Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32/Zbot.E Virus Identified


  • This topic is locked This topic is locked
6 replies to this topic

#1 HotShot2k

HotShot2k

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 04 November 2010 - 05:11 PM

Greetings I was recently asked to take a look at my cousins pc after he informed me it had a virus that seemed to be copying and deleting files. Having recently taken a look at it I thought it would be best to seek some advise. Upon starting the pc the 1st thing I noticed was that upon right clicking on desktop, folder etc a message box pops up Titled "ATI Catalyst Control Center" and a message saying "1. The InstallScript engine on this machine is older than the version required to run this setup. If available, please install the latest version of ISScript.msi, or contact your support personnel for further assistance. After Clicking ok another box behind it Titled "ATI Catalyst Control Center" says "Please wait while Windows Configures ATI Catalyst Control Center". They pop up 2-3 times and then close.

The Next thing to happen was AVG Resident Shield pops up with Multiple Threat detections:
1: c:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\Driver.exe | Virus Identified Win32/Zbot.E
2: c:\Program Files\EPSON\Creativity Suite\Attach To Email\AttachToEmail.exe | Virus Identified Win32/Zbot.E
3: c:\Program Files\EPSON\Creativity Suite\File Manager\EFileManager.exe | Virus Identified Win32/Zbot.E
4: c:\Program Files\EPSON\Creativity Suite\Scan Assistant\EScanAssist.exe | Virus Identified Win32/Zbot.E

Number 1 seems to be repeated everytime I Right Click on Desktop/folder as mentioned earlier.
It has also given other .exe patchs such as Winrar though It hasn't shown it since the 1st time.

Also trying to start certain programs fail, Messages pop up such as for Adobe Reader:
"AcroRD32.exe - Unable To Locate Component with a message of "This Application has failed to start because AGM.dll was not found, Re-installing the application may fix this problem.

It seems to be mostly for Adobe programs such as Reader, Dreamweaver CS3, Photoshop CS3 etc except for Winrar which says "You may not have the appropriate permission" despite being logged into the admin account.

Finally I recently set avg to do a scan and it's coming up with hundreds of .html files as being infected, It's still scanning at the moment.
Im using a different pc than the infected one to post this, so following instructions should be a bit easier as they're close by, I think ive explained as much as I can but if you need more info please ask.


DDS (Ver_10-11-03.01) - NTFSx86
Run by John at 20:42:33.92 on 04/11/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1394 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Barclays\Business Manager\bin\ticketservice.exe
C:\Program Files\Barclays\Business Manager\bin\updateservice.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe
C:\WINDOWS\system32\GSW32.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
uWinlogon: Shell=c:\documents and settings\john\application data\hotfix.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S9D.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\john\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [{D2EA7429-2A4B-771E-F503-A95F2A307EB0}] "c:\documents and settings\john\application data\qion\kuefi.exe"
uRun: [{457F23B8-47C5-7EFA-26FD-0091EECADB5B}] "c:\documents and settings\john\application data\ehsy\ceko.exe"
uRun: [{87D87CCD-3314-82F6-889C-E6D86B69979B}] "c:\documents and settings\john\application data\abydpi\liab.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [EPSON Stylus DX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiace.exe /f "c:\windows\temp\E_S114.tmp" /EF "HKLM"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LiveZilla] "c:\program files\livezilla\LiveZilla.exe" -minimize
mRun: [Barclays Business Manager] c:\program files\barclays\business manager\bin\BarclaysBusinessManager.exe /server
StartupFolder: c:\docume~1\john\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~1.lnk - c:\program files\common files\palo alto software\8.0\PAS8_UD.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\m83dcw2e.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - plugin: c:\documents and settings\john\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npww.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-2 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-2 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 BBMTicketService;BBM Ticket Service;c:\program files\barclays\business manager\bin\ticketservice.exe [2009-10-12 40960]
R2 BBMUpdateService;BBM Update Service;c:\program files\barclays\business manager\bin\updateservice.exe [2009-10-12 49152]
S3 DCamUSBTP10;USB 2.0 PC Camera;c:\windows\system32\drivers\iP293x.SYS [2010-2-16 242176]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-2-23 122504]
S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]
S4 WLSVC;WLSVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2010-1-3 53307]

