Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log - infected - please help


  • This topic is locked This topic is locked
15 replies to this topic

#1 sarahabutair

sarahabutair

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:08:45 AM

Posted 08 March 2012 - 05:12 PM

Hi,

I've been having lots of problems with my computer. It's very slow, programs crash all the time, but the main problems are when I'm running IE8. It works fine for a few minutes then suddenly starts using up almost 100% of the CPU. I can physically hear my computer struggling. Avira keeps picking up (and claims to remove) something called TR/Crypt.XPACK.Gen. HJT log below. If I need to do anything else please let me know, thanks in advance.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:04:06, on 08/03/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah\Desktop\ub1pvqh4.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Facebook Update] "C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Sarah\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1300318182757
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\Ralink\Common\RaRegistry.exe

--
End of file - 11048 bytes

Attached Files



BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 11 March 2012 - 12:24 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Posted Image Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:
    %systemroot%\*. /rp /s
    netsvcs
  • Click the Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and paste them into your next post.
Posted Image Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • You will be asked if you want to use Avast! Free anti virus for scanning - select No
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • OTL.txt and Extras.txt logs
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 sarahabutair

sarahabutair
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:08:45 AM

Posted 11 March 2012 - 02:20 PM

Hi,

Thank you so much for helping, here are the logs:

OTL:

OTL logfile created on: 11/03/2012 18:43:42 - Run 1
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.73% Memory free
3.85 Gb Paging File | 2.93 Gb Available in Paging File | 76.20% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 38.48 Gb Free Space | 12.91% Space Free | Partition Type: NTFS

Computer Name: 2A5B0CCCC9B249D | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/11 18:40:36 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
PRC - [2012/02/15 10:32:12 | 000,055,144 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
PRC - [2011/06/28 19:53:52 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/28 02:29:43 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/21 18:52:34 | 000,107,000 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2011/03/17 09:34:38 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\javaw.exe
PRC - [2011/03/04 14:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/07/14 21:53:00 | 000,185,632 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RaRegistry.exe
PRC - [2009/07/09 17:10:16 | 001,561,888 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RaUI.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/20 16:00:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/27 06:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 06:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/03/02 12:40:51 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/06/17 14:27:22 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2009/07/03 18:34:26 | 000,811,008 | ---- | M] () -- C:\Program Files\Ralink\Common\RaWLAPI.dll
MOD - [2009/05/11 11:45:40 | 000,147,456 | ---- | M] () -- C:\WINDOWS\system32\DiagFunc.dll
MOD - [2008/04/14 00:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/06/28 19:53:52 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/28 02:29:43 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/07/14 21:53:00 | 000,185,632 | ---- | M] (Ralink Technology, Corp.) [Auto | Running] -- C:\Program Files\Ralink\Common\RaRegistry.exe -- (RalinkRegistryWriter)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (OMCI)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mbr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (awlcrkod)
DRV - [2011/06/28 19:53:53 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 19:53:53 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2010/02/11 07:38:10 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/06/30 11:06:02 | 000,722,432 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2009/04/21 15:31:10 | 000,019,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Scutum50.sys -- (Scutum50)
DRV - [2006/05/25 14:40:00 | 001,156,808 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {932955EE-389B-4C36-9778-AC2BE4CB3E51}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{932955EE-389B-4C36-9778-AC2BE4CB3E51}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {932955EE-389B-4C36-9778-AC2BE4CB3E51}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{932955EE-389B-4C36-9778-AC2BE4CB3E51}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGHP_en-GB
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:7.2.6
FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.3.0.7280
FF - prefs.js..keyword.URL: "http://www.google.com/search?sourceid=navclient&hl=en-GB&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2011/03/17 00:08:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/03/21 18:54:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/14 11:07:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/12 13:02:25 | 000,000,000 | ---D | M]

[2011/03/17 09:38:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Extensions
[2011/12/24 16:23:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions
[2011/04/06 21:42:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/07/04 21:48:07 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/06/19 21:37:37 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/05 05:47:58 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\SARAH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\3G4LBOGL.DEFAULT\EXTENSIONS\{B749FC7C-E949-447F-926C-3F4EED6ACCFE}.XPI
[2012/01/14 11:07:13 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/09/26 18:25:01 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/09/26 18:25:01 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/09/26 18:25:01 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/09/26 18:25:01 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/09/26 18:25:01 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 10:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [Facebook Update] C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.)
O4 - Startup: C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Sarah\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1300318182757 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE25CB82-BC72-4984-9098-A9567DF14AE0}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/03/16 14:11:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/03/11 18:41:24 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Sarah\Desktop\aswMBR.exe
[2012/03/11 18:40:33 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2012/03/10 09:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/03/10 09:01:56 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/03/10 09:01:26 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/03/10 08:50:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/03/08 21:58:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Sarah\Start Menu\Programs\Administrative Tools
[2012/03/08 21:58:03 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\dds.scr
[2012/03/01 13:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\iphone pics
[2012/02/29 18:23:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\Copy of bday pics
[2012/02/29 18:21:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\bday pics
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/11 18:43:29 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/11 18:41:25 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Sarah\Desktop\aswMBR.exe
[2012/03/11 18:40:36 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2012/03/11 18:22:14 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004UA.job
[2012/03/11 10:43:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/11 00:22:01 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004Core.job
[2012/03/10 09:02:27 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/10 07:17:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/03/09 19:22:49 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/08 22:03:39 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\HiJackThis.lnk
[2012/03/08 21:59:49 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\ub1pvqh4.exe
[2012/03/08 21:58:34 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\dds.scr
[2012/03/07 22:44:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/06 11:44:00 | 000,000,030 | ---- | M] () -- C:\WINDOWS\Iedit_.INI
[2012/02/25 08:26:24 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/02/17 03:27:29 | 000,294,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/17 03:11:05 | 000,495,518 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/17 03:11:05 | 000,084,106 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/17 03:06:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/15 11:01:50 | 004,547,944 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2012/02/14 10:13:03 | 082,020,614 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0889.MOV
[2012/02/14 10:11:12 | 027,870,339 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0888.MOV
[2012/02/14 10:10:55 | 073,456,606 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0887.MOV
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/10 09:02:27 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/08 21:59:46 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\ub1pvqh4.exe
[2012/02/16 05:02:26 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/16 05:02:26 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/14 10:13:03 | 082,020,614 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0889.MOV
[2012/02/14 10:11:12 | 027,870,339 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0888.MOV
[2012/02/14 10:10:55 | 073,456,606 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0887.MOV
[2011/09/25 23:21:24 | 000,266,255 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\census.cache
[2011/09/25 23:20:52 | 000,185,017 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\ars.cache
[2011/09/25 22:57:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\housecall.guid.cache
[2011/08/31 10:58:26 | 000,000,059 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2011/08/31 10:58:26 | 000,000,020 | -H-- | C] () -- C:\WINDOWS\akebook.ini
[2011/08/31 10:58:26 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\a3kebook.ini
[2011/08/13 09:21:32 | 000,007,207 | R--- | C] () -- C:\WINDOWS\Disktool.INI
[2011/08/13 09:21:32 | 000,006,399 | R--- | C] () -- C:\WINDOWS\fwupgrade.ini
[2011/08/13 09:21:32 | 000,003,677 | R--- | C] () -- C:\WINDOWS\PlaySnd.INI
[2011/05/04 19:25:03 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/05/02 22:30:50 | 001,144,147 | ---- | C] () -- C:\WINDOWS\System32\ffmpegmt.dll
[2011/05/02 22:27:54 | 003,935,545 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.dll
[2011/05/02 20:23:46 | 000,324,096 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2011/05/02 20:19:34 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2011/05/02 20:19:20 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/04/20 21:58:08 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit_.INI
[2011/03/29 15:01:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011/03/21 19:41:08 | 000,062,340 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/03/21 18:57:46 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/18 21:32:44 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2011/03/18 21:29:56 | 000,181,248 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2011/03/18 21:28:30 | 001,557,504 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2011/03/18 21:27:08 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2011/03/18 21:26:44 | 000,484,864 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2011/03/18 21:25:38 | 000,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2011/03/18 21:25:24 | 000,141,312 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2011/03/18 03:55:25 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2011/03/18 03:53:01 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2011/03/18 03:53:01 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/03/18 03:53:01 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011/03/18 03:53:01 | 000,189,051 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/03/17 09:38:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/03/17 09:34:47 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/16 14:16:37 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\DiagFunc.dll
[2011/03/16 14:16:37 | 000,001,191 | ---- | C] () -- C:\WINDOWS\System32\W32N55.INI
[2011/03/16 14:16:37 | 000,000,480 | ---- | C] () -- C:\WINDOWS\System32\DiagFunc.ini
[2011/03/16 14:16:23 | 000,013,931 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2011/03/16 14:12:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/03/16 14:09:11 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/03/16 13:45:35 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/03/16 13:44:40 | 000,294,864 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/03 11:40:08 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2011/03/03 11:39:56 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2011/03/03 11:39:46 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2011/03/03 11:39:34 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2011/03/03 11:39:02 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
[2011/03/03 11:38:54 | 000,154,112 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2011/03/03 11:38:40 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2011/03/03 11:38:10 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2011/03/03 11:38:04 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
[2011/03/03 11:37:50 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2011/03/03 11:37:40 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
[2011/03/03 11:35:32 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2011/03/03 11:35:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2011/02/22 19:39:04 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/02/22 19:37:30 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/08/18 19:56:38 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini

========== Custom Scans ==========


< %systemroot%\*. /rp /s >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\CCC\2.0.0.0__90ba9c70f846762e] -> C:\WINDOWS\WinSxS\MSIL_CCC_90ba9c70f846762e_2.0.0.0_x-ww_c7ed2bb0 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\CLI\2.0.0.0__90ba9c70f846762e] -> C:\WINDOWS\WinSxS\MSIL_CLI_90ba9c70f846762e_2.0.0.0_x-ww_42656733 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\LOG\2.0.3693.42530__90ba9c70f846762e] -> C:\WINDOWS\WinSxS\MSIL_LOG_90ba9c70f846762e_2.0.3693.42530_x-ww_47e32df4 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\MOM\2.0.0.0__90ba9c70f846762e] -> C:\WINDOWS\WinSxS\MSIL_MOM_90ba9c70f846762e_2.0.0.0_x-ww_a60193a8 -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35] -> C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 -> Junction

< End of report >

Extras:

OTL Extras logfile created on: 11/03/2012 18:43:42 - Run 1
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.73% Memory free
3.85 Gb Paging File | 2.93 Gb Available in Paging File | 76.20% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 38.48 Gb Free Space | 12.91% Space Free | Partition Type: NTFS

