Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Bamital.c virus


  • This topic is locked This topic is locked
11 replies to this topic

#1 eag

eag

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 30 September 2010 - 03:16 AM

Hi, Last weekend I started to get problems with internet explorer in that it was shutting down about a minute after it opened. At the time I had (paid for) Mcafee antivirus running. I suspected it might be a virus, so uninstalled Mcafee, and installed Microsoft security essentials which found the bamital.c virus in seconds. After a bit of checking I thought I was safe, but the next day 2 further warnings appeared.
I have read the Microsoft advice about removal, but I am nervous about using the recovery console for Windows XP with no experience of doing so and limited knowledge generally of such things.
All help with removing this will be most gratefully received.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Liz at 13:17:08.73 on 29/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1249 [GMT 1:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Liz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.demon.net/
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [1A:Stardock TrayMonitor]
mRun: [Say the Time]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunServices: [1A:Stardock TrayMonitor]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\liz\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\saythe~1.lnk - c:\program files\say the time\SayTime.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://interactivebrokers.webex.com/client/T26L/nbr/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-4 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-1-14 2521880]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-1-16 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-1-16 14336]
S1 anaefxzw;anaefxzw;\??\c:\windows\system32\drivers\anaefxzw.sys --> c:\windows\system32\drivers\anaefxzw.sys [?]
S1 kahjyrhh;kahjyrhh;\??\c:\windows\system32\drivers\kahjyrhh.sys --> c:\windows\system32\drivers\kahjyrhh.sys [?]
S1 nnzocrjm;nnzocrjm;\??\c:\windows\system32\drivers\nnzocrjm.sys --> c:\windows\system32\drivers\nnzocrjm.sys [?]
S2 gupdate1c9ae0852b05dd2;Google Update Service (gupdate1c9ae0852b05dd2);c:\program files\google\update\GoogleUpdate.exe [2009-3-26 133104]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-1-23 42832]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-14 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-14 40552]

=============== Created Last 30 ================

2010-09-29 12:03:32 0 ----a-w- c:\documents and settings\liz\defogger_reenable
2010-09-28 12:57:05 0 d-----w- c:\windows\system32\NtmsData
2010-09-26 14:55:17 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-09-26 14:44:29 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-26 14:41:26 0 d-----w- c:\program files\Microsoft Security Essentials
2010-09-08 20:09:26 0 d-----w- c:\program files\iPod
2010-09-08 20:09:22 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-09-26 14:45:43 1033728 ----a-w- c:\windows\explorer.exe
2010-08-30 11:31:28 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2010-08-30 11:31:06 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ------w- c:\windows\system32\xpsp4res.dll
2010-07-17 04:00:04 423656 ------w- c:\windows\system32\deployJava1.dll
2008-10-06 07:43:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100620081007\index.dat

============= FINISH: 13:18:04.51 ===============

Hi again
I should add that my PC does now seem to be functioning as normal, and that the infected files have been either disinfected or quarantined, but the recommendation is to remove immediately which is what I would like to do.
I think the virus may have arrived via my daughter's laptop and the home network when she was at home at the weekend. I didn't download anything to my PC. I have now made the admin accounts password protected as per general advice (could that have been the problem?) but obviously that is a case of shutting the stable door after the horse has bolted!

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 30 September 2010 - 04:03 PM.


BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:05:45 AM

Posted 04 October 2010 - 10:58 AM


Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 eag

eag
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 05 October 2010 - 10:51 AM

Hi Shannon
Thanks for responding to my thread. The GMER log took a couple of goes to do this time (don't know why it failed first time as ran overnight).

Since starting this thread last week I have done nothing more than set up passwords on the admin accounts on my PC, and change the name of another user account. All has been quiet on the machine since last Monday (27th) when 2 incidents of the virus were disinfected by the antivirus, and the Rapport software preventend capture of some info by iexplore.exe. The day before that there were 4 items that were quarantined and the bamital trojan was removed from another. Since then it seems to be running as normal although I am very nervous as the virus is presumably is still on my computer. I am very grateful for all help to remove it.

Here are the logs from today:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Liz at 6:21:52.93 on 05/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1242 [GMT 1:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Liz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.demon.net/
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [1A:Stardock TrayMonitor]
mRun: [Say the Time]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunServices: [1A:Stardock TrayMonitor]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\liz\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\saythe~1.lnk - c:\program files\say the time\SayTime.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://interactivebrokers.webex.com/client/T26L/nbr/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-4 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-1-14 2521880]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-1-16 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-1-16 14336]
S1 anaefxzw;anaefxzw;\??\c:\windows\system32\drivers\anaefxzw.sys --> c:\windows\system32\drivers\anaefxzw.sys [?]
S1 kahjyrhh;kahjyrhh;\??\c:\windows\system32\drivers\kahjyrhh.sys --> c:\windows\system32\drivers\kahjyrhh.sys [?]
S1 nnzocrjm;nnzocrjm;\??\c:\windows\system32\drivers\nnzocrjm.sys --> c:\windows\system32\drivers\nnzocrjm.sys [?]
S2 gupdate1c9ae0852b05dd2;Google Update Service (gupdate1c9ae0852b05dd2);c:\program files\google\update\GoogleUpdate.exe [2009-3-26 133104]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-1-23 42832]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-14 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-14 40552]