=============== Created Last 30 ================

2010-11-04 19:20:12 -------- d-----w- c:\program files\CCleaner
2010-10-16 08:26:16 -------- d-----w- c:\program files\win

==================== Find3M ====================

2007-04-25 06:46:54 9728 -c--a-w- c:\program files\LiveZilla Prerequisites.msi

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.ADG -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A100EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x883c9872; SUB DWORD [EBP-0x4], 0x883c912e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8A4ECAB8]
3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\0000005b[0x8A4E0510]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A4C2940]
[0x8A074AE8] -> IRP_MJ_CREATE -> 0x8A100EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3320620AS_____________________________3.ADG___#5&71de149&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x8A100AEA
user & kernel MBR OK
sectors 625142446 (+237): user != kernel
Warning: possible TDL3 rootkit infection !

Filesystem trace:
called modules: ntkrnlpa.exe hal.dll fltMgr.sys avgmfx86.sys sr.sys Ntfs.sys
c:\windows\system32\drivers\avgmfx86.sys AVG Technologies CZ, s.r.o. AVG Internet Security
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A205CE8]
3 fltMgr[0xB9EEFE61] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A535C10]
5 sr[0xB9EDF870] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A4DF020]
7 ntkrnlpa[0x8057E6FD] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A205CE8]
9 fltMgr[0xB9EEFB29] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A535C10]
11 sr[0xB9EDA453] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A4DF020]

Registry trace:
called modules: ntkrnlpa.exe hal.dll

============= FINISH: 20:43:27.09 ===============

Attached File  Attach.txt   16.55KB   0 downloads
Attached File  ark.txt   35.16KB   1 downloads

BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 AM

Posted 12 November 2010 - 06:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 HotShot2k

HotShot2k
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 13 November 2010 - 05:13 PM

Hi and thanks for taking the time to help me with this.
I hadn't used the pc since my first post and have only done so to just now to get the required logs. The same problems I mentioned in my first post still apply and I haven't come across anything new.

Logs:

OTL logfile created on: 13/11/2010 21:47:26 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\John\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 264.53 Gb Free Space | 88.74% Space Free | Partition Type: NTFS
Drive I: | 978.08 Mb Total Space | 894.45 Mb Free Space | 91.45% Space Free | Partition Type: FAT

Computer Name: COMP1 | User Name: John | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/13 21:39:08 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.exe
PRC - [2010/10/05 08:32:24 | 002,067,808 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/09/23 08:43:10 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/07/21 11:33:42 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/16 11:49:55 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/16 11:49:53 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/16 11:49:50 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/07/16 11:49:49 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/05/17 08:39:06 | 002,651,576 | ---- | M] (LiveZilla GmbH) -- C:\Program Files\LiveZilla\LiveZilla.exe
PRC - [2009/10/12 10:54:46 | 000,181,568 | ---- | M] ( ) -- C:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe
PRC - [2009/10/12 10:54:44 | 000,049,152 | ---- | M] ( ) -- C:\Program Files\Barclays\Business Manager\bin\updateservice.exe
PRC - [2009/10/12 10:54:44 | 000,040,960 | ---- | M] ( ) -- C:\Program Files\Barclays\Business Manager\bin\ticketservice.exe
PRC - [2007/12/13 06:00:00 | 000,188,928 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIEFE.EXE
PRC - [2007/02/13 11:03:24 | 000,128,544 | ---- | M] (Palo Alto Software) -- C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe
PRC - [2004/08/04 12:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/11/13 21:39:08 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.exe
MOD - [2004/08/04 12:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/10/16 08:43:14 | 000,723,456 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/07/21 11:33:42 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/16 11:49:53 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/10/12 10:54:44 | 000,049,152 | ---- | M] ( ) [Auto | Running] -- C:\Program Files\Barclays\Business Manager\bin\updateservice.exe -- (BBMUpdateService)
SRV - [2009/10/12 10:54:44 | 000,040,960 | ---- | M] ( ) [Auto | Running] -- C:\Program Files\Barclays\Business Manager\bin\ticketservice.exe -- (BBMTicketService)
SRV - [2007/11/30 10:27:22 | 000,558,592 | ---- | M] (ReaSoft) [On_Demand | Stopped] -- C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe -- (rcp_service)
SRV - [2005/07/05 00:46:04 | 000,053,307 | ---- | M] (GEMTEKS) [Disabled | Stopped] -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- (WLSVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2010/07/16 11:49:56 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/16 11:49:50 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/03 07:32:51 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/12/02 12:20:54 | 000,122,504 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EuDisk.sys -- (EuDisk)
DRV - [2008/03/13 11:16:24 | 000,242,176 | ---- | M] (iPassion Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iP293x.SYS -- (DCamUSBTP10)
DRV - [2006/07/27 14:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/06/07 17:08:58 | 001,580,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/12 17:45:54 | 000,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 12:00:00 | 000,012,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:27811