Computer Name: 2A5B0CCCC9B249D | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Documents and Settings\Sarah\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Sarah\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe" = C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe:*:Enabled:Facebook Video Calling Plugin -- (Skype Limited)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03ADC8AB-C130-0C3D-1FF9-2C385DF25689}" = CCC Help Czech
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07021185-008D-ABF9-7716-475AC035F8B3}" = CCC Help Spanish
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0F8D0406-7755-AC37-6529-73AD649DBE32}" = Catalyst Control Center Graphics Previews Common
"{15803703-25FA-4C01-A062-3F4A59937E87}" = PhotoImpact X3
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{22072CC8-7230-96F8-52F4-05EAF3F906B6}" = CCC Help Polish
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2368ADBD-6FDF-4B9F-FE41-E20B4D78E79E}" = CCC Help Chinese Standard
"{25EF0DC4-B072-2E04-4581-A13C91423CE6}" = CCC Help Portuguese
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 24
"{26F7855C-443B-00A6-F7B8-A97A5403F617}" = CCC Help Danish
"{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}" = Ralink RT2870 Wireless LAN Card
"{2CB4A925-48A7-DA65-DCEE-D4DE224B7D84}" = CCC Help English
"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox
"{306D75B9-7FFF-FF65-0C76-57F2FE4FE1D6}" = Catalyst Control Center Core Implementation
"{32B12FE4-5A51-751A-1FB6-A14E97EBDD5C}" = CCC Help German
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{351512E5-01BD-E878-6F57-AA3E517D9ECE}" = Skins
"{354A387E-0374-21A3-6832-335674A6D7D1}" = CCC Help French
"{3C00BEE9-26D0-D9E0-A2D1-62F70D412A12}" = CCC Help Turkish
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4346F7AA-3D56-0941-424C-4454E04D37F6}" = CCC Help Italian
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CAE2F2C-75CD-A0DE-7520-449BCBBCC833}" = CCC Help Korean
"{57F7F0A5-8F22-8E63-E819-803B5C9CA3A5}" = CCC Help Dutch
"{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}" = MP3 Player Utilities
"{5EA437D2-7A57-B60E-E8F2-76BFAC0895A5}" = CCC Help Chinese Traditional
"{61AF4E75-050E-0304-3417-8BC16417FEB1}" = CCC Help Greek
"{624E54D0-E4F4-434F-9EF6-D4D066EE4348}" = Facebook Video Calling 1.1.1.1
"{632005DA-C291-5275-284C-5EE96B05C714}" = Catalyst Control Center HydraVision Full
"{6C72BE0C-3E25-CACD-0070-2FD9C02ABA14}" = ccc-core-preinstall
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{880BB617-914E-17E8-D877-A96BAC5794D2}" = Catalyst Control Center Graphics Full New
"{8897CF22-DB6C-8248-895C-12BFA2677F51}" = CCC Help Hungarian
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B92D97D-DB3D-4926-A8F7-718FE7C5EE18}" = iTunes
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AF710FDE-2815-8C8D-5281-8004C2654AA6}" = CCC Help Russian
"{AFF2D965-C6F2-A210-FBF7-532612AA1D23}" = CCC Help Swedish
"{B21336EE-4AEF-9940-4AC7-EDB89854B8D3}" = CCC Help Thai
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype
"{BBA69346-61A1-BD34-E75A-4D81232DB1FE}" = Catalyst Control Center Localization All
"{BFD5ED08-F066-92D5-BE67-3B9AE5DCFF0C}" = CCC Help Japanese
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4609F15-FB3C-D97E-BAA1-4F10815039C2}" = Catalyst Control Center Graphics Full Existing
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D01FAC3D-86B4-3A19-9D10-9156A0EB3EBE}" = CCC Help Finnish
"{D73722C8-3F65-C75B-A631-5D36894DAB92}" = ccc-core-static
"{DDAD33B6-8C00-428D-087B-A7088355B9BE}" = Catalyst Control Center Graphics Light
"{E333F074-FC7F-596D-3D61-44F0EC28E8C0}" = ccc-utility
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{FA38F9E4-BED7-E021-B660-8FDFF7EC6E1A}" = CCC Help Norwegian
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"{FD9C31B6-F572-414D-81E3-89368C97A125}_is1" = CamStudio OSS Desktop Recorder
"3herosoft iPhone SMS to Computer Transfer" = 3herosoft iPhone SMS to Computer Transfer
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AI RoboForm" = RoboForm 7-2-6 (All Users)
"Aleesoft Free iPad Video Converter_is1" = Aleesoft Free iPad Video Converter 2.5.71
"All ATI Software" = ATI - Software Uninstall Utility
"Any Video Converter_is1" = Any Video Converter 3.2.0
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"AviSynth" = AviSynth 2.5
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4
"AVS4YOU Video Converter 7_is1" = AVS Video Converter 8
"DiskAid_is1" = DiskAid 4.6
"DivX Setup" = DivX Setup
"DVD Flick_is1" = DVD Flick 1.3.0.7
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ie8" = Windows Internet Explorer 8
"InstallShield_{15803703-25FA-4C01-A062-3F4A59937E87}" = PhotoImpact X3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Media Player - Codec Pack" = Media Player Codec Pack 4.0.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 9.0.1 (x86 en-GB)" = Mozilla Firefox 9.0.1 (x86 en-GB)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"Personal Video Database_is1" = Personal Video Database 0.9.9.21
"Portforward Static IP Address" = Portforward Static IP Address 1.0.45
"PROSet" = Intel® PRO Network Connections Drivers
"PS3 Media Server" = PS3 Media Server
"SpywareBlaster_is1" = SpywareBlaster 4.4
"Tansee iPhone Transfer SMS_is1" = Tansee iPhone Transfer SMS
"uTorrent" = µTorrent
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR 4.00 (32-bit)
"WM Capture 5" = WM Capture 5
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.2.2 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"3533927466.go.sky.com" = Sky Go Desktop
"Dropbox" = Dropbox
"Game Organizer" = EasyBits GO
"WM Capture 5" = WM Capture 5

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 07/03/2012 18:40:32 | Computer Name = 2A5B0CCCC9B249D | Source = Application Hang | ID = 1002
Description = Hanging application SoftwareUpdate.exe, version 2.1.3.127, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 07/03/2012 21:26:18 | Computer Name = 2A5B0CCCC9B249D | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/03/2012 12:27:37 | Computer Name = 2A5B0CCCC9B249D | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/03/2012 12:27:37 | Computer Name = 2A5B0CCCC9B249D | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/03/2012 13:45:49 | Computer Name = 2A5B0CCCC9B249D | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 09/03/2012 20:17:41 | Computer Name = 2A5B0CCCC9B249D | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 09/03/2012 20:17:43 | Computer Name = 2A5B0CCCC9B249D | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/03/2012 12:30:40 | Computer Name = 2A5B0CCCC9B249D | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/03/2012 11:22:14 | Computer Name = 2A5B0CCCC9B249D | Source = Google Update | ID = 20
Description =

Error - 11/03/2012 14:22:14 | Computer Name = 2A5B0CCCC9B249D | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 04/02/2012 18:27:34 | Computer Name = 2A5B0CCCC9B249D | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\D.

Error - 09/02/2012 11:22:29 | Computer Name = 2A5B0CCCC9B249D | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\D.

Error - 10/02/2012 08:28:12 | Computer Name = 2A5B0CCCC9B249D | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 00081072E739 has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 10/02/2012 09:16:28 | Computer Name = 2A5B0CCCC9B249D | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.65
with the system having network hardware address 3C:D0:F8:77:01:B0. Network operations
on this system may be disrupted as a result.

Error - 10/02/2012 09:16:28 | Computer Name = 2A5B0CCCC9B249D | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.65
with the system having network hardware address 3C:D0:F8:77:01:B0. Network operations
on this system may be disrupted as a result.

Error - 18/02/2012 16:54:44 | Computer Name = 2A5B0CCCC9B249D | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 18/02/2012 16:55:02 | Computer Name = 2A5B0CCCC9B249D | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 18/02/2012 16:55:04 | Computer Name = 2A5B0CCCC9B249D | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 06/03/2012 09:45:13 | Computer Name = 2A5B0CCCC9B249D | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 00081072E739 has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 07/03/2012 18:40:58 | Computer Name = 2A5B0CCCC9B249D | Source = Service Control Manager | ID = 7034
Description = The Windows Installer service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

aswMBR:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-11 19:05:40
-----------------------------
19:05:40.625 OS Version: Windows 5.1.2600 Service Pack 3
19:05:40.625 Number of processors: 2 586 0xF06
19:05:40.625 ComputerName: 2A5B0CCCC9B249D UserName: Sarah
19:05:41.250 Initialize success
19:05:47.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:05:47.484 Disk 0 Vendor: WDC_WD32 21.0 Size: 305245MB BusType: 3
19:05:47.500 Disk 0 MBR read successfully
19:05:47.500 Disk 0 MBR scan
19:05:47.515 Disk 0 Windows XP default MBR code
19:05:47.515 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
19:05:47.515 Disk 0 scanning sectors +625121280
19:05:47.671 Disk 0 scanning C:\WINDOWS\system32\drivers
19:06:08.875 Service scanning
19:06:20.890 Modules scanning
19:06:43.953 Disk 0 trace - called modules:
19:06:44.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:06:44.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89de49c0]
19:06:44.000 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x898d4030]
19:06:44.000 Scan finished successfully
19:06:50.562 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sarah\Desktop\MBR.dat"
19:06:50.562 The log file has been saved successfully to "C:\Documents and Settings\Sarah\Desktop\aswMBR.txt"

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 11 March 2012 - 08:34 PM

Hi,

Does Avira give you the location or file name of that detection that keeps showing up? Please do this next:

Posted Image Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Commands
    [EmptyTemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:
  • OTL Fix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 sarahabutair

sarahabutair
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:08:45 AM

Posted 12 March 2012 - 07:15 AM

Hi,

Avira has since updated so the log isn't there anymore. MBAM didn't find anything, here are the logs:

OTL:


[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 113295951 bytes

User: Sarah
->Temp folder emptied: 287519482 bytes
->Temporary Internet Files folder emptied: 881606877 bytes
->Java cache emptied: 5312100 bytes
->FireFox cache emptied: 424897317 bytes
->Flash cache emptied: 145247 bytes

User: Zaki & Alfie
->Temp folder emptied: 247171 bytes
->Temporary Internet Files folder emptied: 63596 bytes
->Flash cache emptied: 56502 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2464794664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 155274234 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 386607321 bytes

Total Files Cleaned = 4,503.00 mb


OTL by OldTimer - Version 3.2.36.3 log created on 03122012_102943

Files\Folders moved on Reboot...
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\ZPB3CFV7\gplus_notifications_gadget[1].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\N8J0MKYX\fastbuttonCAT7YOTY.htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\MYQ4UF6O\plusone_gadget[1].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\CXBSK706\frame[1].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\CCK29BRT\fastbuttonCA5JO1PQ.htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\CCK29BRT\topic445529[1].html moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\4JOTN3BZ\commandCAGW3J9M.htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...