=============== Created Last 30 ================

2010-09-29 12:03:32 0 ----a-w- c:\documents and settings\liz\defogger_reenable
2010-09-28 12:57:05 0 d-----w- c:\windows\system32\NtmsData
2010-09-26 14:55:17 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-09-26 14:44:29 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-26 14:41:26 0 d-----w- c:\program files\Microsoft Security Essentials
2010-09-08 20:09:26 0 d-----w- c:\program files\iPod
2010-09-08 20:09:22 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-09-26 14:45:43 1033728 ----a-w- c:\windows\explorer.exe
2010-08-30 11:31:28 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2010-08-30 11:31:06 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ------w- c:\windows\system32\xpsp4res.dll
2010-07-17 04:00:04 423656 ------w- c:\windows\system32\deployJava1.dll
2008-10-06 07:43:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100620081007\index.dat

============= FINISH: 6:22:44.32 ===============

Attached Files



#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:05:45 AM

Posted 08 October 2010 - 12:53 PM

Hi, eag-

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you with supervision of the teachers and they will approve every posts before I present them to you.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

When asked to copy logs or reports into your reply, please copy them directly into your reply. Do not include them in quotes. Do not attach them unless asked to do so. In Notepad, please turn off Word Wrap under the Format menu.

Please Track this topic - On the top right on this tread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Please give me some time to look over your log. I will post the reply as soon as possible.

Shannon

#5 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:05:45 AM

Posted 09 October 2010 - 03:50 PM

Hi-

Sorry for the delay. Thanks for the logs.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as products fight for access to files which are being opened since they need to be checked for viruses. In general terms, the programs may conflict and cause:
    False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    System Performance Problems: Your system may lock up due to multiple products attempting to access the same file at the same time.
Therefore, please go to add/remove programs in the control panel and remove either McAfee or Microsoft Security Essentials.

Next, we need to check several files for infection.

Before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following files in turn and click the Submit file button within Jotti.

C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\explorer.exe
C:\windows\system32\winlogon.exe


If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
To scan the next file, click on the Next File button.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal

Next, please download Malwarebytes' Anti-Malware (MBAM) from HERE.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Then, please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.

Finally, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Under the Custom Scan box paste in the contents of the CODE box.
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    /md5start
    wininit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Push the button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, please copy in the MBAM report, the MBRCheck report, and the two OTL scan reports. Please let me know the results of the Jotti scan and how you computer is running.

Thanks.

Shannon

#6 eag

eag
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 10 October 2010 - 10:21 AM

Hi Shannon

Thanks for your replies.

I did in fact uninstall Mcafee before I installed Microsoft Security Essentials, although I see from the logs that is not what it is saying. In control panel add/remove programs, Mcafee is not listed at all, and I have not got any Mcafee desktop icons at all. I understand what you are saying about not having more than one antivirus, but Mcafee let the virus in, and Microsoft Security Essentials found it immediately so I am reluctant to uninstall the Microsoft antivirus program. If you can give me any clues as to how to properly uninstall Mcafee that would be my preferred option.

I ran a full system antivirus scan earler today, and it found the Exloit virus in some Java files and removed it.

I am just about to carry out all of the instructions in your last post and will post all the results when I'm done.

Liz

#7 eag

eag
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 10 October 2010 - 03:00 PM

Hi Shannon

The Jotti scan found nothing on all 3 files

Here we go with all of the reports:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4791

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/10/2010 19:44:01
mbam-log-2010-10-10 (19-44-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 411089
Time elapsed: 2 hour(s), 18 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liz\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
___________