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:27811



IE - HKU\S-1-5-21-1085031214-2147155553-839522115-1003\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-1085031214-2147155553-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1085031214-2147155553-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.8.0.12304
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.855
FF - prefs.js..extensions.enabledItems: avg@igeared:4.906.030.003
FF - prefs.js..extensions.enabledItems: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}:1.18
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.5.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {4D144BC3-23FB-47de-90C5-63CCB0139CCF}:1.0
FF - prefs.js..extensions.enabledItems: ustreampublisher@ustream.tv:3.1.5.2
FF - prefs.js..keyword.URL: "http://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/09/23 08:44:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/10/05 18:15:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/12 19:56:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/21 11:02:28 | 000,000,000 | ---D | M]

[2010/06/09 17:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions
[2010/06/09 17:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/10/16 22:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\m83dcw2e.default\extensions
[2010/01/22 11:58:40 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\m83dcw2e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/04 10:44:37 | 000,000,000 | ---D | M] (TradeManager-Plugin) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\m83dcw2e.default\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
[2010/02/05 23:44:12 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\m83dcw2e.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2010/02/05 23:44:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\m83dcw2e.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash
[2010/02/05 22:18:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\m83dcw2e.default\extensions\firebug@software.joehewitt.com
[2010/02/16 16:16:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\m83dcw2e.default\extensions\ustreampublisher@ustream.tv
[2010/10/14 20:32:10 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/22 04:44:28 | 000,107,864 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npww.dll
[2010/09/21 11:02:22 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/09/21 11:02:22 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/09/21 11:02:22 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/09/21 11:02:22 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll File not found
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003\..\Toolbar\ShellBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Barclays Business Manager] C:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe ( )
O4 - HKLM..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [LiveZilla] C:\Program Files\LiveZilla\LiveZilla.exe (LiveZilla GmbH)
O4 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003..\Run: [{457F23B8-47C5-7EFA-26FD-0091EECADB5B}] C:\Documents and Settings\John\Application Data\Ehsy\ceko.exe File not found
O4 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003..\Run: [{87D87CCD-3314-82F6-889C-E6D86B69979B}] C:\Documents and Settings\John\Application Data\Abydpi\liab.exe File not found
O4 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003..\Run: [{D2EA7429-2A4B-771E-F503-A95F2A307EB0}] C:\Documents and Settings\John\Application Data\Qion\kuefi.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003..\Run: [EPSON Stylus SX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe (Palo Alto Software)
O4 - Startup: C:\Documents and Settings\John\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} http://game.zylom.com/activex/zylomgamesplayer.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\program files\microsoft\desktoplayer.exe) - c:\Program Files\Microsoft\DesktopLayer.exe ()
O20 - HKU\S-1-5-21-1085031214-2147155553-839522115-1003 Winlogon: Shell - (C:\Documents and Settings\John\Application Data\hotfix.exe) - C:\Documents and Settings\John\Application Data\hotfix.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/03 00:41:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{43cf393e-43d3-11df-bd22-c86cbb747911}\Shell\AutoRun\command - "" = J-HJF-4EDHYZMV-GSJEWFCEKRJ-D4ZDBVDN-QJSDNELBO\0-YLQ-4Y94FBKG-FT1YIGXVF7I-CZ2BYBAK-EK33X3KLG\autorunme.exe
O33 - MountPoints2\{43cf393e-43d3-11df-bd22-c86cbb747911}\Shell\Explore\Command - "" = N:\
O33 - MountPoints2\{43cf393e-43d3-11df-bd22-c86cbb747911}\Shell\open\command - "" = J-HJF-4EDHYZMV-GSJEWFCEKRJ-D4ZDBVDN-QJSDNELBO\0-YLQ-4Y94FBKG-FT1YIGXVF7I-CZ2BYBAK-EK33X3KLG\autorunme.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "WLSVC"
MsConfig - Services: "Ati HotKey Poller"
MsConfig - Services: "ose"
MsConfig - Services: "odserv"
MsConfig - Services: "JavaQuickStarterService"
MsConfig - Services: "idsvc"
MsConfig - Services: "Bonjour Service"
MsConfig - Services: "ATI Smart"
MsConfig - Services: "Apple Mobile Device"
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: aliim - hkey= - key= - C:\Program Files\trademanager\AliIM.exe (Alibaba software (Shanghai) Corporation.)
MsConfig - StartUpReg: ATICCC - hkey= - key= - C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: EA Core - hkey= - key= - C:\Program Files\Electronic Arts\EADM\Core.exe File not found
MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
MsConfig - StartUpReg: iPPCamScan - hkey= - key= - C:\WINDOWS\iPScan.exe ( iPassion Technology Inc.)
MsConfig - StartUpReg: PWRISOVM.EXE - hkey= - key= - C:\Program Files\PowerISO\PWRISOVM.EXE File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe File not found
MsConfig - StartUpReg: SigmatelSysTrayApp - hkey= - key= - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.IYUV - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVU9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 30 Days ==========