MBAM:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.11.12

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sarah :: 2A5B0CCCC9B249D [administrator]

12/03/2012 10:44:00
mbam-log-2012-03-12 (10-44-00).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 275906
Time elapsed: 58 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 12 March 2012 - 04:17 PM

How is your computer running now? Is Avira still alerting you to problems? Please do this next:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 31
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u31-windows-i586.exe to install the newest version.
Posted Image Please go to here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log

Edited by RPMcMurphy, 12 March 2012 - 04:18 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 sarahabutair

sarahabutair
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:08:45 AM

Posted 12 March 2012 - 05:41 PM

Hi again,

Java updated, ESET found nothing and didn't produce any log. I tried but couldn't find one. No change as to how computer is running. IE and Firefox still freezing crashing all the time and after they've been open a while the CPU shoots up and I can hear my computer roaring! Also forgot to mention that a few weeks ago my yahoo email started spamming people, I'm not sure if thats related.

Thanks,

Sarah

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 12 March 2012 - 10:44 PM

Hi,

Please do this next:

Posted Image Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed click on Yes[/b], to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 sarahabutair

sarahabutair
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:08:45 AM

Posted 13 March 2012 - 06:10 AM

Hi,

Here is the combofix log:

ComboFix 12-03-12.03 - Sarah 13/03/2012 10:57:52.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1607 [GMT 0:00]
Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-12 21:21 . 2012-03-12 21:21 -------- d-----w- c:\program files\ESET
2012-03-12 18:16 . 2012-03-12 18:16 -------- d-----w- c:\program files\Common Files\Java
2012-03-12 18:16 . 2012-03-12 18:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-12 18:16 . 2012-03-12 18:16 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-12 17:54 . 2012-03-12 17:55 -------- d-----w- c:\windows\system32\Adobe
2012-03-12 12:02 . 2012-03-12 12:02 -------- d-----w- c:\documents and settings\Sarah\Application Data\Avira
2012-03-12 12:00 . 2012-01-31 08:57 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-12 12:00 . 2012-01-31 08:57 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-03-12 12:00 . 2011-09-16 16:09 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-03-12 11:59 . 2012-03-12 11:59 -------- d-----w- c:\program files\Avira
2012-03-12 11:59 . 2012-03-12 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-03-12 10:29 . 2012-03-12 10:29 -------- d-----w- C:\_OTL
2012-03-10 09:01 . 2012-03-10 09:01 -------- d-----w- c:\program files\iPod
2012-03-10 09:01 . 2012-03-10 09:02 -------- d-----w- c:\program files\iTunes
2012-02-16 05:02 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 05:02 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-12 18:16 . 2011-03-17 09:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-25 08:26 . 2011-05-31 22:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 11:01 . 2011-03-17 09:44 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 11:01 . 2011-03-17 09:44 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-01-29 09:25 . 2012-01-29 09:25 388096 ----a-r- c:\documents and settings\Sarah\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-12 16:53 . 2004-08-04 10:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2012-01-14 11:07 . 2011-06-22 00:31 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Sarah\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Sarah\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Sarah\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Sarah\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-03-21 107000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-06 39408]
"Facebook Update"="c:\documents and settings\Sarah\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-09-02 137536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-18 17360520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Sarah\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Sarah\Application Data\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2011-3-16 1561888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 19:05 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 14:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-08-06 19:00 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2007-08-02 21:08 95504 ----a-w- c:\program files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Sarah\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Sarah\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/03/2012 12:00 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/03/2012 12:00 86224]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [16/03/2011 14:16 19072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17/03/2011 00:08 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [17/03/2011 00:08 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*NewlyCreated* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:57]
.
2012-03-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004Core.job
- c:\documents and settings\Sarah\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-02 23:17]
.
2012-03-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004UA.job
- c:\documents and settings\Sarah\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-02 23:17]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-17 00:08]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-17 00:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en-GB&q=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-3533927466.go.sky.com - c:\program files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-13 11:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\]*‘|ðOæ]
"DisplayName"="??"
"DeviceDesc"="??"
"ProviderName"=""
"MFG"="????¥"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\]???\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"\0c\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-03-13 11:08:17
ComboFix-quarantined-files.txt 2012-03-13 11:08
.
Pre-Run: 44,046,016,512 bytes free
Post-Run: 44,535,439,360 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - DBCC92F40D663909E3A0845C0B5D51B6

#10 sarahabutair

sarahabutair
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:08:45 AM

Posted 13 March 2012 - 12:16 PM

Hi again,

Just now Avira popped up witha warning, it found html/infected.webpage.gen2. Thought I'd better include that log:



Avira Free Antivirus
Report file date: 13 March 2012 16:53

Scanning for 3550838 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : 2A5B0CCCC9B249D

Version information:
BUILD.DAT : 12.0.0.898 41963 Bytes 1/31/2012 14:50:00
AVSCAN.EXE : 12.1.0.20 492496 Bytes 1/31/2012 08:56:54
AVSCAN.DLL : 12.1.0.18 54224 Bytes 1/31/2012 08:57:27
LUKE.DLL : 12.1.0.19 68304 Bytes 1/31/2012 08:57:02
AVSCPLR.DLL : 12.1.0.22 100048 Bytes 1/31/2012 08:56:54
AVREG.DLL : 12.1.0.29 228048 Bytes 1/31/2012 08:56:53
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 09:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 08:57:15
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 08:57:20
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 12:06:25
VBASE004.VDF : 7.11.21.239 2048 Bytes 2/1/2012 12:06:25
VBASE005.VDF : 7.11.21.240 2048 Bytes 2/1/2012 12:06:26
VBASE006.VDF : 7.11.21.241 2048 Bytes 2/1/2012 12:06:26
VBASE007.VDF : 7.11.21.242 2048 Bytes 2/1/2012 12:06:27
VBASE008.VDF : 7.11.21.243 2048 Bytes 2/1/2012 12:06:27
VBASE009.VDF : 7.11.21.244 2048 Bytes 2/1/2012 12:06:27
VBASE010.VDF : 7.11.21.245 2048 Bytes 2/1/2012 12:06:27
VBASE011.VDF : 7.11.21.246 2048 Bytes 2/1/2012 12:06:27
VBASE012.VDF : 7.11.21.247 2048 Bytes 2/1/2012 12:06:27
VBASE013.VDF : 7.11.22.33 1486848 Bytes 2/3/2012 12:07:08
VBASE014.VDF : 7.11.22.56 687616 Bytes 2/3/2012 12:07:31
VBASE015.VDF : 7.11.22.92 178176 Bytes 2/6/2012 12:07:36
VBASE016.VDF : 7.11.22.154 144896 Bytes 2/8/2012 12:07:41
VBASE017.VDF : 7.11.22.220 183296 Bytes 2/13/2012 12:07:49
VBASE018.VDF : 7.11.23.34 202752 Bytes 2/15/2012 12:07:54
VBASE019.VDF : 7.11.23.98 126464 Bytes 2/17/2012 12:08:04
VBASE020.VDF : 7.11.23.150 148480 Bytes 2/20/2012 12:08:06
VBASE021.VDF : 7.11.23.224 172544 Bytes 2/23/2012 12:08:10
VBASE022.VDF : 7.11.24.52 219648 Bytes 2/28/2012 12:08:15
VBASE023.VDF : 7.11.24.152 165888 Bytes 3/5/2012 12:08:19
VBASE024.VDF : 7.11.24.204 177664 Bytes 3/7/2012 12:08:24
VBASE025.VDF : 7.11.25.30 245248 Bytes 3/12/2012 10:38:31
VBASE026.VDF : 7.11.25.31 2048 Bytes 3/12/2012 10:38:31
VBASE027.VDF : 7.11.25.32 2048 Bytes 3/12/2012 10:38:31
VBASE028.VDF : 7.11.25.33 2048 Bytes 3/12/2012 10:38:32
VBASE029.VDF : 7.11.25.34 2048 Bytes 3/12/2012 10:38:32
VBASE030.VDF : 7.11.25.35 2048 Bytes 3/12/2012 10:38:32
VBASE031.VDF : 7.11.25.50 64000 Bytes 3/13/2012 10:38:34
Engineversion : 8.2.10.20
AEVDF.DLL : 8.1.2.2 106868 Bytes 1/31/2012 08:56:42
AESCRIPT.DLL : 8.1.4.9 455032 Bytes 3/12/2012 12:10:04
AESCN.DLL : 8.1.8.2 131444 Bytes 3/12/2012 12:10:00
AESBX.DLL : 8.2.5.5 606579 Bytes 3/12/2012 12:10:08
AERDL.DLL : 8.1.9.15 639348 Bytes 1/31/2012 08:56:42
AEPACK.DLL : 8.2.16.5 803190 Bytes 3/12/2012 12:09:58
AEOFFICE.DLL : 8.1.2.25 201084 Bytes 1/31/2012 08:56:41
AEHEUR.DLL : 8.1.4.4 4460916 Bytes 3/12/2012 12:09:43
AEHELP.DLL : 8.1.19.0 254327 Bytes 3/12/2012 12:08:49
AEGEN.DLL : 8.1.5.23 409973 Bytes 3/12/2012 12:08:46
AEEXP.DLL : 8.1.0.24 74101 Bytes 3/12/2012 12:10:10
AEEMU.DLL : 8.1.3.0 393589 Bytes 1/31/2012 08:56:38
AECORE.DLL : 8.1.25.5 201079 Bytes 3/12/2012 12:08:41
AEBB.DLL : 8.1.1.0 53618 Bytes 1/31/2012 08:56:38
AVWINLL.DLL : 12.1.0.17 27344 Bytes 1/31/2012 08:56:55
AVPREF.DLL : 12.1.0.17 51920 Bytes 1/31/2012 08:56:53
AVREP.DLL : 12.1.0.17 179408 Bytes 1/31/2012 08:56:53
AVARKT.DLL : 12.1.0.23 209360 Bytes 1/31/2012 08:56:49
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 1/31/2012 08:56:50
SQLITE3.DLL : 3.7.0.0 398288 Bytes 1/31/2012 08:57:08
AVSMTP.DLL : 12.1.0.17 62928 Bytes 1/31/2012 08:56:54
NETNT.DLL : 12.1.0.17 17104 Bytes 1/31/2012 08:57:04
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 1/31/2012 08:57:30
RCTEXT.DLL : 12.1.1.16 96208 Bytes 1/31/2012 08:57:30

Configuration settings for the scan:
Jobname.............................: AVGuardAsyncScan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4f5e39b0\guard_slideup.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete
Deviating risk categories...........: +PCK,+PFS,+SPR,

Start of the scan: 13 March 2012 16:53

The scan of running processes will be started
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'uTorrent.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RaUI.exe' - '1' Module(s) have been scanned
Scan process 'javaw.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'ONENOTEM.EXE' - '1' Module(s) have been scanned
Scan process 'Skype.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'RoboTaskBarIcon.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'DivXUpdate.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RaRegistry.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\SR6WW7UJ\widget_IFRAMEcont[4].htm'
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\SR6WW7UJ\widget_IFRAMEcont[4].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen2 HTML script virus

Beginning disinfection:
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\SR6WW7UJ\widget_IFRAMEcont[4].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen2 HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '543bffea.qua'.