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000002d

Kernel Drivers (total 144):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xBA0A8000 vvlcl.sys
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0B8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0C8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0D8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xB9E44000 iaStor.sys
0xBA0E8000 disk.sys
0xBA0F8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E24000 fltmgr.sys
0xB9E12000 sr.sys
0xB9DFC000 DRVMCDB.SYS
0xBA108000 PxHelp20.sys
0xB9DE5000 KSecDD.sys
0xB9D58000 Ntfs.sys
0xB9D2B000 NDIS.sys
0xB9D11000 Mup.sys
0xBA158000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8E71000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB8E5D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA168000 \SystemRoot\system32\DRIVERS\HECI.sys
0xBA178000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA578000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8E1C000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA400000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8DF8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA408000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8DD0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA410000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB8DBC000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA188000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA198000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xBA57C000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS
0xBA5E8000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xBA1A8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8D99000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA418000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA721000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA584000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8D82000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA420000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8D71000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA428000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA430000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8D41000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA208000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA438000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA440000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5EA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8CE3000 \SystemRoot\system32\DRIVERS\update.sys
0xB9113000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA318000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA138000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA62A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA6283000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA625F000 \SystemRoot\system32\drivers\portcls.sys
0xAB9DA000 \SystemRoot\system32\drivers\drmk.sys
0xA61FF000 \SystemRoot\system32\drivers\Senfilt.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xA2E60000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xA217F000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xAB9CA000 \SystemRoot\system32\DRIVERS\pmxusblf.sys
0xBA602000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA5126000 \SystemRoot\System32\Drivers\Null.SYS
0xAB9BA000 \SystemRoot\system32\DRIVERS\pmxmouse.sys
0xBA604000 \SystemRoot\System32\Drivers\Beep.SYS
0xA2968000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAB9AA000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA388000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA390000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xBA398000 \SystemRoot\System32\drivers\vga.sys
0xBA606000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA608000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3A0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3B0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA295C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA214C000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA20F3000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA20CB000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA20A5000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA2083000 \SystemRoot\System32\drivers\afd.sys
0xA8434000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8424000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA2058000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA2030000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0xA1FD0000 \??\C:\WINDOWS\system32\drivers\RapportBuka.sys
0xA1F60000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA8414000 \SystemRoot\System32\Drivers\Fips.SYS
0xA83D4000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA3B8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAB630000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAB62C000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB9CDC000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA1E99000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xAACBA000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3D8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA79E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF057000 \SystemRoot\System32\ati2cqag.dll
0xBF0D1000 \SystemRoot\System32\atikvmag.dll
0xBF13D000 \SystemRoot\System32\atiok3x2.dll
0xBF16B000 \SystemRoot\System32\ati3duag.dll
0xBF468000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA24C0000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xBA7FE000 \SystemRoot\System32\DLA\DLADResM.SYS
0x9ED20000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xBA498000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xBA5BC000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xBA4A0000 \SystemRoot\System32\DLA\DLABMFSM.SYS
0xBA4A8000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x9ED0A000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x9ECF3000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0x9ECB3000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9EB86000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9E997000 \SystemRoot\system32\DRIVERS\srv.sys
0x9E95D000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
0x9E628000 \SystemRoot\system32\drivers\wdmaud.sys
0x9E6CD000 \SystemRoot\system32\drivers\sysaudio.sys
0x9D4E6000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x9D38A000 \SystemRoot\System32\Drivers\HTTP.sys
0x9C78C000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 60):
0 System Idle Process
4 System
660 C:\WINDOWS\system32\smss.exe
708 csrss.exe
736 C:\WINDOWS\system32\winlogon.exe
780 C:\WINDOWS\system32\services.exe
792 C:\WINDOWS\system32\lsass.exe
988 C:\WINDOWS\system32\ati2evxx.exe
1004 C:\WINDOWS\system32\svchost.exe
1076 svchost.exe
1208 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1260 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
1352 C:\WINDOWS\system32\svchost.exe
1456 svchost.exe
1504 svchost.exe
1704 C:\WINDOWS\system32\spoolsv.exe
1952 svchost.exe
1988 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2000 C:\Program Files\Intel\ASF Agent\ASFAgent.exe
2012 C:\Program Files\Intel\AMT\atchksrv.exe
164 C:\Program Files\Bonjour\mDNSResponder.exe
196 C:\WINDOWS\system32\CTSVCCDA.EXE
308 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
312 C:\Program Files\Java\jre6\bin\jqs.exe
604 C:\Program Files\Kontiki\KService.exe
640 C:\Program Files\Intel\AMT\LMS.exe
1340 C:\WINDOWS\system32\svchost.exe
272 C:\Program Files\Intel\AMT\UNS.exe
2464 C:\WINDOWS\explorer.exe
2812 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2852 C:\WINDOWS\system32\ico.exe
2860 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
2868 C:\WINDOWS\system32\pmxmiced.exe
2948 C:\Program Files\Intel\AMT\atchk.exe
2980 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3000 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
3008 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
3020 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
3128 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
3144 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
3160 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
3200 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
3264 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3276 C:\Program Files\Microsoft Security Essentials\msseces.exe
3336 C:\Program Files\iTunes\iTunesHelper.exe
3356 C:\WINDOWS\system32\ctfmon.exe
3428 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
3460 C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
3472 C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
3508 C:\Program Files\Kontiki\KHost.exe
3640 C:\Program Files\FinePixViewer\QuickDCF2.exe
3664 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
2504 C:\Program Files\Common Files\Teleca Shared\Generic.exe
3352 C:\Program Files\iPod\bin\iPodService.exe
1216 alg.exe
2216 C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
2884 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
6132 C:\Program Files\Internet Explorer\iexplore.exe
4988 C:\Program Files\Internet Explorer\iexplore.exe
4292 C:\Documents and Settings\Liz\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000 (NTFS)