[2010/11/13 21:43:55 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.exe
[2010/11/04 19:21:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\John\Recent
[2010/11/04 19:20:12 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/10/16 22:55:34 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/10/16 22:11:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/10/16 08:26:16 | 000,000,000 | ---D | C] -- C:\Program Files\win
[2010/10/16 08:26:15 | 000,000,000 | ---D | C] -- C:\Program Files\intel
[2007/11/28 14:19:48 | 000,184,320 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.MSXML2.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/13 21:39:08 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.exe
[2010/11/13 21:37:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/13 21:36:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/04 22:01:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-2147155553-839522115-1003UA.job
[2010/11/04 20:35:16 | 000,628,736 | ---- | M] () -- C:\Documents and Settings\John\Desktop\dds.scr
[2010/11/04 20:27:37 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\John\defogger_reenable
[2010/11/04 20:09:08 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\John\Desktop\Defogger.exe
[2010/11/04 20:01:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-2147155553-839522115-1003Core.job
[2010/11/04 19:15:46 | 000,001,024 | ---- | M] () -- C:\WINDOWS\MKDEWE.TRN
[2010/11/04 18:19:13 | 000,000,016 | ---- | M] () -- C:\WINDOWS\System32\dmlconf.dat
[2010/11/04 17:35:16 | 000,000,212 | RHS- | M] () -- C:\boot.ini
[2010/11/04 11:16:58 | 000,295,424 | ---- | M] () -- C:\Documents and Settings\John\Desktop\gmer.exe
[2010/10/31 16:22:11 | 000,440,684 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/31 16:22:11 | 000,071,002 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/19 09:43:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/16 22:18:40 | 066,482,599 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/10/16 21:04:06 | 001,454,976 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/16 20:21:36 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\John\Local Settings\Application Data\prvlcl.dat
[2010/10/16 20:07:21 | 000,122,775 | ---- | M] () -- C:\Documents and Settings\John\Desktop\James Villas.pdf
[2010/10/16 18:34:22 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\complete.dat
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/04 20:58:12 | 000,295,424 | ---- | C] () -- C:\Documents and Settings\John\Desktop\gmer.exe
[2010/11/04 20:41:02 | 000,628,736 | ---- | C] () -- C:\Documents and Settings\John\Desktop\dds.scr
[2010/11/04 20:27:37 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\John\defogger_reenable
[2010/11/04 20:25:47 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\John\Desktop\Defogger.exe
[2010/10/16 20:07:21 | 000,122,775 | ---- | C] () -- C:\Documents and Settings\John\Desktop\James Villas.pdf
[2010/10/16 08:26:18 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\complete.dat
[2010/10/16 08:26:13 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\dmlconf.dat
[2010/09/20 18:32:20 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2010/09/20 18:26:00 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE SX200DEFGIPS.ini
[2010/07/12 11:16:08 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\John\Local Settings\Application Data\fusioncache.dat
[2010/04/06 14:11:05 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\W32mkrc.dll
[2010/04/06 14:11:05 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\TASSGLib.dll
[2010/02/16 10:46:42 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\John\Application Data\winscp.rnd
[2010/02/09 00:15:57 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\John\Local Settings\Application Data\PUTTY.RND
[2010/01/16 00:15:08 | 000,009,728 | ---- | C] () -- C:\Program Files\LiveZilla Prerequisites.msi
[2010/01/09 21:07:42 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/01/08 22:57:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\John\Local Settings\Application Data\prvlcl.dat
[2010/01/03 03:19:35 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2010/01/03 03:19:35 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2010/01/03 03:19:35 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2010/01/03 03:19:31 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2010/01/02 15:32:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/01/31 13:07:32 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\SgEData.dll
[2008/01/31 13:07:32 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\SgELauncher.dll
[2008/01/31 13:07:32 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\SgEEncrypt.dll