End of the scan: 13 March 2012 16:54
Used time: 00:06 Minute(s)

The scan has been done completely.

0 Scanned directories
48 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
47 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes


The scan results will be transferred to the Guard.

#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 13 March 2012 - 08:10 PM

OK, please do this now:

Posted Image Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to both options
  • click OK
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.7.1.0_19.01.2012_17.24.26_log.txt
  • Post that log, please.

Posted Image Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Commands
    [EmptyFlash]
    [EmptyTemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
  • Open OTL again and press "Quick Scan" to produce a fresh log
Please include the following in your next post:
  • TDSSKiller log
  • OTL Fix log
  • OTL Scan log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#12 sarahabutair

sarahabutair
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:08:45 AM

Posted 14 March 2012 - 03:55 AM

Hi,

Here are the logs:

TDSSKiller:

08:36:50.0506 3900 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
08:36:50.0959 3900 ============================================================
08:36:50.0959 3900 Current date / time: 2012/03/14 08:36:50.0959
08:36:50.0959 3900 SystemInfo:
08:36:50.0959 3900
08:36:50.0959 3900 OS Version: 5.1.2600 ServicePack: 3.0
08:36:50.0959 3900 Product type: Workstation
08:36:50.0959 3900 ComputerName: 2A5B0CCCC9B249D
08:36:50.0959 3900 UserName: Sarah
08:36:50.0959 3900 Windows directory: C:\WINDOWS
08:36:50.0959 3900 System windows directory: C:\WINDOWS
08:36:50.0959 3900 Processor architecture: Intel x86
08:36:50.0959 3900 Number of processors: 2
08:36:50.0959 3900 Page size: 0x1000
08:36:50.0959 3900 Boot type: Normal boot
08:36:50.0959 3900 ============================================================
08:36:51.0647 3900 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
08:36:51.0709 3900 \Device\Harddisk0\DR0:
08:36:51.0709 3900 MBR used
08:36:51.0709 3900 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1
08:36:51.0772 3900 Initialize success
08:36:51.0772 3900 ============================================================
08:36:57.0475 3100 ============================================================
08:36:57.0475 3100 Scan started
08:36:57.0475 3100 Mode: Manual; SigCheck; TDLFS;
08:36:57.0475 3100 ============================================================
08:36:58.0428 3100 Abiosdsk - ok
08:36:58.0428 3100 abp480n5 - ok
08:36:58.0506 3100 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:36:59.0709 3100 ACPI - ok
08:36:59.0818 3100 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:36:59.0943 3100 ACPIEC - ok
08:36:59.0975 3100 adpu160m - ok
08:37:00.0037 3100 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:37:00.0131 3100 aec - ok
08:37:00.0178 3100 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
08:37:00.0256 3100 AFD - ok
08:37:00.0256 3100 Aha154x - ok
08:37:00.0272 3100 aic78u2 - ok
08:37:00.0272 3100 aic78xx - ok
08:37:00.0287 3100 AliIde - ok
08:37:00.0287 3100 amsint - ok
08:37:00.0303 3100 asc - ok
08:37:00.0303 3100 asc3350p - ok
08:37:00.0318 3100 asc3550 - ok
08:37:00.0365 3100 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:37:00.0475 3100 AsyncMac - ok
08:37:00.0506 3100 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
08:37:00.0615 3100 atapi - ok
08:37:00.0678 3100 Atdisk - ok
08:37:00.0850 3100 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
08:37:01.0100 3100 ati2mtag ( UnsignedFile.Multi.Generic ) - warning
08:37:01.0100 3100 ati2mtag - detected UnsignedFile.Multi.Generic (1)
08:37:01.0147 3100 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:37:01.0443 3100 Atmarpc - ok
08:37:01.0553 3100 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:37:01.0647 3100 audstub - ok
08:37:01.0709 3100 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
08:37:01.0928 3100 avgntflt - ok
08:37:01.0959 3100 avipbb (13b02b9b969dde270cd7c351203dad3c) C:\WINDOWS\system32\DRIVERS\avipbb.sys
08:37:01.0975 3100 avipbb - ok
08:37:02.0068 3100 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
08:37:02.0068 3100 avkmgr - ok
08:37:02.0131 3100 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:37:02.0240 3100 Beep - ok
08:37:02.0428 3100 catchme - ok
08:37:02.0475 3100 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:37:02.0615 3100 cbidf2k - ok
08:37:02.0647 3100 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:37:02.0740 3100 CCDECODE - ok
08:37:02.0756 3100 cd20xrnt - ok
08:37:02.0818 3100 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:37:02.0912 3100 Cdaudio - ok
08:37:02.0959 3100 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:37:03.0037 3100 Cdfs - ok
08:37:03.0068 3100 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:37:03.0178 3100 Cdrom - ok
08:37:03.0209 3100 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
08:37:03.0256 3100 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
08:37:03.0256 3100 cercsr6 - detected UnsignedFile.Multi.Generic (1)
08:37:03.0334 3100 Changer - ok
08:37:03.0365 3100 CmdIde - ok
08:37:03.0397 3100 Cpqarray - ok
08:37:03.0412 3100 dac2w2k - ok
08:37:03.0428 3100 dac960nt - ok
08:37:03.0459 3100 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
08:37:03.0584 3100 Disk - ok
08:37:03.0631 3100 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:37:03.0803 3100 dmboot - ok
08:37:03.0834 3100 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:37:03.0943 3100 dmio - ok
08:37:03.0975 3100 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:37:04.0115 3100 dmload - ok
08:37:04.0131 3100 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:37:04.0225 3100 DMusic - ok
08:37:04.0225 3100 dpti2o - ok
08:37:04.0272 3100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:37:04.0350 3100 drmkaud - ok
08:37:04.0397 3100 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
08:37:04.0459 3100 e1express - ok
08:37:04.0522 3100 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:37:04.0662 3100 Fastfat - ok
08:37:04.0678 3100 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:37:04.0756 3100 Fdc - ok
08:37:04.0834 3100 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:37:04.0959 3100 Fips - ok
08:37:04.0975 3100 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:37:05.0068 3100 Flpydisk - ok
08:37:05.0131 3100 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
08:37:05.0209 3100 FltMgr - ok
08:37:05.0240 3100 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:37:05.0334 3100 Fs_Rec - ok
08:37:05.0334 3100 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:37:05.0459 3100 Ftdisk - ok
08:37:05.0506 3100 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
08:37:05.0506 3100 GEARAspiWDM - ok
08:37:05.0600 3100 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:37:05.0725 3100 Gpc - ok
08:37:05.0740 3100 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:37:05.0881 3100 HDAudBus - ok
08:37:05.0897 3100 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:37:06.0006 3100 hidusb - ok
08:37:06.0006 3100 hpn - ok
08:37:06.0068 3100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
08:37:06.0115 3100 HTTP - ok
08:37:06.0131 3100 i2omgmt - ok
08:37:06.0131 3100 i2omp - ok
08:37:06.0147 3100 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
08:37:06.0272 3100 i8042prt - ok
08:37:06.0334 3100 iastor (294110966cedd127629c5be48367c8cf) C:\WINDOWS\system32\DRIVERS\iaStor.sys
08:37:06.0397 3100 iastor - ok
08:37:06.0397 3100 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:37:06.0522 3100 Imapi - ok
08:37:06.0522 3100 ini910u - ok
08:37:06.0537 3100 IntelIde - ok
08:37:06.0584 3100 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:37:06.0662 3100 intelppm - ok
08:37:06.0693 3100 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
08:37:06.0834 3100 Ip6Fw - ok
08:37:06.0865 3100 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:37:06.0975 3100 IpFilterDriver - ok
08:37:07.0006 3100 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:37:07.0131 3100 IpInIp - ok
08:37:07.0178 3100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:37:07.0256 3100 IpNat - ok
08:37:07.0303 3100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:37:07.0381 3100 IPSec - ok
08:37:07.0428 3100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:37:07.0522 3100 IRENUM - ok
08:37:07.0553 3100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:37:07.0647 3100 isapnp - ok
08:37:07.0693 3100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:37:07.0818 3100 Kbdclass - ok
08:37:07.0834 3100 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
08:37:07.0928 3100 kbdhid - ok
08:37:07.0959 3100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:37:08.0053 3100 kmixer - ok
08:37:08.0084 3100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
08:37:08.0178 3100 KSecDD - ok
08:37:08.0240 3100 lbrtfdc - ok
08:37:08.0287 3100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:37:08.0381 3100 mnmdd - ok
08:37:08.0459 3100 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:37:08.0553 3100 Modem - ok
08:37:08.0615 3100 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:37:08.0709 3100 Mouclass - ok
08:37:08.0740 3100 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:37:08.0850 3100 mouhid - ok
08:37:08.0897 3100 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
08:37:09.0006 3100 MountMgr - ok
08:37:09.0006 3100 mraid35x - ok
08:37:09.0022 3100 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:37:09.0131 3100 MRxDAV - ok
08:37:09.0193 3100 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:37:09.0240 3100 MRxSmb - ok
08:37:09.0287 3100 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:37:09.0365 3100 Msfs - ok
08:37:09.0412 3100 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:37:09.0506 3100 MSKSSRV - ok
08:37:09.0537 3100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:37:09.0662 3100 MSPCLOCK - ok
08:37:09.0693 3100 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:37:09.0818 3100 MSPQM - ok
08:37:09.0881 3100 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:37:09.0975 3100 mssmbios - ok
08:37:10.0006 3100 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
08:37:10.0147 3100 MSTEE - ok
08:37:10.0178 3100 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
08:37:10.0225 3100 Mup - ok
08:37:10.0256 3100 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:37:10.0397 3100 NABTSFEC - ok
08:37:10.0428 3100 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:37:10.0553 3100 NDIS - ok
08:37:10.0615 3100 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:37:10.0740 3100 NdisIP - ok
08:37:10.0803 3100 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:37:10.0834 3100 NdisTapi - ok
08:37:10.0881 3100 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:37:11.0022 3100 Ndisuio - ok
08:37:11.0068 3100 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:37:11.0178 3100 NdisWan - ok
08:37:11.0225 3100 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
08:37:11.0256 3100 NDProxy - ok
08:37:11.0287 3100 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:37:11.0365 3100 NetBIOS - ok
08:37:11.0381 3100 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:37:11.0475 3100 NetBT - ok
08:37:11.0490 3100 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:37:11.0615 3100 Npfs - ok
08:37:11.0615 3100 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
08:37:11.0725 3100 Ntfs - ok
08:37:11.0756 3100 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:37:11.0834 3100 Null - ok
08:37:11.0881 3100 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:37:11.0990 3100 NwlnkFlt - ok
08:37:11.0990 3100 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:37:12.0100 3100 NwlnkFwd - ok
08:37:12.0100 3100 OMCI - ok
08:37:12.0147 3100 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
08:37:12.0225 3100 Parport - ok
08:37:12.0240 3100 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:37:12.0318 3100 PartMgr - ok
08:37:12.0350 3100 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:37:12.0475 3100 ParVdm - ok
08:37:12.0490 3100 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:37:12.0568 3100 PCI - ok
08:37:12.0584 3100 PCIDump - ok
08:37:12.0584 3100 PCIIde - ok
08:37:12.0615 3100 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
08:37:12.0725 3100 Pcmcia - ok
08:37:12.0725 3100 PDCOMP - ok
08:37:12.0740 3100 PDFRAME - ok
08:37:12.0740 3100 PDRELI - ok
08:37:12.0756 3100 PDRFRAME - ok
08:37:12.0756 3100 perc2 - ok
08:37:12.0772 3100 perc2hib - ok
08:37:12.0787 3100 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:37:12.0865 3100 PptpMiniport - ok
08:37:12.0897 3100 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
08:37:12.0990 3100 PSched - ok
08:37:12.0990 3100 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:37:13.0084 3100 Ptilink - ok
08:37:13.0084 3100 ql1080 - ok
08:37:13.0100 3100 Ql10wnt - ok
08:37:13.0100 3100 ql12160 - ok
08:37:13.0115 3100 ql1240 - ok
08:37:13.0115 3100 ql1280 - ok
08:37:13.0131 3100 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:37:13.0209 3100 RasAcd - ok
08:37:13.0240 3100 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:37:13.0318 3100 Rasl2tp - ok
08:37:13.0334 3100 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:37:13.0428 3100 RasPppoe - ok
08:37:13.0428 3100 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:37:13.0506 3100 Raspti - ok
08:37:13.0553 3100 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:37:13.0647 3100 Rdbss - ok
08:37:13.0662 3100 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:37:13.0772 3100 RDPCDD - ok
08:37:13.0818 3100 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
08:37:13.0850 3100 RDPWD - ok
08:37:13.0881 3100 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:37:13.0959 3100 redbook - ok
08:37:14.0053 3100 rt2870 (b9b17aca28d3e60caabd92402de413d5) C:\WINDOWS\system32\DRIVERS\rt2870.sys
08:37:14.0131 3100 rt2870 - ok
08:37:14.0225 3100 Scutum50 (f34c06d1c706a6d9433570b087a18b02) C:\WINDOWS\system32\Drivers\Scutum50.sys
08:37:14.0240 3100 Scutum50 ( UnsignedFile.Multi.Generic ) - warning
08:37:14.0240 3100 Scutum50 - detected UnsignedFile.Multi.Generic (1)
08:37:14.0272 3100 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:37:14.0381 3100 Secdrv - ok
08:37:14.0381 3100 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
08:37:14.0490 3100 Serial - ok
08:37:14.0522 3100 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:37:14.0615 3100 Sfloppy - ok
08:37:14.0615 3100 Simbad - ok
08:37:14.0662 3100 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:37:14.0787 3100 SLIP - ok
08:37:14.0787 3100 Sparrow - ok
08:37:14.0865 3100 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:37:14.0959 3100 splitter - ok
08:37:14.0975 3100 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:37:15.0068 3100 sr - ok
08:37:15.0115 3100 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
08:37:15.0147 3100 Srv - ok
08:37:15.0225 3100 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
08:37:15.0240 3100 ssmdrv - ok
08:37:15.0318 3100 STHDA (9db5dbed65f2d74acd1d20a53898af79) C:\WINDOWS\system32\drivers\sthda.sys
08:37:15.0412 3100 STHDA - ok
08:37:15.0459 3100 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:37:15.0568 3100 streamip - ok
08:37:15.0647 3100 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:37:15.0740 3100 swenum - ok
08:37:15.0756 3100 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:37:15.0834 3100 swmidi - ok
08:37:15.0850 3100 symc810 - ok
08:37:15.0850 3100 symc8xx - ok
08:37:15.0865 3100 sym_hi - ok
08:37:15.0865 3100 sym_u3 - ok
08:37:15.0881 3100 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:37:15.0975 3100 sysaudio - ok
08:37:16.0037 3100 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:37:16.0131 3100 Tcpip - ok
08:37:16.0178 3100 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:37:16.0303 3100 TDPIPE - ok
08:37:16.0397 3100 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
08:37:16.0506 3100 TDTCP - ok
08:37:16.0537 3100 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:37:16.0615 3100 TermDD - ok
08:37:16.0631 3100 TosIde - ok
08:37:16.0647 3100 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:37:16.0787 3100 Udfs - ok
08:37:16.0787 3100 ultra - ok
08:37:16.0865 3100 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:37:16.0975 3100 Update - ok
08:37:17.0022 3100 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
08:37:17.0053 3100 USBAAPL - ok
08:37:17.0100 3100 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:37:17.0240 3100 usbccgp - ok
08:37:17.0256 3100 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:37:17.0397 3100 usbehci - ok
08:37:17.0397 3100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:37:17.0490 3100 usbhub - ok
08:37:17.0490 3100 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:37:17.0600 3100 usbscan - ok
08:37:17.0662 3100 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:37:17.0756 3100 usbstor - ok
08:37:17.0818 3100 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:37:17.0897 3100 usbuhci - ok
08:37:17.0943 3100 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
08:37:18.0053 3100 usbvideo - ok
08:37:18.0115 3100 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:37:18.0209 3100 VgaSave - ok
08:37:18.0209 3100 ViaIde - ok
08:37:18.0272 3100 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:37:18.0381 3100 VolSnap - ok
08:37:18.0397 3100 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:37:18.0490 3100 Wanarp - ok
08:37:18.0522 3100 WDICA - ok
08:37:18.0584 3100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:37:18.0709 3100 wdmaud - ok
08:37:18.0803 3100 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
08:37:18.0928 3100 WS2IFSL - ok
08:37:18.0959 3100 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:37:19.0068 3100 WSTCODEC - ok
08:37:19.0147 3100 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:37:19.0193 3100 WudfPf - ok
08:37:19.0225 3100 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:37:19.0256 3100 WudfRd - ok
08:37:19.0287 3100 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:37:19.0459 3100 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
08:37:19.0459 3100 \Device\Harddisk0\DR0 - detected TDSS File System (1)
08:37:19.0459 3100 Boot (0x1200) (e308a5762ec80ac70a064e5b6c906f01) \Device\Harddisk0\DR0\Partition0
08:37:19.0459 3100 \Device\Harddisk0\DR0\Partition0 - ok
08:37:19.0459 3100 ============================================================
08:37:19.0459 3100 Scan finished
08:37:19.0459 3100 ============================================================
08:37:19.0568 2656 Detected object count: 4
08:37:19.0568 2656 Actual detected object count: 4
08:38:17.0287 2656 ati2mtag ( UnsignedFile.Multi.Generic ) - skipped by user
08:38:17.0287 2656 ati2mtag ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:38:17.0287 2656 cercsr6 ( UnsignedFile.Multi.Generic ) - skipped by user
08:38:17.0287 2656 cercsr6 ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:38:17.0287 2656 Scutum50 ( UnsignedFile.Multi.Generic ) - skipped by user
08:38:17.0287 2656 Scutum50 ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:38:17.0303 2656 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
08:38:17.0303 2656 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
08:38:21.0506 5524 Deinitialize success

