
Infected with "Vista total security" or similar - virus / adware??


  • This topic is locked
41 replies to this topic

#1 dev00790

    Bleeping Chocoholic

  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 24 March 2011 - 06:27 PM

Hi. A friend's computer is infected with "Vista total security" or similar - it's certainly adware if not more malicious.
I've followed the preparation guide.

Operating system: Windows Vista.

Please help me clean this PC!

Thanks.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog




#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 30 March 2011 - 05:52 PM

Hello and welcome to Bleeping Computer

My name is etavares and I will be working with you to fix your computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. If you will be unable to respond (e.g. vacation, travel, etc.), please let me know ahead of time.
  • Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • If you have already posted a log, please do so again as instructed below, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log. Thanks and again sorry for the delay.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
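The OTL scan requested above produces the bracketed file entries and O4 autorun lines that appear in the log posted later in this thread. As an added example (not part of this post, and not OTL's own code), here is a small Python triage helper that parses that line format and flags the entries a responder checks first: hidden+system files sitting in user-writable locations such as AppData or ProgramData, long random-looking filenames, and Run entries whose target is "File not found". The sample lines are copied from the log in this thread, plus the hibernation file that a naive hidden+system rule must not flag; the flagging rules are this example's own heuristics, and a hit is a lead to look at, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input (constructed for this example): file entries and O4 autorun lines
# copied from the OTL log posted in this thread, plus C:\hiberfil.sys, which is
# legitimately hidden+system and must not be flagged.
SAMPLE_LOG = r"""
[2011/03/31 21:06:59 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
[2011/03/23 17:03:34 | 000,348,160 | -HS- | C] (Valve Corporation) -- C:\Users\James Rudland\AppData\Local\yei.exe
[2011/03/30 18:45:28 | 000,011,136 | -HS- | M] () -- C:\ProgramData\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1
[2011/03/31 21:17:56 | 3487,485,952 | -HS- | M] () -- C:\hiberfil.sys
O4 - HKLM..\Run: [Wireless Manager] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
"""

# OTL file/folder entry: [date time | size | attrs | C-or-M] (company) -- path
FILE_ENTRY = re.compile(
    r"^\[(?P<ts>[^|\]]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Za-z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)
# OTL autorun entry: O4 - <hive>..\Run: [value name] <target>
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")

# Locations a standard user can write to; malware commonly drops here.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")
# OS files that are hidden+system by design (edge case for the attribute rule).
EXPECTED_HS_FILES = {"hiberfil.sys", "pagefile.sys"}


@dataclass
class Finding:
    path: str    # file path, or the Run value name for autorun findings
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic of this example: a long extension-less name mixing letters and digits."""
    if "." in name or len(name) < 16:
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def triage(log_text: str) -> List[Finding]:
    """Parse OTL-style lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_ENTRY.match(line)
        if m:
            path = m.group("path")
            name = path.rsplit("\\", 1)[-1]
            attrs = m.group("attrs").upper()
            hidden_system = "H" in attrs and "S" in attrs
            if hidden_system and name.lower() in EXPECTED_HS_FILES:
                continue  # expected OS file, skip without flagging
            if hidden_system and any(d in path.lower() for d in USER_WRITABLE):
                findings.append(Finding(path, "hidden+system file in a user-writable location"))
            if looks_random(name):
                findings.append(Finding(path, "long random-looking filename"))
            continue
        m = RUN_ENTRY.match(line)
        if m and m.group("target").strip() == "File not found":
            # Orphaned autorun values are often leftovers of a removed program, but
            # they are also where a cleanup should remove stale references.
            findings.append(Finding(m.group("name"), "autorun entry points at a missing file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}")
```

On the sample above the helper flags yei.exe (hidden+system in AppData\Local), the ProgramData entry twice (hidden+system and random-looking name) and the "Wireless Manager" Run value, while leaving OTL.exe, hiberfil.sys and the Windows Defender autorun alone; a real log is fed in the same way by reading the pasted OTL.txt into `triage`.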
 


#3 dev00790

    Bleeping Chocoholic

  • Topic Starter

  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 31 March 2011 - 01:25 PM

Acknowledged reply. Will be following steps when I'm able to access his PC.

Regards, dev00790



#4 dev00790

    Bleeping Chocoholic

  • Topic Starter

  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 31 March 2011 - 05:06 PM

1. Problem is ongoing. No popups have been seen since posting the DDS log - the PC has been turned off mostly since then though.
2. Not applicable
3. No Windows disk is available.
4. ok
5. done
6. ok
7. Since previous logs have been posted, I have disabled Windows Defender and uninstalled McAfee Security Centre, then rebooted PC.
8. ok
9. ok

I forgot to do another GMER log. I'll see if I can do it tomorrow.

OTL.txt:

OTL logfile created on: 31/03/2011 21:22:10 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\James Rudland\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 683.57 Gb Total Space | 150.91 Gb Free Space | 22.08% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 4.85 Gb Free Space | 32.36% Space Free | Partition Type: NTFS
Drive F: | 3.84 Gb Total Space | 3.83 Gb Free Space | 99.95% Space Free | Partition Type: FAT32

Computer Name: PC-JAMES | User Name: James Rudland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/31 20:16:40 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
PRC - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008/10/29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/14 00:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/08/14 00:04:42 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/05/29 14:55:43 | 000,077,824 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0\bin\jusched.exe
PRC - [2008/05/26 16:14:56 | 000,143,360 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
PRC - [2008/01/19 08:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/01/19 08:33:39 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2008/01/11 17:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/10/03 15:45:02 | 000,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/10/03 15:44:58 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/09/12 09:40:46 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/09/12 09:40:44 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/08/23 15:58:58 | 002,070,000 | ---- | M] () -- C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
PRC - [2007/07/31 19:02:22 | 000,151,552 | ---- | M] (Dell, Inc) -- C:\Program Files\Dell\Xcelerator\bin\ehLumaQuarkD.exe
PRC - [2007/05/23 20:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\pmxmiced.exe
PRC - [2007/02/13 11:43:38 | 000,715,568 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/02/13 11:43:36 | 001,600,304 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2006/11/08 15:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\ico.exe


========== Modules (SafeList) ==========

MOD - [2011/03/31 20:16:40 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
MOD - [2010/08/31 16:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll
MOD - [2010/04/01 09:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SessionLauncher)
SRV - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/03/04 12:25:12 | 000,621,056 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/02/17 13:06:14 | 000,077,944 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2008/08/14 00:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/05/29 15:08:33 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/26 16:14:56 | 000,143,360 | ---- | M] (Affinegy, Inc.) [Auto | Running] -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe -- (AffinegyService)
SRV - [2008/01/19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/11 17:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/14 14:25:22 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2007/12/14 14:25:20 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2007/12/14 14:25:12 | 001,112,560 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2007/10/03 15:45:02 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/09/12 09:40:44 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)


========== Driver Services (SafeList) ==========

DRV - [2009/12/19 19:22:01 | 000,104,512 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2008/09/26 12:30:54 | 000,651,264 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2008/05/26 16:09:42 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AFGSp50.sys -- (AFGSp50)
DRV - [2008/02/14 09:13:18 | 003,347,968 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2008/02/14 09:13:18 | 003,347,968 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/01/19 06:53:22 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2007/11/20 08:20:32 | 001,034,496 | ---- | M] (Hauppauge Computer Works) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HCW85BDA.sys -- (HCW85BDA)
DRV - [2007/09/12 09:44:34 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2007/09/12 09:40:48 | 000,326,656 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/08/29 10:33:02 | 005,734,400 | ---- | M] (Lumanate Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LazerUsb.sys -- (LazerUsb)
DRV - [2007/06/01 13:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2007/05/24 16:44:00 | 000,019,008 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2005/08/02 16:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rt73.sys -- (RT73)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1080529
IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.2
FF - prefs.js..keyword.URL: "http://uk.search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/03/06 17:29:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/31 21:16:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/10 22:17:56 | 000,000,000 | ---D | M]

[2008/11/13 18:03:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Extensions
[2011/03/23 00:02:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions
[2010/07/18 15:06:53 | 000,000,000 | ---D | M] ("Garmin Communicator") -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/06/27 16:53:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/11/13 18:02:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/06 17:29:51 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2011/03/10 22:17:53 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2011/03/10 22:17:53 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2011/03/10 22:17:53 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/11/22 20:32:55 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml
[2011/03/10 22:17:54 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Bluetooth HCI Monitor] C:\Windows\System32\HCIMNTR.DLL (Logitech Inc.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [PMX Daemon] C:\Windows\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe (Sonic Solutions)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Wireless Manager] File not found
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000..\Run: [AnyDVD] File not found
O4 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-internet-signup {A173B69A-1F9B-4823-9FDA-412F641E65D6} - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\James Rudland\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\James Rudland\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/09/26 15:54:10 | 000,000,016 | -H-- | M] () - F:\AUTORUN.INF -- [ FAT32 ]
O33 - MountPoints2\{d24d33b7-1b29-11df-a0b0-001e4ce660dd}\Shell\AutoRun\command - "" = F:\Launcher.exe
O33 - MountPoints2\{e856b057-8c00-11df-b8b0-001e4ce660dd}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.garmin.com/agent
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found


Drivers32: aux - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux1 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi2 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi3 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi4 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\Windows\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer2 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer3 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer4 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ac3acm - C:\Windows\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.imaadpcm - C:\Windows\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\Windows\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.msadpcm - C:\Windows\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\Windows\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\Windows\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.dvsd - C:\Windows\System32\pdvcodec.dll (Matsubleepa Electric Industrial Co., Ltd.)
Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()
Drivers32: vidc.i420 - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: VIDC.IYUV - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\Windows\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\Windows\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.XVID - C:\Windows\System32\xvidvfw.dll ()
Drivers32: VIDC.YUY2 - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\Windows\System32\yv12vfw.dll (www.helixcommunity.org)
Drivers32: VIDC.YVU9 - C:\Windows\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave2 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave3 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave4 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\Windows\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/03/31 21:06:59 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
[2011/03/24 21:37:31 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\Desktop\scan_logs
[2011/03/23 17:03:34 | 000,348,160 | -HS- | C] (Valve Corporation) -- C:\Users\James Rudland\AppData\Local\yei.exe
[2011/03/22 23:08:12 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\Desktop\ricsfinal sub
[2011/03/21 00:59:28 | 000,000,000 | ---D | C] -- C:\Users\James Rudland\Desktop\Budget back up
[2011/03/06 17:35:16 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell

========== Files - Modified Within 30 Days ==========

[2011/03/31 21:23:48 | 000,656,548 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/31 21:23:48 | 000,126,870 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/31 21:23:12 | 000,000,434 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{86E70E02-FBF7-48A1-85B8-2C9D7705C977}.job
[2011/03/31 21:20:36 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2011/03/31 21:18:31 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/31 21:18:03 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/31 21:18:03 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/31 21:18:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/31 21:17:56 | 3487,485,952 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/31 21:17:00 | 000,002,409 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/03/31 20:54:05 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/31 20:16:40 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James Rudland\Desktop\OTL.exe
[2011/03/30 18:45:28 | 000,011,136 | -HS- | M] () -- C:\ProgramData\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1
[2011/03/30 18:45:27 | 000,011,136 | -HS- | M] () -- C:\Users\James Rudland\AppData\Local\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1
[2011/03/23 19:59:23 | 000,000,000 | ---- | M] () -- C:\Users\James Rudland\defogger_reenable
[2011/03/23 17:03:34 | 000,348,160 | -HS- | M] (Valve Corporation) -- C:\Users\James Rudland\AppData\Local\yei.exe
[2011/03/20 18:07:56 | 000,301,568 | ---- | M] () -- C:\Users\James Rudland\Desktop\dummy.exe

========== Files Created - No Company Name ==========

[2011/03/23 19:59:23 | 000,000,000 | ---- | C] () -- C:\Users\James Rudland\defogger_reenable
[2011/03/23 17:03:51 | 000,011,136 | -HS- | C] () -- C:\Users\James Rudland\AppData\Local\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1
[2011/03/23 17:03:51 | 000,011,136 | -HS- | C] () -- C:\ProgramData\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1
[2011/03/20 18:07:56 | 000,301,568 | ---- | C] () -- C:\Users\James Rudland\Desktop\dummy.exe
[2011/03/06 17:31:29 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2011/03/06 17:31:29 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2011/03/06 17:31:29 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2010/10/16 15:09:16 | 000,015,312 | ---- | C] () -- C:\Windows\System32\RaCoInst.dat
[2010/01/14 19:53:10 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2010/01/06 22:13:05 | 000,005,052 | ---- | C] () -- C:\ProgramData\xqkcebzs.dik
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/04/02 20:16:36 | 000,168,448 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/04/02 20:16:32 | 000,795,648 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/04/02 20:16:31 | 000,130,048 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/04/02 20:16:31 | 000,067,584 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/02/03 23:18:45 | 000,000,680 | ---- | C] () -- C:\Users\James Rudland\AppData\Local\d3d9caps.dat
[2008/11/19 04:00:53 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2008/11/19 04:00:53 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/08/05 23:02:12 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/08/05 22:58:14 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/07/01 22:34:54 | 000,115,712 | ---- | C] () -- C:\Users\James Rudland\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/29 22:31:29 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/05/29 22:31:29 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/05/29 22:31:29 | 000,158,081 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2008/05/29 22:31:29 | 000,081,920 | ---- | C] () -- C:\Windows\System32\ATIODE.exe
[2008/05/29 22:31:29 | 000,040,960 | ---- | C] () -- C:\Windows\System32\ATIODCLI.exe
[2008/05/29 22:31:27 | 000,066,048 | ---- | C] () -- C:\Windows\System32\hcwxds.dll
[2008/05/29 22:31:23 | 000,876,544 | ---- | C] () -- C:\Windows\System32\TEACico2.dll
[2008/05/29 15:06:59 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2008/05/29 14:55:58 | 000,303,104 | ---- | C] () -- C:\Windows\System32\FontZoom.exe
[2008/05/29 14:55:57 | 000,131,062 | ---- | C] () -- C:\Windows\System32\DellPM.ini
[2008/05/29 14:44:09 | 000,002,409 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2008/05/29 14:36:18 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2007/02/13 11:14:18 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:47:37 | 000,499,184 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:33:01 | 000,656,548 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,126,870 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2010/01/07 22:19:56 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\AnvSoft
[2009/02/17 13:09:04 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Autodesk
[2008/07/20 15:21:39 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\CopyTrans
[2010/04/12 21:34:46 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Facebook
[2010/07/18 15:16:23 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\GARMIN
[2010/02/16 21:31:03 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Nokia
[2010/02/16 21:14:46 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\PC Suite
[2008/08/01 17:38:50 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Sony
[2011/01/25 23:06:32 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\Spotify
[2011/03/22 23:13:53 | 000,000,000 | ---D | M] -- C:\Users\James Rudland\AppData\Roaming\TuneUpMedia
[2011/03/31 21:17:00 | 000,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/03/31 21:23:12 | 000,000,434 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{86E70E02-FBF7-48A1-85B8-2C9D7705C977}.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2008/02/14 09:13:16 | 000,368,640 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\Windows\System32\ATIDEMGX.dll
[2009/03/08 12:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/03/08 12:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll

< %systemroot%\system32\*.sys /90 >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 11:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 11:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 11:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %SYSTEMDRIVE%\*.* >
[2006/09/18 22:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2008/01/19 08:45:45 | 000,333,203 | RHS- | M] () -- C:\bootmgr
[2006/09/18 22:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2008/05/29 22:31:35 | 000,005,076 | RH-- | M] () -- C:\dell.sdr
[2011/03/31 21:17:56 | 3487,485,952 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/31 21:17:54 | 3801,120,768 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/01/19 08:34:28 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL
[2006/11/02 13:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< End of report >

Extras.txt:

OTL Extras logfile created on: 31/03/2011 21:22:10 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\James Rudland\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 683.57 Gb Total Space | 150.91 Gb Free Space | 22.08% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 4.85 Gb Free Space | 32.36% Space Free | Partition Type: NTFS
Drive F: | 3.84 Gb Total Space | 3.83 Gb Free Space | 99.95% Space Free | Partition Type: FAT32

Computer Name: PC-JAMES | User Name: James Rudland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3531169547-2017799648-792648308-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0F6F656E-9E44-4AD3-A730-977FAB0003CF}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{43BA6545-4A8E-44B2-8349-0DAD065A3CD2}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{ABA82CC6-B718-435A-A75F-C2EAA9E9BFFE}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0096A731-71DB-4969-AF1A-651698B246A5}" = Sony Ericsson Media Manager 1.1
"{01D51B09-8C96-66F8-92BF-33A7E164C55C}" = Catalyst Control Center Localization Portuguese
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.0.1.4300
"{043D8259-3CAA-6F8C-6E2D-E38283FC0D4D}" = CCC Help Chinese Standard
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07183287-CF06-9557-D0A0-4DF5A237CD05}" = CCC Help Spanish
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{0C9F2F87-6FA3-488C-F489-3501F178C480}" = Catalyst Control Center Localization Chinese Standard
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E01E143-E78C-A324-FF2F-16EAA0C6CB1E}" = CCC Help Hungarian
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{1FB3C00D-E214-F383-0D86-47211D4472EC}" = CCC Help Chinese Traditional
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{30EE5A21-1E57-1DFF-3D59-E6B5EE5C274E}" = CCC Help English
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}" = Adobe Premiere Elements 4.0
"{3FB3647F-B6A6-46B4-8613-A09BCFAB80F0}" = Roxio Creator Premier 10
"{40C801DC-E428-E41B-C4BC-8AD9C07C4336}" = Catalyst Control Center Graphics Full New
"{419D6CBB-322C-4EE2-0866-FB582514BF62}" = Catalyst Control Center Localization Korean
"{41F09D47-DBF4-1497-ACAF-534AED2AD7F4}" = Catalyst Control Center Graphics Full Existing
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{43934147-4A8B-EFEF-BD42-CFE52CF5663B}" = Catalyst Control Center Localization Polish
"{44415FD8-A554-AA16-00E7-B1DF43F49CB0}" = Catalyst Control Center Graphics Previews Common
"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers
"{4498C780-9A00-105B-80CE-AB458C680888}" = Catalyst Control Center Localization Spanish
"{469EF13B-4AD0-48D7-AF89-6B92278293E2}" = Roxio Creator Premier
"{493909E8-83A7-E4D5-C7E8-E75E5E53FB07}" = Catalyst Control Center Localization Japanese
"{4AB9C5C3-B890-97EC-26ED-ECD96645B5FF}" = Catalyst Control Center Localization Chinese Traditional
"{4CA09BF7-1CFC-44B8-80EA-7B4D15D12DC5}" = Catalyst Control Center - Branding
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4EE9A620-46A0-4BCF-82AC-950D2BBED982}" = Belkin Wireless USB Adapter Setup
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5783F2D7-5001-0409-0002-0060B0CE6BBA}" = AutoCAD 2007 - English
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{58B2B6D3-E5FF-4D16-87AC-52CC5717C7C6}" = Tiscali Internet
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{5C82FB90-FD74-BB07-AA83-A6B683E407E8}" = Skins
"{5E14A164-4DC8-7686-DFF9-1B0DC0E9C22E}" = Catalyst Control Center Graphics Light
"{616BF52A-6B5C-E98A-D320-F7CB396289B4}" = CCC Help German
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6863264D-A026-74F9-B6B9-6432CD83E8D0}" = Catalyst Control Center Localization Thai
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{6FFB40A5-7F7D-4A32-8905-3CDF962EE1E4}" = Internet From BT
"{7160D728-3A2B-5E11-CF1C-F0F46790C1C5}" = ccc-core-static
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.4
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7CB2A775-9537-F0B3-B12C-39935FC406BE}" = CCC Help Portuguese
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84D58782-A2F0-47D4-A557-3041363893CF}" = Adobe Setup
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Roxio CinePlayer Decoder Pack
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{92A300C0-E97B-48CC-9702-AB1AAED167E1}" = Adobe Soundbooth CS3 Scores
"{93DD0407-71F9-CC33-DFEB-6A972D9A0D6C}" = CCC Help Italian
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{96FB529E-634D-48EF-91CB-A1A06243E25C}" = CCC Help Korean
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{99CD4458-A1E7-BDCF-2838-B2FEC4D7F3BD}" = Catalyst Control Center Localization Hungarian
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9E327786-6078-3A3D-B161-34C57105B183}" = CCC Help Polish
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A43494A1-A4D4-A75B-EE06-5DD390DE9D6F}" = ccc-utility
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{A73BDB2A-E4A7-4FE8-960E-6A5C8BF76FCB}" = XPS MiniView Gadget
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AB5EC8FC-C7D5-797E-A33C-79695264E0E7}" = CCC Help French
"{ABA1C13F-D76E-4E8C-80CE-13BB88BBD955}" = Dell Xcelerator™ for Portable Devices
"{AC16252B-B731-8133-A10F-E4F8066945B4}" = CCC Help Turkish
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{AF094932-91E6-4EF8-8AB8-1C7226DFEECB}" = Hauppauge TV Tuner Driver
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1AE9D28-DA40-4C5E-94BC-5A6C7FA7A43B}" = Catalyst Control Center Graphics Previews Vista
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7CB0BF3-791E-44D3-9F04-786E36D51C9D}" = PC Connectivity Solution
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAD890B2-D495-E30F-48A7-95ADB7A7C811}" = CCC Help Thai
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C127414C-A625-4E0A-8AC1-F970F9E566A3}" = Adobe Elements Studio Launcher
"{C81A17EF-B3FA-3F03-DEF9-DC6E24F12D5A}" = CCC Help Japanese
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D17111CB-C992-42A9-9D56-C19395102AAA}" = Garmin WebUpdater
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DDB74B95-2169-9869-B4DA-7CC881C0AC59}" = Catalyst Control Center Core Implementation
"{DE44E86C-6339-394D-DD8A-D8BD499EB287}" = Catalyst Control Center Localization Turkish
"{E1E8CEE9-9A46-819C-2490-10B12E5A40EE}" = Catalyst Control Center Localization German
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator Premier
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EFBBCE37-DE8C-CC16-48E8-DBBFB51B6FC4}" = Catalyst Control Center Localization French
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F85C7118-F3DC-4ED9-AB27-3E7931EA3D88}" = Adobe Premiere Elements 4.0 Templates
"{FD28B75E-10A2-63A9-6EBA-D4494220F903}" = Catalyst Control Center Localization Italian
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"2B0D8F3C-18AD-4D8E-879A-74A867C5C3CB_is1" = Wireless Manager
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"Adobe_19c4ee81f9cc4b3dffb9a17d9b648b2" = Adobe Soundbooth CS3
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Any Video Converter_is1" = Any Video Converter 3.0.1
"AnyDVD" = AnyDVD
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CCS97" = Construction Computer Software
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"Guitar Pro 5_is1" = Guitar Pro 5.2
"Hauppauge MCE2005 Software Encoder" = Hauppauge MCE XP/Vista Software Encoder (2.0.25296)
"iDump" = iDump (Backing up your iPod)
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.7.5 (Full)
"LastFM_is1" = Last.fm 1.5.4.27091
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"MySpaceMp3Gopher_is1" = MySpaceMp3Gopher
"Need4 Software Launcher" = Need4 Software Launcher 6.2
"Need4 Video Converter 6" = Need4 Video Converter 6
"PremElem40" = Adobe Premiere Elements 4.0
"PremElem40Templates" = Adobe Premiere Elements 4.0 Templates
"PROR" = Microsoft Office Professional 2007
"PROSetDX" = Intel® PRO Network Connections 12.1.12.4
"Spotify" = Spotify
"TuneUpMedia" = TuneUp Companion 1.9.0
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3531169547-2017799648-792648308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:31 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 02/12/2009 14:48:32 | Computer Name = PC-James | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Media Center Events ]
Error - 18/12/2010 20:33:16 | Computer Name = PC-James | Source = Recording | ID = 19
Description = The recording schedule has been corrupted and was automatically deleted
on 12/19/2010 00:33:16. You may need to reschedule your recordings.

[ OSession Events ]
Error - 11/02/2009 23:11:07 | Computer Name = PC-James | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 11477
seconds with 120 seconds of active time. This session ended with a crash.

Error - 17/06/2009 12:46:58 | Computer Name = PC-James | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 15
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 22/03/2011 18:04:41 | Computer Name = PC-James | Source = DCOM | ID = 10010
Description =

Error - 23/03/2011 11:43:45 | Computer Name = PC-James | Source = HTTP | ID = 15016
Description =

Error - 23/03/2011 11:44:35 | Computer Name = PC-James | Source = Service Control Manager | ID = 7000
Description =

Error - 30/03/2011 13:44:57 | Computer Name = PC-James | Source = HTTP | ID = 15016
Description =

Error - 30/03/2011 13:45:46 | Computer Name = PC-James | Source = Service Control Manager | ID = 7000
Description =

Error - 31/03/2011 15:51:09 | Computer Name = PC-James | Source = HTTP | ID = 15016
Description =

Error - 31/03/2011 15:51:36 | Computer Name = PC-James | Source = Service Control Manager | ID = 7000
Description =

Error - 31/03/2011 15:53:43 | Computer Name = PC-James | Source = Service Control Manager | ID = 7009
Description =

Error - 31/03/2011 16:18:01 | Computer Name = PC-James | Source = HTTP | ID = 15016
Description =

Error - 31/03/2011 16:18:37 | Computer Name = PC-James | Source = Service Control Manager | ID = 7000
Description =


< End of report >

Regards, dev00790



#5 etavares (Malware Response Team)

Posted 31 March 2011 - 05:59 PM

While the GMER is running, have you done anything since the first post such as run an antivirus scan or anything else? You definitely had a rogue from the first log, but it's not present in the OTL log.


 


#6 etavares (Malware Response Team)

Posted 31 March 2011 - 06:02 PM

Correction, still present, just not in the running processes. :)


 


#7 dev00790 (Topic Starter)

Posted 01 April 2011 - 03:49 PM

I started the GMER scan like before, and went away from the computer. When I came back to check on its progress, only three lines were shown in the GMER main window. I presumed the scan didn't run, so I clicked "scan" again. Then the PC gave me a BSOD with the familiar "IRQL_NOT_LESS_OR_EQUAL". It restarted, and I can't try to start the scan again as the PC has a password to log in. I may not be able to run the scan until Monday evening now, as I'm away and have limited access to my friend's PC.

What would you like me to do next?

Regards, dev00790



#8 etavares (Malware Response Team)

Posted 01 April 2011 - 06:16 PM

Hello, dev00790.
OK, no worries. GMER does that a lot. We'll move into Combofix now given the infection that is in your logs.



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


 


#9 dev00790 (Topic Starter)

Posted 04 April 2011 - 04:22 PM

Log as requested:

ComboFix 11-04-04.01 - James Rudland 04/04/2011 21:46:20.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3325.2124 [GMT 1:00]
Running from: c:\users\James Rudland\Desktop\etavaresCF.exe.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\James Rudland\AppData\Local\yei.exe
c:\users\James Rudland\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-04 to 2011-04-04 )))))))))))))))))))))))))))))))
.
.
2011-04-04 20:53 . 2011-04-04 20:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-04 20:53 . 2011-04-04 20:53 -------- d-----w- c:\users\Martin\AppData\Local\temp
2011-03-08 21:52 . 2010-12-29 17:41 323072 ----a-w- c:\windows\system32\sbe.dll
2011-03-08 21:52 . 2010-12-29 17:41 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-08 21:52 . 2010-12-29 17:41 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-08 21:52 . 2010-12-29 17:39 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-08 21:50 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-08 21:50 . 2010-12-17 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-08 07:50 . 2011-02-09 20:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57 . 2011-02-09 20:32 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-06-24 18:44 . 2010-01-06 15:31 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 9728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-05-29 77824]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-24 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-12-14 244208]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-12 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-13 715568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c991b9e382e70;Google Update Service (gupdate1c991b9e382e70);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-12-14 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-12-14 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-24 30192]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2008-09-26 651264]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-12-14 1112560]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-03-26 93320]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-11-20 1034496]
S3 LazerUsb;Lumanate Lazer USB;c:\windows\system32\DRIVERS\LazerUsb.sys [2007-08-29 5734400]
S3 pmxmouse;pmxmouse;c:\windows\system32\DRIVERS\pmxmouse.sys [2007-06-01 18432]
S3 pmxusblf;pmxusblf;c:\windows\system32\DRIVERS\pmxusblf.sys [2007-05-24 19008]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-18 22:00]
.
2011-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 11:07]
.
2011-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 11:07]
.
2011-04-04 c:\windows\Tasks\User_Feed_Synchronization-{86E70E02-FBF7-48A1-85B8-2C9D7705C977}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1080529
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - c:\users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
HKLM-Run-Wireless Manager - c:\program files\Virgin Broadband Wireless\Wireless Manager.exe
AddRemove-2B0D8F3C-18AD-4D8E-879A-74A867C5C3CB_is1 - c:\program files\Virgin Broadband Wireless\unins000.exe
AddRemove-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVD-uninst.exe
AddRemove-CCS97 - c:\program files\CCSWIN\UNCCS.EXE
AddRemove-Need4 Software Launcher - c:\program files\Need4 Software Launcher\uninst.exe
AddRemove-Need4 Video Converter 6 - c:\program files\Need4 Video Converter 6\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-04 21:54
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-04 21:56:01
ComboFix-quarantined-files.txt 2011-04-04 20:55
.
Pre-Run: 196,086,202,368 bytes free
Post-Run: 199,607,541,760 bytes free
.
- - End Of File - - 9CF3A2A0E442D94903210E3C53AA290E

Regards, dev00790


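The "Reg Loading Points" section of the log above is the part a responder reads first: the Run keys, the AppInit_DLLs value, services and their binaries, and the Security Center monitoring flags. As an added example (not part of this thread and not ComboFix's own code), the Python below is a small triage pass over that section, run on a constructed, cut-down excerpt of the log posted above. It flags the things worth a second look: Run values given as a bare file name (resolved through the loader's search order rather than a fixed path), services whose binary is missing (ComboFix prints "[x]") or lives under a user temp directory, any AppInit_DLLs entry, and a "DisableMonitoring" value of 1 under Security Center. The flags are review prompts, not verdicts; the AppInit_DLLs entry in this log belongs to Google Desktop, for instance.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example: this is not part of the forum thread and not ComboFix
code. It parses the REGEDIT4-style autorun dump that ComboFix prints and
flags the entries a responder would check first. SAMPLE_LOG is a
constructed, cut-down excerpt of the log posted in the thread.
"""
import re

# Locations a standard user can write to. Persistence that runs from
# here is worth a look even when the file name looks harmless.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\admini~1\\")

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*)$')
# ComboFix service lines: R2 name;display name;binary path [date size] or [x]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$"
)


def _split_value(raw):
    """Separate a value's data from the trailing [date size] block, if any."""
    meta = ""
    m = re.search(r"\s+\[([^\]]*)\]$", raw)
    if m:
        meta, raw = m.group(1), raw[: m.start()]
    return raw.strip().strip('"'), meta


def _user_writable(path):
    return any(tag in path.lower() for tag in USER_WRITABLE)


def triage_reg_loading_points(text):
    """Return (entry name, reason) pairs for entries that need a human look."""
    findings = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("meta") == "x":  # ComboFix marks a missing binary with [x]
                findings.append((m.group("name"), "service binary not found"))
            if _user_writable(m.group("path")):
                findings.append((m.group("name"), "service binary in user-writable location"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        value, _meta = _split_value(m.group("value"))
        if key.endswith("\\currentversion\\run"):
            if "\\" not in value:
                # Bare file name: resolved through the search order, so a
                # same-named file earlier in that order would win.
                findings.append((name, "unqualified path, resolved via search order"))
            elif _user_writable(value):
                findings.append((name, "autorun from user-writable location"))
        elif name.lower() == "appinit_dlls" and value:
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append((name, "AppInit_DLLs loads into every GUI process: " + value))
        elif "security center\\monitoring\\" in key and name == "DisableMonitoring" and value == "dword:00000001":
            product = key.rsplit("\\", 1)[-1]
            findings.append((name, "Security Center monitoring disabled for " + product))
    return findings


# Constructed sample: a cut-down excerpt of the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 9728]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 gupdate1c991b9e382e70;Google Update Service (gupdate1c991b9e382e70);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 133104]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
"""

if __name__ == "__main__":
    for name, reason in triage_reg_loading_points(SAMPLE_LOG):
        print(f"{name}: {reason}")
```

Run as a script it prints six findings for the sample: the two bare-name Run values, the AppInit_DLLs entry, the McAfee monitoring flag, and the SessionLauncher service twice (binary missing, and pointed into a user temp directory). Everything with a fully qualified path under Program Files stays silent, which is the point: the pass narrows the list, it does not replace reading it.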

#10 etavares (Malware Response Team)

Posted 04 April 2011 - 05:05 PM

Hello, dev00790.
Much better. How is it running on your end?



Step 1



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 2

Do you know what this file is?

C:\Users\James Rudland\Desktop\dummy.exe

If not, please Jotti it. If you do know what it is, please let me know.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Users\James Rudland\Desktop\dummy.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares


 


#11 dev00790 (Topic Starter)

Posted 05 April 2011 - 01:34 PM

Hi

dummy.exe is a renamed GMER.exe :).

I'll hopefully be able to run the CFScript part later this evening.

dev

Regards, dev00790



#12 dev00790 (Topic Starter)

Posted 05 April 2011 - 04:16 PM

The PC is running better: fewer pop-up messages and unknown taskbar tray items, for example.

Log below:

ComboFix 11-04-04.01 - James Rudland 05/04/2011 21:48:57.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3325.1877 [GMT 1:00]
Running from: c:\users\James Rudland\Desktop\etavaresCF.exe.exe
Command switches used :: c:\users\James Rudland\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
.
2011-04-05 20:56 . 2011-04-05 20:56 -------- d-----w- c:\users\Martin\AppData\Local\temp
2011-04-05 20:56 . 2011-04-05 20:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-08 21:52 . 2010-12-29 17:41 323072 ----a-w- c:\windows\system32\sbe.dll
2011-03-08 21:52 . 2010-12-29 17:41 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-08 21:52 . 2010-12-29 17:41 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-08 21:52 . 2010-12-29 17:39 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-08 21:50 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-08 21:50 . 2010-12-17 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-08 07:50 . 2011-02-09 20:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57 . 2011-02-09 20:32 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-06-24 18:44 . 2010-01-06 15:31 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 9728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-05-29 77824]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-24 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-12-14 244208]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-12 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-13 715568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c991b9e382e70;Google Update Service (gupdate1c991b9e382e70);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-12-14 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-12-14 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-24 30192]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2008-09-26 651264]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-12-14 1112560]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-03-26 93320]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-11-20 1034496]
S3 LazerUsb;Lumanate Lazer USB;c:\windows\system32\DRIVERS\LazerUsb.sys [2007-08-29 5734400]
S3 pmxmouse;pmxmouse;c:\windows\system32\DRIVERS\pmxmouse.sys [2007-06-01 18432]
S3 pmxusblf;pmxusblf;c:\windows\system32\DRIVERS\pmxusblf.sys [2007-05-24 19008]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-18 22:00]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 11:07]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 11:07]
.
2011-04-04 c:\windows\Tasks\User_Feed_Synchronization-{86E70E02-FBF7-48A1-85B8-2C9D7705C977}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=1080529
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - c:\users\James Rudland\AppData\Roaming\Mozilla\Firefox\Profiles\6vjzctkf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 21:56
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5460)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\System32\pmxscrll.dll
c:\windows\System32\PMXCOMM.dll
c:\windows\System32\PMXHOOKS.dll
.
Completion time: 2011-04-05 21:57:46
ComboFix-quarantined-files.txt 2011-04-05 20:57
ComboFix2.txt 2011-04-04 20:56
.
Pre-Run: 199,432,011,776 bytes free
Post-Run: 198,342,348,800 bytes free
.
- - End Of File - - EF0EE814C23D299F231D3AC71B2C07D8

Regards, dev00790



#13 etavares (Malware Response Team)

Posted 05 April 2011 - 06:13 PM

Hello, dev00790.


Step 1

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :files
    C:\ProgramData\xqkcebzs.dik
    C:\Users\James Rudland\AppData\Local\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1
    C:\ProgramData\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (SessionLauncher)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Wireless Manager] File not found
    O4 - HKU\S-1-5-21-3531169547-2017799648-792648308-1000..\Run: [AnyDVD] File not found
    O18 - Protocol\Filter\application/x-internet-signup {A173B69A-1F9B-4823-9FDA-412F641E65D6} - File not found
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it in a reply here.



Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#14 dev00790
Posted 06 April 2011 - 05:32 PM

ESET scan will be run soon. PC rebooted, as you previously mentioned, after the OTL fix. There was a Windows update that said it would be installed at shutdown - link - I can look to see if it has been installed, if you like, next time I am on the PC?

OTL log:

All processes killed
========== FILES ==========
C:\ProgramData\xqkcebzs.dik moved successfully.
C:\Users\James Rudland\AppData\Local\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1 moved successfully.
C:\ProgramData\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1 moved successfully.
========== OTL ==========
Service SessionLauncher stopped successfully!
Service SessionLauncher deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Wireless Manager not found.
Registry value HKEY_USERS\S-1-5-21-3531169547-2017799648-792648308-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AnyDVD not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\application/x-internet-signup\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A173B69A-1F9B-4823-9FDA-412F641E65D6}\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: James Rudland
->Temp folder emptied: 88489 bytes
->Temporary Internet Files folder emptied: 205444377 bytes
->Java cache emptied: 98848 bytes
->FireFox cache emptied: 55048153 bytes
->Google Chrome cache emptied: 274217579 bytes
->Flash cache emptied: 147955 bytes

User: Martin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 721599 bytes

Total Files Cleaned = 511.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04062011_213156

Files\Folders moved on Reboot...
File\Folder C:\Users\James Rudland\AppData\Local\Temp\~DF6F12.tmp not found!
File\Folder C:\Users\James Rudland\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5497E23D-2D7E-49DC-8DF8-CB38254D6644}.tmp not found!
File\Folder C:\Users\James Rudland\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{059D1CB1-7F9A-4A44-95F7-6B4EF5233353}.tmp not found!
File\Folder C:\Users\James Rudland\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F79E3643-7205-4016-AC22-BAB31A2F0FF3}.tmp not found!

Registry entries deleted on Reboot...


MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6290

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19019

06/04/2011 21:51:19
mbam-log-2011-04-06 (21-51-19).txt

Scan type: Quick scan
Objects scanned: 183773
Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Regards, dev00790

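A follow-up check a helper could run on the cleaned PC to confirm that the items OTL reported as moved or deleted above have not come back after the reboot. This is an added example, not part of the thread and not a feature of OTL or MBAM; the file paths, the service name and the CLSIDs are taken directly from the OTL log, while the run-key listing at the end is an assumption about where a surviving remnant would most likely re-register itself. Run it from an elevated PowerShell prompt.

```powershell
# Post-cleanup verification for the artifacts named in the OTL log.
# Added example; identifiers below come from the log, not from a tool.

# Open a subkey under HKLM with the .NET API rather than the HKLM: provider,
# because the provider treats "/" as a path separator and would mis-resolve
# the "application/x-internet-signup" key name.
function Test-HklmKey([string]$SubKey) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($key) { $key.Close(); return $true }
    return $false
}

# Files and folders OTL reported as "moved successfully"
$files = @(
    'C:\ProgramData\xqkcebzs.dik',
    'C:\Users\James Rudland\AppData\Local\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1',
    'C:\ProgramData\tebc76i61k5c01txo75x8687j84sqn3o5v12730870e5cy1'
)

# Registry keys OTL reported as deleted (or already absent), relative to HKLM
$keys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}',
    'SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}',
    'SOFTWARE\Classes\PROTOCOLS\Filter\application/x-internet-signup',
    'SOFTWARE\Classes\CLSID\{A173B69A-1F9B-4823-9FDA-412F641E65D6}'
)

# Service OTL stopped and deleted
$serviceName = 'SessionLauncher'

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File/folder still present: $f" }
}

foreach ($k in $keys) {
    if (Test-HklmKey $k) { $findings += "Registry key still present: HKLM\$k" }
}

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service still registered: $serviceName ($($svc.Status))" }

if ($findings.Count -eq 0) {
    Write-Output 'No remnants of the OTL-listed items found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}

# Assumption: a remnant that survived would most likely re-add an autostart
# entry, so list the current Run values for the machine and the logged-on
# user so an unfamiliar entry can be compared against the earlier OTL scan.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Write-Output "Autostart [$rk] $($_.Name) = $($_.Value)" }
    }
}
```

A clean result is the message "No remnants of the OTL-listed items found." followed only by autostart entries you recognise; anything listed under "still present" means the fix did not hold through the reboot and should be reported back in the thread rather than removed by hand.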


#15 etavares
Posted 06 April 2011 - 05:42 PM

OK, please don't miss the request for a fresh OTL quick scan in addition to the ESET log. If ESET finds nothing, just let me know; it doesn't spit out a log in that case.