PhysicalDrive0 Model Number: ST3250310AS, Rev: 3.ADA

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


________________________


OTL logfile created on: 10/10/2010 20:16:09 - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Liz\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.76 Gb Total Space | 141.09 Gb Free Space | 60.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LIZOPTIPLEX
Current User Name: Liz
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/10/10 20:14:21 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Liz\Desktop\OTL.exe
PRC - [2010/09/26 15:45:43 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/07/01 12:07:18 | 000,840,936 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2008/03/17 17:06:00 | 001,848,648 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2008/02/27 18:56:54 | 003,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
PRC - [2008/02/27 18:56:54 | 001,032,376 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KHost.exe
PRC - [2008/01/14 13:29:02 | 001,838,592 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2007/10/18 21:10:42 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2007/09/24 20:12:48 | 001,036,288 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2007/07/26 20:03:46 | 000,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/07/26 20:03:44 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/06/12 18:09:16 | 002,521,880 | ---- | M] (Intel) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/06/12 18:09:16 | 000,183,064 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/06/12 18:09:14 | 000,408,344 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchk.exe
PRC - [2007/06/12 18:09:14 | 000,109,336 | ---- | M] (Intel) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/05/23 21:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxmiced.exe
PRC - [2007/01/30 13:02:00 | 000,303,104 | ---- | M] (FUJIFILM Corporation) -- C:\Program Files\FinePixViewer\QuickDCF2.exe
PRC - [2007/01/23 04:58:04 | 000,133,968 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe
PRC - [2006/11/08 16:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2006/10/20 18:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2006/09/25 10:12:20 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2006/08/17 10:00:00 | 001,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2006/05/10 13:42:32 | 000,872,448 | R--- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
PRC - [2005/11/29 19:19:00 | 000,057,344 | ---- | M] (OLYMPUS IMAGING CORP.) -- C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
PRC - [2005/10/26 17:17:24 | 000,159,744 | R--- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
PRC - [2005/08/10 08:54:34 | 000,385,024 | R--- | M] (Teleca Software Solutions) -- C:\Program Files\Common Files\Teleca Shared\Generic.exe
PRC - [2005/06/08 17:45:04 | 000,278,528 | ---- | M] (Teleca Software Solutions AB) -- C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
PRC - [2005/06/06 23:46:24 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2004/07/27 17:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