OTL Fix:


Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Sarah
->Temp folder emptied: 18800991 bytes
->Temporary Internet Files folder emptied: 137054469 bytes
->Java cache emptied: 44397 bytes
->FireFox cache emptied: 17067698 bytes
->Flash cache emptied: 0 bytes

User: Zaki & Alfie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1043141 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 2044822 bytes

Total Files Cleaned = 168.00 mb


OTL by OldTimer - Version 3.2.36.3 log created on 03142012_083905

Files\Folders moved on Reboot...
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\SR6WW7UJ\plusone_gadget[1].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\FRLNOINC\command[3].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\803D9Z0N\gplus_notifications_gadget[1].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\5NTQKYXH\fastbutton[4].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\5NTQKYXH\fastbutton[5].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\5NTQKYXH\frame[3].htm moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\5NTQKYXH\topic445529[1].html moved successfully.
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...


OTL:

OTL logfile created on: 14/03/2012 08:43:27 - Run 2
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 72.37% Memory free
3.85 Gb Paging File | 3.40 Gb Available in Paging File | 88.52% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 33.33 Gb Free Space | 11.18% Space Free | Partition Type: NTFS

Computer Name: 2A5B0CCCC9B249D | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/11 18:40:36 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
PRC - [2012/02/14 23:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Sarah\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2012/01/31 08:57:32 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012/01/31 08:57:06 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012/01/31 08:56:50 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012/01/31 08:56:50 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/07/28 23:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/03/21 18:52:34 | 000,107,000 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2009/07/14 21:53:00 | 000,185,632 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RaRegistry.exe
PRC - [2009/07/09 17:10:16 | 001,561,888 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RaUI.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/20 16:00:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/17 03:13:11 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll
MOD - [2012/02/17 03:12:59 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll
MOD - [2012/02/17 03:11:39 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll
MOD - [2012/01/31 08:57:08 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/10/13 02:13:38 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/09/27 06:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 06:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/07/28 23:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/28 23:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2011/03/29 12:47:54 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation\2.0.3309.28601__90ba9c70f846762e\LOG.Foundation.dll
MOD - [2011/03/29 12:47:54 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\MOM.Foundation\2.0.3309.28626__90ba9c70f846762e\MOM.Foundation.dll
MOD - [2011/03/29 12:47:52 | 000,106,496 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\MOM.Implementation\2.0.3693.42531__90ba9c70f846762e\MOM.Implementation.dll
MOD - [2011/03/29 12:47:52 | 000,061,440 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation\2.0.3693.42530__90ba9c70f846762e\LOG.Foundation.Implementation.dll
MOD - [2011/03/29 12:47:52 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Private\2.0.3309.28614__90ba9c70f846762e\LOG.Foundation.Private.dll
MOD - [2011/03/29 12:47:52 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation.Private\2.0.3309.28626__90ba9c70f846762e\LOG.Foundation.Implementation.Private.dll
MOD - [2009/07/03 18:34:26 | 000,811,008 | ---- | M] () -- C:\Program Files\Ralink\Common\RaWLAPI.dll
MOD - [2009/05/11 11:45:40 | 000,147,456 | ---- | M] () -- C:\WINDOWS\system32\DiagFunc.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2012/01/31 08:57:06 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/01/31 08:56:50 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 21:53:00 | 000,185,632 | ---- | M] (Ralink Technology, Corp.) [Auto | Running] -- C:\Program Files\Ralink\Common\RaRegistry.exe -- (RalinkRegistryWriter)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (OMCI)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
DRV - [2012/01/31 08:57:31 | 000,137,416 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/01/31 08:57:31 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/09/16 16:09:17 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/02/11 07:38:10 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/06/30 11:06:02 | 000,722,432 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2009/04/21 15:31:10 | 000,019,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Scutum50.sys -- (Scutum50)
DRV - [2006/05/25 14:40:00 | 001,156,808 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {932955EE-389B-4C36-9778-AC2BE4CB3E51}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{932955EE-389B-4C36-9778-AC2BE4CB3E51}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {932955EE-389B-4C36-9778-AC2BE4CB3E51}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{932955EE-389B-4C36-9778-AC2BE4CB3E51}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGHP_en-GBGB423
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:7.2.6
FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.3.0.7280
FF - prefs.js..keyword.URL: "http://www.google.com/search?sourceid=navclient&hl=en-GB&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2011/03/17 00:08:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/03/21 18:54:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/14 11:07:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/12 18:16:15 | 000,000,000 | ---D | M]