[2007/07/09 15:08:52 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\SageFolderBrowser.dll
[2007/07/09 15:07:06 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\SGSTDREG.dll
[2007/07/09 15:07:02 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\SGRegister.dll
[2004/08/04 12:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== LOP Check ==========

[2010/10/16 19:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/10/31 16:58:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/07/12 10:55:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bmc
[2010/01/02 21:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CasualForge
[2010/07/12 11:12:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2010/02/15 11:47:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EA Logs
[2010/02/15 11:46:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2010/09/20 18:31:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2010/01/04 18:21:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft
[2010/07/12 11:26:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IsolatedStorage
[2010/07/12 11:09:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Palo Alto Software
[2010/02/23 09:59:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Paragon
[2010/07/12 11:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PAS
[2010/04/06 14:11:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage
[2010/01/07 12:26:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2010/01/07 12:28:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/20 18:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2010/06/02 17:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{7269BE79-5722-4259-B764-61F0045B02FF}
[2010/01/05 14:09:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/07/15 10:43:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\Bmc
[2010/07/12 11:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\1.0.0.0
[2010/10/16 21:26:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Abydpi
[2010/10/16 19:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Akago
[2010/01/04 19:33:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Be a King
[2010/01/07 00:00:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\BlamGames
[2010/07/12 10:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Bmc
[2010/07/12 11:33:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\bppeng11
[2010/10/01 10:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Caefe
[2010/06/03 10:42:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\com.rightmove.rmdesktop.303FAAB8E16C565CA4B74422796CD427470CE949.1
[2010/10/12 17:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Daga
[2010/07/12 11:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\data
[2010/10/16 17:49:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Ehsy
[2010/03/07 00:15:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Ekmuty
[2010/01/16 18:54:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\EPSON
[2010/10/01 17:33:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Esarfa
[2010/07/26 10:48:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\FileZilla
[2010/01/26 08:25:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Hisuw
[2010/10/16 07:36:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\LimeWire
[2010/10/16 17:22:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Nyyz
[2010/10/13 11:01:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Owyz
[2010/10/16 10:16:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Ozmeyd
[2010/07/12 11:34:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Palo Alto Software
[2010/07/12 11:34:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Palo Alto Software, Inc
[2010/08/26 01:22:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Qion
[2010/05/17 11:23:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\RCP 5
[2010/10/16 17:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Roiwk
[2010/10/16 17:49:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Sogio
[2010/08/16 10:29:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\TeamViewer
[2010/05/05 15:31:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\UDC Profiles
[2010/01/14 13:55:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Vyila
[2010/10/16 17:49:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Wodeid
[2010/01/06 18:41:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\World-LooM
[2010/10/16 17:49:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Woura
[2010/10/16 17:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Ygheub
[2010/07/12 10:55:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Bmc