========== Modules (SafeList) ==========

MOD - [2010/10/10 20:14:21 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Liz\Desktop\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/06/23 12:57:18 | 000,131,072 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxscrll.dll
MOD - [2006/06/15 19:40:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxcomm.dll
MOD - [2006/06/15 19:40:26 | 000,065,536 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxhooks.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/07/01 12:07:18 | 000,840,936 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/02/27 18:56:54 | 003,072,184 | ---- | M] (Kontiki Inc.) [Auto | Running] -- C:\Program Files\Kontiki\KService.exe -- (KService)
SRV - [2008/01/14 13:29:02 | 001,838,592 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 11:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/07/26 20:03:46 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/06/12 18:09:16 | 002,521,880 | ---- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS) Intel®
SRV - [2007/06/12 18:09:16 | 000,183,064 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\atchksrv.exe -- (atchksrv) Intel®
SRV - [2007/06/12 18:09:14 | 000,109,336 | ---- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2007/01/23 04:58:04 | 000,133,968 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe -- (ASFAgent)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\nnzocrjm.sys -- (nnzocrjm)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\kahjyrhh.sys -- (kahjyrhh)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\anaefxzw.sys -- (anaefxzw)
DRV - [2010/07/01 12:07:30 | 000,166,632 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/07/01 12:07:30 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2010/03/04 22:27:29 | 000,390,528 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\RapportBuka.sys -- (RapportBuka)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/04/13 19:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 19:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 17:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/10/07 15:05:06 | 002,455,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/09/24 20:12:48 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2007/09/24 20:12:48 | 000,307,712 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/09/23 21:03:40 | 000,305,688 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/07/23 19:42:12 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/06/01 14:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2007/05/24 17:56:00 | 000,014,336 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2007/04/13 14:33:34 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/01/23 04:45:44 | 000,042,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Asfalrt.sys -- (AsfAlrt)
DRV - [2006/08/18 14:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 14:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 14:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 14:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 14:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 14:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 14:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 14:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 12:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 11:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 11:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/21 12:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2004/10/08 02:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/03 12:10:00 | 000,071,596 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PfModNT.sys -- (PfModNT)
DRV - [2004/05/18 01:25:00 | 000,016,880 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctpdusb.sys -- (Jukebox3)
DRV - [2004/03/08 12:55:50 | 000,013,567 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\CDRBSDRV.SYS -- (cdrbsdrv)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk-r...html?channel=uk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk-r...html?channel=uk
IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.demon.net/
IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1028\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6080114
IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1028\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk-r...html?channel=uk
IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1028\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.demon.net/
IE - HKU\S-1-5-21-109209031-1851510006-1098153493-1028\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-109209031-1851510006-1098153493-1005\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [1A:Stardock TrayMonitor] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [atchk] C:\Program Files\Intel\AMT\atchk.exe (Intel Corporation)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe (OLYMPUS IMAGING CORP.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [PMX Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [Say the Time] File not found
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe (Sony Ericsson Mobile Communications AB)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKU\S-1-5-21-109209031-1851510006-1098153493-1005..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O4 - HKU\S-1-5-21-109209031-1851510006-1098153493-1005..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (OLYMPUS IMAGING CORP.)
O4 - HKU\S-1-5-21-109209031-1851510006-1098153493-1028..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (OLYMPUS IMAGING CORP.)
O4 - HKLM..\RunServices: [1A:Stardock TrayMonitor] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe (FUJIFILM Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe (Provenio Software Corporation)
O4 - Startup: C:\Documents and Settings\Liz\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-109209031-1851510006-1098153493-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 157
O7 - HKU\S-1-5-21-109209031-1851510006-1098153493-1028\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} http://upload.facebook.com/controls/Facebo...Uploader4_5.cab (Facebook Photo Uploader 4)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://interactivebrokers.webex.com/client...nbr/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254 158.152.1.58 158.152.1.43
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Liz\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Liz\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\Shell\AutoRun\command - "" = E:\lky.exe -- File not found
O33 - MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\Shell\explore\Command - "" = E:\lky.exe -- File not found
O33 - MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\Shell\open\Command - "" = E:\lky.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/10/10 20:14:10 | 000,576,512 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Liz\Desktop\OTL.exe
[2010/10/10 16:50:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Liz\Application Data\Malwarebytes
[2010/10/10 16:49:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/10/10 16:49:49 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/10/10 16:49:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/10/10 16:49:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/10/10 16:03:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Documents
[2010/10/06 19:56:34 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/10/06 19:56:31 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/10/06 19:51:52 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/10/06 19:51:48 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/09/29 13:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Liz\Desktop\gmer
[2010/09/29 13:21:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Liz\My Documents\diagnostics29sep10
[2010/09/28 13:57:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/09/26 15:44:29 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/09/26 15:41:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/10 20:17:40 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Liz\NTUSER.DAT
[2010/10/10 20:14:21 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Liz\Desktop\OTL.exe
[2010/10/10 20:00:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/10/10 19:54:52 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Liz\Desktop\MBRCheck.exe
[2010/10/10 19:51:48 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/10/10 19:47:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/10 19:47:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/10/10 19:46:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/10/10 19:46:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/10 19:46:33 | 2111,418,368 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/10 19:45:43 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Liz\ntuser.ini
[2010/10/10 19:45:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2010/10/10 19:45:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2010/10/10 16:49:53 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/10 16:03:30 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2010/10/10 16:03:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2010/10/09 22:22:47 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2010/10/09 22:22:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2010/10/08 19:26:55 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2010/10/08 19:26:55 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2010/10/07 18:36:02 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2010/10/07 18:36:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2010/10/07 12:58:23 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2010/10/07 12:58:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2010/10/06 22:45:52 | 000,507,858 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/10/06 22:45:52 | 000,445,700 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/06 22:45:52 | 000,072,780 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/06 22:42:35 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2010/10/06 22:42:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2010/10/06 19:57:17 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/10/06 19:48:06 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/10/06 19:48:06 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\Liz\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2010/10/06 18:44:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/05 22:13:51 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2010/10/05 22:13:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2010/10/05 06:38:00 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Liz\Desktop\gmer.zip
[2010/10/05 06:32:28 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2010/10/05 06:32:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2010/10/05 06:21:43 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Liz\Desktop\dds.scr
[2010/10/03 22:14:58 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2010/10/03 22:14:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2010/10/02 10:27:59 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2010/10/02 10:27:59 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2010/10/01 22:18:33 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2010/10/01 22:18:33 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2010/10/01 15:29:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2010/10/01 15:29:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2010/10/01 13:33:31 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2010/10/01 13:33:31 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2010/10/01 09:19:08 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2010/10/01 09:19:08 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2010/09/30 22:45:40 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2010/09/30 22:45:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2010/09/30 14:44:39 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2010/09/30 14:44:39 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2010/09/30 10:20:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2010/09/30 10:20:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2010/09/29 23:06:18 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2010/09/29 23:06:18 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2010/09/29 13:08:13 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2010/09/29 13:08:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2010/09/29 13:03:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Liz\defogger_reenable
[2010/09/29 13:02:30 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Liz\Desktop\Defogger.exe
[2010/09/26 15:45:43 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2010/09/26 15:41:27 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/09/23 06:04:12 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/09/21 12:12:03 | 001,055,666 | ---- | M] () -- C:\Documents and Settings\Liz\My Documents\technical templates continued.docx
[2010/09/15 22:25:00 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/10 19:54:51 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Liz\Desktop\MBRCheck.exe
[2010/10/10 16:49:53 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/06 19:57:17 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/10/05 06:37:58 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Liz\Desktop\gmer.zip
[2010/09/29 13:16:04 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Liz\Desktop\dds.scr
[2010/09/29 13:03:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Liz\defogger_reenable
[2010/09/29 13:02:30 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Liz\Desktop\Defogger.exe
[2010/09/26 15:46:37 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/09/26 15:41:27 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/04/04 17:24:22 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/12/22 09:45:07 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\UKCpInfo.sys
[2008/11/16 23:33:33 | 000,000,344 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2008/11/16 23:19:28 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\SystemConfiguration
[2008/11/16 23:19:28 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Liz\Application Data\Synth Leads
[2008/11/16 23:19:28 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2008/11/16 23:19:28 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Transportation
[2008/11/16 23:17:43 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Synth Textures
[2008/11/16 23:17:43 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Liz\Application Data\Sync Services
[2008/11/16 23:17:43 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2008/11/16 23:17:43 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Textures
[2008/10/22 09:14:15 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\sh33w32.dll
[2008/08/26 20:24:02 | 000,000,508 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/30 22:46:39 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\PdeSrvps.dll
[2008/03/07 07:47:16 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/03/02 15:53:16 | 000,000,075 | ---- | C] () -- C:\WINDOWS\SLS.INI
[2008/02/03 08:22:38 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Liz\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/25 11:38:42 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\ResDLL.dll
[2008/01/16 23:30:18 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Liz\Local Settings\Application Data\fusioncache.dat
[2008/01/14 13:32:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/01/14 13:26:02 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/01/14 13:26:02 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/01/14 13:23:46 | 000,131,070 | ---- | C] () -- C:\WINDOWS\System32\DellPM.ini
[2008/01/14 13:04:32 | 000,001,202 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/02/28 06:03:32 | 000,080,720 | ---- | C] () -- C:\WINDOWS\System32\AsfBios.dll
[2007/01/23 04:45:40 | 000,025,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\netamsg.dll
[2006/11/07 05:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/17 00:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2004/08/11 18:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 18:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[1996/12/06 01:00:00 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\PCDLIB32.DLL