[2011/03/17 09:38:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Extensions
[2011/12/24 16:23:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions
[2011/04/06 21:42:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/07/04 21:48:07 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2012/03/12 18:16:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/05 05:47:58 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/03/12 18:16:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\SARAH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\3G4LBOGL.DEFAULT\EXTENSIONS\{B749FC7C-E949-447F-926C-3F4EED6ACCFE}.XPI
[2012/01/14 11:07:13 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/03/12 18:16:07 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/26 18:25:01 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/09/26 18:25:01 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/09/26 18:25:01 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/09/26 18:25:01 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/09/26 18:25:01 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/03/13 11:05:19 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [Facebook Update] C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.)
O4 - Startup: C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Sarah\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1300318182757 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/03/16 14:11:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/14 08:49:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/03/14 08:40:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2012/03/14 08:36:10 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2012/03/13 16:53:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/03/13 13:43:02 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/13 11:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/03/13 10:52:38 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/13 10:49:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/13 10:49:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/13 10:49:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/13 10:49:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/13 10:49:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/13 10:49:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/13 10:47:55 | 004,435,063 | R--- | C] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2012/03/12 21:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Start Menu\Programs\Dropbox
[2012/03/12 21:21:30 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/03/12 18:16:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/03/12 17:54:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2012/03/12 12:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Application Data\Avira
[2012/03/12 12:00:20 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2012/03/12 12:00:14 | 000,137,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2012/03/12 12:00:14 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2012/03/12 12:00:14 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avkmgr.sys
[2012/03/12 11:59:52 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2012/03/12 11:59:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2012/03/12 10:29:43 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/11 23:03:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\New Folder
[2012/03/11 18:41:24 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Sarah\Desktop\aswMBR.exe
[2012/03/11 18:40:33 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2012/03/10 09:01:56 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/03/10 09:01:26 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/03/08 21:58:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Sarah\Start Menu\Programs\Administrative Tools
[2012/03/08 21:58:03 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\dds.scr
[2012/03/01 13:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\iphone pics
[2012/02/29 18:23:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\Copy of bday pics
[2012/02/29 18:21:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\bday pics

========== Files - Modified Within 30 Days ==========

[2012/03/14 08:43:13 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/14 08:41:30 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/14 08:41:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/14 06:22:01 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004UA.job
[2012/03/14 00:22:00 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004Core.job
[2012/03/13 11:05:19 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/13 10:52:46 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/03/13 10:48:09 | 004,435,063 | R--- | M] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2012/03/12 21:43:47 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Dropbox.lnk
[2012/03/12 21:41:44 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\Dropbox.lnk
[2012/03/12 12:00:47 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2012/03/11 23:40:43 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/11 23:10:20 | 000,000,030 | ---- | M] () -- C:\WINDOWS\Iedit_.INI
[2012/03/11 22:56:27 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/11 22:46:07 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\SpywareBlaster.lnk
[2012/03/11 22:42:32 | 000,000,040 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\_rgpl
[2012/03/11 19:06:50 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\MBR.dat
[2012/03/11 18:41:25 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Sarah\Desktop\aswMBR.exe
[2012/03/11 18:40:36 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2012/03/10 09:02:27 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/10 07:17:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/03/09 17:12:06 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2012/03/08 22:03:39 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\HiJackThis.lnk
[2012/03/08 21:59:49 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\ub1pvqh4.exe
[2012/03/08 21:58:34 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\dds.scr
[2012/02/17 03:27:29 | 000,294,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/17 03:11:05 | 000,495,518 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/17 03:11:05 | 000,084,106 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/17 03:06:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/14 10:13:03 | 082,020,614 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0889.MOV
[2012/02/14 10:11:12 | 027,870,339 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0888.MOV
[2012/02/14 10:10:55 | 073,456,606 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0887.MOV

========== Files Created - No Company Name ==========

[2012/03/13 10:52:46 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/03/13 10:52:41 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/13 10:49:53 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/13 10:49:53 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/13 10:49:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/13 10:49:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/13 10:49:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/12 21:43:47 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Dropbox.lnk
[2012/03/12 21:41:44 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\Dropbox.lnk
[2012/03/12 12:00:47 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2012/03/11 22:42:32 | 000,000,040 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\_rgpl
[2012/03/11 19:06:50 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\MBR.dat
[2012/03/10 09:02:27 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/08 21:59:46 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\ub1pvqh4.exe
[2012/02/16 05:02:26 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/16 05:02:26 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/14 10:13:03 | 082,020,614 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0889.MOV
[2012/02/14 10:11:12 | 027,870,339 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0888.MOV
[2012/02/14 10:10:55 | 073,456,606 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0887.MOV
[2011/09/25 23:21:24 | 000,266,255 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\census.cache
[2011/09/25 23:20:52 | 000,185,017 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\ars.cache
[2011/09/25 22:57:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\housecall.guid.cache
[2011/08/13 09:21:32 | 000,007,207 | R--- | C] () -- C:\WINDOWS\Disktool.INI
[2011/08/13 09:21:32 | 000,006,399 | R--- | C] () -- C:\WINDOWS\fwupgrade.ini
[2011/08/13 09:21:32 | 000,003,677 | R--- | C] () -- C:\WINDOWS\PlaySnd.INI
[2011/05/04 19:25:03 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/05/02 22:30:50 | 001,144,147 | ---- | C] () -- C:\WINDOWS\System32\ffmpegmt.dll
[2011/05/02 22:27:54 | 003,935,545 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.dll
[2011/05/02 20:23:46 | 000,324,096 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2011/05/02 20:19:34 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2011/05/02 20:19:20 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/04/20 21:58:08 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit_.INI
[2011/03/29 15:01:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011/03/21 19:41:08 | 000,062,340 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/03/21 18:57:46 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/18 21:32:44 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2011/03/18 21:29:56 | 000,181,248 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2011/03/18 21:28:30 | 001,557,504 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2011/03/18 21:27:08 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2011/03/18 21:26:44 | 000,484,864 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2011/03/18 21:25:38 | 000,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2011/03/18 21:25:24 | 000,141,312 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2011/03/18 03:55:25 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2011/03/18 03:53:01 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2011/03/18 03:53:01 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/03/18 03:53:01 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011/03/18 03:53:01 | 000,189,051 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/03/17 09:38:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/03/17 09:34:47 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/16 14:16:37 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\DiagFunc.dll
[2011/03/16 14:16:37 | 000,001,191 | ---- | C] () -- C:\WINDOWS\System32\W32N55.INI
[2011/03/16 14:16:37 | 000,000,480 | ---- | C] () -- C:\WINDOWS\System32\DiagFunc.ini
[2011/03/16 14:16:23 | 000,013,931 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2011/03/16 14:12:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/03/16 14:09:11 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/03/16 13:45:35 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/03/16 13:44:40 | 000,294,864 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/03 11:40:08 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2011/03/03 11:39:56 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2011/03/03 11:39:46 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2011/03/03 11:39:34 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2011/03/03 11:39:02 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
[2011/03/03 11:38:54 | 000,154,112 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2011/03/03 11:38:40 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2011/03/03 11:38:10 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2011/03/03 11:38:04 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
[2011/03/03 11:37:50 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2011/03/03 11:37:40 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
[2011/03/03 11:35:32 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2011/03/03 11:35:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2010/08/18 19:56:38 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini

========== LOP Check ==========

[2011/03/16 14:16:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ralink Driver
[2011/03/21 18:54:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2012/03/13 11:09:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/03/18 04:07:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2011/03/17 09:44:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/03/25 10:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\AnvSoft
[2011/03/28 21:51:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\DiskAid
[2012/03/14 08:47:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Dropbox
[2011/06/28 21:44:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Personal Video Database
[2011/03/23 10:21:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\PFStaticIP
[2011/03/18 04:16:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Ulead Systems
[2012/03/14 08:39:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\uTorrent
[2012/03/14 00:22:00 | 000,000,976 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004Core.job
[2012/03/14 06:22:01 | 000,000,998 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004UA.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

#13 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 14 March 2012 - 03:18 PM

Please do this next:

Posted Image Run TDSSKiller again
  • Execute TDSSKiller.exe by doubleclicking on it.
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to both options
  • click OK
  • Press Start Scan
  • This time, select "Delete" for these two detections:

    \Device\Harddisk0\DR0 ( TDSS File System )
    \Device\Harddisk0\DR0 ( TDSS File System )
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.7.1.0_19.01.2012_17.24.26_log.txt
  • Post that log, please.

Posted Image Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
  • Open OTL again and press "Quick Scan" to produce a fresh log
Please include the following in your next post:
  • TDSSKiller log
  • OTL Fix log
  • OTL Scan log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#14 sarahabutair

sarahabutair
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:08:45 AM

Posted 15 March 2012 - 05:00 AM

Hi again,

Here are the logs. TDSSKiller only found one of those things you wanted me to delete. Also, neither program asked me to reboot?

