Desperate: svchost.exe error due to ztjen rootkit


  • This topic is locked
24 replies to this topic

#1 broigel

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 09:05 AM

Posted 18 October 2010 - 12:23 PM

I have a near fatal problem with my main computer which manifests itself as: 'svchost Application error - the instruction at "0x001a61ae" referenced memory at "0x00000000". The memory could not be written'. I have trawled the net and found this to be a common problem but difficult to fix. I have tried all the solutions I have found, from turning off automatic windows updates to running CCleaner to ATF Cleaner to running REGSVR32 WUAPI.DLL to trying to run Malwarebytes and Sysclean - these last 2 will NOT run even in Safe Mode.
The symptoms of the problem are that my computer is totally unstable but variable: mostly it will not connect to the internet at all but occasionally it connects itself on booting and then appears to be sending and receiving stuff and will not disconnect. If I do manage to connect to the net, start with Google and try to open links in other tabs (using Firefox), I am hijacked to spurious unrelated sites and I often find I cannot open a web-page because it is held up waiting for "Google Analytics".
When trying to work with my usual spreadsheets or Word, mostly I get a shot at opening one application but if I try another it crashes. Some applications will not open at all in normal mode. The computer will hardly ever turn off from the screen but requires the button to be held in. Sometimes I re-boot and find the mouse is working but the keyboard is not - hopeless. I can start in Safe Mode but cannot connect to the net and therefore cannot use e-mail. The error message above appears in Safe Mode, every 30 seconds or so - so the error is not disabled in Safe Mode. And I cannot work properly or print anything in Safe Mode either. So I'm completely stuffed.
I did manage to run a HijackThis scan in Safe Mode and saw under Services O23 a couple of items which were not there in the past, namely "Google Update Service (gupdate) (gupdate) - Google Inc." and "NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE". When searching for Nalpeiron Ltd I came across a post on this site on 24/06/10 by Moses2112 suggesting that "nalpeiron is a virus?" but unfortunately this post was closed before being fixed. Neither of these O23 items remain fixed when trying to remove them with HijackThis.
I would be extremely grateful if someone could please help here because I cannot work at all due to this problem.
I have run DDS and GMER (which has identified rootkit activity) and their logs are as follows:


DDS (Ver_10-10-10.03) - NTFSx86 MINIMAL
Run by SMG at 14:32:17.06 on 18/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1022.811 [GMT 1:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.tiscali.co.uk
uSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\2.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\2.bin\SPYBLOCK.DLL
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LanguageMonitor] c:\windows\system32\Oplmsb01.exe OKI B4100
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\office
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 93.188.163.74,93.188.166.109
TCP: {0397E617-0FD4-4443-8E25-BC750942D4A2} = 93.188.163.74,93.188.166.109
Handler: ct - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\program files\caseware\cwproto.dll
Handler: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\program files\caseware\cwproto.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\smg\applic~1\mozilla\firefox\profiles\6emvpsj8.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\smg\application data\mozilla\firefox\profiles\6emvpsj8.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

S1 ensqio;ensqio;c:\windows\system32\drivers\ensqio.sys --> c:\windows\system32\drivers\ensqio.sys [?]
S1 sbpcint4;SB AudioPCI 128;c:\windows\system32\drivers\sbpcint4.sys --> c:\windows\system32\drivers\sbpcint4.sys [?]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-3-21 532224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176]
S2 nlsX86cc;NLS Service;c:\windows\system32\nlssrv32.exe --> c:\windows\system32\NLSSRV32.EXE [?]
S2 SMSCGISVC;System Managment Controler; [x]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 ztjen;Support Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2008-12-31 34064]
S3 pbrxlddp;pbrxlddp;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2010-10-13 17:12:22 -------- d--h--w- c:\windows\PIF
2010-10-12 19:28:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 19:28:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 18:59:30 -------- d-----w- c:\program files\CCleaner
2010-10-04 11:38:39 -------- d-----w- c:\program files\TweakNow RegCleaner Std
2010-10-04 11:32:25 90112 ------w- c:\windows\SDUnInst.exe
2010-10-04 11:32:25 -------- d-----w- c:\program files\Software by Design
2010-10-04 11:19:48 -------- d-----w- c:\program files\RegGenie

==================== Find3M ====================

2009-11-05 17:56:25 7908352 ----a-w- c:\program files\Firefox Setup 3.5.4.exe
2009-11-02 15:09:10 959592 ----a-w- c:\program files\EFRCSetup.exe
2009-11-02 10:33:24 25740144 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-04-06 11:12:30 267152 ----a-w- c:\program files\ZoneAlarmSetup_en.exe
2009-04-06 11:04:00 63049904 ----a-w- c:\program files\avg_free_stf_en_85_285a1462.exe
2008-12-31 00:27:54 127998 ----a-w- c:\program files\install_setup.exe
2008-09-30 08:41:30 46829456 ----a-w- c:\program files\zlsSetup_70_483_000_en.exe
2008-06-11 10:18:27 519650 ----a-w- c:\program files\2007_08_DividendDataFeed.exe
2008-06-11 10:17:03 33557446 ----a-w- c:\program files\PersonalTax_110_3789_Update.exe
2008-03-21 10:57:44 31768752 ----a-w- c:\program files\avg75free_519a1276.exe
2008-03-21 02:02:54 210416 ----a-w- c:\program files\zaSetup_en.exe
2008-03-18 11:43:21 1426752 ----a-w- c:\program files\dopdf.exe
2008-03-18 11:33:10 18473549 ----a-w- c:\program files\PDF_FreewarePrimo32Setup.exe
2007-11-12 11:05:07 3431053 ----a-w- c:\program files\MailWasher_Free_setup.exe
2007-11-09 15:12:32 4620542 ----a-w- c:\program files\FeedReader311Setup.exe

============= FINISH: 14:34:29.35 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 14/11/2006 09:27:46
System Uptime: 18/10/2010 10:37:06 (4 hours ago)

Motherboard: Dell Computer Corp. | | 0CF458
Processor: Intel® Celeron® CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 63.804 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}
Description: OKI DATA CORPB4100
Device ID: USBPRINT\OKI_DATA_CORPB4100\7&2249CCC6&0&USB001
Manufacturer:
Name: OKI DATA CORPB4100
PNP Device ID: USBPRINT\OKI_DATA_CORPB4100\7&2249CCC6&0&USB001
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Belkin 802.11g Network Adapter
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_700114E4&REV_02\4&1C660DD6&0&10F0
Manufacturer: Belkin
Name: Belkin 802.11g Network Adapter
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_700114E4&REV_02\4&1C660DD6&0&10F0
Service: BCM43XX

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01D51028&REV_02\4&1C660DD6&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01D51028&REV_02\4&1C660DD6&0&40F0
Service: E100B

==== System Restore Points ===================

RP210: 12/08/2010 18:39:30 - System Checkpoint
RP211: 23/08/2010 10:00:25 - System Checkpoint
RP212: 23/08/2010 14:05:55 - Installed Nitro PDF Professional
RP213: 25/08/2010 13:21:55 - Removed Nitro PDF Professional
RP214: 26/08/2010 18:56:34 - System Checkpoint
RP215: 27/08/2010 13:22:50 - Unsigned driver install
RP216: 13/09/2010 13:23:34 - System Checkpoint
RP217: 24/09/2010 18:04:51 - System Checkpoint
RP218: 30/09/2010 14:43:53 - System Checkpoint
RP219: 02/10/2010 14:03:34 - System Checkpoint
RP220: 08/10/2010 13:12:59 - System Checkpoint
RP221: 14/10/2010 18:40:28 - System Checkpoint

==== Installed Programs ======================


Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
BitTorrent
Blubster 2.6.9
Bluetooth Stack for Windows by Kondor
CaseWare Working Papers 2001
CCleaner
Compatibility Pack for the 2007 Office system
Corel Photo Album 6
Corp2000v2 Standalone
Coupon Printer
Dell Driver Reset Tool
Dell System Restore
Digita Accounts Data Provider
Digita Accounts Production
Digita Database Backup
Digita Personal, Business and Trust Tax
Digita Shared Components v1.0
Digita Shared Components v2.0
Digita Tax Link
DLL Show
doPDF 6.0 printer
Egress Switch Reader
Eusing Free Registry Cleaner
Google Earth
Google Update Helper
GoToMeeting 4.0.0.320
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB954550-v5)
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
Java™ 6 Update 14
Java™ 6 Update 5
K-Lite Codec Pack 3.5.3 Standard
Keytime Accountant Suite Update
Keytime Accountants Suite
Keytime Accountants Suite Update
Keytime Accountants Suite v2008
Keytime Accountants Suite v2009
KODAK Gallery Upload Software
Learn2 Player (Uninstall Only)
MailWasher Free
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft SQL Server Desktop Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 2.0 SP3 Runtime
Microsoft XML Parser
Mozilla Firefox (3.6.10)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nokia Connectivity Cable Driver
NonCorp2000Kestv1 Standalone
OKI B4100_4250 Status Monitor
OpenOffice.org 2.0
PC Connectivity Solution
PowerDVD 5.5
PrimoPDF
RealPlayer
RealUpgrade 1.0
Runtime 8.0 Libraries
Sage Accounts
Sage Accounts 8.20
Sage Accounts V10.00
Sage Accounts V12.00
Sage MIS 3.01
SageAcc
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster AudioPCI 128
TweakNow RegCleaner Standard
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VC 9.0 Runtime
Voyager 105 ADSL Modem
WebFldrs XP
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

15/10/2010 13:09:04, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
14/10/2010 14:45:48, error: Service Control Manager [7000] - The NLS Service service failed to start due to the following error: The system cannot find the file specified.
13/10/2010 01:21:27, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.1.65. The machine with the IP address 192.168.1.69 did not allow the name to be claimed by this machine.
12/10/2010 21:06:21, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
12/10/2010 21:06:21, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/10/2010 16:58:24, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm Tosrfcom
12/10/2010 12:20:30, error: Service Control Manager [7034] - The Help and Support service terminated unexpectedly. It has done this 3 time(s).
12/10/2010 12:20:30, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/10/2010 12:20:30, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tosrfcom vsdatant
12/10/2010 12:20:30, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2010 12:20:30, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2010 12:20:30, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2010 12:20:30, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2010 12:20:30, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2010 12:15:45, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/10/2010 12:15:40, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/10/2010 10:15:34, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
12/10/2010 10:15:16, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
12/10/2010 10:15:16, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
11/10/2010 18:57:06, error: Service Control Manager [7023] - The Support Installer service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
11/10/2010 16:37:43, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 2 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The System Restore Service service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 2 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Secondary Logon service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 2 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 2 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Fast User Switching Compatibility service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
11/10/2010 15:43:05, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/10/2010 15:43:05, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/10/2010 15:43:05, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/10/2010 15:43:05, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/10/2010 15:43:05, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/10/2010 15:43:05, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
11/10/2010 15:43:05, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
11/10/2010 15:43:05, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
11/10/2010 15:42:09, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/10/2010 15:18:38, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.1.64. The machine with the IP address 192.168.1.69 did not allow the name to be claimed by this machine.
11/10/2010 12:02:04, error: BROWSER [8019] - The browser was unable to promote itself to master browser. The browser will continue to attempt to promote itself to the master browser, but will no longer log any events in the event log in Event Viewer.
11/10/2010 10:26:48, error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is SMG-DELL.

==== End Of File ===========================

GMER 1.0.15.15315 - http://www.gmer.net
Rootkit scan 2010-10-18 17:56:32
Windows 5.1.2600 Service Pack 2
Running: i85gxh5o.exe; Driver: C:\DOCUME~1\SMG\LOCALS~1\Temp\pwtiqkog.sys


---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ztjen <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ztjen@DisplayName Support Installer
Reg HKLM\SYSTEM\ControlSet001\Services\ztjen@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\ztjen@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\ztjen@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\ztjen@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\ztjen@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\ztjen@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\ControlSet001\Services\ztjen\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ztjen\Parameters@ServiceDll C:\WINDOWS\system32\uttpcq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be014f0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@DisplayName Support Installer
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen\Parameters@ServiceDll C:\WINDOWS\system32\uttpcq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00081be014f0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen@DisplayName Support Installer
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ztjen\Parameters@ServiceDll C:\WINDOWS\system32\uttpcq.dll
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00081be014f0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen@DisplayName Support Installer
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\ztjen\Parameters@ServiceDll C:\WINDOWS\system32\uttpcq.dll

---- EOF - GMER 1.0.15 ----

Hope I've done this right and that someone can help!
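An added triage script, not part of the original thread and not BleepingComputer's or GMER's code: it parses GMER output of the kind posted above and flags the pattern that the ztjen entry shows, a service that GMER marks as hidden from the service control manager, runs as `svchost.exe -k netsvcs`, loads a ServiceDll that is not one of the DLLs that group normally hosts, and borrows the stock description of a real Windows service (the "Maintains links between NTFS files..." text is the Distributed Link Tracking Client description). The netsvcs DLL allowlist and the description mapping are assumptions for illustration, not data from the page; the ztjen lines in the sample are copied from the log above, and the TrkWks block is constructed as a clean control.

```python
"""Triage a GMER 'Services'/'Registry' dump for a malicious svchost-hosted service.

Input: the text lines GMER prints (constructed sample below). Output: a list of
findings, one per (control set, service) that looks wrong.
"""
import re
from collections import defaultdict

# One GMER registry line per value:
#   Reg HKLM\SYSTEM\<ControlSet>\Services\<svc>[\Sub]@<Value> <data>
REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@]+?)"
    r"(?P<sub>(?:\\[^\\@]+)*)@(?P<val>\S+)\s*(?P<data>.*?)\s*$"
)
# GMER's banner for a service it finds in the registry but not via the SCM API.
HIDDEN_LINE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* ?\)\s+\[\w+\]\s+(?P<svc>\S+)"
)
SVCHOST_IMAGE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)

# ASSUMPTION / illustrative only: DLLs the stock Windows XP 'netsvcs' group loads.
# Build a real baseline from a known-clean machine of the same build.
KNOWN_SERVICE_DLLS = {
    "netsvcs": {
        "appmgmts.dll", "audiosrv.dll", "browser.dll", "cryptsvc.dll", "es.dll",
        "hidserv.dll", "ipnathlp.dll", "mswsock.dll", "netman.dll", "pchsvc.dll",
        "qmgr.dll", "rasauto.dll", "rasmans.dll", "schedsvc.dll", "seclogon.dll",
        "sens.dll", "shsvcs.dll", "srsvc.dll", "srvsvc.dll", "tapisrv.dll",
        "trkwks.dll", "w32time.dll", "wkssvc.dll", "wmisvc.dll", "wuauserv.dll",
        "wzcsvc.dll", "xmlprov.dll", "ersvc.dll",
    }
}
# Stock descriptions malware copies verbatim to look legitimate; the text on the
# ztjen entry is the Distributed Link Tracking Client (TrkWks) description.
STOCK_DESCRIPTIONS = {
    "maintains links between ntfs files within a computer or across computers "
    "in a network domain.": "TrkWks",
}


def parse_gmer_services(lines):
    """Return {(control_set, service): {value_name: data}}; values under a
    subkey are stored as 'Sub\\Value' (e.g. 'Parameters\\ServiceDll')."""
    services = defaultdict(dict)
    for line in lines:
        m = REG_LINE.match(line.strip())
        if not m:
            continue  # key-only lines, '(not active ControlSet)' notes, banners
        name = m["val"] if not m["sub"] else m["sub"].lstrip("\\") + "\\" + m["val"]
        services[(m["cs"], m["svc"])][name] = m["data"]
    return services


def analyze(lines, known_dlls=KNOWN_SERVICE_DLLS, stock=STOCK_DESCRIPTIONS):
    """Flag services that are SCM-hidden, load an unexpected ServiceDll under
    svchost, or reuse another service's stock description."""
    hidden = {m["svc"] for m in (HIDDEN_LINE.match(l.strip()) for l in lines) if m}
    findings = []
    for (cs, svc), values in parse_gmer_services(lines).items():
        reasons = []
        if svc in hidden:
            reasons.append("hidden from the service control manager (GMER)")
        host = SVCHOST_IMAGE.search(values.get("ImagePath", ""))
        dll = values.get("Parameters\\ServiceDll", "")
        if host:
            group = host["group"].lower()
            base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if not dll:
                reasons.append("svchost-hosted but has no ServiceDll")
            elif base not in known_dlls.get(group, set()):
                reasons.append(f"ServiceDll {base} is not a known '{group}' DLL")
        desc = values.get("Description", "").strip().lower()
        if desc in stock and stock[desc].lower() != svc.lower():
            reasons.append(f"Description copied from {stock[desc]}")
        if reasons:
            findings.append({"control_set": cs, "service": svc,
                             "service_dll": dll, "reasons": reasons})
    return findings


# Sample input: the ztjen lines are copied from the GMER log above; the TrkWks
# block is CONSTRUCTED here as a clean control and is not from the page.
SAMPLE_GMER_LOG = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ztjen <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@DisplayName Support Installer
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ztjen\Parameters@ServiceDll C:\WINDOWS\system32\uttpcq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TrkWks@DisplayName Distributed Link Tracking Client
Reg HKLM\SYSTEM\CurrentControlSet\Services\TrkWks@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\TrkWks@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\CurrentControlSet\Services\TrkWks\Parameters@ServiceDll C:\WINDOWS\system32\trkwks.dll
"""

if __name__ == "__main__":
    for hit in analyze(SAMPLE_GMER_LOG.splitlines()):
        print(f"[{hit['control_set']}] {hit['service']} -> {hit['service_dll']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Two caveats for anyone using this on their own log. GMER does not print the svchost group membership, and a service only loads under `-k netsvcs` if its name is also listed in the netsvcs multi-string under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, so the companion check is to diff that list against a clean machine (the `netsvcs` keyword in an OTL custom scan reports it). And the file named in ServiceDll, here uttpcq.dll, is the actual payload; the svchost.exe that crashes is a legitimate Microsoft binary hosting it, so hash and submit the DLL, not svchost.exe.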

#2 myrti (Malware Study Hall Admin)
Posted 27 October 2010 - 06:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    winlogon.exe
    wininit.exe
    explorer.exe
    hlp.dat
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti (Malware Study Hall Admin)
Posted 04 November 2010 - 05:18 AM

As it has gone stale, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#4 myrti (Malware Study Hall Admin)
Posted 09 November 2010 - 06:11 AM

Topic reopened, please post your logs.

regards myrti



#5 broigel (Topic Starter)

Posted 09 November 2010 - 11:11 AM

Thanks Myrti - managed to run OTL and logs are as below. (Looks a nightmare to me! Good luck!)

OTL.Txt:

OTL logfile created on: 09/11/2010 15:49:38 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\SMG\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 575.00 Mb Available Physical Memory | 56.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.96 Gb Total Space | 62.38 Gb Free Space | 42.74% Space Free | Partition Type: NTFS

Computer Name: SMG_DELL_PC | User Name: SMG | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/09 15:43:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SMG\My Documents\Downloads\OTL.exe
PRC - [2010/11/08 23:15:08 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/17 12:41:23 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/06/23 12:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2010/06/23 12:51:30 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2007/06/13 10:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/11/17 10:56:30 | 001,740,800 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2005/10/20 21:27:48 | 005,541,888 | ---- | M] (Firetrust Ltd) -- C:\Program Files\MailWasher\MailWasher.exe
PRC - [2005/09/07 14:19:22 | 000,221,184 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2005/08/17 09:59:34 | 000,290,816 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2005/08/16 22:11:28 | 000,065,536 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2004/01/09 15:28:04 | 000,094,208 | ---- | M] (Oki Data Corporation) -- C:\WINDOWS\system32\Oplmsb01.exe


========== Modules (SafeList) ==========

MOD - [2010/11/09 15:43:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SMG\My Documents\Downloads\OTL.exe
MOD - [2010/07/17 12:43:28 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
MOD - [2006/08/25 15:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SMSCGISVC)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\NLSSRV32.EXE -- (nlsX86cc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/23 12:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/09/23 16:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/06/02 09:10:08 | 000,637,952 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\sbpcint4.sys -- (sbpcint4)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\02.tmp -- (pbrxlddp)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\ensqio.sys -- (ensqio)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\SMG\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/05/13 09:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/11/17 01:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/11/07 04:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2006/01/20 09:16:02 | 000,425,216 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/11/15 22:36:20 | 000,036,736 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2005/11/11 15:09:52 | 000,052,864 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfsnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
DRV - [2005/10/28 18:41:02 | 000,108,928 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (Tosrfbd)
DRV - [2005/10/24 18:42:24 | 000,063,488 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfhid.sys -- (Tosrfhid)
DRV - [2005/09/16 16:35:58 | 000,046,592 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/09/15 18:06:08 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2005/08/01 16:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2005/07/11 18:58:56 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\toshidpt.sys -- (toshidpt)
DRV - [2005/02/23 13:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005/01/06 13:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/12/06 01:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 01:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 01:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 01:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 01:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 01:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 01:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 01:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 01:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 03:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 02:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/03 23:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 23:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 11:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 11:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/05/27 11:07:38 | 000,148,338 | ---- | M] (GlobespanVirata Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gwausb.sys -- (wanusb)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.co.uk/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.co.uk/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.tiscali.co.uk
IE - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 48
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.29


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/07/17 12:43:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/08 23:15:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/08 23:15:15 | 000,000,000 | ---D | M]

[2009/11/05 17:57:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\SMG\Application Data\Mozilla\Extensions
[2010/11/08 19:31:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\SMG\Application Data\Mozilla\Firefox\Profiles\6emvpsj8.default\extensions
[2010/08/03 23:34:22 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\SMG\Application Data\Mozilla\Firefox\Profiles\6emvpsj8.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/11/05 18:58:10 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\SMG\Application Data\Mozilla\Firefox\Profiles\6emvpsj8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/11/08 17:53:12 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/27 17:35:06 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2008/09/30 08:45:25 | 000,024,673 | ---- | M] (Check Point Software Technologies Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
[2010/07/15 13:29:16 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/07/15 13:29:16 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/07/15 13:29:16 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/07/15 13:29:16 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2008/04/04 08:33:28 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (ZoneAlarm Spy Blocker BHO) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL (ZoneAlarm)
O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL (ZoneAlarm)
O3 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\..\Toolbar\WebBrowser: (ZoneAlarm Spy Blocker) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL (ZoneAlarm)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LanguageMonitor] C:\WINDOWS\System32\Oplmsb01.exe (Oki Data Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O7 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O15 - HKU\S-1-5-21-3675716222-1085617785-1813893371-1007\..Trusted Domains: microsoft.com ([office] http in Trusted sites)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.74,93.188.166.109
O18 - Protocol\Handler\ct {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll (CaseWare International Inc.)
O18 - Protocol\Handler\cw {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll (CaseWare International Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2254973e-dce7-11de-9113-0011f5300101}\Shell - "" = AutoRun
O33 - MountPoints2\{2254973e-dce7-11de-9113-0011f5300101}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3c5988da-0676-11df-9129-0011f5300101}\Shell - "" = AutoRun
O33 - MountPoints2\{3c5988da-0676-11df-9129-0011f5300101}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{43c2c109-4c7b-11dd-aff1-0011f5300101}\Shell - "" = AutoRun
O33 - MountPoints2\{43c2c109-4c7b-11dd-aff1-0011f5300101}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6d099a5a-1c76-11df-912c-0011f5300101}\Shell - "" = AutoRun
O33 - MountPoints2\{6d099a5a-1c76-11df-912c-0011f5300101}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8fe42646-65aa-11df-913f-001150f654f2}\Shell - "" = AutoRun
O33 - MountPoints2\{8fe42646-65aa-11df-913f-001150f654f2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9cdba17e-87c5-11dc-882c-001320e5c31b}\Shell - "" = AutoRun
O33 - MountPoints2\{9cdba17e-87c5-11dc-882c-001320e5c31b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fdbd341d-1212-11de-a8d1-0011f5300101}\Shell - "" = AutoRun
O33 - MountPoints2\{fdbd341d-1212-11de-a8d1-0011f5300101}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {8D1D0E9A-C799-4D28-9E29-0061D1E66E43} - Microsoft .NET Framework 1.1 Hotfix (KB928366)
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: ztjen - C:\WINDOWS\system32\uttpcq.dll ()

========== Files/Folders - Created Within 30 Days ==========

[2010/10/13 17:12:22 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/10/12 19:28:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/10/12 19:28:03 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/10/12 19:01:05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\SMG\Recent
[2010/10/12 18:59:30 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/11/05 17:56:12 | 007,908,352 | ---- | C] (Mozilla) -- C:\Program Files\Firefox Setup 3.5.4.exe
[2009/11/02 12:35:35 | 025,740,144 | ---- | C] (Microsoft Corporation) -- C:\Program Files\wmp11-windowsxp-x86-enu.exe
[2009/04/06 10:53:19 | 063,049,904 | ---- | C] (AVG Technologies) -- C:\Program Files\avg_free_stf_en_85_285a1462.exe
[2008/03/21 02:02:49 | 000,210,416 | ---- | C] (Check Point Software Technologies LTD) -- C:\Program Files\zaSetup_en.exe
[2008/03/18 11:43:03 | 001,426,752 | ---- | C] (Softland ) -- C:\Program Files\dopdf.exe
[2007/11/12 10:38:06 | 003,431,053 | ---- | C] ( ) -- C:\Program Files\MailWasher_Free_setup.exe
[2007/11/09 15:12:29 | 004,620,542 | ---- | C] (i-Systems Inc. ) -- C:\Program Files\FeedReader311Setup.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/09 15:45:06 | 000,000,575 | ---- | M] () -- C:\Documents and Settings\SMG\Desktop\OTL.exe.lnk
[2010/11/09 15:44:12 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3675716222-1085617785-1813893371-1007.job
[2010/11/09 15:44:11 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3675716222-1085617785-1813893371-1007.job
[2010/11/09 14:57:36 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/09 14:41:44 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/09 14:41:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/09 14:41:27 | 1071,697,920 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/09 14:36:07 | 000,000,831 | ---- | M] () -- C:\WINDOWS\QPW.INI
[2010/11/09 00:07:30 | 000,051,712 | ---- | M] () -- C:\Documents and Settings\SMG\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/08 15:32:27 | 000,000,213 | ---- | M] () -- C:\boot.ini
[2010/11/08 15:31:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/07 12:28:41 | 000,481,338 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/07 12:28:41 | 000,087,380 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/21 10:34:33 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\SMG\Desktop\Crystal Reports ActiveX Designer - SA302.pdf
[2010/10/20 09:40:15 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\SMG\Desktop\Microsoft Office Outlook 2003.lnk
[2010/10/20 09:36:41 | 000,000,195 | ---- | M] () -- C:\WINDOWS\OPLP.INI
[2010/10/18 17:06:05 | 000,004,879 | ---- | M] () -- C:\Documents and Settings\SMG\Desktop\Attach.zip
[2010/10/18 13:30:53 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\SMG\defogger_reenable
[2010/10/14 22:47:14 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\SMG\Desktop\Microsoft Office Excel 2003 (2).lnk
[2010/10/14 15:27:22 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\SMG\Desktop\M'soft Office Word.lnk
[2010/10/14 15:01:59 | 000,452,713 | ---- | M] () -- C:\Documents and Settings\SMG\My Documents\2009 Tax Return (client copy) - Oppenheim.pdf
[2010/10/14 15:01:34 | 000,293,869 | ---- | M] () -- C:\Documents and Settings\SMG\My Documents\2009 Important Tax Papers - Oppenheim.pdf
[2010/10/12 19:33:06 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\SMG\Desktop\HijackThis.lnk
[2010/10/12 19:28:08 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/12 19:08:02 | 000,000,506 | ---- | M] () -- C:\Documents and Settings\SMG\My Documents\cc_20101012_200758.reg
[2010/10/12 19:07:25 | 000,012,654 | ---- | M] () -- C:\Documents and Settings\SMG\My Documents\cc_20101012_200654.registrybackup.reg
[2010/10/12 18:59:31 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\SMG\Desktop\CCleaner.lnk
[2010/10/11 15:36:50 | 000,017,518 | ---- | M] () -- C:\WINDOWS\Sage.ini
[2010/10/11 15:36:44 | 000,000,080 | ---- | M] () -- C:\WINDOWS\SGREP32.INI
[2010/10/11 15:30:25 | 000,001,896 | ---- | M] () -- C:\WINDOWS\System32\SGLCH32.USR
[2010/10/11 15:30:25 | 000,000,138 | ---- | M] () -- C:\WINDOWS\System32\SageInformer50.ssf
[2010/10/11 14:43:03 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/09 15:45:06 | 000,000,575 | ---- | C] () -- C:\Documents and Settings\SMG\Desktop\OTL.exe.lnk
[2010/11/06 17:33:03 | 000,000,213 | ---- | C] () -- C:\boot.ini
[2010/10/21 10:32:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\SMG\Desktop\Crystal Reports ActiveX Designer - SA302.pdf
[2010/10/18 17:55:05 | 1071,697,920 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/18 17:06:05 | 000,004,879 | ---- | C] () -- C:\Documents and Settings\SMG\Desktop\Attach.zip
[2010/10/18 13:30:53 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\SMG\defogger_reenable
[2010/10/14 15:01:59 | 000,452,713 | ---- | C] () -- C:\Documents and Settings\SMG\My Documents\2009 Tax Return (client copy) - Oppenheim.pdf
[2010/10/14 15:01:34 | 000,293,869 | ---- | C] () -- C:\Documents and Settings\SMG\My Documents\2009 Important Tax Papers - Oppenheim.pdf
[2010/10/12 19:07:59 | 000,000,506 | ---- | C] () -- C:\Documents and Settings\SMG\My Documents\cc_20101012_200758.reg
[2010/10/12 19:07:13 | 000,012,654 | ---- | C] () -- C:\Documents and Settings\SMG\My Documents\cc_20101012_200654.registrybackup.reg
[2010/10/12 18:59:31 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\SMG\Desktop\CCleaner.lnk
[2009/11/02 15:08:52 | 000,959,592 | ---- | C] () -- C:\Program Files\EFRCSetup.exe
[2009/09/23 12:23:39 | 000,171,784 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/09/16 16:27:58 | 000,508,224 | ---- | C] () -- C:\WINDOWS\System32\ICCProfiles.dll
[2009/07/27 17:35:06 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\UKCpInfo.sys
[2009/06/29 10:28:23 | 000,000,480 | ---- | C] () -- C:\WINDOWS\PSTrusts2009.ini
[2009/04/17 15:26:30 | 000,000,500 | ---- | C] () -- C:\WINDOWS\P11D2009.ini
[2009/04/17 15:25:49 | 000,000,689 | ---- | C] () -- C:\WINDOWS\PSTax2009.ini
[2009/04/06 11:12:26 | 000,267,152 | ---- | C] () -- C:\Program Files\ZoneAlarmSetup_en.exe
[2008/12/31 01:07:25 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2008/12/31 00:27:48 | 000,127,998 | ---- | C] () -- C:\Program Files\install_setup.exe
[2008/12/09 00:28:47 | 000,000,223 | ---- | C] () -- C:\Documents and Settings\SMG\Application Data\APUSet.xml
[2008/12/09 00:28:45 | 000,000,284 | ---- | C] () -- C:\Documents and Settings\SMG\Application Data\PrimoPDFSet.xml
[2008/12/04 17:40:14 | 000,000,276 | ---- | C] () -- C:\WINDOWS\KeyAccountsV3.ini
[2008/09/30 08:41:19 | 046,829,456 | ---- | C] () -- C:\Program Files\zlsSetup_70_483_000_en.exe
[2008/09/15 14:34:20 | 000,000,094 | ---- | C] () -- C:\WINDOWS\KeytimeDBManager.ini
[2008/09/15 14:34:04 | 000,000,500 | ---- | C] () -- C:\WINDOWS\P11D2008.ini
[2008/09/15 14:34:03 | 000,000,881 | ---- | C] () -- C:\WINDOWS\Keytime Payroll.ini
[2008/09/15 14:33:58 | 000,000,361 | ---- | C] () -- C:\WINDOWS\KeyAccountsV2.ini
[2008/09/15 14:33:56 | 000,000,641 | ---- | C] () -- C:\WINDOWS\PSCorporationTax.ini
[2008/09/15 14:33:43 | 000,001,130 | ---- | C] () -- C:\WINDOWS\PSTax2008.ini
[2008/08/15 09:30:07 | 000,000,149 | ---- | C] () -- C:\Program Files\723jun01.htm
[2008/08/13 11:01:01 | 000,288,062 | ---- | C] () -- C:\Program Files\video_downloadhelper-3.2-fx.xpi
[2008/06/11 10:18:20 | 000,519,650 | ---- | C] () -- C:\Program Files\2007_08_DividendDataFeed.exe
[2008/06/11 10:16:56 | 033,557,446 | ---- | C] () -- C:\Program Files\PersonalTax_110_3789_Update.exe
[2008/04/04 11:20:19 | 000,000,097 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
[2008/03/21 10:57:40 | 031,768,752 | ---- | C] () -- C:\Program Files\avg75free_519a1276.exe
[2008/03/21 10:31:56 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/03/18 11:49:41 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/03/18 11:33:03 | 018,473,549 | ---- | C] () -- C:\Program Files\PDF_FreewarePrimo32Setup.exe
[2008/03/17 16:00:01 | 000,018,764 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2008/01/24 14:06:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008/01/22 21:47:25 | 000,000,508 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/12/18 18:17:02 | 000,256,512 | ---- | C] () -- C:\WINDOWS\System32\SGOPopDg.dll
[2007/12/12 01:24:52 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2007/11/12 14:19:20 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\30A94BF40E.sys
[2007/11/12 14:19:19 | 000,005,852 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/11/06 01:39:12 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2007/11/06 01:39:11 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/11/06 01:28:55 | 002,223,653 | ---- | C] () -- C:\Program Files\mpc2kxp6490.zip
[2007/11/05 14:40:17 | 002,028,336 | ---- | C] () -- C:\Program Files\mplayerc_20070918.zip
[2007/08/01 17:16:08 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\CoInst.dll
[2007/08/01 17:15:53 | 000,016,950 | ---- | C] () -- C:\WINDOWS\wwdslcfg.ini
[2007/08/01 16:19:41 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/07/09 18:38:44 | 000,051,712 | ---- | C] () -- C:\Documents and Settings\SMG\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/19 00:49:46 | 000,000,080 | ---- | C] () -- C:\WINDOWS\SGREP32.INI
[2007/06/18 13:58:08 | 000,000,266 | ---- | C] () -- C:\WINDOWS\TaxyDB.INI
[2007/06/12 15:23:53 | 000,000,195 | ---- | C] () -- C:\WINDOWS\OPLP.INI
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/11/14 10:17:00 | 000,000,831 | ---- | C] () -- C:\WINDOWS\QPW.INI
[2006/11/14 09:46:21 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\SMG\Local Settings\Application Data\fusioncache.dat
[2006/11/14 09:42:36 | 000,000,282 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2006/11/06 22:49:36 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/01/06 15:16:11 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/06 15:09:46 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/01/06 15:06:52 | 000,002,249 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/06 14:50:44 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2006/01/06 14:50:28 | 000,000,402 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/09/02 14:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/08/23 12:12:36 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\SDOApp.dll
[2005/08/22 11:12:08 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\SGCtrlEx.dll
[2005/08/22 11:11:58 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\SageFolderBrowser.dll
[2005/08/22 11:11:56 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\SGTBAR32.DLL
[2005/08/22 11:11:48 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\SGSTAT32.DLL
[2005/08/22 11:11:46 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\SGLOGO32.DLL
[2005/08/22 11:11:44 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\SGJPEG32.dll
[2005/08/22 11:11:38 | 000,241,664 | ---- | C] () -- C:\WINDOWS\System32\SGCDLG32.DLL
[2005/08/22 11:11:24 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\SGLIST32.DLL
[2005/08/22 11:11:14 | 000,278,528 | ---- | C] () -- C:\WINDOWS\System32\SGTOOL32.DLL
[2005/08/22 11:11:08 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\SGINTL32.DLL
[2005/08/22 11:11:06 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\SGDT32.DLL
[2005/08/22 11:11:04 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\SGHELP32.DLL
[2005/08/22 11:10:58 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\SGAPPBAR.DLL
[2005/08/22 11:10:48 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\SG3D32.DLL
[2005/08/22 11:10:46 | 000,245,760 | ---- | C] () -- C:\WINDOWS\System32\SGSchemeXml.dll
[2005/08/22 11:10:32 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\SGSchemeXP.dll
[2005/08/22 11:10:26 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\SGSchemeDefault.dll
[2005/08/22 11:10:18 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\SGSchemeManager.dll
[2005/08/22 11:10:06 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\SGCOM32.DLL
[2005/08/22 11:08:30 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\SGWebBrowser.Dll
[2005/08/22 07:31:58 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\SGLCH32.DLL
[2005/08/22 07:31:48 | 001,712,128 | ---- | C] () -- C:\WINDOWS\System32\SGREP32.DLL
[2005/07/22 21:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2005/04/09 17:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 12:57:52 | 000,004,627 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 12:51:10 | 000,164,228 | RHS- | C] () -- C:\WINDOWS\System32\uttpcq.dll
[2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/01/21 13:58:52 | 000,001,189 | ---- | C] () -- C:\WINDOWS\Sageintl.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/04/16 10:27:54 | 000,000,005 | -HS- | C] () -- C:\WINDOWS\System32\CdI5T.drv
[1999/10/25 09:53:58 | 000,017,518 | ---- | C] () -- C:\WINDOWS\Sage.ini
[1998/03/26 00:12:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SgHmZLib.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/06/16 12:48:42 | 000,259,185 | ---- | M] () -- C:\BlubsterSetup.exe


< MD5 for: EXPLORER.EXE >
[2007/06/13 11:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 10:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\explorer.exe
[2007/06/13 10:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2007/04/16 15:52:53 | 000,164,228 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\uttpcq.dll
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/10 12:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/10 12:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/10 12:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\drivers\beep.sys:SummaryInformation
@Alternate Data Stream - 128 bytes -> C:\WINDOWS:nlsPreferences
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:27AAAD97

< End of report >


Extras.Txt:

OTL Extras logfile created on: 09/11/2010 15:49:38 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\SMG\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 575.00 Mb Available Physical Memory | 56.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.96 Gb Total Space | 62.38 Gb Free Space | 42.74% Space Free | Partition Type: NTFS

Computer Name: SMG_DELL_PC | User Name: SMG | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" %*
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8514:TCP" = 8514:TCP:*:Enabled:uiwttb

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Blubster\blubster.exe" = C:\Program Files\Blubster\blubster.exe:*:Enabled:Blubster -- (MP2P Technologies.)
"D:\HIW\tiscali.exe" = D:\HIW\tiscali.exe:*:Enabled:Tiscali Setup CD -- File not found
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{07854BCF-32EA-4DC0-BFE8-6735BAC6A1E8}" = Digita Accounts Data Provider
"{0C973594-7DDF-4BD0-84ED-3517F7622037}" = PC Connectivity Solution
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{1BF73494-70EB-497E-985F-106EE715DFAD}" = ArcSoft PhotoImpression 5
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 14
"{2CFB33D0-B5B2-4C3D-A590-2D48C149831B}" = Sage Accounts
"{2DBCB438-B761-4CB0-9798-4090945F38A1}" = Keytime Accountant Suite Update
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{37647BAA-33A9-4212-8BDA-BAB36BF121EB}" = ArcSoft VideoImpression 2
"{390DAE99-69F1-4AC5-A837-26AA8D0E7FD4}" = Keytime Accountants Suite
"{451C4E5F-43AC-411B-ACC7-C1D745CDA357}" = Digita Accounts Production
"{45534579-B75B-4A42-953B-2EF8E1DEB4F3}" = Microsoft XML Parser
"{52D02A2B-03D2-4E34-A358-DC5D951FD296}" = Nokia Connectivity Cable Driver
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6AB9E0A9-062D-4971-9204-C5210D3984A8}" = Digita Shared Components v1.0
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{76714F90-F3E7-4E3A-9E6F-1A9365C5BC28}" = Digita Shared Components v2.0
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{879EA19D-A327-43C4-AA59-9CE454A5A0DE}" = OKI B4100_4250 Status Monitor
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8E62D88D-0835-48A6-825C-AEC9D4F28A73}" = Digita Database Backup
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{987AE1EA-9AF0-484D-A0F9-11A2E0EB4AA0}" = OpenOffice.org 2.0
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B7F98125-4955-41E3-8A71-4CE11CE9C198}" = KODAK Gallery Upload Software
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD442089-F88D-4F46-8E3C-E4B2964B2415}" = SageAcc
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Kondor
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{EA4FA30B-7321-4428-90E9-28B088EC8DC9}" = Runtime 8.0 Libraries
"{EDB8FF5E-9D61-499D-906E-A049864E2F5B}" = Digita Personal, Business and Trust Tax
"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BitTorrent" = BitTorrent
"Blubster" = Blubster 2.6.9
"CaseWare Working Papers 2001" = CaseWare Working Papers 2001
"CCleaner" = CCleaner
"Corp2000v2 Standalone" = Corp2000v2 Standalone
"Coupon Printer2.0" = Coupon Printer
"Digita Tax Link" = Digita Tax Link
"DLL Show" = DLL Show
"doPDF 6 printer_is1" = doPDF 6.0 printer
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{2CFB33D0-B5B2-4C3D-A590-2D48C149831B}" = Sage Accounts V12.00
"InstallShield_{451C4E5F-43AC-411B-ACC7-C1D745CDA357}" = Digita Accounts Production
"InstallShield_{CD442089-F88D-4F46-8E3C-E4B2964B2415}" = Sage Accounts V10.00
"Keytime Accountants Suite Update" = Keytime Accountants Suite Update
"Keytime Accountants Suite v2008" = Keytime Accountants Suite v2008
"Keytime Accountants Suite v2009" = Keytime Accountants Suite v2009
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.5.3 Standard
"MailWasher Free_is1" = MailWasher Free
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.11)" = Mozilla Firefox (3.6.11)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NonCorp2000Kestv1 Standalone" = NonCorp2000Kestv1 Standalone
"PrimoPDF4.0" = PrimoPDF
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 12.0" = RealPlayer
"Sage Accounts 8.20" = Sage Accounts 8.20
"Sage MIS 3.01" = Sage MIS 3.01
"Sound Blaster AudioPCI 128" = Sound Blaster AudioPCI 128
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TweakNow RegCleaner Standard_is1" = TweakNow RegCleaner Standard
"Voyager 105 ADSL Modem" = Voyager 105 ADSL Modem
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm" = ZoneAlarm
"ZoneAlarmSB Uninstall" = ZoneAlarm Spy Blocker

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3675716222-1085617785-1813893371-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"EgressSwitchBrowser" = Egress Switch Reader
"GoToMeeting" = GoToMeeting 4.0.0.320

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20/10/2010 05:57:38 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 06:57:39 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 07:54:05 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 08:54:05 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 09:54:05 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 10:54:05 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 07/11/2010 08:27:13 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 07/11/2010 08:43:11 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 07/11/2010 08:57:37 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 08/11/2010 11:31:46 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

[ Application Events ]
Error - 20/10/2010 05:57:38 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 06:57:39 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 07:54:05 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 08:54:05 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 09:54:05 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 20/10/2010 10:54:05 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 07/11/2010 08:27:13 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 07/11/2010 08:43:11 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 07/11/2010 08:57:37 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

Error - 08/11/2010 11:31:46 | Computer Name = SMG_DELL_PC | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 09/11/2010 06:45:05 | Computer Name = SMG_DELL_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 09/11/2010 10:41:43 | Computer Name = SMG_DELL_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 09/11/2010 10:41:43 | Computer Name = SMG_DELL_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 09/11/2010 10:41:43 | Computer Name = SMG_DELL_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 09/11/2010 10:41:43 | Computer Name = SMG_DELL_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 09/11/2010 10:41:56 | Computer Name = SMG_DELL_PC | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 09/11/2010 10:41:56 | Computer Name = SMG_DELL_PC | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 09/11/2010 10:42:10 | Computer Name = SMG_DELL_PC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 09/11/2010 10:43:06 | Computer Name = SMG_DELL_PC | Source = Service Control Manager | ID = 7000
Description = The NLS Service service failed to start due to the following error:
%%2

Error - 09/11/2010 10:43:06 | Computer Name = SMG_DELL_PC | Source = Service Control Manager | ID = 7023
Description = The Support Installer service terminated with the following error:
%%1114


< End of report >

#6 myrti (Malware Study Hall Admin)

Posted 10 November 2010 - 04:30 AM

Hi,

please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot omitted)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot omitted)


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 broigel (Topic Starter)

Posted 10 November 2010 - 05:40 AM

Hi Myrti, have managed to do this. Initially ComboFix simply would not run but I renamed it to something innocuous and it then did run. It detected rootkit activity and had to reboot a couple of times but got through it OK.
The log is:

ComboFix 10-11-09.02 - SMG 10/11/2010 10:18:47.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1022.735 [GMT 0:00]
Running from: c:\documents and settings\SMG\My Documents\Downloads\academy.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - WINDOWS: deleted 128 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\SMG\Application Data\Elte
c:\documents and settings\SMG\Application Data\Elte\heal.exe
c:\documents and settings\SMG\Application Data\Ohpa
c:\documents and settings\SMG\Application Data\Ohpa\wuyf.exe
c:\program files\RegGenie
c:\program files\RegGenie\RegGenie.bim
c:\program files\RegGenie\RegGenie.bin
c:\program files\RegGenie\RegGenie.exe
c:\program files\RegGenie\RegGenie.ini
c:\program files\RegGenie\RegGenieOnReboot.exe
c:\program files\RegGenie\RegGenieOnRebootExpired.exe
c:\program files\RegGenie\RegGenieOnUninstall.exe
c:\program files\RegGenie\RegGenieScheduler.exe
c:\program files\RegGenie\unins000.dat
c:\program files\RegGenie\unins000.exe
c:\program files\RegGenie\unins000.msg
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\tmp.reg
c:\windows\system32\uttpcq.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SMSCGISVC
-------\Legacy_ZTJEN
-------\Service_NPF
-------\Service_SMSCGISVC
-------\Service_ztjen


((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-10-13 17:12 . 2010-10-13 17:12 -------- d--h--w- c:\windows\PIF
2010-10-12 19:28 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 19:28 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 18:59 . 2010-10-12 18:59 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 17:56 . 2009-11-05 17:56 7908352 ----a-w- c:\program files\Firefox Setup 3.5.4.exe
2009-11-02 15:09 . 2009-11-02 15:08 959592 ----a-w- c:\program files\EFRCSetup.exe
2009-11-02 10:33 . 2009-11-02 12:35 25740144 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-04-06 11:12 . 2009-04-06 11:12 267152 ----a-w- c:\program files\ZoneAlarmSetup_en.exe
2009-04-06 11:04 . 2009-04-06 10:53 63049904 ----a-w- c:\program files\avg_free_stf_en_85_285a1462.exe
2008-12-31 00:27 . 2008-12-31 00:27 127998 ----a-w- c:\program files\install_setup.exe
2008-09-30 08:41 . 2008-09-30 08:41 46829456 ----a-w- c:\program files\zlsSetup_70_483_000_en.exe
2008-06-11 10:18 . 2008-06-11 10:18 519650 ----a-w- c:\program files\2007_08_DividendDataFeed.exe
2008-06-11 10:17 . 2008-06-11 10:16 33557446 ----a-w- c:\program files\PersonalTax_110_3789_Update.exe
2008-03-21 10:57 . 2008-03-21 10:57 31768752 ----a-w- c:\program files\avg75free_519a1276.exe
2008-03-21 02:02 . 2008-03-21 02:02 210416 ----a-w- c:\program files\zaSetup_en.exe
2008-03-18 11:43 . 2008-03-18 11:43 1426752 ----a-w- c:\program files\dopdf.exe
2008-03-18 11:33 . 2008-03-18 11:33 18473549 ----a-w- c:\program files\PDF_FreewarePrimo32Setup.exe
2007-11-12 11:05 . 2007-11-12 10:38 3431053 ----a-w- c:\program files\MailWasher_Free_setup.exe
2007-11-09 15:12 . 2007-11-09 15:12 4620542 ----a-w- c:\program files\FeedReader311Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"LanguageMonitor"="c:\windows\system32\Oplmsb01.exe" [2004-01-09 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-17 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Blubster\\blubster.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8514:TCP"= 8514:TCP:uiwttb

S1 ensqio;ensqio;c:\windows\system32\DRIVERS\ensqio.sys --> c:\windows\system32\DRIVERS\ensqio.sys [?]
S1 sbpcint4;SB AudioPCI 128;c:\windows\system32\DRIVERS\sbpcint4.sys --> c:\windows\system32\DRIVERS\sbpcint4.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/05/2010 23:49 136176]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE --> c:\windows\system32\NLSSRV32.EXE [?]
S3 pbrxlddp;pbrxlddp;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 23:49]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 23:49]

2010-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3675716222-1085617785-1813893371-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-11-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3675716222-1085617785-1813893371-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]
.
.
------- Supplementary Scan -------
.
uStart Page = www.tiscali.co.uk
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
FF - ProfilePath - c:\documents and settings\SMG\Application Data\Mozilla\Firefox\Profiles\6emvpsj8.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\SMG\Application Data\Mozilla\Firefox\Profiles\6emvpsj8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 10:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pbrxlddp]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2336)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-10 10:32:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 10:32
ComboFix2.txt 2008-04-11 00:10
ComboFix3.txt 2008-04-10 11:40
ComboFix4.txt 2008-04-04 08:35

Pre-Run: 66,661,580,800 bytes free
Post-Run: 66,608,713,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 0B801C44A3DEB5C127E2BF3A2A00F1E9

#8 myrti (Malware Study Hall Admin)

Posted 10 November 2010 - 09:30 AM

Hi,

well this is looking very promising. Is your PC doing better?

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Let me know what you decide to do.

regards myrti



#9 broigel (Topic Starter)

Posted 10 November 2010 - 10:17 AM

Myrti, many thanks for your help - I did think I had/have some extremely malicious virus. My machine is certainly much improved but it seems very sluggish and it will take some time to see whether there are any problems remaining.

I was particularly concerned about the amount of information my computer was sending while connected to the net - and still am. I know that normally there is some information sent but with this problem, there was far too much. I will indeed have to review bank and credit card details and perhaps other items also. As of now, when I connect to the net but do not open IE, Firefox or any site at all, my machine is still steadily sending and receiving packets of information according to the status box - and there is still more being sent than received. I do not think this is normal when there is nothing open, do you?

I take your point about reformatting but I know this is time-consuming especially as regards re-loading all the programs I have. I will have to do this I guess but I need to catch up on some stuff first. And this machine was supplied without a Windows XP disk. I do have an XP reinstallation disk, with key, from a laptop of mine - can I use that when I bite the bullet?

And do you think I should run any other anti-malware program at this point?

#10 myrti (Malware Study Hall Admin)

Posted 11 November 2010 - 05:26 AM

Hi,

you seem to be having an SQL server running, is this intentional? You could use the command netstat -ban to get an output of all IPs you are connecting to. This could show you where the connections are going.

regards myrti



#11 broigel (Topic Starter)

Posted 12 November 2010 - 09:01 AM

The sql server is not intentional - I've often wondered if it is doing anything at all. I've tried running netstat -ban and it brings up 4 ports to begin with then starts to bring up dozens and dozens more before seemingly falling over; it just disappears from the screen. Perhaps I should try an alternative 'listening ports identifier' - would you recommend any? However, even if I obtain a listing of listening ports, how would I know which were valid and which should be blocked?

#12 myrti (Malware Study Hall Admin)

Posted 14 November 2010 - 05:13 PM

Hi,

it is less the ports than the IPs I am interested in. Wireshark is usually used as the reference when it comes to network traffic surveillance.

Could you run this command, netstat -ban > "%userprofile%\desktop\iplist.txt", in the command line. Wait until it is done, then post/attach iplist.txt to your next reply. I'll take a look.

regards myrti



#13 broigel (Topic Starter)

Posted 15 November 2010 - 05:59 AM

Hi again, have tried to run a variety of netstat commands, i.e. -a, -n, -o, -ban, etc but, although each of these seems to start to run, the window disappears from the screen almost immediately. I cannot get it to stay or complete. I thought I would try to run netstat in safe mode.... but the machine will still not boot in safe mode.

#14 myrti (Malware Study Hall Admin)

Posted 15 November 2010 - 06:05 AM

Hi,

if you use the command I gave you, nothing will appear. You need to wait until the command is done (that is, until a new line appears with the blinking cursor) and then you can read all connections in the file that has been created on your desktop.

regards myrti

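Once iplist.txt exists it is a few hundred lines of addresses with no grouping, and on a box that has just had a rootkit removed the two things worth pulling out of it are which process is talking to which outside address, and which listening sockets netstat could not attribute to any process at all. The script below is an added example for this thread, not something any poster ran: it parses a netstat -ban listing in the Windows XP layout (each connection line followed by an indented [owner.exe] line or by "Can not obtain ownership information"), groups external addresses by owning process, and lists unattributed listeners. The input is a constructed sample: the PIDs and addresses are made up (addresses come from the RFC 5737 documentation ranges), and the 8514/TCP listener is included only because the ComboFix log earlier in the thread shows a firewall exception for that port. Because the infected machine should not be trusted to analyse itself, the intended use is to copy iplist.txt to a clean machine with Python 3.6 or newer and paste its contents in place of SAMPLE_NETSTAT.

```python
"""Summarise a `netstat -ban` listing: external peers per process, and
listeners with no owner. Added example, not code from this thread."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample in the XP `netstat -ban` layout; every PID and address
# is made up. The 8514/TCP listener mirrors the GloballyOpenPorts entry in
# the ComboFix log; the rest is filler to exercise the parser.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  [svchost.exe]
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1640
  [sqlservr.exe]
  TCP    0.0.0.0:8514           0.0.0.0:0              LISTENING       1788
  Can not obtain ownership information
  TCP    192.168.1.5:1052       203.0.113.10:8080      ESTABLISHED     1788
  Can not obtain ownership information
  TCP    192.168.1.5:1060       198.51.100.7:80        ESTABLISHED     2212
  [firefox.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# A connection line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
OWNER_RE = re.compile(r"^\s*\[(?P<owner>[^\]]+)\]\s*$")
NO_OWNER = "Can not obtain ownership information"
UNKNOWN = "<unknown>"


def _split_addr(addr: str):
    """'192.168.1.5:1052' -> ('192.168.1.5', 1052); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[dict]:
    """Turn the listing into one dict per socket, attaching the owner line
    that netstat prints underneath each connection."""
    conns: List[dict] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            lhost, lport = _split_addr(m["local"])
            rhost, rport = _split_addr(m["remote"])
            conns.append({"proto": m["proto"], "local_host": lhost,
                          "local_port": lport, "remote_host": rhost,
                          "remote_port": rport, "state": m["state"] or "",
                          "pid": int(m["pid"]), "owner": None})
        elif conns:
            o = OWNER_RE.match(line)
            if o:
                conns[-1]["owner"] = o["owner"]
            elif line.strip() == NO_OWNER:
                conns[-1]["owner"] = UNKNOWN
    return conns


# Explicit list instead of ipaddress.is_global/is_private, which also treat
# the RFC 5737 documentation ranges used in the sample as non-public.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, unspecified
    "224.0.0.0/4",                                       # multicast
)]


def is_external(host: str) -> bool:
    """True for an address outside the LAN/loopback ranges above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:           # '*', or a hostname when -n was not used
        return False
    if ip.version == 6:
        return ip.is_global
    return not any(ip in net for net in LOCAL_NETS)


def remote_hosts_by_owner(conns: List[dict]) -> Dict[str, Set[str]]:
    """Map each owning process to the external hosts it is connected to."""
    out: Dict[str, Set[str]] = {}
    for c in conns:
        if c["state"] == "ESTABLISHED" and is_external(c["remote_host"]):
            out.setdefault(c["owner"] or UNKNOWN, set()).add(c["remote_host"])
    return out


def unowned_listeners(conns: List[dict]) -> List[dict]:
    """Listening sockets netstat could not attribute to a process."""
    return [c for c in conns
            if c["state"] == "LISTENING" and c["owner"] in (None, UNKNOWN)]


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE_NETSTAT)
    for owner, hosts in sorted(remote_hosts_by_owner(sockets).items()):
        print(f"{owner:20} -> {', '.join(sorted(hosts))}")
    for c in unowned_listeners(sockets):
        print(f"unattributed listener {c['proto']} port {c['local_port']} (PID {c['pid']})")
```

A process that netstat cannot name but which both listens on an odd port and holds an outbound connection, as PID 1788 does in the sample, is exactly the shape of the backdoor the earlier post warned about, and the PID is the handle for looking it up in Task Manager or Process Explorer on the infected machine. Every address this prints should be accounted for by a program you recognise; anything else is a reason to stop using the machine for banking until it is rebuilt.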


#15 broigel (Topic Starter)

Posted 15 November 2010 - 08:03 PM

I'm sorry but as I said netstat -ban does not complete - it starts to run and then disappears. I cannot get to a command line in it because it does not stay on screen. When I run netstat -ban it brings up the black window and starts listing active connections. It lists a lot of these but before it is complete it vanishes. The black window disappears. I have tried running the whole command you supplied but it does not complete and nothing is created on the desktop.



