Windows Vista Restore malware


  • This topic is locked
11 replies to this topic

#1 darexms

  • Members
  • 6 posts

Posted 13 June 2011 - 09:26 AM

Hi All,

Sorry to be a pain; I can normally sort this sort of thing out on my own, but this one really is a bit of a b*tch.

I managed to do a DDS log in safe mode (below), but every time I attempt to scan with GMER, it starts off OK, then freezes, then crashes, and if I try to run it again I get a BSOD.

It would appear to have also installed a rootkit because Google is redirecting.

I went through the self-help guide, but towards the end it says to log and post due to the rootkit.

Any ideas?

.
DDS (Ver_2011-06-12.02) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19048
Run by Ky at 15:18:06 on 2011-06-13
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2814.2133 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.yahoo.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vb32&d=1006&m=aspire_x3200
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vb32&d=1006&m=aspire_x3200
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vb32&d=1006&m=aspire_x3200
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: AOL Broadband Toolbar Search Class: {4a6e1b85-1193-4a2a-aab8-7417f275f18a} - c:\program files\aol broadband toolbar\aolbbtb.dll
mURLSearchHooks: AOL Broadband Toolbar Search Class: {4a6e1b85-1193-4a2a-aab8-7417f275f18a} - c:\program files\aol broadband toolbar\aolbbtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: AOL Broadband Toolbar Loader: {776a9d06-e178-4aa0-aee4-b4de3a64ad28} - c:\program files\aol broadband toolbar\aolbbtb.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: AOL Broadband Toolbar: {e6ed7f95-e571-4f81-8757-5eb11252703d} - c:\program files\aol broadband toolbar\aolbbtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [YGRLPHtuvIU] c:\programdata\YGRLPHtuvIU.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HostManager] c:\program files\common files\aol\1277208169\ee\AOLSoftware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://as.mandata.co.uk/members/PODStorage/alttiff.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://as.mandata.co.uk/members/printercontrol/smsx.cab
DPF: {173D9E48-B527-4AA0-A929-30B446002AA8} - hxxp://daresway.dyndns.org/DVRemoteAx.cab
DPF: {7E866715-C9B6-4C64-AAB8-342E0D137213} - hxxp://192.168.1.80/EDVR.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{AD2DAAA8-DA7C-4054-ABB3-C441DAD2BE2E} : DhcpNameServer = 192.168.1.254
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
.
============= SERVICES / DRIVERS ===============
.
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
S1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\26762\RapportCerberus_26762.sys [2011-6-1 57144]
S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-5 352656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-1-10 24576]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-19 133104]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;d:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
S2 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE [2010-6-1 24576]
S2 SC0CLPT;SC0CLPT;c:\windows\system32\SC0CLPT.SYS [2009-7-7 54456]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-19 133104]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-10 43552]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-21 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-9-17 19968]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.txt=
.
=============== Created Last 30 ================
.
2011-06-13 13:37:24 764390 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-13 13:20:26 -------- d--h--w- c:\users\ky\appdata\roaming\Malwarebytes
2011-06-13 13:16:34 388096 ---ha-w- c:\programdata\41475832.exe
2011-06-13 13:07:31 485376 ---ha-w- c:\programdata\YGRLPHtuvIU.exe
2011-06-10 15:43:56 -------- d--h--w- c:\users\ky\appdata\roaming\DVRemote
2011-05-25 13:45:20 453456 ---ha-w- c:\windows\system32\d3dx10_42.dll
2011-05-25 13:45:20 235344 ---ha-w- c:\windows\system32\d3dx11_42.dll
2011-05-25 13:45:20 1974616 ---ha-w- c:\windows\system32\D3DCompiler_42.dll
2011-05-25 13:45:20 1892184 ---ha-w- c:\windows\system32\D3DX9_42.dll
2011-05-19 16:41:02 -------- d--h--w- c:\program files\China Eastern Airlines TravelDesk
2011-05-18 14:49:36 38224 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-18 14:49:35 -------- d--h--w- c:\programdata\Malwarebytes
2011-05-18 14:49:32 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-05-06 08:15:48 724992 ---ha-w- c:\windows\iun6002.exe
2011-04-28 13:34:50 53816 ---ha-w- c:\windows\system32\drivers\RapportKELL.sys
.
============= FINISH: 15:19:09.99 ===============

Update:

I managed to force a system restore via the Vista recovery console; I subsequently managed to remove most traces of the infection with ComboFix and Malwarebytes.

Still in the background, however, there seems to be something initializing a hidden Internet Explorer and accessing random sites. Probably a rootkit of some sort? GMER seems to be OK now, so I'm just trying another scan...

EDIT: Posts merged ~Budapest

Edited by Budapest, 14 June 2011 - 04:43 PM.
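Added example, not part of this thread and not code from DDS, OTL or BleepingComputer: a small Python triage script that applies, over a few lines excerpted from the DDS log in the post above, the checks a malware-response helper makes by eye when reading such a log. It flags an autostart entry whose target sits directly in a staging directory such as %ProgramData% (legitimate installers use a subfolder), a random-looking basename, EnableLUA = 0 (UAC switched off), an emptied .txt association, and hidden-attribute executables among recently created files. The staging-directory list, the profile name `ky`, the severity labels and the random-name heuristic are assumptions of mine, not DDS output or a published signature.

```python
"""Heuristic triage of a DDS log for the kind of behaviour seen in this
thread.  Added example, not DDS/OTL code: the checks approximate what a
malware-response helper looks for when reading the log by eye."""
import re
from dataclasses import dataclass

# Constructed sample input: lines excerpted from the DDS log in the first post.
SAMPLE_DDS = r"""
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [YGRLPHtuvIU] c:\programdata\YGRLPHtuvIU.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mPolicies-system: EnableLUA = 0 (0x0)
.scr=AutoCADScriptFile
.txt=
2011-06-13 13:16:34 388096 ---ha-w- c:\programdata\41475832.exe
2011-06-13 13:07:31 485376 ---ha-w- c:\programdata\YGRLPHtuvIU.exe
2011-05-25 13:45:20 453456 ---ha-w- c:\windows\system32\d3dx10_42.dll
"""

# Assumption: directories that legitimate software rarely uses as the *direct*
# parent of an autostarting executable.  The profile name "ky" is taken from
# the log above; adjust it for the machine being triaged.
STAGING_ROOTS = {
    r"c:\programdata",
    r"c:\users\ky\appdata\roaming",
    r"c:\users\ky\appdata\local",
    r"c:\users\ky\appdata\local\temp",
    r"c:\windows\temp",
}

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
ASSOC_RE = re.compile(r"^\.(?P<ext>\w+)=(?P<prog>.*)$")
# DDS "Created Last 30" row: date time size attrs path; "---ha-w-" = hidden+archive
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?:\d+|-+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$")
CAMEL_RE = re.compile(r"^(?:[A-Z][a-z]+)+$")


@dataclass
class Finding:
    severity: str   # high / medium / low (assumed labels)
    source: str     # which log section produced it
    detail: str


def target_path(cmd):
    """First token of a Run value: a quoted path, else everything up to the
    first space (an unquoted path containing spaces is truncated on purpose)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def split_path(path):
    """Return (lower-cased parent directory, basename with original case)."""
    parent, _, base = path.replace("/", "\\").rpartition("\\")
    return parent.lower(), base


def looks_random(basename):
    """Rogues use all-digit names or mixed-case gibberish; real products use
    words or CamelCase.  Heuristic only."""
    stem = basename.rsplit(".", 1)[0]
    if stem.isdigit():
        return True
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return len(stem) >= 8 and flips >= 2 and not CAMEL_RE.match(stem)


def triage(lines):
    findings, hidden, created = [], 0, 0
    for line in (raw.rstrip() for raw in lines):
        m = RUN_RE.match(line)
        if m:
            parent, base = split_path(target_path(m["cmd"]))
            if parent in STAGING_ROOTS:
                sev = "high" if looks_random(base) else "medium"
                findings.append(Finding(sev, "autostart",
                    f"{m['hive']}Run [{m['name']}] starts {base} directly from {parent}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m["key"] == "EnableLUA" and m["val"] == "0":
                findings.append(Finding("medium", "policy", "UAC disabled (EnableLUA = 0)"))
            continue
        m = ASSOC_RE.match(line)
        if m:
            if not m["prog"]:
                findings.append(Finding("low", "assoc", f".{m['ext']} association is empty"))
            continue
        m = CREATED_RE.match(line)
        if m:
            created += 1
            if "h" in m["attr"]:
                hidden += 1
                parent, base = split_path(m["path"])
                if parent in STAGING_ROOTS and base.lower().endswith(".exe"):
                    findings.append(Finding("high", "created",
                        f"hidden executable {m['path']} created in {parent}"))
    # The family in this thread sets +h wholesale, so a high hidden ratio among
    # recent files is itself a signal even when each file looks legitimate.
    if created and hidden / created >= 0.5:
        findings.append(Finding("medium", "created",
            f"{hidden} of {created} recently created entries are hidden"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS.strip().splitlines()):
        print(f"[{f.severity:<6}] {f.source:<9} {f.detail}")
```

On the log above this yields three high findings (the YGRLPHtuvIU autostart and the two hidden executables dropped straight into c:\programdata), plus the disabled UAC, the empty .txt association and the observation that every recently created entry carries the hidden attribute. That last point is why the helper's first instruction in this thread is unhide.exe rather than another scan: this family hides files wholesale, and a scan that cannot see them is of limited use.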



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 21 June 2011 - 11:11 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.


The first thing I would like you to do is run this for me (http://download.bleepingcomputer.com/grinler/unhide.exe). After it has completed, restart the computer and continue with these steps.


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- will be opened; this is the one I need posted back here
    • Extra.txt <-- will be minimized; save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


Information and logs:

  • In your next post I need the following:

  • logs from OTL
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 darexms

  • Topic Starter
  • Members
  • 6 posts

Posted 22 June 2011 - 04:49 AM

Hello,

Thank you for your reply. Prior to your post (in my desperation) I re-ran ComboFix; it found volsnap.sys was infected, cleared it, and there don't seem to be any more symptoms.

OTL logs are as follows:

OTL Extras logfile created on: 22/06/2011 10:42:41 - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = \\HPSERVER\Software\Dare utility programs
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.75 Gb Total Physical Memory | 1.64 Gb Available Physical Memory | 59.55% Memory free
5.70 Gb Paging File | 4.62 Gb Available in Paging File | 80.98% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 139.41 Gb Total Space | 68.86 Gb Free Space | 49.40% Space Free | Partition Type: NTFS
Drive D: | 140.18 Gb Total Space | 135.52 Gb Free Space | 96.67% Space Free | Partition Type: NTFS

Computer Name: DYL-DESKTOP-2 | User Name: Ky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.txt [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01420CDC-3111-4102-AA00-EA6AE5542238}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{045AC3F3-2E52-408F-B23B-E666DC44856D}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{0BB82865-C81B-46A2-84F0-3898DB60144C}" = lport=445 | protocol=6 | dir=in | app=system |
"{1073CE8A-CD31-47BD-B0BF-D685B2FF07BA}" = rport=139 | protocol=6 | dir=out | app=system |
"{2389EA99-48E9-4ACE-88A6-5875BA63108B}" = lport=50900 | protocol=6 | dir=in | name=adobe version cue cs3 server |
"{2E82FA05-79CD-426C-8A5E-F7DA11C99391}" = lport=2869 | protocol=6 | dir=in | app=system |
"{2F7A332A-EB8D-48E5-B475-0EDC02724331}" = rport=10243 | protocol=6 | dir=out | app=system |
"{3ADF0EB9-C4AB-4E90-91A7-1E309B622FC7}" = rport=138 | protocol=17 | dir=out | app=system |
"{3DD5ECC0-0FB9-4EF1-B490-DF45EC94FD5C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{4E80CDA1-C4C9-4260-A00E-87BF753E3D6D}" = lport=138 | protocol=17 | dir=in | app=system |
"{55DE2265-F17D-4133-A8F8-E32DF59E2127}" = lport=50901 | protocol=6 | dir=in | name=adobe version cue cs3 server |
"{71496560-3A64-4E71-AA17-C03510CC411C}" = rport=137 | protocol=17 | dir=out | app=system |
"{85C40A11-7850-4A17-A878-D9ED733DDA5F}" = lport=2869 | protocol=6 | dir=in | app=system |
"{8EFAD5A9-C697-4741-90C0-20780B6D5608}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{96E8F2BE-6A71-4BC1-9019-85A47788912B}" = rport=445 | protocol=6 | dir=out | app=system |
"{9FE27FC7-0DC0-484A-AB96-0CCA0B55780A}" = lport=137 | protocol=17 | dir=in | app=system |
"{A50B5839-F850-446C-B877-A27CB03B93FD}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A9C3A548-F2A3-49D2-9D78-93FE157DAD74}" = lport=139 | protocol=6 | dir=in | app=system |
"{B8C927D9-56AF-4BBC-98B6-B5CCF2134304}" = lport=10243 | protocol=6 | dir=in | app=system |
"{BC1E2E0B-EBE5-4792-A97A-B504B5626684}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E1641F0D-B523-4D42-85CA-12D961E27F2D}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{ECED11BD-2639-4D4E-ACFD-FAD9F5E8549C}" = lport=3703 | protocol=6 | dir=in | name=adobe version cue cs3 server |
"{F04E4A4B-6A2E-4677-AD92-D07607376634}" = lport=3704 | protocol=6 | dir=in | name=adobe version cue cs3 server |
"{F3B609DC-7C61-4FDA-AB36-5BF81AA4793C}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F4D22A5D-5E62-4837-820D-B2516585D6A1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00A7013F-F61C-480D-910B-EEDF316758AB}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{03D14B15-7641-4769-9A9C-B55CF2D4E2AE}" = protocol=6 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{0F3DDA76-0F34-4C32-853C-D49AA7672162}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{110EB2C5-B3AF-4F9B-BF9D-0AEBCAA3DFB1}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{12B4DFFB-3B50-4044-A599-BC13404364A4}" = protocol=17 | dir=in | app=c:\program files\aol 9.1\waol.exe |
"{16053641-F311-4FC8-A9E1-2E840C5788F9}" = protocol=17 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{18FD7CA1-8E8B-416B-B6CD-3DC03FBC303D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{1A16CACF-94DF-4D9B-A5A8-60DA83F162C3}" = protocol=6 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{1F120482-1462-48FF-90E6-94AA71D91A7F}" = protocol=6 | dir=out | app=system |
"{2330334E-7252-4436-ACBB-E54AB88BDDCB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{33644556-D774-4ABF-90B5-998769DE7868}" = protocol=6 | dir=in | app=d:\program files\autodesk\backburner\monitor.exe |
"{33E23474-208D-48D4-B0F0-1C24D2B63541}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{3BF94127-05C8-486B-842E-A9AE8057272C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{3D8043D3-B26B-4408-8FF2-849DE8A3FAF2}" = protocol=17 | dir=in | app=c:\program files\common files\aol\1277208169\ee\aolsoftware.exe |
"{4AA95970-45D2-4E8B-A568-A271157A117B}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{4BE4ACAC-530E-4070-80A6-C1B4C1AE7E93}" = dir=in | app=c:\program files\cyberlink\powerdvd\powerdvd.exe |
"{54F4DD7E-675E-45CD-A2CB-A4D727A01D74}" = protocol=17 | dir=in | app=d:\program files\autodesk\backburner\monitor.exe |
"{61AAD1AF-D5D3-430E-944F-9C71AA5046EE}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{6BE58E12-B567-4A39-9556-3F3717282423}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6CBD3EBA-468E-4E70-99CB-77EAFFDDC6D9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{6FAB6584-7CE1-410A-9569-F0F8069D7337}" = protocol=17 | dir=in | app=d:\program files\autodesk\3ds max 2009\3dsmax.exe |
"{6FB27FF5-D285-43FA-B543-C690BA5B8BD2}" = protocol=6 | dir=in | app=c:\program files\aol 9.1\waol.exe |
"{74606CB7-6276-4482-8440-F8E9F6717FBB}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{7830713B-B937-404E-A68F-628B66C17B48}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{797B74B0-A603-48F1-BF8C-03E11B105DE8}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{7F30E369-400A-4ECA-9117-EB849127CDD5}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{8365918A-1EF8-48EE-808B-26C96F3085CE}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{840B3D4D-B1A0-4BDA-B28B-4104C4675D00}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{956260F9-5844-47F3-B6CA-C5D72600B6A1}" = protocol=17 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{97A3275B-427E-4406-8015-D07B38556142}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{981B83C9-BB15-4BBD-A053-E1D09F14A8A2}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{9CD40CB2-7DCD-4B6A-95DE-0D628853F434}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{A7C8016F-58A9-4E60-BA3D-81B9CC85D72A}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{AA26F799-1A52-4ECD-9DF8-259974F939D5}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{AD11D265-4169-45DA-8ADF-F0FE035E8D6D}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{C55E25B6-9457-466F-A0D0-48B8F1152A95}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{C73A92DE-9BD0-415C-8718-AACD7EDB725C}" = protocol=17 | dir=in | app=d:\program files\autodesk\backburner\manager.exe |
"{CC61CC2C-A209-430C-B5A2-FC510A853A66}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D00C3944-1409-472B-B01E-A0A9667EA8DB}" = protocol=6 | dir=in | app=d:\program files\autodesk\backburner\manager.exe |
"{D28F10AE-DF2D-4640-8DDB-7D297951F080}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{D58A1321-5EE6-41D5-B6BC-81D2DCF53DCF}" = protocol=17 | dir=in | app=d:\program files\autodesk\backburner\server.exe |
"{D73DFB41-476C-4964-9CB6-8706E378E18D}" = protocol=6 | dir=in | app=d:\program files\autodesk\backburner\server.exe |
"{DA8159EF-824B-49CC-A690-C71E2EE9AC62}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{DE62B8F4-B047-4E43-AB84-F9311CC5638D}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{E7096DC3-5DE5-4B8F-8A21-9420AD222525}" = protocol=6 | dir=in | app=d:\program files\autodesk\3ds max 2009\3dsmax.exe |
"{E76A9A96-75F1-4DCA-87B6-863A88B67E06}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{EF46AD8C-4CD1-4022-BBFB-76DEB4225B1A}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{EF729522-59FB-465D-A389-4F998591E235}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{F1076E11-1C88-4785-A79D-CC9535BDBD3B}" = protocol=6 | dir=in | app=c:\program files\common files\aol\1277208169\ee\aolsoftware.exe |
"TCP Query User{11D3A793-DB1C-4211-BF36-E9DCCCFE89B2}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"TCP Query User{34E8DB35-9D45-40B4-8060-B54D24BBDA4D}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{126DA997-C644-40FC-AAB4-5ECF46CBAFEB}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{74DFC979-F801-4A75-BF9B-79B43601A2D5}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B56244C-7B61-0409-A739-3E29DDE4DC3C}" = Bluerock Technologies Flight Studio 3ds Max Design 2009 32-bit
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21E49794-7C13-4E84-8659-55BD378267D5}" = Windows Home Server Connector
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23767F5D-A80C-4264-B8EA-ED4085FC332A}" = Adobe Illustrator CS5.1
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{26918E50-6EDC-4A59-A31E-E9C1EF06F1BC}_is1" = Batch XLSX to XLS Converter 2010
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 26
"{2AB45FAF-2D92-0409-8D33-E2FE6172280E}" = Autodesk 3ds Max Design 2009 32-bit ProMaterials™ Library
"{305D5417-E687-0409-AA09-53DE06E059F8}" = Autodesk 3ds Max Design 2009 32-bit Movies
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D347E6D-5A03-4342-B5BA-6A771885F379}" = Autodesk Backburner 2008.1
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5545B622-9998-4f13-9CD6-B908675BDCB2}" = QuickBooks Pro Edition 2006
"{5783F2D7-5001-0409-0002-0060B0CE6BBA}" = AutoCAD 2007 - English
"{5783F2D7-A028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2012
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 7.0 with 5.1ch
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{71C2828F-2678-4675-BDEC-895424861262}_is1" = C:\Program Files\Acer GameZone\GameConsole
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{744A5C19-AA4C-0409-BC07-9F4C73C8B247}" = Autodesk 3ds Max Design 2009 32-bit Vault 2009 Plug-In
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{7A046E1F-BEB7-49C8-83E2-78E1F1C65C60}" = Turbo Squid Tentacles 3ds Max 2009 32-bit
"{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{80D437CA-8BDF-4BEF-81CC-7440D99211BC}" = AutoSolids 2007
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110082360}" = Alien Shooter
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110209593}" = Chicken Invaders 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110422467}" = Tiks Texas Hold em
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111199750}" = Cake Mania
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111307457}" = Galapago
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111796363}" = Mystery Solitaire - Secret Island
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111940693}" = Bookworm Adventures
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112028410}" = Putt Mania
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112548397}" = The Rise of Atlantis
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113786380}" = Heroes of Hellas
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113832110}" = Dream Day First Home
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113848220}" = Agatha Christie Peril at End House
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113919217}" = Mythic Mahjong
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114072167}" = Go-Go Gourmet
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11408540}" = Magic Match Adventures
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114086870}" = Womens Murder Club
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114717227}" = Magic Farm
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8BC76277-4A32-4F41-8640-0F42D02945AC}" = HP MediaSmart Server
"{8F1B6239-FEA0-450A-A950-B05276CE177C}" = Acer Empowering Technology
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{936E1869-822B-4520-8748-C0AD0CC069AB}" = OKI C3200 Status Monitor
"{949DBB22-2FB7-4de1-804C-23D495A988D8}" = CuteFTP 8 Home
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{982B2A0F-7679-41D6-A584-C8E735F4A8CD}" = Windows Home Server Toolkit 1.1
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A8D93648-9F7F-407D-915C-62044644C3DA}" = MSI to redistribute MS VS2005 CRT libraries
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{BCE46757-7674-4416-BEDB-68205A60409E}" = CanoScan Toolbox Ver4.1
"{C251E4E6-89BA-0409-9B42-1B3D01D34783}" = Autodesk 3ds Max Design 2009 32-bit Architectural Materials Library
"{C568C85B-8006-458F-A1A7-45ED427FA8FA}" = MySQL Server 5.1
"{CA532E73-1BB7-11D8-9D6A-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.1_07
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector (Acer DT)
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1399216-81B2-457C-A0F7-73B9A2EF6902}" = PDFill PDF Editor with FREE Writer and Free Tools
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DA20E1A8-07CB-4EE7-9B72-A7E28C953F0E}" = Acer Product Registration
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EFCBBB01-F876-0409-B91F-7B6132E8BB64}" = Autodesk 3ds Max Design 2009 32-bit Vault 2008 Plug-In
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F429ED71-4A8B-457A-85E4-F6398CE73E58}" = AV Input Selection
"{F681200C-0446-0409-ABE4-EA9105E40EE4}" = Autodesk 3ds Max Design 2009 32-bit Additional Maps and Material Libraries
"{FDD8070F-E3B9-0409-822C-CCFE5E82C14D}" = Autodesk 3ds Max Design 2009 32-bit
"Able2Extract v6.0" = Able2Extract v6.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Advanced SystemCare 4_is1" = Advanced SystemCare 4
"AOL Broadband Toolbar" = AOL Broadband Toolbar
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"BitTorrent" = BitTorrent
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"China Eastern Airlines TravelDesk_is1" = China Eastern Airlines TravelDesk
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Core FTP LE 2.1" = Core FTP LE 2.1
"CoreFTP" = Core FTP LE
"Cutting Master 2 1.81" = Cutting Master 2 1.81
"Dan Elwell's Broadband Speed Test_is1" = Dan Elwell's Broadband Speed Test
"DWG TrueView 2012" = DWG TrueView 2012
"FBX Plugin 2009.0 for Max 2009" = FBX Plugin 2009.0 for Max 2009
"GPL Ghostscript 8.64" = GPL Ghostscript 8.64
"ImgBurn" = ImgBurn
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector (Acer DT)
"Java Web Start" = Java Web Start
"Magic ISO Maker v5.5 (build 0281)" = Magic ISO Maker v5.5 (build 0281)
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"NVIDIA Drivers" = NVIDIA Drivers
"Olivetti Product Library" = Olivetti Product Library
"Ping tester9.32" = Ping tester
"Rapport_msi" = Rapport
"RealVNC_is1" = VNC Personal Edition P4.5.4
"Recovery Toolbox for Outlook Express_is1" = Recovery Toolbox for Outlook Express 1.1
"SHARP AL-1200 Series Button Manager" = Button Manager(SHARP Personal MFP series)
"SHARP MFP Driver" = SHARP MFP Driver
"ShockwaveFlash" = Macromedia Flash Player 8
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Switch" = Switch Sound File Converter
"ViewpointMediaPlayer" = Viewpoint Media Player
"VNCMirror_is1" = VNC Mirror Driver 1.8.0
"VNCPrinter_is1" = VNC Printer Driver 1.6.0
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2567099127-2097522887-1944419065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"RBSM" = RBSM

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 06/06/2011 04:50:55 | Computer Name = Dyl-desktop-2 | Source = MsiInstaller | ID = 11706
Description =

Error - 06/06/2011 11:19:42 | Computer Name = Dyl-desktop-2 | Source = MsiInstaller | ID = 11706
Description =

Error - 07/06/2011 03:51:54 | Computer Name = Dyl-desktop-2 | Source = RaySat_3dsmax2009_32 Server | ID = 131074
Description =

Error - 07/06/2011 03:52:04 | Computer Name = Dyl-desktop-2 | Source = WinMgmt | ID = 10
Description =

Error - 08/06/2011 03:57:36 | Computer Name = Dyl-desktop-2 | Source = RaySat_3dsmax2009_32 Server | ID = 131074
Description =

Error - 08/06/2011 03:57:45 | Computer Name = Dyl-desktop-2 | Source = WinMgmt | ID = 10
Description =

Error - 09/06/2011 03:01:44 | Computer Name = Dyl-desktop-2 | Source = RaySat_3dsmax2009_32 Server | ID = 131074
Description =

Error - 09/06/2011 03:01:55 | Computer Name = Dyl-desktop-2 | Source = WinMgmt | ID = 10
Description =

Error - 10/06/2011 03:55:38 | Computer Name = Dyl-desktop-2 | Source = RaySat_3dsmax2009_32 Server | ID = 131074
Description =

Error - 10/06/2011 03:55:51 | Computer Name = Dyl-desktop-2 | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 22/06/2011 04:52:20 | Computer Name = Dyl-desktop-2 | Source = DCOM | ID = 10016
Description =

Error - 22/06/2011 05:02:20 | Computer Name = Dyl-desktop-2 | Source = DCOM | ID = 10016
Description =

Error - 22/06/2011 05:12:20 | Computer Name = Dyl-desktop-2 | Source = DCOM | ID = 10016
Description =

Error - 22/06/2011 05:22:20 | Computer Name = Dyl-desktop-2 | Source = DCOM | ID = 10016
Description =

Error - 22/06/2011 05:32:20 | Computer Name = Dyl-desktop-2 | Source = DCOM | ID = 10016
Description =

Error - 22/06/2011 05:38:24 | Computer Name = Dyl-desktop-2 | Source = Print | ID = 19
Description = The print spooler failed to share printer OKI C3200 with shared resource
name OKI C3200. Error 2114. The printer cannot be used by others on the network.

Error - 22/06/2011 05:38:43 | Computer Name = Dyl-desktop-2 | Source = Service Control Manager | ID = 7000
Description =

Error - 22/06/2011 05:38:43 | Computer Name = Dyl-desktop-2 | Source = Service Control Manager | ID = 7000
Description =

Error - 22/06/2011 05:38:43 | Computer Name = Dyl-desktop-2 | Source = Service Control Manager | ID = 7001
Description =

Error - 22/06/2011 05:39:24 | Computer Name = Dyl-desktop-2 | Source = DCOM | ID = 10016
Description =


< End of report >


OTL logfile created on: 22/06/2011 10:42:41 - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = \\HPSERVER\Software\Dare utility programs
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.75 Gb Total Physical Memory | 1.64 Gb Available Physical Memory | 59.55% Memory free
5.70 Gb Paging File | 4.62 Gb Available in Paging File | 80.98% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 139.41 Gb Total Space | 68.86 Gb Free Space | 49.40% Space Free | Partition Type: NTFS
Drive D: | 140.18 Gb Total Space | 135.52 Gb Free Space | 96.67% Space Free | Partition Type: NTFS

Computer Name: DYL-DESKTOP-2 | User Name: Ky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - \\HPSERVER\Software\Dare utility programs\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd.)
PRC - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
PRC - C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe (IObit)
PRC - C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe (IObit)
PRC - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe (IObit)
PRC - C:\Program Files\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Home Server\WHSTrayApp.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
PRC - C:\Program Files\RealVNC\VNC4\winvnc4.exe (RealVNC Ltd.)
PRC - \\?\C:\Windows\System32\wbem\WMIADAP.EXE ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe ()
PRC - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\bin32\nSvcAppFlt.exe ()
PRC - C:\Program Files\bin32\nSvcIp.exe ()
PRC - C:\Windows\System32\spool\drivers\w32x86\3\OPHCLDCS.EXE (Oki Data Corporation)
PRC - C:\Program Files\Common Files\aol\1277208169\ee\aolsoftware.exe (AOL LLC)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)


========== Modules (SafeList) ==========

MOD - \\HPSERVER\Software\Dare utility programs\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\davclnt.dll (Microsoft Corporation)
MOD - C:\Windows\System32\ntlanman.dll (Microsoft Corporation)
MOD - C:\Windows\System32\drprov.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (RapportMgmtService) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
SRV - (AdvancedSystemCareService) -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe (IObit)
SRV - (WHSConnector) -- C:\Program Files\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
SRV - (WinVNC4) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe (RealVNC Ltd.)
SRV - (ETService) -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe ()
SRV - (eDataSecurity Service) -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (mi-raysat_3dsMax2009_32) -- D:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe ()
SRV - (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM) -- C:\Program Files\bin32\nSvcAppFlt.exe ()
SRV - (nSvcIp) -- C:\Program Files\bin32\nSvcIp.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (OKI OPHC DCS Loader) -- C:\Windows\System32\spool\drivers\w32x86\3\OPHCLDCS.EXE (Oki Data Corporation)
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)


========== Driver Services (SafeList) ==========

DRV - (RapportCerberus_26762) -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys (Trusteer Ltd.)
DRV - (RapportEI) -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys (Trusteer Ltd.)
DRV - (RapportKELL) -- C:\Windows\System32\Drivers\RapportKELL.sys (Trusteer Ltd.)
DRV - (RapportPG) -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (Trusteer Ltd.)
DRV - (vncmirror) -- C:\Windows\System32\drivers\vncmirror.sys (RealVNC Ltd.)
DRV - (WSDScan) -- C:\Windows\System32\drivers\WSDScan.sys (Microsoft Corporation)
DRV - (mcdbus) -- C:\Windows\System32\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (int15) -- C:\Windows\System32\drivers\int15.sys (Acer, Inc.)
DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (nvstor32) -- C:\Windows\system32\DRIVERS\nvstor32.sys (NVIDIA Corporation)
DRV - (WSDPrintDevice) -- C:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)
DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (wanatw) WAN Miniport (ATW) -- C:\Windows\System32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (Par1284) -- C:\Program Files\Cutting Master 2 1.81\Program\Par1284.sys (Warp Nine Engineering)
DRV - (SC0CLPT) -- C:\Windows\System32\SC0CLPT.SYS (Sharp Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vb32&d=1006&m=aspire_x3200
IE - HKLM\..\URLSearchHook: {4a6e1b85-1193-4a2a-aab8-7417f275f18a} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll (AOL LLC.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
IE - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\..\URLSearchHook: {4a6e1b85-1193-4a2a-aab8-7417f275f18a} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll (AOL LLC.)
IE - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2011/06/14 09:28:00 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (AOL Broadband Toolbar Loader) - {776a9d06-e178-4aa0-aee4-b4de3a64ad28} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll (AOL LLC.)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
O2 - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (AOL Broadband Toolbar) - {e6ed7f95-e571-4f81-8757-5eb11252703d} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\..\Toolbar\WebBrowser: (AOL Broadband Toolbar) - {E6ED7F95-E571-4F81-8757-5EB11252703D} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll (AOL LLC.)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] File not found
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\aol\1277208169\ee\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000..\Run: [Advanced SystemCare 4] C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe (IObit)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\nvLsp.dll (NVIDIA)
O15 - HKU\S-1-5-21-2567099127-2097522887-1944419065-1000\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://as.mandata.co.uk/members/PODStorage/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} http://as.mandata.co.uk/members/printercontrol/smsx.cab (MeadCo ScriptX)
O16 - DPF: {7E866715-C9B6-4C64-AAB8-342E0D137213} http://192.168.1.80/EDVR.CAB (DVR4204 Client Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} http://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab (IGDTester Class)
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab (Java Plug-in 1.4.1_07)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\intu-res {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Ky\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Ky\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/05/25 14:30:34 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/20 13:42:50 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\Webstuff
[2011/06/20 13:21:11 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\FW_ AMG Alloys[1]
[2011/06/17 11:41:58 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\YL545-1680-E3
[2011/06/16 15:25:08 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\flashmo_098_3d_curve_wall
[2011/06/16 13:41:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/06/16 13:41:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/16 13:41:09 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/06/16 13:41:09 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/16 13:41:09 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/16 13:41:09 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/16 11:05:48 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\DSCN0960
[2011/06/15 16:47:02 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\homepage
[2011/06/15 16:41:24 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\homepage(1)
[2011/06/15 14:18:56 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\Concave
[2011/06/15 10:19:32 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\958959
[2011/06/15 09:46:47 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/06/15 09:46:00 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/06/15 08:12:11 | 004,128,730 | R--- | C] (Swearware) -- C:\Users\Ky\Desktop\ComboFix.exe
[2011/06/14 16:42:26 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\ller
[2011/06/14 16:35:57 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\tdsskiller
[2011/06/14 09:30:15 | 000,000,000 | ---D | C] -- C:\Users\Ky\AppData\Local\temp
[2011/06/14 09:20:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/06/14 09:20:10 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/06/14 09:20:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/06/14 09:19:15 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/06/14 09:18:49 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/13 16:36:31 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2011/06/13 16:26:41 | 000,000,000 | ---D | C] -- C:\Users\Ky\Desktop\gmer
[2011/06/13 14:20:26 | 000,000,000 | ---D | C] -- C:\Users\Ky\AppData\Roaming\Malwarebytes
[2011/06/13 11:28:37 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\lafoto
[2011/06/13 11:14:43 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\WC3-2295-2E
[2011/06/13 09:42:18 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\DSC08910
[2011/06/10 16:43:56 | 000,000,000 | ---D | C] -- C:\Users\Ky\AppData\Roaming\DVRemote
[2011/06/09 14:03:14 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\YL545-1680-E2
[2011/06/06 10:26:22 | 000,000,000 | ---D | C] -- C:\Users\Ky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RBOS
[2011/06/02 12:55:18 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\pic5219
[2011/06/01 15:32:04 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\180702_187861117913239_128271400538878_497792_7483816_n
[2011/06/01 14:10:17 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\photo1
[2011/05/31 12:52:35 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\SDC11728
[2011/05/27 13:25:55 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\P1020001
[2011/05/26 13:26:39 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\1000524--1985-7
[2011/05/25 14:45:20 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll
[2011/05/25 14:45:20 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
[2011/05/25 14:45:20 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll
[2011/05/25 14:45:20 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_42.dll
[2011/05/25 14:44:59 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2011/05/25 09:26:56 | 000,000,000 | ---D | C] -- C:\Users\Ky\Documents\STELLAKWOK
[2009/01/10 00:29:06 | 000,049,152 | R--- | C] ( ) -- C:\Windows\Interop.IWshRuntimeLibrary.dll

========== Files - Modified Within 30 Days ==========

[2011/06/22 10:38:57 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/22 10:38:53 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/22 10:38:30 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2011/06/22 10:38:26 | 000,002,399 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Home Server.lnk
[2011/06/22 10:38:25 | 000,000,874 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/22 10:38:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/22 10:38:14 | 2951,188,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/22 10:31:04 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/22 10:30:32 | 000,019,724 | ---- | M] () -- C:\Users\Ky\Documents\1656870123.jpg
[2011/06/22 10:22:54 | 000,190,334 | ---- | M] () -- C:\Users\Ky\Documents\BristolCommentary.pdf
[2011/06/22 08:05:40 | 000,644,400 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/22 08:05:40 | 000,122,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/20 13:29:54 | 000,000,792 | ---- | M] () -- C:\Users\Ky\Desktop\Core FTP LE.lnk
[2011/06/20 12:31:03 | 000,079,485 | ---- | M] () -- C:\Users\Ky\Documents\3247.pdf
[2011/06/20 12:23:03 | 000,070,399 | ---- | M] () -- C:\Users\Ky\Documents\3667.pdf
[2011/06/20 12:22:44 | 000,068,942 | ---- | M] () -- C:\Users\Ky\Documents\3731.pdf
[2011/06/20 12:22:23 | 000,067,987 | ---- | M] () -- C:\Users\Ky\Documents\3751.pdf
[2011/06/20 12:22:04 | 000,067,931 | ---- | M] () -- C:\Users\Ky\Documents\3757.pdf
[2011/06/20 11:22:13 | 000,072,072 | ---- | M] () -- C:\Users\Ky\Documents\3733.pdf
[2011/06/20 11:21:22 | 000,071,994 | ---- | M] () -- C:\Users\Ky\Documents\3700.pdf
[2011/06/20 09:14:26 | 000,007,813 | ---- | M] () -- C:\Users\Ky\Documents\ComprovativoDareWheels2011-06-17.pdf
[2011/06/20 09:13:00 | 000,081,077 | ---- | M] () -- C:\Users\Ky\Documents\2667.pdf
[2011/06/20 09:12:12 | 000,083,340 | ---- | M] () -- C:\Users\Ky\Documents\2424.pdf
[2011/06/20 09:11:44 | 000,081,571 | ---- | M] () -- C:\Users\Ky\Documents\2133.pdf
[2011/06/17 11:41:52 | 001,893,671 | ---- | M] () -- C:\Users\Ky\Documents\YL545-1680-E3.rar
[2011/06/17 11:17:12 | 000,036,043 | ---- | M] () -- C:\Users\Ky\Documents\Carfit Statement.pdf
[2011/06/16 15:25:02 | 000,418,030 | ---- | M] () -- C:\Users\Ky\Documents\flashmo_098_3d_curve_wall.zip
[2011/06/16 15:06:01 | 003,097,328 | ---- | M] () -- C:\Users\Ky\Documents\wordpress-3.1.3.zip
[2011/06/16 14:11:51 | 000,009,511 | ---- | M] () -- C:\Users\Ky\Documents\PURCHASEORDER_DAREMOTO-3234-20110616-141142.pdf
[2011/06/16 14:11:17 | 000,047,206 | ---- | M] () -- C:\Users\Ky\Documents\CLAIMFRM.pdf
[2011/06/16 14:10:56 | 000,038,771 | ---- | M] () -- C:\Users\Ky\Documents\DECLARATIONOFNOOTHERINSURANCE.pdf
[2011/06/16 13:47:08 | 000,007,069 | ---- | M] () -- C:\Users\Ky\Documents\GetAttachment.jpg
[2011/06/16 13:28:49 | 000,037,981 | ---- | M] () -- C:\Users\Ky\Documents\RS statement.pdf
[2011/06/16 11:05:48 | 007,052,670 | ---- | M] () -- C:\Users\Ky\Documents\DSCN0960.zip
[2011/06/16 08:17:24 | 000,045,628 | ---- | M] () -- C:\Users\Ky\Documents\$(KGrHqUOKkEE2-GG8jrrBN0pTwhFE!~~_12.jpg
[2011/06/15 16:47:02 | 001,996,653 | ---- | M] () -- C:\Users\Ky\Documents\homepage.zip
[2011/06/15 16:41:24 | 001,433,693 | ---- | M] () -- C:\Users\Ky\Documents\homepage(1).zip
[2011/06/15 14:18:56 | 000,802,643 | ---- | M] () -- C:\Users\Ky\Documents\Concave.zip
[2011/06/15 12:02:28 | 000,203,084 | ---- | M] () -- C:\Users\Ky\Documents\dare.pdf
[2011/06/15 11:35:35 | 000,018,819 | ---- | M] () -- C:\Users\Ky\Documents\1665280080
[2011/06/15 10:19:32 | 001,114,345 | ---- | M] () -- C:\Users\Ky\Documents\958959.zip
[2011/06/15 10:00:24 | 000,024,648 | ---- | M] () -- C:\Users\Ky\Documents\1652031192
[2011/06/15 09:38:12 | 004,128,730 | R--- | M] (Swearware) -- C:\Users\Ky\Desktop\ComboFix.exe
[2011/06/14 16:35:51 | 001,305,136 | ---- | M] () -- C:\Users\Ky\Documents\ller.zip
[2011/06/14 14:48:34 | 000,197,435 | ---- | M] () -- C:\Users\Ky\Documents\Pic458.jpg
[2011/06/14 14:45:22 | 000,036,650 | ---- | M] () -- C:\Users\Ky\Documents\ECP statement.pdf
[2011/06/14 12:13:33 | 000,009,783 | ---- | M] () -- C:\Users\Ky\Documents\PURCHASEORDER_DAREMOTO-3215-20110614-115709.pdf
[2011/06/14 11:07:52 | 000,009,563 | ---- | M] () -- C:\Users\Ky\Documents\PURCHASEORDER_DAREMOTO-3209-20110614-105444.pdf
[2011/06/14 09:56:39 | 000,009,590 | ---- | M] () -- C:\Users\Ky\Documents\PURCHASEORDER_DAREMOTO-3208-20110614-092434.pdf
[2011/06/14 09:28:00 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.msn
[2011/06/14 09:28:00 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/06/13 15:06:50 | 000,000,680 | ---- | M] () -- C:\Users\Ky\AppData\Local\d3d9caps.dat
[2011/06/13 11:28:37 | 003,251,636 | ---- | M] () -- C:\Users\Ky\Documents\lafoto.zip
[2011/06/13 11:14:43 | 000,603,618 | ---- | M] () -- C:\Users\Ky\Documents\WC3-2295-2E.zip
[2011/06/13 09:48:53 | 000,042,646 | ---- | M] () -- C:\Users\Ky\Documents\skidz statement 13 06 11.pdf
[2011/06/13 09:42:18 | 000,591,997 | ---- | M] () -- C:\Users\Ky\Documents\DSC08910.zip
[2011/06/10 15:53:58 | 000,118,324 | ---- | M] () -- C:\Users\Ky\Documents\MO 5 spoke final.jpeg
[2011/06/10 15:31:30 | 000,001,118 | ---- | M] () -- C:\Users\Ky\AppData\Roaming\wklnhst.dat
[2011/06/10 15:31:11 | 000,020,992 | ---- | M] () -- C:\Users\Ky\Documents\headedpaper.wps
[2011/06/10 15:30:15 | 000,116,318 | ---- | M] () -- C:\Users\Ky\Documents\F1 5 spoke.jpeg
[2011/06/10 14:03:55 | 000,001,855 | ---- | M] () -- C:\Users\Ky\rbstrade_desktop.xml
[2011/06/09 14:02:43 | 001,869,928 | ---- | M] () -- C:\Users\Ky\Documents\YL545-1680-E2.rar
[2011/06/08 17:26:21 | 000,064,189 | ---- | M] () -- C:\Users\Ky\Documents\CN3633.pdf
[2011/06/08 17:15:24 | 000,074,655 | ---- | M] () -- C:\Users\Ky\Documents\Sportedition21.jpg
[2011/06/08 16:17:18 | 000,715,327 | ---- | M] () -- C:\Users\Ky\Documents\IMG_0040.JPG
[2011/06/08 12:38:53 | 000,066,152 | ---- | M] () -- C:\Users\Ky\Documents\CN3612.pdf
[2011/06/08 11:55:23 | 000,280,702 | ---- | M] () -- C:\Users\Ky\Documents\Grant Application Form.pdf
[2011/06/08 09:43:15 | 000,561,188 | ---- | M] () -- C:\Users\Ky\Documents\IMG_0039.JPG
[2011/06/08 09:43:02 | 000,532,040 | ---- | M] () -- C:\Users\Ky\Documents\IMG_0038.JPG
[2011/06/08 09:37:04 | 000,067,512 | ---- | M] () -- C:\Users\Ky\Documents\849.pdf
[2011/06/08 09:35:15 | 000,011,995 | ---- | M] () -- C:\Users\Ky\Documents\1054.jpg
[2011/06/08 09:06:41 | 000,360,726 | ---- | M] () -- C:\Users\Ky\Documents\picr8v-10gm.jpg
[2011/06/08 09:06:17 | 000,035,507 | ---- | M] () -- C:\Users\Ky\Documents\Paymentinvoice3508.pdf
[2011/06/07 17:43:09 | 000,004,378 | ---- | M] () -- C:\Users\Ky\Documents\RenESWProp.xml
[2011/06/07 17:41:02 | 000,117,952 | ---- | M] () -- C:\Users\Ky\Documents\WCC_5_26_2011 modified spoke profile in progress a.dwg
[2011/06/07 17:23:51 | 000,162,441 | ---- | M] () -- C:\Users\Ky\Documents\WTCC shorter rim.jpeg
[2011/06/07 16:09:14 | 000,244,742 | ---- | M] () -- C:\Users\Ky\Documents\WTCC 5 spoke b.jpeg
[2011/06/07 15:59:29 | 000,210,597 | ---- | M] () -- C:\Users\Ky\Documents\WTCC 5 spoke.jpeg
[2011/06/07 15:23:22 | 000,308,672 | ---- | M] () -- C:\Users\Ky\Documents\new 5 spoke.jpeg
[2011/06/07 14:03:01 | 000,038,099 | ---- | M] () -- C:\Users\Ky\Documents\Wheel factory summary.pdf
[2011/06/07 09:59:12 | 000,048,898 | ---- | M] () -- C:\Users\Ky\Documents\paymentDare07-06-11.pdf
[2011/06/06 16:51:56 | 000,036,011 | ---- | M] () -- C:\Users\Ky\Documents\Sofa account report.pdf
[2011/06/06 11:47:10 | 000,034,006 | ---- | M] () -- C:\Users\Ky\Documents\UdlOverfoerselVis.pdf
[2011/06/06 10:59:29 | 000,371,222 | ---- | M] () -- C:\Users\Ky\Documents\PicTTRS.jpg
[2011/06/06 09:57:01 | 000,035,741 | ---- | M] () -- C:\Users\Ky\Documents\wheeltraders 06 06 11.pdf
[2011/06/06 09:34:44 | 000,233,309 | ---- | M] () -- C:\Users\Ky\Documents\photo.zip
[2011/06/02 12:55:17 | 000,604,852 | ---- | M] () -- C:\Users\Ky\Documents\pic5219.zip
[2011/06/02 10:59:14 | 000,126,335 | ---- | M] () -- C:\Users\Ky\Documents\02-06-201110;58;00.rtf
[2011/06/01 17:29:19 | 000,338,546 | ---- | M] () -- C:\Users\Ky\Documents\VIA.JPG
[2011/06/01 15:32:04 | 000,136,498 | ---- | M] () -- C:\Users\Ky\Documents\180702_187861117913239_128271400538878_497792_7483816_n.zip
[2011/06/01 14:10:17 | 002,268,748 | ---- | M] () -- C:\Users\Ky\Documents\photo1.zip
[2011/06/01 09:25:33 | 000,134,915 | ---- | M] () -- C:\Users\Ky\Documents\WTCC render.jpeg
[2011/05/31 17:03:05 | 000,040,058 | ---- | M] () -- C:\Users\Ky\Documents\Sofa statement 31 05 11.pdf
[2011/05/31 15:44:01 | 000,003,843 | ---- | M] () -- C:\Users\Ky\Documents\1289032257
[2011/05/31 12:59:01 | 000,069,565 | ---- | M] () -- C:\Users\Ky\Documents\CN3474.pdf
[2011/05/31 12:52:35 | 005,214,329 | ---- | M] () -- C:\Users\Ky\Documents\SDC11728.zip
[2011/05/31 11:04:40 | 001,420,286 | ---- | M] () -- C:\Users\Ky\Documents\03mmm.jpg
[2011/05/31 09:20:08 | 000,787,510 | ---- | M] () -- C:\Users\Ky\Documents\wheelsdare.bmp
[2011/05/27 13:25:54 | 012,949,102 | ---- | M] () -- C:\Users\Ky\Documents\P1020001.zip
[2011/05/27 10:40:47 | 000,036,818 | ---- | M] () -- C:\Users\Ky\Documents\MIC statement 270511.pdf
[2011/05/26 17:46:49 | 000,762,624 | ---- | M] () -- C:\Users\Ky\Documents\bbs wtcc progress b.dwg
[2011/05/26 17:30:11 | 000,215,296 | ---- | M] () -- C:\Users\Ky\Documents\bbs wtcc progress.dwg
[2011/05/26 16:33:01 | 000,131,680 | ---- | M] () -- C:\Users\Ky\Documents\WCC_5_26_2011 modified spoke profile in progress a.bak
[2011/05/26 15:36:17 | 000,142,496 | ---- | M] () -- C:\Users\Ky\Documents\WCC_5_26_2011 modified spoke profile a.dwg
[2011/05/26 13:26:39 | 000,505,565 | ---- | M] () -- C:\Users\Ky\Documents\1000524--1985-7.zip
[2011/05/26 13:06:58 | 001,481,563 | ---- | M] () -- C:\Users\Ky\Documents\AMG63.jpg
[2011/05/26 11:24:49 | 000,914,577 | ---- | M] () -- C:\Users\Ky\Documents\HK-E.zip
[2011/05/26 10:58:42 | 000,050,868 | ---- | M] () -- C:\Users\Ky\Documents\img57164889.jpg
[2011/05/25 16:43:46 | 000,129,472 | ---- | M] () -- C:\Users\Ky\Documents\WCC_5_25_2011 modified spoke profile a.dwg
[2011/05/25 16:29:20 | 000,129,472 | ---- | M] () -- C:\Users\Ky\Documents\WCC_5_25_2011 modified spoke profile a.bak
[2011/05/25 15:01:30 | 000,090,784 | ---- | M] () -- C:\Users\Ky\Documents\WCC_5_25_2011.dwg
[2011/05/25 14:52:08 | 004,060,064 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/05/25 14:43:55 | 000,035,879 | ---- | M] () -- C:\Users\Ky\Documents\Carfit Cork statement.pdf
[2011/05/25 14:41:39 | 000,068,941 | ---- | M] () -- C:\Users\Ky\Documents\carfit 3346.pdf
[2011/05/25 14:13:09 | 000,071,180 | ---- | M] () -- C:\Users\Ky\Documents\WCC_5_25_2011.bak
[2011/05/25 10:36:29 | 000,394,924 | ---- | M] () -- C:\Users\Ky\Documents\piccl63a.jpg
[2011/05/24 19:14:10 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2011/05/23 11:48:43 | 001,955,139 | ---- | M] () -- C:\Users\Ky\Documents\DSC_0132.jpg

========== Files Created - No Company Name ==========

[2011/06/22 10:30:32 | 000,019,724 | ---- | C] () -- C:\Users\Ky\Documents\1656870123.jpg
[2011/06/20 13:29:54 | 000,000,792 | ---- | C] () -- C:\Users\Ky\Desktop\Core FTP LE.lnk
[2011/06/20 12:31:03 | 000,079,485 | ---- | C] () -- C:\Users\Ky\Documents\3247.pdf
[2011/06/20 12:23:03 | 000,070,399 | ---- | C] () -- C:\Users\Ky\Documents\3667.pdf
[2011/06/20 12:22:44 | 000,068,942 | ---- | C] () -- C:\Users\Ky\Documents\3731.pdf
[2011/06/20 12:22:23 | 000,067,987 | ---- | C] () -- C:\Users\Ky\Documents\3751.pdf
[2011/06/20 12:22:04 | 000,067,931 | ---- | C] () -- C:\Users\Ky\Documents\3757.pdf
[2011/06/20 11:22:13 | 000,072,072 | ---- | C] () -- C:\Users\Ky\Documents\3733.pdf
[2011/06/20 11:21:22 | 000,071,994 | ---- | C] () -- C:\Users\Ky\Documents\3700.pdf
[2011/06/20 09:14:26 | 000,007,813 | ---- | C] () -- C:\Users\Ky\Documents\ComprovativoDareWheels2011-06-17.pdf
[2011/06/20 09:13:00 | 000,081,077 | ---- | C] () -- C:\Users\Ky\Documents\2667.pdf
[2011/06/20 09:12:12 | 000,083,340 | ---- | C] () -- C:\Users\Ky\Documents\2424.pdf
[2011/06/20 09:11:44 | 000,081,571 | ---- | C] () -- C:\Users\Ky\Documents\2133.pdf
[2011/06/17 11:41:35 | 001,893,671 | ---- | C] () -- C:\Users\Ky\Documents\YL545-1680-E3.rar
[2011/06/17 11:17:12 | 000,036,043 | ---- | C] () -- C:\Users\Ky\Documents\Carfit Statement.pdf
[2011/06/16 15:25:01 | 000,418,030 | ---- | C] () -- C:\Users\Ky\Documents\flashmo_098_3d_curve_wall.zip
[2011/06/16 15:03:26 | 003,097,328 | ---- | C] () -- C:\Users\Ky\Documents\wordpress-3.1.3.zip
[2011/06/16 14:11:51 | 000,009,511 | ---- | C] () -- C:\Users\Ky\Documents\PURCHASEORDER_DAREMOTO-3234-20110616-141142.pdf
[2011/06/16 14:11:16 | 000,047,206 | ---- | C] () -- C:\Users\Ky\Documents\CLAIMFRM.pdf
[2011/06/16 14:10:55 | 000,038,771 | ---- | C] () -- C:\Users\Ky\Documents\DECLARATIONOFNOOTHERINSURANCE.pdf
[2011/06/16 13:47:08 | 000,007,069 | ---- | C] () -- C:\Users\Ky\Documents\GetAttachment.jpg
[2011/06/16 11:04:48 | 007,052,670 | ---- | C] () -- C:\Users\Ky\Documents\DSCN0960.zip
[2011/06/16 08:17:23 | 000,045,628 | ---- | C] () -- C:\Users\Ky\Documents\$(KGrHqUOKkEE2-GG8jrrBN0pTwhFE!~~_12.jpg
[2011/06/15 16:46:45 | 001,996,653 | ---- | C] () -- C:\Users\Ky\Documents\homepage.zip
[2011/06/15 16:41:09 | 001,433,693 | ---- | C] () -- C:\Users\Ky\Documents\homepage(1).zip
[2011/06/15 14:18:48 | 000,802,643 | ---- | C] () -- C:\Users\Ky\Documents\Concave.zip
[2011/06/15 12:02:26 | 000,203,084 | ---- | C] () -- C:\Users\Ky\Documents\dare.pdf
[2011/06/15 11:35:35 | 000,018,819 | ---- | C] () -- C:\Users\Ky\Documents\1665280080
[2011/06/15 10:19:21 | 001,114,345 | ---- | C] () -- C:\Users\Ky\Documents\958959.zip
[2011/06/15 10:00:23 | 000,024,648 | ---- | C] () -- C:\Users\Ky\Documents\1652031192
[2011/06/14 16:35:49 | 001,305,136 | ---- | C] () -- C:\Users\Ky\Documents\ller.zip
[2011/06/14 14:48:32 | 000,197,435 | ---- | C] () -- C:\Users\Ky\Documents\Pic458.jpg
[2011/06/14 14:45:22 | 000,036,650 | ---- | C] () -- C:\Users\Ky\Documents\ECP statement.pdf
[2011/06/14 12:13:32 | 000,009,783 | ---- | C] () -- C:\Users\Ky\Documents\PURCHASEORDER_DAREMOTO-3215-20110614-115709.pdf
[2011/06/14 11:07:52 | 000,009,563 | ---- | C] () -- C:\Users\Ky\Documents\PURCHASEORDER_DAREMOTO-3209-20110614-105444.pdf
[2011/06/14 09:56:39 | 000,009,590 | ---- | C] () -- C:\Users\Ky\Documents\PURCHASEORDER_DAREMOTO-3208-20110614-092434.pdf
[2011/06/14 09:20:10 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/14 09:20:10 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/06/14 09:20:10 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/06/14 09:20:10 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/06/14 09:20:10 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/06/13 16:21:59 | 2951,188,480 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/13 15:06:50 | 000,000,680 | ---- | C] () -- C:\Users\Ky\AppData\Local\d3d9caps.dat
[2011/06/13 11:28:09 | 003,251,636 | ---- | C] () -- C:\Users\Ky\Documents\lafoto.zip
[2011/06/13 11:14:37 | 000,603,618 | ---- | C] () -- C:\Users\Ky\Documents\WC3-2295-2E.zip
[2011/06/13 09:48:53 | 000,042,646 | ---- | C] () -- C:\Users\Ky\Documents\skidz statement 13 06 11.pdf
[2011/06/13 09:42:12 | 000,591,997 | ---- | C] () -- C:\Users\Ky\Documents\DSC08910.zip
[2011/06/10 15:53:58 | 000,118,324 | ---- | C] () -- C:\Users\Ky\Documents\MO 5 spoke final.jpeg
[2011/06/10 15:31:11 | 000,020,992 | ---- | C] () -- C:\Users\Ky\Documents\headedpaper.wps
[2011/06/10 15:30:15 | 000,116,318 | ---- | C] () -- C:\Users\Ky\Documents\F1 5 spoke.jpeg
[2011/06/09 14:02:26 | 001,869,928 | ---- | C] () -- C:\Users\Ky\Documents\YL545-1680-E2.rar
[2011/06/08 17:26:21 | 000,064,189 | ---- | C] () -- C:\Users\Ky\Documents\CN3633.pdf
[2011/06/08 17:15:23 | 000,074,655 | ---- | C] () -- C:\Users\Ky\Documents\Sportedition21.jpg
[2011/06/08 16:43:29 | 000,561,188 | ---- | C] () -- C:\Users\Ky\Documents\IMG_0039.JPG
[2011/06/08 16:43:29 | 000,532,040 | ---- | C] () -- C:\Users\Ky\Documents\IMG_0038.JPG
[2011/06/08 16:43:28 | 000,715,327 | ---- | C] () -- C:\Users\Ky\Documents\IMG_0040.JPG
[2011/06/08 12:38:53 | 000,066,152 | ---- | C] () -- C:\Users\Ky\Documents\CN3612.pdf
[2011/06/08 11:55:23 | 000,280,702 | ---- | C] () -- C:\Users\Ky\Documents\Grant Application Form.pdf
[2011/06/08 09:37:04 | 000,067,512 | ---- | C] () -- C:\Users\Ky\Documents\849.pdf
[2011/06/08 09:35:15 | 000,011,995 | ---- | C] () -- C:\Users\Ky\Documents\1054.jpg
[2011/06/08 09:06:38 | 000,360,726 | ---- | C] () -- C:\Users\Ky\Documents\picr8v-10gm.jpg
[2011/06/08 09:06:16 | 000,035,507 | ---- | C] () -- C:\Users\Ky\Documents\Paymentinvoice3508.pdf
[2011/06/07 17:41:02 | 000,131,680 | ---- | C] () -- C:\Users\Ky\Documents\WCC_5_26_2011 modified spoke profile in progress a.bak
[2011/06/07 17:23:51 | 000,162,441 | ---- | C] () -- C:\Users\Ky\Documents\WTCC shorter rim.jpeg
[2011/06/07 16:09:13 | 000,244,742 | ---- | C] () -- C:\Users\Ky\Documents\WTCC 5 spoke b.jpeg
[2011/06/07 15:59:29 | 000,210,597 | ---- | C] () -- C:\Users\Ky\Documents\WTCC 5 spoke.jpeg
[2011/06/07 15:23:22 | 000,308,672 | ---- | C] () -- C:\Users\Ky\Documents\new 5 spoke.jpeg
[2011/06/07 14:03:01 | 000,038,099 | ---- | C] () -- C:\Users\Ky\Documents\Wheel factory summary.pdf
[2011/06/07 09:59:11 | 000,048,898 | ---- | C] () -- C:\Users\Ky\Documents\paymentDare07-06-11.pdf
[2011/06/06 16:51:56 | 000,036,011 | ---- | C] () -- C:\Users\Ky\Documents\Sofa account report.pdf
[2011/06/06 10:24:11 | 000,037,981 | ---- | C] () -- C:\Users\Ky\Documents\RS statement.pdf
[2011/06/06 09:57:01 | 000,035,741 | ---- | C] () -- C:\Users\Ky\Documents\wheeltraders 06 06 11.pdf
[2011/06/06 09:34:42 | 000,233,309 | ---- | C] () -- C:\Users\Ky\Documents\photo.zip
[2011/06/02 12:55:12 | 000,604,852 | ---- | C] () -- C:\Users\Ky\Documents\pic5219.zip
[2011/06/02 10:59:12 | 000,126,335 | ---- | C] () -- C:\Users\Ky\Documents\02-06-201110;58;00.rtf
[2011/06/01 17:29:17 | 000,338,546 | ---- | C] () -- C:\Users\Ky\Documents\VIA.JPG
[2011/06/01 15:32:01 | 000,136,498 | ---- | C] () -- C:\Users\Ky\Documents\180702_187861117913239_128271400538878_497792_7483816_n.zip
[2011/06/01 14:09:57 | 002,268,748 | ---- | C] () -- C:\Users\Ky\Documents\photo1.zip
[2011/06/01 09:25:33 | 000,134,915 | ---- | C] () -- C:\Users\Ky\Documents\WTCC render.jpeg
[2011/05/31 17:03:05 | 000,040,058 | ---- | C] () -- C:\Users\Ky\Documents\Sofa statement 31 05 11.pdf
[2011/05/31 15:44:01 | 000,003,843 | ---- | C] () -- C:\Users\Ky\Documents\1289032257
[2011/05/31 12:59:01 | 000,069,565 | ---- | C] () -- C:\Users\Ky\Documents\CN3474.pdf
[2011/05/31 12:51:49 | 005,214,329 | ---- | C] () -- C:\Users\Ky\Documents\SDC11728.zip
[2011/05/31 11:04:27 | 001,420,286 | ---- | C] () -- C:\Users\Ky\Documents\03mmm.jpg
[2011/05/31 09:20:01 | 000,787,510 | ---- | C] () -- C:\Users\Ky\Documents\wheelsdare.bmp
[2011/05/27 13:23:52 | 012,949,102 | ---- | C] () -- C:\Users\Ky\Documents\P1020001.zip
[2011/05/27 09:32:59 | 000,036,818 | ---- | C] () -- C:\Users\Ky\Documents\MIC statement 270511.pdf
[2011/05/26 17:47:18 | 000,004,378 | ---- | C] () -- C:\Users\Ky\Documents\RenESWProp.xml
[2011/05/26 16:54:26 | 000,762,624 | ---- | C] () -- C:\Users\Ky\Documents\bbs wtcc progress b.dwg
[2011/05/26 16:54:26 | 000,215,296 | ---- | C] () -- C:\Users\Ky\Documents\bbs wtcc progress.dwg
[2011/05/26 15:24:23 | 000,142,496 | ---- | C] () -- C:\Users\Ky\Documents\WCC_5_26_2011 modified spoke profile a.dwg
[2011/05/26 15:24:23 | 000,117,952 | ---- | C] () -- C:\Users\Ky\Documents\WCC_5_26_2011 modified spoke profile in progress a.dwg
[2011/05/26 13:26:34 | 000,505,565 | ---- | C] () -- C:\Users\Ky\Documents\1000524--1985-7.zip
[2011/05/26 13:06:43 | 001,481,563 | ---- | C] () -- C:\Users\Ky\Documents\AMG63.jpg
[2011/05/26 11:24:40 | 000,914,577 | ---- | C] () -- C:\Users\Ky\Documents\HK-E.zip
[2011/05/26 10:58:42 | 000,050,868 | ---- | C] () -- C:\Users\Ky\Documents\img57164889.jpg
[2011/05/25 16:29:20 | 000,129,472 | ---- | C] () -- C:\Users\Ky\Documents\WCC_5_25_2011 modified spoke profile a.bak
[2011/05/25 15:15:54 | 000,129,472 | ---- | C] () -- C:\Users\Ky\Documents\WCC_5_25_2011 modified spoke profile a.dwg
[2011/05/25 15:01:30 | 000,071,180 | ---- | C] () -- C:\Users\Ky\Documents\WCC_5_25_2011.bak
[2011/05/25 14:43:55 | 000,035,879 | ---- | C] () -- C:\Users\Ky\Documents\Carfit Cork statement.pdf
[2011/05/25 14:41:39 | 000,068,941 | ---- | C] () -- C:\Users\Ky\Documents\carfit 3346.pdf
[2011/05/25 14:13:08 | 000,090,784 | ---- | C] () -- C:\Users\Ky\Documents\WCC_5_25_2011.dwg
[2011/05/25 12:33:20 | 000,034,006 | ---- | C] () -- C:\Users\Ky\Documents\UdlOverfoerselVis.pdf
[2011/05/25 10:36:23 | 000,394,924 | ---- | C] () -- C:\Users\Ky\Documents\piccl63a.jpg
[2011/05/24 15:47:46 | 000,371,222 | ---- | C] () -- C:\Users\Ky\Documents\PicTTRS.jpg
[2011/05/23 11:48:25 | 001,955,139 | ---- | C] () -- C:\Users\Ky\Documents\DSC_0132.jpg
[2011/01/24 11:18:55 | 000,000,027 | ---- | C] () -- C:\Windows\EZSET_SP.INI
[2010/11/24 17:18:03 | 000,000,036 | ---- | C] () -- C:\Users\Ky\AppData\Roaming\Opusbext.dat
[2010/06/22 12:57:54 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/06/22 12:57:53 | 000,000,056 | ---- | C] () -- C:\Windows\wininit.ini
[2010/06/18 15:25:55 | 000,026,624 | ---- | C] () -- C:\Windows\System32\VNCpm.dll
[2009/09/22 09:01:56 | 000,001,118 | ---- | C] () -- C:\Users\Ky\AppData\Roaming\wklnhst.dat
[2009/09/17 04:26:06 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/17 04:26:06 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/13 09:10:27 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/08/10 10:15:07 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2009/08/05 11:08:36 | 000,012,800 | ---- | C] () -- C:\Users\Ky\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/07 14:24:17 | 000,024,206 | ---- | C] () -- C:\Users\Ky\AppData\Roaming\UserTile.png
[2009/07/07 13:58:26 | 000,163,936 | ---- | C] () -- C:\Windows\_isusr32.dll
[2009/07/07 13:58:26 | 000,045,056 | ---- | C] () -- C:\Windows\System32\_isusr2k.dll
[2009/01/10 01:59:31 | 000,487,424 | ---- | C] () -- C:\Windows\System32\INT15.dll
[2009/01/10 01:49:45 | 000,001,694 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2009/01/10 01:49:45 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2009/01/10 01:49:45 | 000,000,008 | ---- | C] () -- C:\Windows\System32\drivers\rtkhdaud.dat
[2009/01/10 01:41:31 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2009/01/10 01:04:22 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2007/03/27 15:20:52 | 000,000,100 | ---- | C] () -- C:\Windows\System32\SC0CLMON.DAT
[2006/11/02 13:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:44:53 | 004,060,064 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 11:33:01 | 000,644,400 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,122,460 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/10/11 09:15:41 | 000,000,044 | ---- | C] () -- C:\Windows\Acer(Normal).ini
[2006/10/11 09:15:41 | 000,000,042 | ---- | C] () -- C:\Windows\Acer(Wide).ini
[2002/02/07 10:28:24 | 000,000,074 | ---- | C] () -- C:\Windows\System32\SC02STI.DAT
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %TEMP%\smtmp\*.* /s >

========== Files - Unicode (All) ==========
[2011/06/07 10:10:13 | 000,042,496 | ---- | M] ()(C:\Users\Ky\Documents\DARE????--6.3.xls) -- C:\Users\Ky\Documents\DARE库存清单--6.3.xls
[2011/06/07 10:10:11 | 000,042,496 | ---- | C] ()(C:\Users\Ky\Documents\DARE????--6.3.xls) -- C:\Users\Ky\Documents\DARE库存清单--6.3.xls
[2011/05/27 10:24:35 | 005,896,192 | ---- | M] ()(C:\Users\Ky\Documents\???????????1.xls) -- C:\Users\Ky\Documents\浙江新事业车轮有限公司1.xls
[2011/05/27 10:24:24 | 005,896,192 | ---- | C] ()(C:\Users\Ky\Documents\???????????1.xls) -- C:\Users\Ky\Documents\浙江新事业车轮有限公司1.xls
[2011/04/20 10:55:46 | 000,036,557 | ---- | M] ()(C:\Users\Ky\Documents\????-11.04.06_fri_am_order.ods) -- C:\Users\Ky\Documents\库存报表-11.04.06_fri_am_order.ods
[2011/04/20 10:55:46 | 000,036,557 | ---- | C] ()(C:\Users\Ky\Documents\????-11.04.06_fri_am_order.ods) -- C:\Users\Ky\Documents\库存报表-11.04.06_fri_am_order.ods

========== Alternate Data Streams ==========

@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:0B4227B4

< End of report >

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 June 2011 - 05:34 AM

Hello

I would like to see the last report that ComboFix makes.

extra combofix report

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box:
    C:\ComboFix.txt
  • click OK

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 darexms

  • Topic Starter

  • Members
  • 6 posts

Posted 22 June 2011 - 06:21 AM

ComboFix 11-06-14.03 - Ky 15/06/2011 9:39.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2814.1821 [GMT 1:00]
Running from: c:\users\Ky\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))
.
.
2011-06-15 08:45 . 2011-06-15 08:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-14 08:30 . 2011-06-15 08:45 -------- d-----w- c:\users\Ky\AppData\Local\temp
2011-06-13 15:36 . 2011-06-13 15:36 -------- d-----w- c:\programdata\WindowsSearch
2011-06-13 13:20 . 2011-06-13 13:20 -------- d--h--w- c:\users\Ky\AppData\Roaming\Malwarebytes
2011-06-10 15:43 . 2011-06-10 15:43 -------- d--h--w- c:\users\Ky\AppData\Roaming\DVRemote
2011-05-25 13:45 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-05-25 13:45 . 2009-09-04 16:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2011-05-25 13:45 . 2009-09-04 16:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2011-05-25 13:45 . 2009-09-04 16:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-05-19 16:41 . 2011-06-13 15:18 -------- d-----w- c:\program files\China Eastern Airlines TravelDesk
2011-05-18 14:49 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-18 14:49 . 2011-05-18 14:49 -------- d-----w- c:\programdata\Malwarebytes
2011-05-18 14:49 . 2011-06-13 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-17 07:58 . 2011-05-17 07:58 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-06 08:15 . 2011-05-06 08:16 724992 ----a-w- c:\windows\iun6002.exe
2011-04-28 13:34 . 2011-04-28 13:34 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-04-11 07:04 . 2011-05-03 08:23 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B65D01D5-CCAB-4DF3-A5AC-EBAF55FE5E78}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-04-21 402832]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-07 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13584928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-15 149280]
"HostManager"="c:\program files\Common Files\AOL\1277208169\ee\AOLSoftware.exe" [2007-05-25 42032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - [N/A]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-17 113664]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-7-7 806912]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2009-8-13 603504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-19 133104]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;d:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
R2 SC0CLPT;SC0CLPT;c:\windows\system32\SC0CLPT.SYS [2002-05-27 54456]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-19 133104]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-04-28 53816]
S1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [2011-06-01 57144]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-04-28 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-04-28 158904]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [2011-04-21 352656]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-10-01 24576]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE [2007-05-29 24576]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-04-28 870200]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2011-01-10 376688]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-03-22 43552]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-19 12:44]
.
2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-19 12:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vb32&d=1006&m=aspire_x3200
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 192.168.1.254
DPF: {7E866715-C9B6-4C64-AAB8-342E0D137213} - hxxp://192.168.1.80/EDVR.CAB
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.txt=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-15 09:45
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2592)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2011-06-15 09:46:45
ComboFix-quarantined-files.txt 2011-06-15 08:46
ComboFix2.txt 2011-06-14 08:30
.
Pre-Run: 75,589,398,528 bytes free
Post-Run: 75,556,835,328 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 79ADBE3AF3ABB938435235F1AAF7E6DD

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:50 PM

Posted 22 June 2011 - 06:35 AM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 darexms


Posted 22 June 2011 - 06:54 AM

Able2Extract v6.0
Acer eDataSecurity Management
Acer Empowering Technology
Acer eRecovery Management
Acer Product Registration
Acer ScreenSaver
Acrobat.com
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 ActiveX
Adobe Illustrator CS5.1
Adobe Photoshop 7.0
Adobe Reader 9.3.3
Advanced SystemCare 4
Agatha Christie Peril at End House
Alice Greenfingers
Alien Shooter
AOL Broadband Toolbar
AOL Uninstaller (Choose which Products to Remove)
AutoCAD 2007 - English
Autodesk 3ds Max Design 2009 32-bit
Autodesk 3ds Max Design 2009 32-bit Additional Maps and Material Libraries
Autodesk 3ds Max Design 2009 32-bit Architectural Materials Library
Autodesk 3ds Max Design 2009 32-bit Movies
Autodesk 3ds Max Design 2009 32-bit ProMaterials™ Library
Autodesk 3ds Max Design 2009 32-bit Vault 2008 Plug-In
Autodesk 3ds Max Design 2009 32-bit Vault 2009 Plug-In
Autodesk Backburner 2008.1
Autodesk DWF Viewer
AutoSolids 2007
AV Input Selection
Batch XLSX to XLS Converter 2010
BitTorrent
Bluerock Technologies Flight Studio 3ds Max Design 2009 32-bit
Bookworm Adventures
Button Manager(SHARP Personal MFP series)
C:\Program Files\Acer GameZone\GameConsole
Cake Mania
CanoScan Toolbox Ver4.1
Chicken Invaders 2
China Eastern Airlines TravelDesk
Compatibility Pack for the 2007 Office system
Core FTP LE 2.1
CuteFTP 8 Home
Cutting Master 2 1.81
Dan Elwell's Broadband Speed Test
Download Updater (AOL LLC)
Dream Day First Home
DWG TrueView 2012
eSobi v2
FBX Plugin 2009.0 for Max 2009
Galapago
Go-Go Gourmet
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GPL Ghostscript 8.64
Heroes of Hellas
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP MediaSmart Server
ImgBurn
Java 2 Runtime Environment, SE v1.4.1_07
Java Web Start
Java™ 6 Update 17
Macromedia Flash Player 8
Magic Farm
Magic ISO Maker v5.5 (build 0281)
Magic Match Adventures
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2000 Premium
Microsoft Office Excel Viewer
Microsoft Office Suite Activation Assistant
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Microsoft WSE 3.0 Runtime
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
MSI to redistribute MS VS2005 CRT libraries
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySQL Server 5.1
Mystery Solitaire - Secret Island
Mythic Mahjong
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
OGA Notifier 2.0.0048.0
OKI C3200 Status Monitor
Olivetti Product Library
PDF Settings CS5
PDFill PDF Editor with FREE Writer and Free Tools
Ping tester
PowerDirector (Acer DT)
PowerDVD 7.0 with 5.1ch
Putt Mania
QuickBooks Pro Edition 2006
Rapport
RBSM
Realtek High Definition Audio Driver
Recovery Toolbox for Outlook Express 1.1
RTC Client API v1.2
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
SHARP MFP Driver
Switch Sound File Converter
The Rise of Atlantis
Tiks Texas Hold em
Turbo Squid Tentacles 3ds Max 2009 32-bit
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Viewpoint Media Player
VNC Mirror Driver 1.8.0
VNC Personal Edition P4.5.4
VNC Printer Driver 1.6.0
Windows Home Server Connector
Windows Home Server Toolkit 1.1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
Womens Murder Club

#8 gringo_pr


Posted 22 June 2011 - 07:52 AM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.3.3
Java 2 Runtime Environment, SE v1.4.1_07
Java Web Start
Viewpoint Media Player


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

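The "uninstall the old Java, then update the remaining one" step above is easier to get right if the entries in the Add/Remove Programs list are normalised to one version scheme first. The following is an added example, not code from the thread or from any tool used in it: INSTALLED is a constructed sample made of five names copied from the list posted above plus one marked as constructed, and java_version / stale_java are names chosen here for illustration. It maps both of Sun's naming styles onto the 1.major.micro_update numbering, so that "Java 2 Runtime Environment, SE v1.4.1_07" and "Java(TM) 6 Update 17" become (1,4,1,7) and (1,6,0,17) and can be compared.

```python
"""Normalise Java runtime entries from an Add/Remove Programs list.

Added example, not part of the thread or of any tool used in it. INSTALLED is
a constructed sample: five names copied from the list posted above plus one
marked as constructed. Versions are mapped onto Sun's 1.major.micro_update
numbering so that side-by-side installs can be ordered.
"""
import re
from typing import List, Optional, Tuple

INSTALLED = [
    "Adobe Reader 9.3.3",
    "Java 2 Runtime Environment, SE v1.4.1_07",
    "Java Web Start",
    "Java\u2122 6 Update 17",
    "J2SE Runtime Environment 5.0 Update 22",  # constructed, not in the posted list
    "Malwarebytes' Anti-Malware",
]

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

_JAVA_WORD = re.compile(r"\bJ(?:ava|2SE|RE|DK)\b")
# Old scheme: an explicit 1.x.y[_update] number somewhere in the name.
_DOTTED = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\b")
# Marketing scheme: "<family>[.micro] Update <n>", i.e. Java 5.0 / 6 / 7.
_UPDATE = re.compile(r"\b(\d+)(?:\.(\d+))?\s+Update\s+(\d+)\b", re.IGNORECASE)


def java_version(name: str) -> Optional[Version]:
    """Return a comparable version for a JRE/JDK entry, None for anything else.
    'Java Web Start' carries no version of its own and is skipped on purpose."""
    plain = name.replace("\u2122", "").replace("(TM)", "")
    if not _JAVA_WORD.search(plain):
        return None
    m = _DOTTED.search(plain)
    if m:
        major, minor, micro, upd = m.groups()
        return (int(major), int(minor), int(micro), int(upd or 0))
    m = _UPDATE.search(plain)
    if m:
        family, micro, upd = m.groups()
        return (1, int(family), int(micro or 0), int(upd))
    return None


def stale_java(names: List[str]) -> Tuple[Optional[Tuple[Version, str]], List[Tuple[Version, str]]]:
    """Split versioned Java entries into (newest, older). The older ones are the
    side-by-side runtimes the helper tells the user to uninstall; the newest one
    still needs the Java control panel update check described in the post."""
    found = []
    for n in names:
        v = java_version(n)
        if v is not None:
            found.append((v, n))
    found.sort()
    if not found:
        return None, []
    return found[-1], found[:-1]


if __name__ == "__main__":
    newest, older = stale_java(INSTALLED)
    print("keep   :", newest[1] if newest else "none")
    for v, n in older:
        print("remove :", n, "->", "1.%d.%d_%02d" % v[1:])
```

The ordering only tells you which runtimes are duplicates; it cannot tell you whether the newest one is current, which is why the post still sends the user to the Java control panel's Update tab.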

#9 darexms


Posted 22 June 2011 - 10:30 AM

Hi Gringo,

Thank you for your reply. The computer has been fine since the last time I ran combofix. Logs are as follows:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6919

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

22/06/2011 16:24:31
mbam-log-2011-06-22 (16-24-31).txt

Scan type: Quick scan
Objects scanned: 164562
Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:29:34, on 22/06/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\aol\1277208169\ee\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vb32&d=1006&m=aspire_x3200
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOL Broadband Toolbar Search Class - {4a6e1b85-1193-4a2a-aab8-7417f275f18a} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AOL Broadband Toolbar Loader - {776a9d06-e178-4aa0-aee4-b4de3a64ad28} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: BrowserHelper Class - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll
O3 - Toolbar: AOL Broadband Toolbar - {e6ed7f95-e571-4f81-8757-5eb11252703d} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1277208169\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced SystemCare 4] "C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Home Server.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://as.mandata.co.uk/members/PODStorage/alttiff.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://as.mandata.co.uk/members/printercontrol/smsx.cab
O16 - DPF: {7E866715-C9B6-4C64-AAB8-342E0D137213} (DVR4204 Client Control) - http://192.168.1.80/EDVR.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD2DAAA8-DA7C-4054-ABB3-C441DAD2BE2E}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{AD2DAAA8-DA7C-4054-ABB3-C441DAD2BE2E}: NameServer = 192.168.1.254
O17 - HKLM\System\CS8\Services\Tcpip\..\{AD2DAAA8-DA7C-4054-ABB3-C441DAD2BE2E}: NameServer = 192.168.1.254
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\bin32\nSvcAppFlt.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - D:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\bin32\nSvcIp.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\Windows\system32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10065 bytes

#10 gringo_pr


Posted 22 June 2011 - 03:24 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can start any of them by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
      O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
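The HijackThis log in post #9 and the "Fix checked" list in post #10 use the same one-line-per-entry format, so the "put a check beside all of the items listed below (if present)" step can be checked mechanically before anything is fixed. The following is an added example, not code from the thread or from HijackThis itself: SAMPLE_LOG is constructed from lines shown in the log above, FIX_LIST copies four lines from the list above plus one (SunJavaUpdateSched) that the sample deliberately lacks, and the review markers simply mirror wording HijackThis prints. Entry, parse_hjt, parse_o4, plan_fix and review_flags are names chosen here for illustration.

```python
"""Parse HijackThis log lines and check a proposed 'Fix checked' list.
Added example, not code from the thread or from HijackThis. SAMPLE_LOG is
constructed from lines in the log posted above; FIX_LIST copies part of the
'Remove unneeded startup entries' list. Review markers only mirror wording
HijackThis prints and say nothing about whether an entry is malicious."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""
# Four lines present in SAMPLE_LOG plus one (SunJavaUpdateSched) that is not,
# to exercise the "(if present)" wording of the instructions.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background',
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')",
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
]

@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O23", ...
    body: str     # text after "O4 - "
    raw: str      # the whole line, which is the unit HijackThis fixes

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# O4 registry form: HKLM\..\Run: [name] command   (also HKCU, HKUS\<SID>, RunOnce)
O4_REG_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>Run\w*):\s+"
    r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# O4 folder form: Global Startup: shortcut.lnk = target
O4_DIR_RE = re.compile(r"^(?P<hive>Global Startup|Startup):\s+(?P<name>.+?)\s+=\s+(?P<cmd>.*)$")
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)\s*$")
REVIEW_MARKERS = {  # strings HijackThis itself prints when it cannot resolve an entry
    "O2": ["(no file)"], "O3": ["(no file)"],
    "O10": ["Unknown file in Winsock LSP"],
    "O23": ["(file missing)", "Unknown owner"],
}

def parse_hjt(text: str) -> List[Entry]:
    """Keep only Rn/Fn/On entry lines; headers, process lists and blanks are dropped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            out.append(Entry(m["sec"], m["body"], line.rstrip()))
    return out

def parse_o4(e: Entry) -> Optional[Dict[str, Optional[str]]]:
    """Split an O4 autostart line into hive, value name, command and (for HKUS) user."""
    if e.section != "O4":
        return None
    m = O4_REG_RE.match(e.body) or O4_DIR_RE.match(e.body)
    if not m:
        return None
    d = m.groupdict()
    u = USER_RE.search(d["cmd"])
    return {"hive": d["hive"], "key": d.get("key"), "name": d["name"],
            "cmd": d["cmd"][:u.start()] if u else d["cmd"],
            "user": u["user"] if u else None}

def _norm(line: str) -> str:
    return re.sub(r"\s+", " ", line.strip())

def plan_fix(entries: List[Entry], requested: List[str]) -> Tuple[List[str], List[str]]:
    """Return (present, absent): requested lines matched verbatim against the log.
    HijackThis fixes whole lines, so nothing fuzzier than whitespace collapsing is used."""
    have = {_norm(e.raw): e.raw for e in entries}
    present, absent = [], []
    for line in requested:
        (present if _norm(line) in have else absent).append(have.get(_norm(line), line))
    return present, absent

def review_flags(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Entries HijackThis could not resolve. These need looking up, not deleting."""
    out = []
    for e in entries:
        hits = [m for m in REVIEW_MARKERS.get(e.section, []) if m in e.raw]
        if hits:
            out.append((e.raw, hits))
    return out

if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    present, absent = plan_fix(entries, FIX_LIST)
    print("would fix:", len(present), "lines; not in log:", absent)
    for raw, why in review_flags(entries):
        print("review:", raw, why)
```

plan_fix matches whole lines because that is the unit HijackThis fixes; a requested line that is not in the log is reported back rather than approximated. review_flags is deliberately not a removal list: the thread itself says most of what HijackThis finds is harmless or required, and the MySQL service is a case in point. The ComboFix section earlier in the thread shows its real ImagePath is a quoted path followed by arguments, which HijackThis renders as "C:\Program.exe (file missing)" because of how it splits the command line, not because the binary is gone.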

#11 gringo_pr


Posted 25 June 2011 - 02:48 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#12 gringo_pr


Posted 28 June 2011 - 02:50 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.