TDSSKiller:

09:46:48.0093 3304 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
09:46:48.0218 3304 ============================================================
09:46:48.0218 3304 Current date / time: 2012/03/15 09:46:48.0218
09:46:48.0218 3304 SystemInfo:
09:46:48.0218 3304
09:46:48.0218 3304 OS Version: 5.1.2600 ServicePack: 3.0
09:46:48.0218 3304 Product type: Workstation
09:46:48.0218 3304 ComputerName: 2A5B0CCCC9B249D
09:46:48.0218 3304 UserName: Sarah
09:46:48.0218 3304 Windows directory: C:\WINDOWS
09:46:48.0218 3304 System windows directory: C:\WINDOWS
09:46:48.0218 3304 Processor architecture: Intel x86
09:46:48.0218 3304 Number of processors: 2
09:46:48.0218 3304 Page size: 0x1000
09:46:48.0218 3304 Boot type: Normal boot
09:46:48.0218 3304 ============================================================
09:46:48.0625 3304 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
09:46:48.0671 3304 \Device\Harddisk0\DR0:
09:46:48.0671 3304 MBR used
09:46:48.0671 3304 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1
09:46:48.0703 3304 Initialize success
09:46:48.0703 3304 ============================================================
09:47:01.0375 4080 ============================================================
09:47:01.0375 4080 Scan started
09:47:01.0375 4080 Mode: Manual; SigCheck; TDLFS;
09:47:01.0375 4080 ============================================================
09:47:02.0171 4080 Abiosdsk - ok
09:47:02.0187 4080 abp480n5 - ok
09:47:02.0250 4080 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:47:03.0671 4080 ACPI - ok
09:47:03.0812 4080 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:47:03.0937 4080 ACPIEC - ok
09:47:03.0953 4080 adpu160m - ok
09:47:04.0015 4080 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:47:04.0125 4080 aec - ok
09:47:04.0187 4080 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:47:04.0250 4080 AFD - ok
09:47:04.0281 4080 Aha154x - ok
09:47:04.0296 4080 aic78u2 - ok
09:47:04.0296 4080 aic78xx - ok
09:47:04.0312 4080 AliIde - ok
09:47:04.0312 4080 amsint - ok
09:47:04.0328 4080 asc - ok
09:47:04.0328 4080 asc3350p - ok
09:47:04.0343 4080 asc3550 - ok
09:47:04.0390 4080 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:47:04.0500 4080 AsyncMac - ok
09:47:04.0515 4080 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
09:47:04.0656 4080 atapi - ok
09:47:04.0656 4080 Atdisk - ok
09:47:04.0828 4080 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
09:47:04.0984 4080 ati2mtag ( UnsignedFile.Multi.Generic ) - warning
09:47:04.0984 4080 ati2mtag - detected UnsignedFile.Multi.Generic (1)
09:47:05.0015 4080 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:47:05.0125 4080 Atmarpc - ok
09:47:05.0187 4080 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:47:05.0281 4080 audstub - ok
09:47:05.0343 4080 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
09:47:05.0531 4080 avgntflt - ok
09:47:05.0546 4080 avipbb (13b02b9b969dde270cd7c351203dad3c) C:\WINDOWS\system32\DRIVERS\avipbb.sys
09:47:05.0562 4080 avipbb - ok
09:47:05.0687 4080 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
09:47:05.0687 4080 avkmgr - ok
09:47:05.0734 4080 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:47:05.0812 4080 Beep - ok
09:47:05.0953 4080 catchme - ok
09:47:06.0000 4080 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:47:06.0125 4080 cbidf2k - ok
09:47:06.0171 4080 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
09:47:06.0250 4080 CCDECODE - ok
09:47:06.0296 4080 cd20xrnt - ok
09:47:06.0328 4080 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:47:06.0406 4080 Cdaudio - ok
09:47:06.0421 4080 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:47:06.0500 4080 Cdfs - ok
09:47:06.0531 4080 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:47:06.0625 4080 Cdrom - ok
09:47:06.0671 4080 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
09:47:06.0703 4080 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
09:47:06.0703 4080 cercsr6 - detected UnsignedFile.Multi.Generic (1)
09:47:06.0718 4080 Changer - ok
09:47:06.0718 4080 CmdIde - ok
09:47:06.0734 4080 Cpqarray - ok
09:47:06.0750 4080 dac2w2k - ok
09:47:06.0750 4080 dac960nt - ok
09:47:06.0781 4080 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:47:06.0890 4080 Disk - ok
09:47:06.0953 4080 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:47:07.0078 4080 dmboot - ok
09:47:07.0109 4080 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:47:07.0203 4080 dmio - ok
09:47:07.0203 4080 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:47:07.0328 4080 dmload - ok
09:47:07.0375 4080 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:47:07.0453 4080 DMusic - ok
09:47:07.0484 4080 dpti2o - ok
09:47:07.0515 4080 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:47:07.0593 4080 drmkaud - ok
09:47:07.0640 4080 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
09:47:07.0703 4080 e1express - ok
09:47:07.0750 4080 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:47:07.0843 4080 Fastfat - ok
09:47:07.0937 4080 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
09:47:08.0015 4080 Fdc - ok
09:47:08.0078 4080 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:47:08.0171 4080 Fips - ok
09:47:08.0171 4080 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
09:47:08.0281 4080 Flpydisk - ok
09:47:08.0343 4080 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
09:47:08.0421 4080 FltMgr - ok
09:47:08.0468 4080 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:47:08.0578 4080 Fs_Rec - ok
09:47:08.0609 4080 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:47:08.0703 4080 Ftdisk - ok
09:47:08.0750 4080 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
09:47:08.0750 4080 GEARAspiWDM - ok
09:47:08.0781 4080 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:47:08.0890 4080 Gpc - ok
09:47:08.0906 4080 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:47:09.0000 4080 HDAudBus - ok
09:47:09.0031 4080 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:47:09.0125 4080 hidusb - ok
09:47:09.0125 4080 hpn - ok
09:47:09.0203 4080 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:47:09.0281 4080 HTTP - ok
09:47:09.0281 4080 i2omgmt - ok
09:47:09.0296 4080 i2omp - ok
09:47:09.0343 4080 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
09:47:09.0437 4080 i8042prt - ok
09:47:09.0484 4080 iastor (294110966cedd127629c5be48367c8cf) C:\WINDOWS\system32\DRIVERS\iaStor.sys
09:47:09.0546 4080 iastor - ok
09:47:09.0562 4080 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:47:09.0671 4080 Imapi - ok
09:47:09.0671 4080 ini910u - ok
09:47:09.0687 4080 IntelIde - ok
09:47:09.0750 4080 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:47:09.0828 4080 intelppm - ok
09:47:09.0859 4080 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
09:47:09.0984 4080 Ip6Fw - ok
09:47:10.0031 4080 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:47:10.0109 4080 IpFilterDriver - ok
09:47:10.0187 4080 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:47:10.0296 4080 IpInIp - ok
09:47:10.0343 4080 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:47:10.0437 4080 IpNat - ok
09:47:10.0453 4080 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:47:10.0531 4080 IPSec - ok
09:47:10.0562 4080 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:47:10.0656 4080 IRENUM - ok
09:47:10.0671 4080 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:47:10.0781 4080 isapnp - ok
09:47:10.0875 4080 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:47:10.0968 4080 Kbdclass - ok
09:47:10.0984 4080 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:47:11.0062 4080 kbdhid - ok
09:47:11.0078 4080 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:47:11.0171 4080 kmixer - ok
09:47:11.0203 4080 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:47:11.0343 4080 KSecDD - ok
09:47:11.0359 4080 lbrtfdc - ok
09:47:11.0390 4080 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:47:11.0484 4080 mnmdd - ok
09:47:11.0500 4080 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:47:11.0593 4080 Modem - ok
09:47:11.0625 4080 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:47:11.0703 4080 Mouclass - ok
09:47:11.0718 4080 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:47:11.0812 4080 mouhid - ok
09:47:11.0812 4080 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:47:11.0906 4080 MountMgr - ok
09:47:11.0906 4080 mraid35x - ok
09:47:11.0921 4080 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:47:12.0000 4080 MRxDAV - ok
09:47:12.0062 4080 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:47:12.0171 4080 MRxSmb - ok
09:47:12.0203 4080 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:47:12.0312 4080 Msfs - ok
09:47:12.0328 4080 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:47:12.0421 4080 MSKSSRV - ok
09:47:12.0421 4080 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:47:12.0546 4080 MSPCLOCK - ok
09:47:12.0578 4080 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:47:12.0687 4080 MSPQM - ok
09:47:12.0750 4080 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:47:12.0843 4080 mssmbios - ok
09:47:12.0890 4080 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
09:47:13.0000 4080 MSTEE - ok
09:47:13.0046 4080 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:47:13.0125 4080 Mup - ok
09:47:13.0218 4080 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
09:47:13.0343 4080 NABTSFEC - ok
09:47:13.0375 4080 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:47:13.0468 4080 NDIS - ok
09:47:13.0515 4080 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
09:47:13.0625 4080 NdisIP - ok
09:47:13.0750 4080 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:47:13.0812 4080 NdisTapi - ok
09:47:13.0843 4080 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:47:13.0937 4080 Ndisuio - ok
09:47:13.0953 4080 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:47:14.0031 4080 NdisWan - ok
09:47:14.0078 4080 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:47:14.0156 4080 NDProxy - ok
09:47:14.0156 4080 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:47:14.0234 4080 NetBIOS - ok
09:47:14.0265 4080 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:47:14.0375 4080 NetBT - ok
09:47:14.0453 4080 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:47:14.0562 4080 Npfs - ok
09:47:14.0578 4080 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:47:14.0671 4080 Ntfs - ok
09:47:14.0718 4080 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:47:14.0812 4080 Null - ok
09:47:14.0843 4080 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:47:14.0937 4080 NwlnkFlt - ok
09:47:14.0953 4080 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:47:15.0031 4080 NwlnkFwd - ok
09:47:15.0046 4080 OMCI - ok
09:47:15.0093 4080 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
09:47:15.0171 4080 Parport - ok
09:47:15.0187 4080 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:47:15.0265 4080 PartMgr - ok
09:47:15.0296 4080 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:47:15.0406 4080 ParVdm - ok
09:47:15.0421 4080 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:47:15.0500 4080 PCI - ok
09:47:15.0500 4080 PCIDump - ok
09:47:15.0515 4080 PCIIde - ok
09:47:15.0531 4080 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:47:15.0625 4080 Pcmcia - ok
09:47:15.0625 4080 PDCOMP - ok
09:47:15.0640 4080 PDFRAME - ok
09:47:15.0640 4080 PDRELI - ok
09:47:15.0656 4080 PDRFRAME - ok
09:47:15.0656 4080 perc2 - ok
09:47:15.0671 4080 perc2hib - ok
09:47:15.0703 4080 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:47:15.0796 4080 PptpMiniport - ok
09:47:15.0796 4080 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:47:15.0890 4080 PSched - ok
09:47:15.0921 4080 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:47:16.0031 4080 Ptilink - ok
09:47:16.0031 4080 ql1080 - ok
09:47:16.0046 4080 Ql10wnt - ok
09:47:16.0046 4080 ql12160 - ok
09:47:16.0046 4080 ql1240 - ok
09:47:16.0062 4080 ql1280 - ok
09:47:16.0078 4080 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:47:16.0156 4080 RasAcd - ok
09:47:16.0203 4080 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:47:16.0296 4080 Rasl2tp - ok
09:47:16.0312 4080 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:47:16.0421 4080 RasPppoe - ok
09:47:16.0437 4080 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:47:16.0515 4080 Raspti - ok
09:47:16.0546 4080 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:47:16.0625 4080 Rdbss - ok
09:47:16.0640 4080 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:47:16.0750 4080 RDPCDD - ok
09:47:16.0796 4080 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
09:47:16.0875 4080 RDPWD - ok
09:47:16.0906 4080 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:47:16.0984 4080 redbook - ok
09:47:17.0156 4080 rt2870 (b9b17aca28d3e60caabd92402de413d5) C:\WINDOWS\system32\DRIVERS\rt2870.sys
09:47:17.0250 4080 rt2870 - ok
09:47:17.0312 4080 Scutum50 (f34c06d1c706a6d9433570b087a18b02) C:\WINDOWS\system32\Drivers\Scutum50.sys
09:47:17.0312 4080 Scutum50 ( UnsignedFile.Multi.Generic ) - warning
09:47:17.0312 4080 Scutum50 - detected UnsignedFile.Multi.Generic (1)
09:47:17.0343 4080 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:47:17.0437 4080 Secdrv - ok
09:47:17.0437 4080 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
09:47:17.0531 4080 Serial - ok
09:47:17.0546 4080 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:47:17.0640 4080 Sfloppy - ok
09:47:17.0640 4080 Simbad - ok
09:47:17.0703 4080 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
09:47:17.0812 4080 SLIP - ok
09:47:17.0812 4080 Sparrow - ok
09:47:17.0828 4080 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:47:17.0921 4080 splitter - ok
09:47:17.0937 4080 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:47:18.0031 4080 sr - ok
09:47:18.0093 4080 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:47:18.0187 4080 Srv - ok
09:47:18.0250 4080 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
09:47:18.0265 4080 ssmdrv - ok
09:47:18.0375 4080 STHDA (9db5dbed65f2d74acd1d20a53898af79) C:\WINDOWS\system32\drivers\sthda.sys
09:47:18.0484 4080 STHDA - ok
09:47:18.0515 4080 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
09:47:18.0593 4080 streamip - ok
09:47:18.0625 4080 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:47:18.0718 4080 swenum - ok
09:47:18.0734 4080 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:47:18.0812 4080 swmidi - ok
09:47:18.0812 4080 symc810 - ok
09:47:18.0828 4080 symc8xx - ok
09:47:18.0828 4080 sym_hi - ok
09:47:18.0843 4080 sym_u3 - ok
09:47:18.0859 4080 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:47:18.0953 4080 sysaudio - ok
09:47:19.0015 4080 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:47:19.0109 4080 Tcpip - ok
09:47:19.0187 4080 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:47:19.0296 4080 TDPIPE - ok
09:47:19.0359 4080 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:47:19.0437 4080 TDTCP - ok
09:47:19.0484 4080 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:47:19.0562 4080 TermDD - ok
09:47:19.0578 4080 TosIde - ok
09:47:19.0593 4080 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:47:19.0703 4080 Udfs - ok
09:47:19.0781 4080 ultra - ok
09:47:19.0859 4080 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:47:19.0953 4080 Update - ok
09:47:20.0015 4080 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
09:47:20.0078 4080 USBAAPL - ok
09:47:20.0125 4080 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:47:20.0234 4080 usbccgp - ok
09:47:20.0296 4080 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:47:20.0390 4080 usbehci - ok
09:47:20.0406 4080 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:47:20.0500 4080 usbhub - ok
09:47:20.0531 4080 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:47:20.0640 4080 usbscan - ok
09:47:20.0718 4080 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:47:20.0812 4080 usbstor - ok
09:47:20.0828 4080 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:47:20.0906 4080 usbuhci - ok
09:47:20.0937 4080 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
09:47:21.0046 4080 usbvideo - ok
09:47:21.0109 4080 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:47:21.0203 4080 VgaSave - ok
09:47:21.0203 4080 ViaIde - ok
09:47:21.0250 4080 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:47:21.0359 4080 VolSnap - ok
09:47:21.0390 4080 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:47:21.0484 4080 Wanarp - ok
09:47:21.0484 4080 WDICA - ok
09:47:21.0546 4080 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:47:21.0625 4080 wdmaud - ok
09:47:21.0687 4080 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:47:21.0796 4080 WS2IFSL - ok
09:47:21.0843 4080 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
09:47:21.0937 4080 WSTCODEC - ok
09:47:21.0968 4080 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:47:22.0000 4080 WudfPf - ok
09:47:22.0015 4080 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
09:47:22.0031 4080 WudfRd - ok
09:47:22.0046 4080 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
09:47:22.0218 4080 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
09:47:22.0218 4080 \Device\Harddisk0\DR0 - detected TDSS File System (1)
09:47:22.0218 4080 Boot (0x1200) (e308a5762ec80ac70a064e5b6c906f01) \Device\Harddisk0\DR0\Partition0
09:47:22.0218 4080 \Device\Harddisk0\DR0\Partition0 - ok
09:47:22.0218 4080 ============================================================
09:47:22.0218 4080 Scan finished
09:47:22.0218 4080 ============================================================
09:47:22.0343 0544 Detected object count: 4
09:47:22.0343 0544 Actual detected object count: 4
09:47:40.0359 0544 ati2mtag ( UnsignedFile.Multi.Generic ) - skipped by user
09:47:40.0359 0544 ati2mtag ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:47:40.0359 0544 cercsr6 ( UnsignedFile.Multi.Generic ) - skipped by user
09:47:40.0359 0544 cercsr6 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:47:40.0359 0544 Scutum50 ( UnsignedFile.Multi.Generic ) - skipped by user
09:47:40.0359 0544 Scutum50 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:47:40.0390 0544 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
09:47:40.0390 0544 \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
09:47:40.0390 0544 \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
09:47:40.0390 0544 \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
09:47:40.0390 0544 \Device\Harddisk0\DR0\TDLFS\tdlclk.dll - copied to quarantine
09:47:40.0406 0544 \Device\Harddisk0\DR0\TDLFS - deleted
09:47:40.0406 0544 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
09:47:46.0187 3648 Deinitialize success