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2004/08/04 12:00:00 | 001,392,671 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/01/02 15:30:51 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/01/02 15:30:51 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/01/02 15:30:51 | 000,913,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2010/01/03 00:41:29 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/11/04 17:35:16 | 000,000,212 | RHS- | M] () -- C:\boot.ini
[2010/01/03 00:41:29 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/01/03 00:41:29 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/01/03 00:41:29 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 12:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 12:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/11/13 21:36:54 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/05/12 11:32:42 | 000,013,030 | ---- | M] () -- C:\PDOXUSRS.NET

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 12:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:85C0059D
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9AE67195
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CDB75348
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5AE33054
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:18E90846
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FB647F34
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9026FFAC
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:12EA4DC9
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9F50A55A
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:16B49C20
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:957E9765
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:708BB0FA
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:953FDC1A
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:60F5A2F7
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FDE078B

< End of report >




OTL Extras logfile created on: 13/11/2010 21:47:26 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\John\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 264.53 Gb Free Space | 88.74% Space Free | Partition Type: NTFS
Drive I: | 978.08 Mb Total Space | 894.45 Mb Free Space | 91.45% Space Free | Partition Type: FAT

Computer Name: COMP1 | User Name: John | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1085031214-2147155553-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"14199:TCP" = 14199:TCP:*:Enabled:BitComet 14199 TCP
"14199:UDP" = 14199:UDP:*:Enabled:BitComet 14199 UDP
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found
"C:\Program Files\EA SPORTS\FIFA MANAGER 10\Manager10.exe" = C:\Program Files\EA SPORTS\FIFA MANAGER 10\Manager10.exe:*:Enabled:EA SPORTS™ FIFA Manager 10 -- File not found
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet.exe -- File not found
"C:\Program Files\LiveZilla\LiveZilla Server Admin.exe" = C:\Program Files\LiveZilla\LiveZilla Server Admin.exe:*:Enabled:LiveZilla Server Admin -- (LiveZilla GmbH)
"C:\Program Files\trademanager\AliIM.exe" = C:\Program Files\trademanager\AliIM.exe:*:Enabled:AliIM -- (Alibaba software (Shanghai) Corporation.)
"C:\xampp\apache\bin\httpd.exe" = C:\xampp\apache\bin\httpd.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\xampp\mysql\bin\mysqld.exe" = C:\xampp\mysql\bin\mysqld.exe:*:Enabled:The MySQL Server -- (MySQL AB)
"C:\Program Files\Adobe\Flash Media Live Encoder 3\FlashMediaLiveEncoder.exe" = C:\Program Files\Adobe\Flash Media Live Encoder 3\FlashMediaLiveEncoder.exe:*:Enabled:Adobe Flash Media Live Encoder 3 -- File not found
"C:\Program Files\NWBusinessSoftware\MyBusiness.exe" = C:\Program Files\NWBusinessSoftware\MyBusiness.exe:*:Enabled:LaunchAnywhere GUI -- (Zero G)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- File not found
"C:\Program Files\TeamViewer\Version5\TeamViewer.exe" = C:\Program Files\TeamViewer\Version5\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{05E3EFE7-DB4F-4BB1-89B5-7468F40D9CD7}" = TAS Basics
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0ED64E28-7284-4883-99C9-230FC6A614D2}" = TAS Basics
"{17C3D39D-CCA9-45F2-9176-493762B1EADF}" = TAS Basics
