Infected with ?? userinit & rundll32 errors


  • This topic is locked
20 replies to this topic

#1 doc518

doc518

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:02 PM

Posted 24 October 2010 - 09:40 AM

My Toshiba laptop developed a fault.

I have spent a number of days on this now, and my main question is: should I try and fix this, or is it easier to reinstall the OS, and will that get rid of the problem anyway?


two most common error messages on startup:

Userinit.exe – application error
The application failed to initialize properly (0xc00000005). Click on OK to terminate the application.

Rundll32.exe
The application failed to initialize properly (0xc00000005). Click on OK to terminate the application.


Also get the same error messages for crypt_all.exe, cmd.exe, find.exe and sometimes kill.exe

The userinit.exe error disappears after two clicks on OK, and the laptop boots as far as a blank desktop with no taskbar or desktop icons.

I have tried following the Preparation Guide before posting … I cannot access the Internet Connection Firewall. The error message says it may be corrupted and suggests System Restore; however, any earlier system restore dates have vanished! (So I have turned off the wireless and am posting from my backup Thinkpad.)

Then DDS will not run and reads “This tool does not support your operating system. Press any key to continue”, whereupon it closes.

Also had hours of fun with GMER, which froze 4 times and wouldn't let me save anything; eventually I managed to get the report shown below.

I have read through the discussion
http://www.bleepingcomputer.com/forums/topic31163.html
My problem must be similar but the fix doesn't seem to be relevant ...
I don't have the .ini or ini2 files in my system32 folder
But MSCONFIG does show RUNDLL32 and an 8-letter gibberish-named version.
The System32 folder doesn't show any 8-letter gibberish-named copies.

The laptop was bought with Vista pre-installed, but I didn't like it very much and consequently a savvy friend installed XP for me, in such a way that I have the option XP or Vista at startup.

I ran AVG - it showed over 2,000 instances of Win32/heur, but no solution. I also have Webroot Spysweeper which found over 4,000 items and quarantined the lot of them. However, userinit and rundll32 error persists.

I also have all these problems on my desktop pc, but I am hoping that any solution posted for the laptop will work for the pc too.

Finally, I am one of those people who knows a little, but not enough to be confident about fixing PCs, so I am grateful in advance for any help and advice. Please be gentle.

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-24 15:30:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: D:\Windows\Temp\ugtdapow.sys


---- System - GMER 1.0.15 ----

SSDT 8A2E6BE8 ZwAllocateVirtualMemory
SSDT 8A3CF1E0 ZwCreateKey
SSDT 8A39E1E0 ZwCreateProcess
SSDT 8A39E168 ZwCreateProcessEx
SSDT 8A2E6EB8 ZwCreateThread
SSDT 8A379140 ZwDeleteKey
SSDT 8A39E2D0 ZwDeleteValueKey
SSDT 8A39E258 ZwOpenKey
SSDT 8A2E6C60 ZwQueueApcThread
SSDT 8A2E6AF8 ZwReadVirtualMemory
SSDT 8A383D10 ZwRenameKey
SSDT 8A2E6D50 ZwSetContextThread
SSDT 8A3820A8 ZwSetInformationKey
SSDT 8A2E6FA8 ZwSetInformationProcess
SSDT 8A2E6DC8 ZwSetInformationThread
SSDT 8A39E348 ZwSetValueKey
SSDT 8A2E6F30 ZwSuspendProcess
SSDT 8A2E6CD8 ZwSuspendThread
SSDT 8A2E6020 ZwTerminateProcess
SSDT 8A2E6E40 ZwTerminateThread
SSDT 8A2E6B70 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1456] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[3544] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 000160B0 D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[3544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00014930 D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[3544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000152F0 D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[3544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes [33, C0, C2, 0C, 00] {XOR EAX, EAX; RET 0xc}
.text D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[3544] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 000152A0 D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[3544] kernel32.dll!VirtualFree 7C809B84 5 Bytes JMP 000152D0 D:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip 88A1A360
Device \Driver\Tcpip \Device\Ip 89652748
Device \Driver\Tcpip \Device\Ip 88EC0E10
Device \Driver\Tcpip \Device\Ip 893DE320
Device \Driver\Tcpip \Device\Ip 88CA4CE8
Device \Driver\Tcpip \Device\Tcp 88A1A360
Device \Driver\Tcpip \Device\Tcp 89652748
Device \Driver\Tcpip \Device\Tcp 88EC0E10
Device \Driver\Tcpip \Device\Tcp 893DE320
Device \Driver\Tcpip \Device\Tcp 88CA4CE8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\Tcpip \Device\Udp 88A1A360
Device \Driver\Tcpip \Device\Udp 89652748
Device \Driver\Tcpip \Device\Udp 88EC0E10
Device \Driver\Tcpip \Device\Udp 893DE320
Device \Driver\Tcpip \Device\Udp 88CA4CE8
Device \Driver\Tcpip \Device\RawIp 88A1A360
Device \Driver\Tcpip \Device\RawIp 89652748
Device \Driver\Tcpip \Device\RawIp 88EC0E10
Device \Driver\Tcpip \Device\RawIp 893DE320
Device \Driver\Tcpip \Device\RawIp 88CA4CE8
Device \Driver\Tcpip \Device\IPMULTICAST 88A1A360
Device \Driver\Tcpip \Device\IPMULTICAST 89652748
Device \Driver\Tcpip \Device\IPMULTICAST 88EC0E10
Device \Driver\Tcpip \Device\IPMULTICAST 893DE320
Device \Driver\Tcpip \Device\IPMULTICAST 88CA4CE8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b050a5
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b050a5@001a0e353567 0xF4 0x7C 0xA5 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000272b050a5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000272b050a5@001a0e353567 0xF4 0x7C 0xA5 0xEE ...

---- EOF - GMER 1.0.15 ----

#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:02 PM

Posted 02 November 2010 - 05:09 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    hlp.dat
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 doc518

doc518
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:02 PM

Posted 02 November 2010 - 08:13 AM

Yes, still require help. Haven't done anything new to the laptop since first post above.

Here are the requested reports:

OTL logfile created on: 02/11/2010 11:42:36 - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = D:\Users\Ian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 55.89 Gb Total Space | 6.22 Gb Free Space | 11.12% Space Free | Partition Type: NTFS
Drive D: | 54.43 Gb Total Space | 29.98 Gb Free Space | 55.08% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Ian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/02 11:38:27 | 000,576,000 | ---- | M] (OldTimer Tools) -- D:\Users\Ian\Desktop\OTL.exe
PRC - [2010/10/22 13:06:21 | 000,910,296 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/22 12:41:28 | 000,065,536 | ---- | M] (TOSHIBA) -- D:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
PRC - [2010/10/01 15:05:55 | 001,286,960 | ---- | M] (Webroot Software, Inc. ) -- D:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
PRC - [2010/10/01 15:01:45 | 003,066,528 | ---- | M] (Webroot Software, Inc. ) -- D:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
PRC - [2010/09/22 12:41:50 | 003,872,776 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- D:\Program Files\Webroot\Security\Current\plugins\antimalware\AEI.exe
PRC - [2010/09/22 12:41:30 | 000,157,536 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- D:\Program Files\Webroot\Security\Current\plugins\antimalware\SSU.exe
PRC - [2010/09/18 08:52:16 | 000,014,808 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2009/07/03 10:40:40 | 002,328,576 | ---- | M] (Vodafone) -- D:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
PRC - [2009/07/03 10:40:30 | 000,009,216 | ---- | M] (Vodafone) -- D:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
PRC - [2008/06/10 08:52:30 | 001,447,168 | ---- | M] (ESET) -- D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2008/04/14 03:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe
PRC - [2008/02/27 06:56:54 | 003,072,184 | ---- | M] (Kontiki Inc.) -- D:\Program Files\Kontiki\KService.exe
PRC - [2008/02/27 06:56:54 | 001,032,376 | ---- | M] (Kontiki Inc.) -- D:\Program Files\Kontiki\KHost.exe
PRC - [2007/12/20 22:21:16 | 000,468,224 | ---- | M] (ESET) -- D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2007/07/25 08:17:10 | 000,009,216 | ---- | M] (Agere Systems) -- D:\WINDOWS\system32\agrsmsvc.exe
PRC - [2006/05/19 04:00:00 | 000,139,264 | ---- | M] (SEIKO EPSON CORPORATION) -- D:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBNE.EXE
PRC - [2005/01/13 22:32:38 | 000,053,248 | ---- | M] () -- D:\WINDOWS\system32\PAStiSvc.exe
PRC - [2003/05/14 15:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.) -- D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/11/02 11:38:27 | 000,576,000 | ---- | M] (OldTimer Tools) -- D:\Users\Ian\Desktop\OTL.exe
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/07/22 11:18:41 | 000,055,992 | -HS- | M] () -- D:\WINDOWS\system32\jayamuj.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- D:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/10/22 12:43:43 | 000,163,840 | ---- | M] (Alex Feinman) [On_Demand | Stopped] -- D:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe -- (Imapi Helper)
SRV - [2010/10/01 15:01:45 | 003,066,528 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- D:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe -- (WRConsumerService)
SRV - [2010/09/22 12:41:50 | 003,872,776 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- D:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe -- (WebrootSpySweeperService)
SRV - [2010/07/06 16:39:04 | 003,039,536 | ---- | M] (HideMyIP) [On_Demand | Stopped] -- D:\Program Files\Hide My IP\HideMyIpSrv.exe -- (HideMyIpSRV)
SRV - [2009/11/05 22:20:16 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- D:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/07/03 10:40:30 | 000,009,216 | ---- | M] (Vodafone) [Auto | Running] -- D:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2008/06/10 08:59:18 | 000,019,200 | ---- | M] (ESET) [On_Demand | Stopped] -- D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2008/02/27 06:56:54 | 003,072,184 | ---- | M] (Kontiki Inc.) [Auto | Running] -- D:\Program Files\Kontiki\KService.exe -- (KService)
SRV - [2007/12/20 22:21:16 | 000,468,224 | ---- | M] (ESET) [Auto | Running] -- D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2007/07/25 08:17:10 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- D:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2005/01/13 22:32:38 | 000,053,248 | ---- | M] () [Auto | Running] -- D:\WINDOWS\system32\PAStiSvc.exe -- (STI Simulator)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- D:\WINDOWS\System32\drivers\TotRec8.sys -- (TotRec8)
DRV - [2010/06/17 13:49:10 | 000,182,056 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- D:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV)
DRV - [2010/06/17 13:49:10 | 000,045,072 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [File_System | Auto | Running] -- D:\WINDOWS\system32\drivers\ssfmonm.sys -- (SSFMONM)
DRV - [2010/06/17 13:49:10 | 000,024,496 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- D:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD)
DRV - [2009/11/11 11:22:02 | 000,104,512 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2009/09/26 17:57:34 | 000,025,768 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2009/06/29 17:00:50 | 000,112,640 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/06/29 17:00:50 | 000,102,656 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ewusbfake.sys -- (hwusbfake)
DRV - [2009/04/09 12:38:30 | 000,102,400 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2008/07/14 10:59:55 | 000,308,248 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- D:\WINDOWS\System32\drivers\iastor78.sys -- (iastor78)
DRV - [2008/06/10 08:56:10 | 000,034,312 | ---- | M] () [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2008/06/10 08:48:38 | 000,053,256 | ---- | M] (ESET) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2008/06/10 08:47:42 | 000,039,944 | ---- | M] (ESET) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/04/17 14:33:26 | 004,707,328 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/13 20:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/24 08:39:12 | 001,291,328 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/01/04 02:10:16 | 000,105,856 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/12/19 09:32:12 | 005,854,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/12/13 10:31:04 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/09/29 21:03:12 | 000,308,248 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/07/25 08:17:10 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2007/07/25 08:07:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/06/22 06:27:12 | 000,011,264 | ---- | M] (TOSHIBA ) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\TPwSav.sys -- (TPwSav)
DRV - [2005/05/09 10:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\cledx.sys -- (CLEDX)
DRV - [2005/02/24 01:29:14 | 000,162,176 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\PFC027.sys -- (PAC207)
DRV - [2003/09/19 04:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\pfc.sys -- (pfc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-854245398-1177238915-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-854245398-1177238915-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 49
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.2
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {d37dc5d0-431d-44e5-8c91-49419370caa1}:2.6.18


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2010/10/23 10:43:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2010/09/28 21:54:08 | 000,000,000 | ---D | M]

[2008/10/01 08:37:25 | 000,000,000 | ---D | M] -- D:\Users\Ian\Application Data\Mozilla\Extensions
[2010/11/02 11:40:05 | 000,000,000 | ---D | M] -- D:\Users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions
[2010/06/28 20:58:09 | 000,000,000 | ---D | M] (No name found) -- D:\Users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2009/12/21 20:50:03 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/09/14 11:58:47 | 000,000,000 | ---D | M] (FoxClocks) -- D:\Users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}
[2009/11/16 08:02:29 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- D:\Users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/11/02 11:40:05 | 000,000,000 | ---D | M] -- D:\Program Files\Mozilla Firefox\extensions
[2010/08/09 17:53:46 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- D:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/10/26 22:40:03 | 000,106,496 | ---- | M] (British Broadcasting Corporation) -- D:\Program Files\Mozilla Firefox\plugins\npBBCPlugin.dll

O1 HOSTS File: ([2010/10/23 10:37:08 | 000,001,575 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 89.149.225.48 www.google.com
O1 - Hosts: 89.149.225.48 www.google.de
O1 - Hosts: 89.149.225.48 www.google.fr
O1 - Hosts: 89.149.225.48 www.google.co.uk
O1 - Hosts: 89.149.225.48 www.google.com.br
O1 - Hosts: 89.149.225.48 www.google.it
O1 - Hosts: 89.149.225.48 www.google.es
O1 - Hosts: 89.149.225.48 www.google.co.jp
O1 - Hosts: 89.149.225.48 www.google.com.mx
O1 - Hosts: 89.149.225.48 www.google.ca
O1 - Hosts: 89.149.225.48 www.google.com.au
O1 - Hosts: 89.149.225.48 www.google.nl
O1 - Hosts: 89.149.225.48 www.google.co.za
O1 - Hosts: 89.149.225.48 www.google.be
O1 - Hosts: 89.149.225.48 www.google.gr
O1 - Hosts: 89.149.225.48 www.google.at
O1 - Hosts: 89.149.225.48 www.google.se
O1 - Hosts: 89.149.225.48 www.google.ch
O1 - Hosts: 89.149.225.48 www.google.pt
O1 - Hosts: 89.149.225.48 www.google.dk
O1 - Hosts: 89.149.225.48 www.google.fi
O1 - Hosts: 89.149.225.48 www.google.ie
O1 - Hosts: 89.149.225.48 www.google.no
O1 - Hosts: 89.149.225.48 search.yahoo.com
O1 - Hosts: 6 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-854245398-1177238915-1417001333-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] D:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] D:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [egui] D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [MobileConnect] D:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone)
O4 - HKLM..\Run: [tahijol] D:\WINDOWS\System32\jayamuj.DLL ()
O4 - HKLM..\Run: [WebrootTrayApp] D:\Program Files\Webroot\Security\Current\Framework\WRTray.exe (Webroot Software, Inc. )
O4 - HKU\S-1-5-21-854245398-1177238915-1417001333-1003..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKU\S-1-5-21-854245398-1177238915-1417001333-1003..\Run: [EPSON Stylus Photo R265 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-854245398-1177238915-1417001333-1003..\Run: [kdx] D:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O4 - HKU\S-1-5-21-854245398-1177238915-1417001333-1003..\Run: [NBJ] D:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKU\S-1-5-21-854245398-1177238915-1417001333-1003..\Run: [TOSCDSPD] D:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (TOSHIBA)
O4 - Startup: D:\Users\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: D:\Users\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-854245398-1177238915-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-1177238915-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - D:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - D:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe (Microgaming)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - D:\WINDOWS\System32\HMIPCore.dll (My Privacy Tools, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - D:\WINDOWS\System32\HMIPCore.dll (My Privacy Tools, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000055 - D:\WINDOWS\System32\HMIPCore.dll (My Privacy Tools, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000056 - File not found
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (d:\windows\system32\jayamuj.dll) - D:\WINDOWS\system32\jayamuj.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - D:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: D:\Users\Ian\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: D:\Users\Ian\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (ows\s) - File not found
O30 - LSA: Security Packages - (indows.common-controls_6595b641) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{6cb33804-98a9-11dd-bd53-001b9e9dfe0c}\Shell - "" = AutoRun
O33 - MountPoints2\{6cb33804-98a9-11dd-bd53-001b9e9dfe0c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6cb33804-98a9-11dd-bd53-001b9e9dfe0c}\Shell\explore\command - "" = .\RECYCLER\S-5-3-41-1763765056-7350077682-450468611-3101\LwoIkfUu.exe
O33 - MountPoints2\{6cb33804-98a9-11dd-bd53-001b9e9dfe0c}\Shell\Open\command - "" = .\RECYCLER\S-5-3-41-1763765056-7350077682-450468611-3101\LwoIkfUu.exe
O33 - MountPoints2\{7c121d8c-a3ca-11df-bf86-001b9e9dfe0c}\Shell - "" = AutoRun
O33 - MountPoints2\{7c121d8c-a3ca-11df-bf86-001b9e9dfe0c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7c121d8c-a3ca-11df-bf86-001b9e9dfe0c}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe -- File not found
O33 - MountPoints2\{7c121d8d-a3ca-11df-bf86-001b9e9dfe0c}\Shell - "" = AutoRun
O33 - MountPoints2\{7c121d8d-a3ca-11df-bf86-001b9e9dfe0c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7c121d8d-a3ca-11df-bf86-001b9e9dfe0c}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: WebrootSpySweeperService - D:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe (Webroot Software, Inc. (www.webroot.com))
SafeBootMin: WRConsumerService - D:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe (Webroot Software, Inc. )
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} -
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - D:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - d:\WINDOWS\system32\Rundll32.exe d:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - D:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - D:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - D:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: >{89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll

Drivers32: msacm.ac3acm - D:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - D:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - D:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - D:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - D:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - D:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - D:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
Drivers32: MSVideo8 - D:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - D:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.DIVX - D:\WINDOWS\System32\divx.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - D:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - D:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - D:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - D:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - D:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XVID - D:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - D:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - D:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/11/02 11:37:55 | 000,576,000 | ---- | C] (OldTimer Tools) -- D:\Users\Ian\Desktop\OTL.exe
[2010/10/22 10:32:46 | 000,000,000 | ---D | C] -- D:\Program Files\MSXML 4.0
[2010/10/21 13:50:07 | 000,182,056 | ---- | C] (Webroot Software, Inc. (www.webroot.com)) -- D:\WINDOWS\System32\drivers\ssidrv.sys
[2010/10/21 13:50:07 | 000,045,072 | ---- | C] (Webroot Software, Inc. (www.webroot.com)) -- D:\WINDOWS\System32\drivers\ssfmonm.sys
[2010/10/21 13:50:07 | 000,024,496 | ---- | C] (Webroot Software, Inc. (www.webroot.com)) -- D:\WINDOWS\System32\drivers\sshrmd.sys
[2010/10/21 13:46:05 | 000,000,000 | -H-D | C] -- D:\Users\All Users\Application Data\{CB7DC039-811E-4CD1-81CD-8AD0EF4B8CBA}
[2010/10/21 13:16:06 | 000,000,000 | ---D | C] -- D:\Users\All Users\Application Data\Webroot
[2010/10/21 13:08:27 | 000,000,000 | ---D | C] -- D:\Users\LocalService\Local Settings\Application Data\ESET
[2010/10/21 13:06:49 | 000,000,000 | ---D | C] -- D:\Users\Ian\Local Settings\Application Data\PackageAware
[2010/10/21 10:03:44 | 000,000,000 | ---D | C] -- D:\Users\Ian\Application Data\Malwarebytes
[2010/10/21 10:03:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/10/21 10:03:32 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/10/21 10:03:32 | 000,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2010/10/21 10:03:32 | 000,000,000 | ---D | C] -- D:\Users\All Users\Application Data\Malwarebytes
[2010/10/21 00:38:55 | 000,000,000 | ---D | C] -- D:\Program Files\MSSOAP
[2010/10/21 00:38:29 | 000,000,000 | ---D | C] -- D:\Program Files\Webroot
[2010/10/16 09:13:02 | 000,000,000 | ---D | C] -- D:\Program Files\AVG
[2010/10/16 09:13:01 | 000,000,000 | ---D | C] -- D:\Users\All Users\Application Data\avg8
[2010/10/15 09:27:27 | 000,099,840 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\srvsvc.dll
[2010/10/15 09:26:41 | 001,288,192 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ole32.dll
[2010/10/15 09:26:34 | 000,974,848 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mfc42.dll
[2010/10/15 09:26:34 | 000,954,368 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mfc40.dll
[2010/10/15 09:26:34 | 000,953,856 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mfc40u.dll
[2010/10/15 09:26:30 | 000,617,472 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\comctl32.dll
[2010/10/13 14:19:45 | 000,000,000 | ---D | C] -- D:\Program Files\temp
[2010/10/12 13:36:01 | 000,000,000 | ---D | C] -- D:\Program Files\system
[2010/10/11 16:17:36 | 000,000,000 | ---D | C] -- D:\Program Files\windows
[2010/10/11 11:45:56 | 000,000,000 | ---D | C] -- D:\Program Files\win
[2010/10/11 11:41:35 | 000,000,000 | ---D | C] -- D:\Program Files\tmp
[2010/10/11 11:40:54 | 000,000,000 | ---D | C] -- D:\Program Files\Microsoft
[2010/10/08 17:57:41 | 000,000,000 | ---D | C] -- D:\Program Files\Audacity
[2010/10/07 14:31:41 | 000,000,000 | ---D | C] -- D:\Users\Ian\Application Data\Ahead
[2006/12/12 01:13:20 | 000,032,768 | ---- | C] (COMPAL ELECTRONIC INC.) -- D:\Users\All Users\Application Data\EBLib.dll
[2006/07/28 06:25:26 | 000,019,456 | ---- | C] (COMPAL ELECTRONIC INC.) -- D:\Users\All Users\Application Data\LPCFilter.sys
[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/02 11:38:27 | 000,576,000 | ---- | M] (OldTimer Tools) -- D:\Users\Ian\Desktop\OTL.exe
[2010/11/02 11:31:49 | 000,475,680 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2010/11/02 11:31:49 | 000,085,140 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2010/11/02 11:30:21 | 000,000,442 | -H-- | M] () -- D:\WINDOWS\tasks\User_Feed_Synchronization-{443A9346-A9BE-4490-BB86-A8BF77D0772F}.job
[2010/11/02 11:28:54 | 000,000,260 | ---- | M] () -- D:\WINDOWS\tasks\WGASetup.job
[2010/11/02 11:26:38 | 000,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2010/11/02 11:26:33 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2010/10/23 13:42:31 | 000,000,000 | ---- | M] () -- D:\WINDOWS\MEMORY.DMP
[2010/10/23 11:03:58 | 000,286,404 | ---- | M] () -- D:\Users\Ian\Desktop\gmer.zip
[2010/10/23 10:54:50 | 000,545,280 | ---- | M] () -- D:\Users\Ian\Desktop\dds.scr
[2010/10/23 10:37:08 | 000,001,575 | ---- | M] () -- D:\WINDOWS\System32\drivers\etc\HOSTS
[2010/10/22 10:43:15 | 000,335,360 | -HS- | M] () -- D:\Users\All Users\Application Data\{3953216932}2010.10.22.11.43.15.sdl
[2010/10/22 10:32:12 | 000,335,360 | -HS- | M] () -- D:\Users\All Users\Application Data\{1457945060}2010.10.22.11.32.12.sdl
[2010/10/21 13:51:43 | 000,335,360 | -HS- | M] () -- D:\Users\All Users\Application Data\{968218125}2010.10.21.14.51.43.sdl
[2010/10/21 13:46:09 | 000,001,972 | ---- | M] () -- D:\Users\All Users\Desktop\Webroot AntiVirus with Spy Sweeper.lnk
[2010/10/21 10:03:37 | 000,000,700 | ---- | M] () -- D:\Users\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/21 00:31:17 | 000,000,164 | ---- | M] () -- D:\WINDOWS\install.dat
[2010/10/20 21:11:56 | 000,000,288 | -HS- | M] () -- D:\Users\All Users\Application Data\ntuser.pls
[2010/10/20 20:50:28 | 000,335,360 | -HS- | M] () -- D:\Users\All Users\Application Data\{1457945060}2010.10.20.21.50.28.sdl
[2010/10/20 20:49:46 | 000,093,184 | ---- | M] () -- D:\WINDOWS\System32\uspe10.dll
[2010/10/19 15:00:08 | 000,294,912 | ---- | M] () -- D:\Users\Ian\Desktop\gmer.exe
[2010/10/18 13:48:29 | 000,808,439 | ---- | M] () -- D:\Users\Ian\Desktop\atlas1.pdf
[2010/10/18 13:48:06 | 000,068,623 | ---- | M] () -- D:\Users\Ian\Desktop\atlas 2.pdf
[2010/10/18 13:42:09 | 000,035,607 | ---- | M] () -- D:\Users\Ian\Desktop\atla7.pdf
[2010/10/18 13:41:42 | 000,063,163 | ---- | M] () -- D:\Users\Ian\Desktop\atlas6.pdf
[2010/10/18 13:40:16 | 000,091,493 | ---- | M] () -- D:\Users\Ian\Desktop\ATLAS.pdf
[2010/10/16 12:32:29 | 000,002,497 | ---- | M] () -- D:\Users\Ian\Desktop\Microsoft Office Word 2003.lnk
[2010/10/16 12:03:53 | 000,000,796 | ---- | M] () -- D:\Users\Ian\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/10/16 08:51:47 | 000,237,552 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/16 02:04:56 | 000,001,393 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2010/10/15 21:21:00 | 001,287,732 | ---- | M] () -- D:\Users\Ian\My Documents\homework.jpg
[2010/10/13 13:24:20 | 000,135,680 | ---- | M] () -- D:\Users\Ian\Desktop\total_wipeout_application_form10.doc
[2010/10/13 10:45:00 | 000,013,824 | ---- | M] () -- D:\Users\Ian\My Documents\xmas10.xls
[2010/10/10 20:45:10 | 000,001,407 | ---- | M] () -- D:\WINDOWS\System32\LexFiles.usr
[2010/10/08 21:22:14 | 000,039,424 | ---- | M] () -- D:\Users\Ian\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/08 17:57:43 | 000,000,634 | ---- | M] () -- D:\Users\Ian\Desktop\Audacity.lnk
[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/23 11:09:35 | 000,294,912 | ---- | C] () -- D:\Users\Ian\Desktop\gmer.exe
[2010/10/23 11:08:47 | 000,286,404 | ---- | C] () -- D:\Users\Ian\Desktop\gmer.zip
[2010/10/23 11:00:11 | 000,545,280 | ---- | C] () -- D:\Users\Ian\Desktop\dds.scr
[2010/10/22 10:43:15 | 000,335,360 | -HS- | C] () -- D:\Users\All Users\Application Data\{3953216932}2010.10.22.11.43.15.sdl
[2010/10/22 10:32:12 | 000,335,360 | -HS- | C] () -- D:\Users\All Users\Application Data\{1457945060}2010.10.22.11.32.12.sdl
[2010/10/21 13:51:43 | 000,335,360 | -HS- | C] () -- D:\Users\All Users\Application Data\{968218125}2010.10.21.14.51.43.sdl
[2010/10/21 13:50:07 | 000,030,424 | ---- | C] () -- D:\WINDOWS\System32\wrLZMA.dll
[2010/10/21 13:50:07 | 000,017,472 | ---- | C] () -- D:\WINDOWS\System32\SsiEfr.exe
[2010/10/21 13:46:09 | 000,001,972 | ---- | C] () -- D:\Users\All Users\Desktop\Webroot AntiVirus with Spy Sweeper.lnk
[2010/10/21 10:03:37 | 000,000,700 | ---- | C] () -- D:\Users\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/21 00:31:13 | 000,000,164 | ---- | C] () -- D:\WINDOWS\install.dat
[2010/10/20 21:11:56 | 000,000,288 | -HS- | C] () -- D:\Users\All Users\Application Data\ntuser.pls
[2010/10/20 20:50:28 | 000,335,360 | -HS- | C] () -- D:\Users\All Users\Application Data\{1457945060}2010.10.20.21.50.28.sdl
[2010/10/20 20:49:46 | 000,093,184 | ---- | C] () -- D:\WINDOWS\System32\uspe10.dll
[2010/10/18 13:48:27 | 000,808,439 | ---- | C] () -- D:\Users\Ian\Desktop\atlas1.pdf
[2010/10/18 13:48:02 | 000,068,623 | ---- | C] () -- D:\Users\Ian\Desktop\atlas 2.pdf
[2010/10/18 13:42:08 | 000,035,607 | ---- | C] () -- D:\Users\Ian\Desktop\atla7.pdf
[2010/10/18 13:41:42 | 000,063,163 | ---- | C] () -- D:\Users\Ian\Desktop\atlas6.pdf
[2010/10/18 13:40:07 | 000,091,493 | ---- | C] () -- D:\Users\Ian\Desktop\ATLAS.pdf
[2010/10/15 21:21:00 | 001,287,732 | ---- | C] () -- D:\Users\Ian\My Documents\homework.jpg
[2010/10/13 13:24:20 | 000,135,680 | ---- | C] () -- D:\Users\Ian\Desktop\total_wipeout_application_form10.doc
[2010/10/13 10:40:31 | 000,013,824 | ---- | C] () -- D:\Users\Ian\My Documents\xmas10.xls
[2010/10/08 17:57:43 | 000,000,634 | ---- | C] () -- D:\Users\Ian\Desktop\Audacity.lnk
[2010/08/22 15:07:41 | 000,000,748 | ---- | C] () -- D:\WINDOWS\LMAAL2DD.ini
[2010/08/06 14:38:05 | 000,038,407 | ---- | C] () -- D:\Users\Ian\Application Data\Comma Separated Values (Windows).ADR
[2010/07/22 11:18:41 | 000,055,992 | -HS- | C] () -- D:\WINDOWS\System32\jayamuj.dll
[2010/01/23 10:30:12 | 000,000,036 | ---- | C] () -- D:\WINDOWS\Tiny_Run.ini
[2009/06/16 12:25:02 | 000,121,512 | R--- | C] () -- D:\Users\All Users\Application Data\DeviceManager.xml.rc4
[2008/12/29 01:35:08 | 000,039,424 | ---- | C] () -- D:\Users\Ian\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/05 01:38:01 | 000,000,376 | ---- | C] () -- D:\WINDOWS\ODBC.INI
[2008/11/03 08:46:10 | 000,000,040 | -HS- | C] () -- D:\Users\All Users\Application Data\.zreglib
[2008/09/08 02:11:19 | 000,000,069 | ---- | C] () -- D:\WINDOWS\NeroDigital.ini
[2008/09/08 02:06:33 | 000,032,768 | ---- | C] () -- D:\WINDOWS\System32\EBLib.DLL
[2008/09/08 02:04:21 | 000,128,113 | ---- | C] () -- D:\WINDOWS\System32\csellang.ini
[2008/09/08 02:04:21 | 000,045,056 | ---- | C] () -- D:\WINDOWS\System32\csellang.dll
[2008/09/08 02:04:21 | 000,010,150 | ---- | C] () -- D:\WINDOWS\System32\tosmreg.ini
[2008/09/08 02:04:21 | 000,007,671 | ---- | C] () -- D:\WINDOWS\System32\cseltbl.ini
[2008/09/08 00:32:35 | 000,164,352 | ---- | C] () -- D:\WINDOWS\System32\unrar.dll
[2008/09/08 00:32:33 | 003,596,288 | ---- | C] () -- D:\WINDOWS\System32\qt-dx331.dll
[2008/09/08 00:32:33 | 000,755,027 | ---- | C] () -- D:\WINDOWS\System32\xvidcore.dll
[2008/09/08 00:32:33 | 000,159,839 | ---- | C] () -- D:\WINDOWS\System32\xvidvfw.dll
[2008/09/08 00:32:32 | 000,007,680 | ---- | C] () -- D:\WINDOWS\System32\ff_vfw.dll
[2008/09/06 14:45:47 | 000,004,161 | ---- | C] () -- D:\WINDOWS\ODBCINST.INI
[2008/09/06 14:38:45 | 000,147,456 | ---- | C] () -- D:\WINDOWS\System32\igfxCoIn_v4906.dll
[2008/09/06 14:38:45 | 000,104,636 | ---- | C] () -- D:\WINDOWS\System32\igmedcompkrn.dll
[2008/09/06 14:38:33 | 001,843,784 | ---- | C] () -- D:\WINDOWS\System32\igklg400.dll
[2008/09/06 14:38:33 | 001,399,880 | ---- | C] () -- D:\WINDOWS\System32\igklg450.dll
[2008/09/06 14:34:28 | 000,000,363 | ---- | C] () -- D:\WINDOWS\System32\Oeminfo.ini
[2008/09/06 04:50:33 | 000,394,752 | ---- | C] () -- D:\WINDOWS\System32\cygwinb19.dll
[2008/09/06 04:50:33 | 000,059,904 | ---- | C] () -- D:\WINDOWS\System32\zlib1.dll
[2008/06/10 08:56:10 | 000,034,312 | ---- | C] () -- D:\WINDOWS\System32\drivers\epfwtdir.sys
[2006/01/05 07:36:22 | 000,024,576 | ---- | C] () -- D:\WINDOWS\System32\EKECioCtl.dll
[2005/02/24 01:29:14 | 000,162,176 | ---- | C] () -- D:\WINDOWS\System32\drivers\PFC027.sys
[2005/01/25 04:15:42 | 000,010,240 | ---- | C] () -- D:\WINDOWS\System32\PA207USD.DLL
[2003/01/07 04:05:08 | 000,002,695 | ---- | C] () -- D:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 12:00:00 | 000,693,792 | ---- | C] () -- D:\WINDOWS\System32\OGACheckControl.DLL

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/09/22 12:41:42 | 000,030,424 | ---- | M] () Unable to obtain MD5 -- D:\WINDOWS\system32\wrLZMA.dll
[1 D:\WINDOWS\system32\*.tmp files -> D:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/09/06 14:33:22 | 000,098,304 | ---- | M] () -- D:\WINDOWS\system32\config\default.sav
[2008/09/06 14:33:22 | 001,089,536 | ---- | M] () -- D:\WINDOWS\system32\config\software.sav
[2008/09/06 14:33:22 | 000,921,600 | ---- | M] () -- D:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/08/26 13:39:50 | 000,357,248 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\srv.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 24 bytes -> D:\WINDOWS:877EA0D9FD0E7D7E

< End of report >


OTL Extras logfile created on: 02/11/2010 11:42:36 - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = D:\Users\Ian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 55.89 Gb Total Space | 6.22 Gb Free Space | 11.12% Space Free | Partition Type: NTFS
Drive D: | 54.43 Gb Total Space | 29.98 Gb Free Space | 55.08% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Ian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-854245398-1177238915-1417001333-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Program Files\Kontiki\KService.exe" = D:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)
"D:\Program Files\SecondLife\SLVoice.exe" = D:\Program Files\SecondLife\SLVoice.exe:*:Enabled:SLVoice -- File not found
"F:\November 09 stick Data PILOT - Version3\Novell\Sandbox\cccBrowser\1.0.0.0\2009.11.18T12.43\Virtual\STUBEXE\@PROGRAMFILES@\Quest Software\vWorkspace Client\pntsc.exe" = F:\November 09 stick Data PILOT - Version3\Novell\Sandbox\cccBrowser\1.0.0.0\2009.11.18T12.43\Virtual\STUBEXE\@PROGRAMFILES@\Quest Software\vWorkspace Client\pntsc.exe:*:Enabled:pntsc -- File not found
"D:\WINDOWS\explorer.exe" = D:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{2204AF25-80E5-468E-B46D-795685B35DEB}" = ESET NOD32 Antivirus
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{67A070AE-F3AE-4454-8F94-787435FCD98A}" = Scooby-Doo!™
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = LiveUpdate BVRP Software
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7900D3A6-A9E8-4954-ACCB-AB15867978BF}" = TOSHIBA Hotkey Utility
"{79A64F98-1796-4FA2-B5FF-C90F83D8BACD}" = Vodafone Mobile Connect Lite
"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B287B75-DF8D-40C8-9620-8E4492C38EF1}" = Webroot Software
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-1033-F400-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B8890B12-4E4C-4E53-9ECB-96193BBA7767}" = EPSON Easy Photo Print
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C765D9FF-4A34-4BF1-9F91-E9A3C60C86FC}" = ArcSoft VideoImpression 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D466F3D9-510C-4729-B7D4-2E70490E4CDF}" = BBC iPlayer Download Manager
"{DB780B85-B4B5-4864-A49C-9B706B169C93}" = TIPCI
"{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}" = mobile PhoneTools
"{F6CE1230-A694-4B86-B21C-A11A112689DA}" = Trust WB-1400T Webcam
"{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe SVG Viewer" = Adobe SVG Viewer
"AnyDVD" = AnyDVD
"ASIO4ALL" = ASIO4ALL
"Audacity_is1" = Audacity 1.2.6
"BBC iPlayer Download Manager" = BBC iPlayer Download Manager
"DVD Shrink_is1" = DVD Shrink 3.2
"EasyBCD" = EasyBCD 1.7.2
"EPSON Printer and Utilities" = EPSON Printer Software
"FL Studio 8" = FL Studio 8
"HDMI" = Intel® Graphics Media Accelerator Driver
"HMIP50_is1" = Hide My IP 5.2
"IL Download Manager" = IL Download Manager
"InstallShield_{7900D3A6-A9E8-4954-ACCB-AB15867978BF}" = TOSHIBA Hotkey Utility
"InstallShield_{DB780B85-B4B5-4864-A49C-9B706B169C93}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{F6CE1230-A694-4B86-B21C-A11A112689DA}" = Trust WB-1400T Webcam
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.0.0 (Full)
"Ladbrokes Poker" = Ladbrokes Poker
"Lexmark_HostCD" = Lexmark Software Uninstall
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"PoiZone" = PoiZone
"PokerStars" = PokerStars
"Steinberg Cubase SX v3.1.1.944" = Steinberg Cubase SX v3.1.1.944
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft's License Control" = Syncrosoft's License Control
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Toxic Biohazard" = Toxic Biohazard
"Tweak UI 2.10" = Tweak UI
"Webroot Software" = Webroot Software
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 25/10/2010 10:17:46 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 25/10/2010 10:32:14 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 25/10/2010 10:56:16 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 25/10/2010 11:09:17 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 26/10/2010 14:14:11 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 27/10/2010 05:09:48 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 27/10/2010 06:04:01 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 27/10/2010 08:29:37 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = GetProcessOwner

Error - 28/10/2010 05:54:22 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 02/11/2010 07:27:02 | Computer Name = LAPTOP | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

[ System Events ]
Error - 26/10/2010 14:14:20 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 27/10/2010 05:09:56 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 27/10/2010 05:09:56 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 27/10/2010 06:04:08 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 27/10/2010 06:04:09 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 28/10/2010 05:54:30 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 28/10/2010 05:54:30 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 02/11/2010 07:27:08 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 02/11/2010 07:27:08 | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 02/11/2010 07:27:54 | Computer Name = LAPTOP | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

#4 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 03 November 2010 - 05:49 AM

Hi,

please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 doc518
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 03 November 2010 - 08:15 AM

OK ran the ComboFix. Q: I have an external drive which I have disconnected from the laptop, should I have reconnected it before running ComboFix ?
Also, since I have the option to run Vista from the C drive, should I boot Vista and run ComboFix again ??
Just want to make sure I'm covering all bases.
doc518

ComboFix 10-11-02.05 - Ian 03/11/2010 12:53:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.952 [GMT 0:00]
Running from: D:\Users\Ian\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Images
D:\Users\Administrator\Application Data\Umlace
D:\Users\Administrator\Application Data\Umlace\ifyv.exe
D:\Users\All Users\Application Data\{1457945060}2010.10.20.21.50.28.sdl
D:\Users\All Users\Application Data\{1457945060}2010.10.22.11.32.12.sdl
D:\Users\All Users\Application Data\{3953216932}2010.10.22.11.43.15.sdl
D:\Users\All Users\Application Data\{968218125}2010.10.21.14.51.43.sdl
D:\Users\All Users\Application Data\xp
d:\windows\system32\jayamuj.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))
.

#6 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 04 November 2010 - 02:11 AM

Hi,

this is only half the log from ComboFix. Is that all that was in the log?

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Eset or Webroot.



#7 doc518
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 04 November 2010 - 05:02 AM

Yes, that was all that was in the log. Are you saying that ComboFix did not run completely?
Should I run it again?

I have removed Eset anti-virus software (very out of date anyway), Webroot remains, it's up-to-date but currently switched off.

regards
doc518

#8 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 04 November 2010 - 06:41 AM

Hi,

yes, please try to run ComboFix again in this case. It did not finish apparently.

regards myrti



#9 doc518
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 04 November 2010 - 09:14 AM

It seems to have done even less this time !

ComboFix 10-11-02.05 - Ian 04/11/2010 13:09:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.1201 [GMT 0:00]
Running from: D:\Users\Ian\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}



Have I done something wrong, or is this a good sign?
regards
doc518
.

#10 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 05 November 2010 - 03:45 AM

Hi,

how does the ComboFix run end for you? Do you get any warnings in between? Does it reboot?

regards myrti



#11 doc518
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 05 November 2010 - 05:49 AM

Good morning
OK - here it is from boot to reboot:

Laptop boots to desktop with icons and taskbar.
One error message: "rundll. error loading d:windows\system32\jayamuj.dll The specified module could not be found"
(I presume this is just one of the nasty files we have removed)

Run ComboFix
Shows the Blue Autoscan window, backs up the registry, then completes stages 1 to 50.
Briefly shows a message "Preparing log report...."
Flashes up an even briefer message "A problem has been detected with windows......."
(message disappeared too quickly for me to read it)
Laptop automatically reboots to desktop with icons and taskbar, and same rundll error message.


and this morning's log report is:
ComboFix 10-11-02.05 - Ian 05/11/2010 10:27:51.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.1506 [GMT 0:00]
Running from: D:\Users\Ian\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

regards
doc518

#12 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 10 November 2010 - 01:10 PM

Hi,

sorry I missed your last reply. Could you please download a fresh copy of combofix.exe and save it as fun.com. Please also download the installer for your anti virus program. Or an installer for a free anti virus program such as Avast! and Antivir.

Disconnect your PC from the internet, uninstall Spysweeper and run ComboFix. Let me know if that helps. If it doesn't please reinstall an anti virus program and let me know.

regards myrti



#13 doc518
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 12 November 2010 - 09:28 AM

Hello again,
Downloaded another copy of Combofix and saved as fun.com
Disconnected from internet and uninstalled Webroot.
Ran ComboFix (fun.com) - a window popped up which read
Version_10-11-03.04
Current date is 2010-11-12. ComboFix has expired
click "Yes" to run in REDUCED FUNCTIONALITY mode
click "No" to Exit

So I clicked "Yes"

The ComboFix window popped up, backed up the registry and set a system restore point.
Then Completed Stage 49

and generated the following log:


ComboFix 10-11-03.04 - Ian 12/11/2010 14:15:56.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.1509 [GMT 0:00]
Running from: d:\users\Ian\My Documents\Downloads\fun.com.exe
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
.

2010-11-12 14:02 . 2010-11-12 14:02 -------- d-----w- d:\users\All Users\Application Data\Webroot
2010-10-22 10:52 . 2010-10-22 10:52 -------- d-----w- d:\users\Administrator\Application Data\Vaweci
2010-10-22 10:32 . 2010-10-22 10:32 -------- d-----w- d:\program files\MSXML 4.0
2010-10-21 13:08 . 2010-10-21 13:08 -------- d-----w- d:\users\LocalService\Local Settings\Application Data\ESET
2010-10-21 13:06 . 2010-10-21 13:06 -------- d-----w- d:\users\Ian\Local Settings\Application Data\PackageAware
2010-10-21 10:03 . 2010-10-21 10:03 -------- d-----w- d:\users\Ian\Application Data\Malwarebytes
2010-10-21 10:03 . 2010-04-29 14:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-10-21 10:03 . 2010-10-21 11:57 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-10-21 10:03 . 2010-10-21 10:03 -------- d-----w- d:\users\All Users\Application Data\Malwarebytes
2010-10-21 10:03 . 2010-04-29 14:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-10-21 00:38 . 2010-10-21 00:38 -------- d-----w- d:\program files\MSSOAP
2010-10-21 00:38 . 2010-11-12 14:02 -------- d-----w- d:\program files\Webroot
2010-10-20 20:49 . 2010-10-20 20:49 93184 ----a-w- d:\windows\system32\uspe10.dll
2010-10-16 09:13 . 2010-10-16 09:13 -------- d-----w- d:\program files\AVG
2010-10-16 09:13 . 2010-10-16 10:30 -------- d-----w- d:\users\All Users\Application Data\avg8
2010-10-15 09:27 . 2010-08-27 05:57 99840 ------w- d:\windows\system32\dllcache\srvsvc.dll
2010-10-15 09:26 . 2010-07-16 12:05 1288192 ------w- d:\windows\system32\dllcache\ole32.dll
2010-10-15 09:26 . 2010-09-18 06:53 974848 ------w- d:\windows\system32\dllcache\mfc42.dll
2010-10-15 09:26 . 2010-09-18 06:53 954368 ------w- d:\windows\system32\dllcache\mfc40.dll
2010-10-15 09:26 . 2010-09-18 06:53 953856 ------w- d:\windows\system32\dllcache\mfc40u.dll
2010-10-15 09:26 . 2010-08-23 16:12 617472 ------w- d:\windows\system32\dllcache\comctl32.dll
2010-10-13 14:19 . 2010-11-04 09:55 -------- d-----w- d:\program files\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- d:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- d:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- d:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- d:\windows\system32\mfc40.dll
2010-09-09 13:36 . 2008-07-14 08:40 841216 ----a-w- d:\windows\system32\wininet.dll
2010-09-09 13:36 . 2008-07-14 08:39 1830912 ----a-w- d:\windows\system32\inetcpl.cpl
2010-09-09 13:36 . 2008-07-14 08:39 78336 ----a-w- d:\windows\system32\ieencode.dll
2010-09-09 13:36 . 2008-07-14 08:39 17408 ----a-w- d:\windows\system32\corpol.dll
2010-09-08 15:48 . 2008-07-14 08:39 389120 ----a-w- d:\windows\system32\html.iec
2010-09-01 11:51 . 2008-04-14 03:39 285824 ----a-w- d:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-13 23:00 1852800 ----a-w- d:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-14 03:42 119808 ----a-w- d:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 03:42 99840 ----a-w- d:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-13 22:45 357248 ----a-w- d:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-11-29 12:37 5120 ----a-w- d:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 03:41 617472 ----a-w- d:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 03:42 58880 ----a-w- d:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-04-14 03:42 590848 ----a-w- d:\windows\system32\rpcrt4.dll
2010-07-21 16:18 55992 --sha-w- d:\windows\system32\bodalen.dll
2010-07-21 17:29 55992 --sha-w- d:\windows\system32\tutatez.dll
.

------- Sigcheck -------

[-] 2008-07-14 . C9F5FC9DFC3DB9BAE3E4167535F7E6FF . 361600 . . [5.1.2600.5625] . . d:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="d:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2010-10-22 65536]
"kdx"="d:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"AnyDVD"="d:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-11-11 3124160]
"NBJ"="d:\program files\Ahead\Nero BackItUp\NBJ.exe" [2010-10-22 2048000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="d:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MobileConnect"="d:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-07-03 2328576]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2010-09-09 124928]

d:\users\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - d:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-14 217193]
Adobe Gamma Loader.exe.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-9-11 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Kontiki\\KService.exe"=
"d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 iastor78;iastor78;d:\windows\system32\drivers\iastor78.sys [14/07/2008 10:59 308248]
R2 VMCService;Vodafone Mobile Connect Service;d:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [03/07/2009 10:40 9216]
R3 CLEDX;Team H2O CLEDX service;d:\windows\system32\drivers\cledx.sys [08/09/2008 03:59 33792]
S3 ewusbnet;HUAWEI USB-NDIS miniport;d:\windows\system32\drivers\ewusbnet.sys [09/08/2010 15:28 112640]
S3 HideMyIpSRV;HideMyIpSRV;d:\program files\Hide My IP\HideMyIpSrv.exe [14/08/2010 12:12 3039536]
S3 hwusbfake;Huawei DataCard USB Fake;d:\windows\system32\drivers\ewusbfake.sys [09/08/2010 15:37 102656]
S3 PAC207;Trust WB-1400T Webcam;d:\windows\system32\drivers\PFC027.sys [24/02/2005 01:29 162176]
S3 TotRec8;Total Recorder WDM audio filter driver;\??\d:\windows\system32\drivers\TotRec8.sys --> d:\windows\system32\drivers\TotRec8.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-12 d:\windows\Tasks\User_Feed_Synchronization-{443A9346-A9BE-4490-BB86-A8BF77D0772F}.job
- d:\windows\system32\msfeedssync.exe [2001-08-23 08:40]

2010-11-12 d:\windows\Tasks\WGASetup.job
- d:\windows\system32\KB905474\wgasetup.exe [2009-11-29 11:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
LSP: uspe10.dll
LSP: d:\windows\system32\HMIPCore.dll
FF - ProfilePath - d:\users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: d:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: d:\users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: d:\users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-tahijol - d:\windows\system32\jayamuj.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1080)
d:\windows\system32\uspe10.dll

- - - - - - - > 'explorer.exe'(2264)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-11-12 14:18:31
ComboFix-quarantined-files.txt 2010-11-12 14:18

Pre-Run: 34,689,843,200 bytes free
Post-Run: 34,649,149,440 bytes free

- - End Of File - - 603864818BD7B600D246FC16EA9DEC56

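The log above is the kind of thing a forum helper reads by eye: file records with their attribute field, the Winsock "LSP:" entries, and the "ORPHANS REMOVED" autorun keys. As an added example (my code, not ComboFix's and not anything the helper posted), here is a small triage pass that parses those three line shapes and lists the entries worth a second look. The sample lines are constructed from the shapes in the log, the allowlist of default Windows XP Winsock providers is this example's own assumption, and every hit is a "review this" prompt rather than a verdict.

```python
"""Triage pass over ComboFix-style log lines (an added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the line shapes in the log above: "Files Created" /
# "Find3M" file records, Winsock "LSP:" entries and "ORPHANS REMOVED" autorun entries.
SAMPLE_LOG = r"""
2010-10-21 10:03 . 2010-04-29 14:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 14:02 . 2010-11-12 14:02 -------- d-----w- d:\users\All Users\Application Data\Webroot
2010-10-20 20:49 . 2010-10-20 20:49 93184 ----a-w- d:\windows\system32\uspe10.dll
2010-07-21 16:18 55992 --sha-w- d:\windows\system32\bodalen.dll
2010-07-21 17:29 55992 --sha-w- d:\windows\system32\tutatez.dll
LSP: uspe10.dll
LSP: d:\windows\system32\HMIPCore.dll
LSP: mswsock.dll
HKLM-Run-tahijol - d:\windows\system32\jayamuj.dll
"""

# File record: created stamp, optional " . modified" stamp, size (or dashes for a
# directory), an 8-character attribute field, then the path.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
LSP_RE = re.compile(r"^LSP: (?P<dll>.+)$")
ORPHAN_RE = re.compile(r"^(?P<key>HK[A-Z]+-Run-\S+) - (?P<path>.+)$")

# Winsock providers Windows XP ships itself. This allowlist is the example's own
# assumption; any other LSP is third-party and should be tied to a known product.
DEFAULT_LSPS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}


@dataclass
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list:
    """Return the lines an analyst would look at first, each with the reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            is_dir = attrs.startswith("d")
            in_system32 = "\\windows\\system32\\" in path.lower()
            # A file that is both system and hidden inside system32 is unusual for
            # ordinary software; this is where the log's --sha-w- entries sit.
            if not is_dir and "s" in attrs and "h" in attrs and in_system32:
                findings.append(Finding(line, "system+hidden file under system32"))
            continue
        m = LSP_RE.match(line)
        if m:
            if basename(m.group("dll")) not in DEFAULT_LSPS:
                findings.append(Finding(line, "third-party Winsock LSP; confirm the publisher"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(Finding(line, f"autorun {m.group('key')} pointed at a file that is gone"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:48} {f.line}")
```

Run against the sample it reports the two system+hidden DLLs, the two non-default LSPs and the orphaned Run key, and stays quiet about the Malwarebytes driver and the default mswsock.dll provider. A bare filename in an "LSP:" line (no directory) is itself a prompt to locate the file and check who signed it, which is why the check keys on the basename rather than the full path.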
#14 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 14 November 2010 - 05:28 PM

Hi,

could you please try to download combofix from the second link and see if that improves things.

regards myrti



#15 doc518
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 16 November 2010 - 09:30 AM

Morning !
OK deleted previous versions of Combofix. Downloaded another from the 2nd link.

This is the generated report:

ComboFix 10-11-15.06 - Ian 16/11/2010 14:20:12.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.1518 [GMT 0:00]
Running from: d:\users\Ian\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-10-16 to 2010-11-16 )))))))))))))))))))))))))))))))
.

2010-11-12 14:13 . 2010-11-12 14:18 -------- d-----w- D:\fun.com
2010-11-12 14:02 . 2010-11-12 14:02 -------- d-----w- d:\users\All Users\Application Data\Webroot
2010-10-22 10:52 . 2010-10-22 10:52 -------- d-----w- d:\users\Administrator\Application Data\Vaweci
2010-10-22 10:32 . 2010-10-22 10:32 -------- d-----w- d:\program files\MSXML 4.0
2010-10-21 13:08 . 2010-10-21 13:08 -------- d-----w- d:\users\LocalService\Local Settings\Application Data\ESET
2010-10-21 13:06 . 2010-10-21 13:06 -------- d-----w- d:\users\Ian\Local Settings\Application Data\PackageAware
2010-10-21 10:03 . 2010-10-21 10:03 -------- d-----w- d:\users\Ian\Application Data\Malwarebytes
2010-10-21 10:03 . 2010-04-29 14:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-10-21 10:03 . 2010-10-21 11:57 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-10-21 10:03 . 2010-10-21 10:03 -------- d-----w- d:\users\All Users\Application Data\Malwarebytes
2010-10-21 10:03 . 2010-04-29 14:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-10-21 00:38 . 2010-10-21 00:38 -------- d-----w- d:\program files\MSSOAP
2010-10-21 00:38 . 2010-11-12 14:02 -------- d-----w- d:\program files\Webroot
2010-10-20 20:49 . 2010-10-20 20:49 93184 ----a-w- d:\windows\system32\uspe10.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- d:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- d:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- d:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- d:\windows\system32\mfc40.dll
2010-09-09 13:36 . 2008-07-14 08:40 841216 ----a-w- d:\windows\system32\wininet.dll
2010-09-09 13:36 . 2008-07-14 08:39 1830912 ----a-w- d:\windows\system32\inetcpl.cpl
2010-09-09 13:36 . 2008-07-14 08:39 78336 ----a-w- d:\windows\system32\ieencode.dll
2010-09-09 13:36 . 2008-07-14 08:39 17408 ----a-w- d:\windows\system32\corpol.dll
2010-09-08 15:48 . 2008-07-14 08:39 389120 ----a-w- d:\windows\system32\html.iec
2010-09-01 11:51 . 2008-04-14 03:39 285824 ----a-w- d:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-13 23:00 1852800 ----a-w- d:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-14 03:42 119808 ----a-w- d:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 03:42 99840 ----a-w- d:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-13 22:45 357248 ----a-w- d:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-11-29 12:37 5120 ----a-w- d:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 03:41 617472 ----a-w- d:\windows\system32\comctl32.dll
2010-07-21 16:18 55992 --sha-w- d:\windows\system32\bodalen.dll
2010-07-21 17:29 55992 --sha-w- d:\windows\system32\tutatez.dll
.

------- Sigcheck -------

[-] 2008-07-14 . C9F5FC9DFC3DB9BAE3E4167535F7E6FF . 361600 . . [5.1.2600.5625] . . d:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-11-12_14.17.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-16 14:12 . 2010-11-16 14:12 16384 d:\windows\Temp\Perflib_Perfdata_49c.dat
+ 2010-11-16 14:12 . 2010-11-16 14:12 16384 d:\windows\Temp\Perflib_Perfdata_1f0.dat
+ 2010-11-16 14:23 . 2010-11-16 14:23 53248 d:\windows\Temp\catchme.dll
+ 2001-08-23 12:00 . 2010-11-16 14:16 85140 d:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-11-12 14:16 85140 d:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2010-11-16 14:16 475680 d:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-11-12 14:16 475680 d:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="d:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2010-10-22 65536]
"kdx"="d:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"AnyDVD"="d:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-11-11 3124160]
"NBJ"="d:\program files\Ahead\Nero BackItUp\NBJ.exe" [2010-10-22 2048000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="d:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2010-09-09 124928]

d:\users\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - d:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-14 217193]
Adobe Gamma Loader.exe.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-9-11 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Kontiki\\KService.exe"=
"d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 iastor78;iastor78;d:\windows\system32\drivers\iastor78.sys [14/07/2008 10:59 308248]
R2 VMCService;Vodafone Mobile Connect Service;d:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [03/07/2009 10:40 9216]
R3 CLEDX;Team H2O CLEDX service;d:\windows\system32\drivers\cledx.sys [08/09/2008 03:59 33792]
S3 ewusbnet;HUAWEI USB-NDIS miniport;d:\windows\system32\drivers\ewusbnet.sys [09/08/2010 15:28 112640]
S3 HideMyIpSRV;HideMyIpSRV;d:\program files\Hide My IP\HideMyIpSrv.exe [14/08/2010 12:12 3039536]
S3 hwusbfake;Huawei DataCard USB Fake;d:\windows\system32\drivers\ewusbfake.sys [09/08/2010 15:37 102656]
S3 PAC207;Trust WB-1400T Webcam;d:\windows\system32\drivers\PFC027.sys [24/02/2005 01:29 162176]
S3 TotRec8;Total Recorder WDM audio filter driver;\??\d:\windows\system32\drivers\TotRec8.sys --> d:\windows\system32\drivers\TotRec8.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-16 d:\windows\Tasks\User_Feed_Synchronization-{443A9346-A9BE-4490-BB86-A8BF77D0772F}.job
- d:\windows\system32\msfeedssync.exe [2001-08-23 08:40]

2010-11-16 d:\windows\Tasks\WGASetup.job
- d:\windows\system32\KB905474\wgasetup.exe [2009-11-29 11:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
LSP: uspe10.dll
LSP: d:\windows\system32\HMIPCore.dll
FF - ProfilePath - d:\users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: d:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: d:\users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: d:\users\Ian\Application Data\Mozilla\Firefox\Profiles\qan1wt72.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MobileConnect - %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-16 14:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1072)
d:\windows\system32\uspe10.dll

- - - - - - - > 'explorer.exe'(1940)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-11-16 14:25:05
ComboFix-quarantined-files.txt 2010-11-16 14:25
ComboFix2.txt 2010-11-12 14:18

Pre-Run: 34,573,410,304 bytes free
Post-Run: 34,562,211,840 bytes free

- - End Of File - - 26CA2D8C782C410AAF4FEE6EC719061D
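Added example (not part of the original post, and not ComboFix's own code): a small Python triage script that pulls the first-look indicators out of the ComboFix sections shown in the log above. It flags the two hidden+system DLLs in system32 that share a size and attributes (bodalen.dll and tutatez.dll), the tcpip.sys entry that ComboFix's Sigcheck marked `[-]`, and the Winsock LSP DLL (uspe10.dll) that the "DLLs Loaded Under Running Processes" section shows mapped into lsass.exe. The sample log is constructed from lines copied from the post; the regexes are my reading of ComboFix's line formats and the heuristics are generic responder triage, not a verdict on any file.

```python
"""Pull first-look indicators out of a ComboFix log excerpt.

Added example: not part of the original post and not ComboFix's own code.
The line formats below are an assumption based on the ComboFix output in
the thread; the heuristics are ordinary triage, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the ComboFix log above.
SAMPLE_LOG = r"""
2010-09-09 13:36 . 2008-07-14 08:40 841216 ----a-w- d:\windows\system32\wininet.dll
2010-08-23 16:12 . 2008-04-14 03:41 617472 ----a-w- d:\windows\system32\comctl32.dll
2010-07-21 16:18 55992 --sha-w- d:\windows\system32\bodalen.dll
2010-07-21 17:29 55992 --sha-w- d:\windows\system32\tutatez.dll
------- Sigcheck -------
[-] 2008-07-14 . C9F5FC9DFC3DB9BAE3E4167535F7E6FF . 361600 . . [5.1.2600.5625] . . d:\windows\system32\drivers\tcpip.sys
LSP: uspe10.dll
LSP: d:\windows\system32\HMIPCore.dll
- - - - - - - > 'lsass.exe'(1072)
d:\windows\system32\uspe10.dll
- - - - - - - > 'explorer.exe'(1940)
d:\windows\system32\WININET.dll
"""

# "Files Created - Modified" entry: created [. modified] size attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" +(?P<size>\d+) +(?P<attrs>[-a-z]{8}) +(?P<path>\S.*)$"
)
# Sigcheck entry; a leading [-] is the file that did not verify
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+)(?: \.)+ \[(?P<version>[^\]]*)\](?: \.)+ (?P<path>\S.*)$"
)
LSP_RE = re.compile(r"^LSP: (?P<name>\S.*)$")
PROC_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(log):
    """Split the excerpt into file entries, sigcheck entries, LSPs and per-process DLLs."""
    files, sigcheck, lsps, loaded = [], [], [], defaultdict(list)
    proc = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            files.append(m.groupdict())
        elif m := SIGCHECK_RE.match(line):
            sigcheck.append(m.groupdict())
        elif m := LSP_RE.match(line):
            lsps.append(m.group("name"))
        elif m := PROC_RE.match(line):
            proc = f"{m.group('proc')}({m.group('pid')})"
        elif proc and DRIVE_RE.match(line):
            loaded[proc].append(line)
    return {"files": files, "sigcheck": sigcheck, "lsps": lsps, "loaded": dict(loaded)}


def triage(log):
    """Return human-readable findings for the excerpt."""
    data = parse(log)
    findings = []
    by_size = defaultdict(list)
    for f in data["files"]:
        attrs, path = f["attrs"], f["path"]
        # hidden+system attributes on a DLL in system32 hide it from a default Explorer view
        if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
            findings.append(f"hidden+system file in system32: {path} ({f['size']} bytes, created {f['created']})")
        by_size[(f["size"], attrs)].append(path)
    # different names with identical size and attributes usually means one dropper, several copies
    for (size, attrs), paths in by_size.items():
        if len(paths) > 1:
            findings.append(f"{len(paths)} files share size {size} and attrs {attrs}: {', '.join(paths)}")
    for s in data["sigcheck"]:
        if s["flag"] == "-":
            findings.append(f"sigcheck failed: {s['path']} md5={s['md5']} version={s['version']}")
    # an LSP is loaded into every Winsock-using process; show where it actually turned up
    lsp_names = {basename(n) for n in data["lsps"]}
    for proc, dlls in data["loaded"].items():
        for dll in dlls:
            if basename(dll) in lsp_names:
                findings.append(f"LSP DLL {dll} is loaded in {proc}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run against the sample it reports the two hidden DLLs, their shared size, the Sigcheck failure on tcpip.sys with its MD5 and version, and uspe10.dll inside lsass.exe. The size/attribute pairing and the LSP-to-process correlation are the two checks that a raw read of the log makes easy to miss; neither proves a file is malicious, they only say what to hash and look up first.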