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2009/02/04 13:56:14 | 000,075,112 | ---- | M] (GEAR Software, Inc.) -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DifXInstall32.exe
[2010/10/06 19:50:01 | 000,073,000 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
[2010/02/08 12:19:58 | 000,079,144 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
[2010/04/04 09:27:16 | 000,079,144 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
[2010/10/06 19:46:43 | 000,072,488 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe


< MD5 for: AGP440.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/10/05 14:18:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/10/05 14:18:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/10/05 14:18:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/10/05 14:18:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2006/08/28 03:02:10 | 000,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\i386\atapi.sys
[2006/08/27 22:02:10 | 000,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/09/23 21:03:40 | 000,305,688 | ---- | M] (Intel Corporation) MD5=BDC361489A7F22E568060FA6FB3C960E -- C:\drivers\storage\R165147\IaStor.sys
[2007/09/23 21:03:40 | 000,305,688 | ---- | M] (Intel Corporation) MD5=BDC361489A7F22E568060FA6FB3C960E -- C:\i386\iaStor.sys
[2007/07/26 20:02:44 | 000,305,688 | ---- | M] (Intel Corporation) MD5=BDC361489A7F22E568060FA6FB3C960E -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/09/23 21:03:40 | 000,305,688 | ---- | M] (Intel Corporation) MD5=BDC361489A7F22E568060FA6FB3C960E -- C:\WINDOWS\system32\drivers\iaStor.sys
[2007/07/26 20:03:14 | 000,381,976 | ---- | M] (Intel Corporation) MD5=D4E95DA8351AA16E627AE968FB77E6D9 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >

___________________

OTL Extras logfile created on: 10/10/2010 20:16:09 - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Liz\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.76 Gb Total Space | 141.09 Gb Free Space | 60.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LIZOPTIPLEX
Current User Name: Liz
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJIFILM Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\DealBook 360\DealBook 360.exe" = C:\Program Files\DealBook 360\DealBook 360.exe:*:Enabled:DealBook 360 -- ()
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Disabled:McAfee Network Agent -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{1103112B-513D-4DEF-96B4-9889774E0118}" = Creative Zen Touch
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP630_series" = Canon MP630 series MP Drivers
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F51A0CA-2BDD-474E-BB90-C7FA8EA78F52}" = ImageMixer VCD/DVD2 for OLYMPUS
"{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}" = Safari
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.5.5
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 21
"{26B5D684-75D6-44B9-BBFF-D4100F43092A}" = Sony Ericsson PC Suite
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{30BB4D60-81DB-11D5-BB77-00400536ABAC}" = OLYMPUS CAMEDIA Master 4.2
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4E906AAC-624C-4600-9823-1195A51345FC}" = DealBook 360
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{53183B25-FBDC-4B95-856A-DCDD69DFEE18}" = Intel® PRO Alerting Agent
"{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns
"{5AFA4872-16B2-419E-ADCA-8E96E739115D}" = Music Manager
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.4
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{87841AF8-C785-42FF-A76E-CC0F0C2816CC}" = ATI Catalyst Control Center
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_BASICR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_BASICR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_BASICR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}" = Dell ETS Factory Installation
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AEBBFC67-7A03-4DF3-9E71-BA5C9EB4FBEF}" = MobileMe Control Panel
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B44529FF-501E-47CD-A06D-223C161BE058}" = FinePixViewer Resource
"{BA820A24-704B-428D-9904-71A10DAC1372}" = OLYMPUS Master
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D466F3D9-510C-4729-B7D4-2E70490E4CDF}" = BBC iPlayer Download Manager
"{DA0BF7AB-88EB-4675-8FA1-531EAD938821}" = SnagIt 8
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E3B3AB03-8ABC-46CF-8CA9-DB5581E1F368}" = FinePix Studio
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}" = Disc2Phone
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.8
"ATI Display Driver" = ATI Display Driver
"BASICR" = Microsoft Office Basic 2007
"BBC iPlayer Download Manager" = BBC iPlayer Download Manager
"Canon MP630 series User Registration" = Canon MP630 series User Registration
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"Corel Uninstaller" = Corel Uninstaller
"Coupon Printer2.0" = Coupon Printer
"Creative Jukebox Driver" = Creative Jukebox Driver
"DBFX Trading Station" = DBFX Trading Station
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{BA820A24-704B-428D-9904-71A10DAC1372}" = OLYMPUS Master
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Rapport_msi" = Rapport
"RealPlayer 6.0" = RealPlayer
"Say the Time" = Say the Time 9.0
"SearchAssist" = SearchAssist
"Spotify" = Spotify
"ST6UNST #1" = Secrets of the Masters Trading Game
"SysInfo" = Creative System Information
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-109209031-1851510006-1098153493-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{4E906AAC-624C-4600-9823-1195A51345FC}" = DealBook 360
"Trader Workstation" = Trader Workstation
"TWS Demo" = TWS Demo