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.3
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2A539CD9-0F75-4875-9A32-E06DD93C4114}" = Adobe Extension Manager CS3
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}" = Adobe Setup
"{3C719006-7478-4AA1-94C3-DC30DFC9FE24}" = TAS Basics
"{3F4C014E-32BB-465D-B4B0-72F0E195AD66}" = Sage e-Banking Core Components
"{404C781F-EEC0-404A-9D79-30CAE96CD771}" = Marketing Plan Pro 9.0 (UK)
"{42EDF895-158C-484E-A7F2-42B90759F281}" = Camera RAW Plug-In for EPSON Creativity Suite
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{46CBBDF8-55B5-40DB-B459-7B848394309C}" = EPSON File Manager
"{47E5588F-C3A0-11DE-9857-005056C00008}" = Paragon Partition Manager™ 2010 Free Edition
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{572F59D5-86A3-4A24-9554-AC83579F7458}" = TAS Basics
"{63A18A03-4284-4681-8141-FA51BDE235A5}" = TAS Basics
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6913FBE5-1B4B-4308-8DDD-2944F9C91E06}" = ATI Catalyst Control Center
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{74A56910-B186-4255-990F-3E227502478B}" = FreePOS V6
"{763A16C4-A51C-4FA4-9B1A-3800BDFA05D6}" = TAS Basics
"{786547F9-59BB-4FA3-B2D8-327FF1F14870}" = Adobe Flash Player 9 ActiveX
"{79D28264-7F51-42CC-8FCF-9DFDFCFE9F29}" = TAS Basics
"{7AE18999-86F7-4805-ACB0-F1211A9A3F0A}" = TAS Basics
"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{861BBE6C-C6EC-40A1-AB55-F4A1A6D6E6C8}" = Business Manager
"{8A8F8391-4C2C-4BE1-A984-CD4A5A546467}" = EPSON Easy Photo Print
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{C09F832D-8742-4E1E-8EEE-CB2EBF2AEAC5}" = TAS Basics
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C4C91E02-D4E2-481E-BCBA-7D90CC8D43E1}" = LiveZilla
"{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}" = Linksys Wireless-G USB Network Adapter
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEE176BB-EAEA-4CC1-B4D9-DFA4B7E7E446}" = Sage Protx VSP
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D2903FF4-6197-4E81-96E1-95C00FF0EFA8}" = TAS Basics
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D7E340B3-E949-4FF3-BDC2-ACF12F61BB2F}" = TAS Basics
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DC3F64CA-245E-4349-9BC5-8BB3C15B6E81}" = Business Plan Pro 11.0 (UK)
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E2E78020-45C7-6C28-E7FC-E31C656232BD}" = Rightmove Desktop
"{E398E7CC-30B8-4D63-B07B-741163A12565}" = USB 2.0 PC Camera Driver
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EAC8A01C-9F01-4C03-9C18-9E79E979880C}" = Palo Alto Software's Application Manager 8.2
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EE3DF62B-0D52-4869-8550-868CEE4BFDF8}" = TAS Basics
"{F01D5ED5-D53A-4468-B428-149DC2CB3110}" = Adobe Dreamweaver CS3
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FEDD9B5E-49AA-4BA4-9F0D-0C8D4915DF18}" = TAS Basics
"3002C1E8C395C4248EBD260C9DA548C220DD99D7" = Windows Driver Package - USB 2.0 PC Camera Driver (01/01/2007 6.0.0.1)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
"Adobe_435a6af7459cb02a9c1138113a26e93" = Adobe Dreamweaver CS3
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AVG9Uninstall" = AVG Free 9.0
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.rightmove.rmdesktop.303FAAB8E16C565CA4B74422796CD427470CE949.1" = Rightmove Desktop
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"EPSON Stylus SX200 Series" = EPSON Stylus SX200 Series Printer Uninstall
"EPSON Stylus SX200_SX400_TX200_TX400 User’s Guide" = EPSON Stylus SX200_SX400_TX200_TX400 Manual
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"LimeWire" = LimeWire 5.5.9
"LiveZilla" = LiveZilla
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.13)" = Mozilla Firefox (3.5.13)
"NatWest Business Software" = NatWest Business Software
"NVIDIA Drivers" = NVIDIA Drivers
"ReaConverter 5.5 Pro_is1" = ReaConverter 5.5 Pro
"Retail Plus 2.5" = Retail Plus 2.5
"TeamViewer 5" = TeamViewer 5
"TradeManager 2009" = TradeManager 2009
"Universal Document Converter_is1" = Universal Document Converter (Demo)
"Veetle TV" = Veetle TV 0.9.17
"WIC" = Windows Imaging Component
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.2.5

