows

    Edited by happypig, 27 September 2010 - 06:00 PM.


    #14 myrti

    myrti

      Sillyberry


    • Malware Study Hall Admin
    • 33,779 posts
    • OFFLINE
    •  
    • Gender:Female
    • Location:At home
    • Local time:09:04 PM

    Posted 28 September 2010 - 02:07 AM

    Hi,

    Windows can not read Ext3 by default, however you can make it see it when you install dedicated drivers. (If interested I can provide you a link). Ext4 is so new that there is to this day no way of reading the partition from Windows.
    As long as Windows is unable to read the partition, I believe that the infection won't be able to spread, so that should be fine.

    Copying the data over from linux should be fine too. I hope you can get the cleaning process somewhat automated and don't have to check all of the files by hand.

    regards myrti

    is that a bird?  a plane? nooo it's the flying blueberry!

    If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

     

    Follow BleepingComputer on: Facebook | Twitter | Google+


    #15 happypig

    happypig
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    •  
    • Local time:08:04 PM

    Posted 28 September 2010 - 07:11 AM

    I'm using it as an opportunity to clean, tidy and organise my disks :-)

    I'll spend the week doing that and then re-install win7. What's the best way to recheck once installed ? Use the kaspersky online tool ?

    Cheers

    H




    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users