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/10/2010 05:56:20 | Computer Name = LIZOPTIPLEX | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/10/2010 05:56:20 | Computer Name = LIZOPTIPLEX | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 10822297

Error - 10/10/2010 05:56:20 | Computer Name = LIZOPTIPLEX | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 10822297

Error - 10/10/2010 09:01:10 | Computer Name = LIZOPTIPLEX | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6201.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 10/10/2010 09:01:10 | Computer Name = LIZOPTIPLEX | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/10/2010 09:01:10 | Computer Name = LIZOPTIPLEX | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6557562

Error - 10/10/2010 09:01:10 | Computer Name = LIZOPTIPLEX | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6557562

Error - 10/10/2010 09:01:13 | Computer Name = LIZOPTIPLEX | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 2152759308, P2 unspecified, P3 scanfile,
P4 2.1.6805.0, P5 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 10/10/2010 11:04:54 | Computer Name = LIZOPTIPLEX | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 10/10/2010 14:46:57 | Computer Name = LIZOPTIPLEX | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

[ OSession Events ]
Error - 17/04/2008 10:48:00 | Computer Name = LIZOPTIPLEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 78
seconds with 0 seconds of active time. This session ended with a crash.

Error - 21/04/2008 15:41:29 | Computer Name = LIZOPTIPLEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3711
seconds with 540 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 05/10/2010 01:35:07 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 05/10/2010 11:33:46 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 06/10/2010 01:13:19 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 07/10/2010 01:45:49 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 07/10/2010 12:32:03 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 08/10/2010 00:44:20 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 09/10/2010 03:55:01 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 10/10/2010 02:25:29 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 10/10/2010 11:06:32 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.

Error - 10/10/2010 14:48:20 | Computer Name = LIZOPTIPLEX | Source = Service Control Manager | ID = 7022
Description = The KService service hung on starting.


< End of report >

#8 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:05:45 AM

Posted 11 October 2010 - 06:19 PM

Hi-

Thanks for the listings.

Sometime in the past you had an infected flash drive plugged into your computer as the E:\ drive. You need to use Flash_Disinfector.
Flash_Disinfector is a specialized fix tool created by sUBs to remove infections that load an autorun.inf file on removable media. Flash_Disinfector will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. This folder helps to keep the malicious autorun.ini file from being installed on the root drive and running other malicious files which will infect the computer.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

To get rid of McAfee -
  • Click on the following link to download the MCPR removal tool

    McAfee Uninstall download
  • Click Save and save the file to your desktop
  • Close all McAfee Application windows you may have open, and double-click on MCPR.exe to start the removal tool. Windows Vista users will have to right-click on the file and select "Run as Administrator"
  • After the removal tool finishes, you should be prompted to restart your computer.
  • Once the computer restarts, your McAfee product should be uninstalled.

Next, we need to run an OTL Fix.
  • Please reopen on your desktop.
  • Copy and Paste the following code into the textbox. Do not include the word "Code"
CODE
:OTL
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\nnzocrjm.sys -- (nnzocrjm)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\kahjyrhh.sys -- (kahjyrhh)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\anaefxzw.sys -- (anaefxzw)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKU\S-1-5-21-109209031-1851510006-1098153493-1005\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [1A:Stardock TrayMonitor] File not found
O4 - HKLM..\Run: [Say the Time] File not found
O4 - HKLM..\RunServices: [1A:Stardock TrayMonitor] File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O33 - MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\Shell\AutoRun\command - "" = E:\lky.exe -- File not found
O33 - MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\Shell\explore\Command - "" = E:\lky.exe -- File not found
O33 - MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\Shell\open\Command - "" = E:\lky.exe -- File not found
:commands
[emptytemp]
  • Push
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click .
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

I'd like for you to scan your machine with ESET OnlineScan
  • Hold down Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

In your reply, please copy in the OTL fix report and the ESET OnlineScan report (if you get one). Let me know how your computer is doing and what problems remain to be fixed.
Shannon

#9 eag

eag
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 13 October 2010 - 03:15 PM

Hi Shannon

Thanks for your continued help with cleaning up my computer..

I ran the flash disinfector. I don't own a flash drive, but my children do & they are not here right now so I couldn't plug it in. I do have an external hard drive that I bought to back up my system before I posted on this website. I didn't plug it in for the flash disinfector. Should I have done?