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1085031214-2147155553-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 09/06/2010 07:35:07 | Computer Name = COMP1 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 15/06/2010 07:34:11 | Computer Name = COMP1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module unknown, version 0.0.0.0, fault address 0x4003d0a8.

Error - 15/06/2010 07:34:22 | Computer Name = COMP1 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 17/06/2010 04:54:35 | Computer Name = COMP1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module unknown, version 0.0.0.0, fault address 0x4003d0a8.

Error - 18/06/2010 04:13:08 | Computer Name = COMP1 | Source = Application Error | ID = 1000
Description = Faulting application avgtray.exe, version 9.0.0.825, faulting module
kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 18/06/2010 07:21:19 | Computer Name = COMP1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module unknown, version 0.0.0.0, fault address 0x4003d0a8.

Error - 18/06/2010 07:21:34 | Computer Name = COMP1 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 18/06/2010 07:27:29 | Computer Name = COMP1 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3726, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 05/07/2010 06:19:51 | Computer Name = COMP1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module unknown, version 0.0.0.0, fault address 0x4003d0a8.

Error - 05/07/2010 06:21:09 | Computer Name = COMP1 | Source = Application Error | ID = 1001
Description = Fault bucket 15930561.

[ System Events ]
Error - 04/11/2010 14:19:32 | Computer Name = COMP1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 04/11/2010 14:20:42 | Computer Name = COMP1 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 04/11/2010 14:20:42 | Computer Name = COMP1 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 04/11/2010 15:03:56 | Computer Name = COMP1 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 04/11/2010 15:03:56 | Computer Name = COMP1 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 04/11/2010 17:24:55 | Computer Name = COMP1 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 04/11/2010 17:24:55 | Computer Name = COMP1 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 13/11/2010 17:37:24 | Computer Name = COMP1 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 13/11/2010 17:37:24 | Computer Name = COMP1 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 13/11/2010 17:38:14 | Computer Name = COMP1 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

Attached Files

  • Attached File  ark.txt   37.71KB   1 downloads


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 AM

Posted 13 November 2010 - 05:41 PM

Hello, HotShot2k.

Ok, you have a backdoor rookit and a file infector. We can clean it if you want, but please first read the warnings below as both of these are serious infections. If you want to proceed, please follow Step 1.


I'm afraid I have very bad news.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).




P2P Warning and Request
The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case ). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide to not uninstall, please refrain from using it until I let you know your computer is clean.



Registry Cleaner Warning


I also see that you have a Ccleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning), Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit wont' help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578










Step 1

ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. We can reinstall it when we're done with CF. Please let me know if you do uninstall it.

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 HotShot2k

HotShot2k
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 15 November 2010 - 02:56 PM

Hi and thanks again for your reply and taking time to deal with this issue.
I will take the safest option and do a reformat, all the information you have provided is very helpful.
Thanks!

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 AM

Posted 15 November 2010 - 07:07 PM

OK, thanks for letting me know. Let me know if you have any questions about it.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 AM

Posted 20 November 2010 - 07:52 AM

Since this issue appears to be resolved ... this Topic has been closed.

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users