I ran the Mcafee uninstall program, and now each time I reboot a message briefly pops up to say I have no firewall, but then when I look in control panel it says the firewall is on. Perhaps there is just a moment when the system is firing up when the micrisoft firewall is not working?

Here is the OTL log:

All processes killed
========== OTL ==========
Service nnzocrjm stopped successfully!
Service nnzocrjm deleted successfully!
File C:\WINDOWS\System32\drivers\nnzocrjm.sys not found.
Service kahjyrhh stopped successfully!
Service kahjyrhh deleted successfully!
File C:\WINDOWS\System32\drivers\kahjyrhh.sys not found.
Service anaefxzw stopped successfully!
Service anaefxzw deleted successfully!
File C:\WINDOWS\System32\drivers\anaefxzw.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_USERS\S-1-5-21-109209031-1851510006-1098153493-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\1A:Stardock TrayMonitor deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Say the Time deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\\1A:Stardock TrayMonitor deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bd806171-da8f-11dd-87c8-001e4f96d12b}\ not found.
File E:\lky.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bd806171-da8f-11dd-87c8-001e4f96d12b}\ not found.
File E:\lky.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd806171-da8f-11dd-87c8-001e4f96d12b}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bd806171-da8f-11dd-87c8-001e4f96d12b}\ not found.
File E:\lky.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Laura
->Temp folder emptied: 2438217 bytes
->Temporary Internet Files folder emptied: 133508727 bytes
->Java cache emptied: 25537310 bytes
->Flash cache emptied: 1831 bytes

User: Liz
->Temp folder emptied: 793650313 bytes
->Temporary Internet Files folder emptied: 568930971 bytes
->Java cache emptied: 261437774 bytes
->Flash cache emptied: 130857 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 5106293 bytes
->Flash cache emptied: 8246 bytes

User: NetworkService
->Temp folder emptied: 148746 bytes
->Temporary Internet Files folder emptied: 214255283 bytes

User: Test 16

User: test 20

User: test15

User: test17

User: TEST18
->Temp folder emptied: 953363 bytes
->Temporary Internet Files folder emptied: 393078 bytes
->Java cache emptied: 0 bytes

User: test19

User: test21
->Temp folder emptied: 9634359 bytes
->Temporary Internet Files folder emptied: 74185709 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1936 bytes

User: Vicky
->Temp folder emptied: 23777181 bytes
->Temporary Internet Files folder emptied: 58548447 bytes
->Java cache emptied: 31493864 bytes
->Flash cache emptied: 100106 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 198364818 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 91291282 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 538633313 bytes

Total Files Cleaned = 2,892.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10132010_122933

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Liz\Local Settings\Temp\~DFC86D.tmp not found!
File\Folder C:\Documents and Settings\Liz\Local Settings\Temp\~DFC886.tmp not found!
File\Folder C:\Documents and Settings\Liz\Local Settings\Temp\~DFC92A.tmp not found!
File\Folder C:\Documents and Settings\Liz\Local Settings\Temp\~DFC940.tmp not found!
File\Folder C:\Documents and Settings\Liz\Local Settings\Temp\~DFCB0E.tmp not found!
File\Folder C:\Documents and Settings\Liz\Local Settings\Temp\~DFCB1F.tmp not found!
File\Folder C:\Documents and Settings\Liz\Local Settings\Temp\~DFF3AD.tmp not found!
C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\KTTMEZFU\topic350627[1].htm moved successfully.
C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\IVR1U3U1\iframe[1].htm moved successfully.

Registry entries deleted on Reboot...


The ESET scan said 'No threats found'.

My computer seems to be running OK. Nothing unusual or out of the ordinary seems to be happening.

Liz

#10 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:05:45 AM

Posted 14 October 2010 - 02:01 PM

Hi-

It looks like you have a clean computer, but we do need to take care of a few things before we clear off the tools we used and I pass on some words of advice.

On the Flash_Disinfector, keep the instructions handy and use Flash_Disinfector on any USB storage device including your extrenal hard drive.

Please delete the MBRCheck.exe and the MCPR.exe icons from your desktop.

Time to delete ComboFix and Clean Up
  • Click on the Start button in your system tray
  • click on Run
  • key in the following in bold type:
      combofix /Uninstall
  • click on Ok

Next, we should remove the tools we used and we will do that with OTL-
  • Double click on the icon on your desktop.
  • Click the "CleanUp" button.
  • Restart your computer when prompted.

Please take the time to read below to secure your machine and take the necessary steps to keep it clean.

One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are going to sites that you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a pop up appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop ups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a pop up that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster

SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Update your Java runtimes regularly

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Download the latest version here - http://java.sun.com/javase/downloads/index.jsp. You want to select the JRE version.
Follow this list and your potential for being infected again will reduce dramatically.

Good Luck!!


Shannon

#11 eag

eag
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 18 October 2010 - 07:44 AM

Hi Shannon

Thanks so much for all of your help to get my computer clean. I wouldn't have had the first clue how to go about getting rid of the little beasties residing on my PC without your direction. Thanks to anyone else behind the scenes who was helping too.

Great advice also on how to stay safe, which I will be keeping uptodate with from now on.

All the best

Liz

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:45 AM

Posted 19 October 2010 - 01:27 PM

You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users