OTL Fix:

========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.

OTL by OldTimer - Version 3.2.36.3 log created on 03152012_094818


OTL:

OTL logfile created on: 15/03/2012 09:49:05 - Run 3
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.26 Gb Available Physical Memory | 63.22% Memory free
3.85 Gb Paging File | 3.13 Gb Available in Paging File | 81.32% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 33.03 Gb Free Space | 11.08% Space Free | Partition Type: NTFS

Computer Name: 2A5B0CCCC9B249D | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/11 18:40:36 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
PRC - [2012/01/31 08:57:32 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012/01/31 08:57:06 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012/01/31 08:56:50 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012/01/31 08:56:50 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/07/28 23:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/06/01 09:23:09 | 000,399,736 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2011/03/21 18:52:34 | 000,107,000 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2009/07/14 21:53:00 | 000,185,632 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RaRegistry.exe
PRC - [2009/07/09 17:10:16 | 001,561,888 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RaUI.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/20 16:00:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/17 03:16:23 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\29bdc8352d3c26e3c572ea60639dec3b\System.Web.ni.dll
MOD - [2012/02/17 03:13:11 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll
MOD - [2012/02/17 03:12:59 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll
MOD - [2012/02/17 03:11:39 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll
MOD - [2012/02/17 03:10:57 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2012/01/31 08:57:08 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/10/13 02:17:23 | 000,025,600 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\d86a3346c3d90ff12d0df9d7726f3ece\Accessibility.ni.dll
MOD - [2011/10/13 02:13:38 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/09/27 06:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 06:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/07/28 23:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/28 23:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2011/03/29 12:47:54 | 000,073,728 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation\2.0.3309.28604__90ba9c70f846762e\CLI.Foundation.dll
MOD - [2011/03/29 12:47:54 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation\2.0.3309.28601__90ba9c70f846762e\LOG.Foundation.dll
MOD - [2011/03/29 12:47:54 | 000,028,672 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\NEWAEM.Foundation\2.0.3309.28603__90ba9c70f846762e\NEWAEM.Foundation.dll
MOD - [2011/03/29 12:47:54 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\MOM.Foundation\2.0.3309.28626__90ba9c70f846762e\MOM.Foundation.dll
MOD - [2011/03/29 12:47:53 | 000,014,848 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AxInterop.WBOCXLib\1.0.0.0__90ba9c70f846762e\AxInterop.WBOCXLib.dll
MOD - [2011/03/29 12:47:53 | 000,013,312 | ---- | M] () -- C:\WINDOWS\assembly\GAC\Interop.WBOCXLib\1.0.0.0__90ba9c70f846762e\Interop.WBOCXLib.dll
MOD - [2011/03/29 12:47:52 | 000,106,496 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\MOM.Implementation\2.0.3693.42531__90ba9c70f846762e\MOM.Implementation.dll
MOD - [2011/03/29 12:47:52 | 000,061,440 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation\2.0.3693.42530__90ba9c70f846762e\LOG.Foundation.Implementation.dll
MOD - [2011/03/29 12:47:52 | 000,057,344 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.SkinFactory\2.0.3693.42441__90ba9c70f846762e\CLI.Component.SkinFactory.dll
MOD - [2011/03/29 12:47:52 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Private\2.0.3309.28614__90ba9c70f846762e\LOG.Foundation.Private.dll
MOD - [2011/03/29 12:47:52 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation.Private\2.0.3309.28626__90ba9c70f846762e\LOG.Foundation.Implementation.Private.dll
MOD - [2011/03/29 12:47:51 | 000,028,672 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CCC.Implementation\2.0.3693.42531__90ba9c70f846762e\CCC.Implementation.dll
MOD - [2009/07/03 18:34:26 | 000,811,008 | ---- | M] () -- C:\Program Files\Ralink\Common\RaWLAPI.dll
MOD - [2009/05/11 11:45:40 | 000,147,456 | ---- | M] () -- C:\WINDOWS\system32\DiagFunc.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2012/01/31 08:57:06 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/01/31 08:56:50 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 21:53:00 | 000,185,632 | ---- | M] (Ralink Technology, Corp.) [Auto | Running] -- C:\Program Files\Ralink\Common\RaRegistry.exe -- (RalinkRegistryWriter)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (OMCI)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
DRV - [2012/01/31 08:57:31 | 000,137,416 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/01/31 08:57:31 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/09/16 16:09:17 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/02/11 07:38:10 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/06/30 11:06:02 | 000,722,432 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2009/04/21 15:31:10 | 000,019,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Scutum50.sys -- (Scutum50)
DRV - [2006/05/25 14:40:00 | 001,156,808 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {932955EE-389B-4C36-9778-AC2BE4CB3E51}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{932955EE-389B-4C36-9778-AC2BE4CB3E51}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {932955EE-389B-4C36-9778-AC2BE4CB3E51}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{932955EE-389B-4C36-9778-AC2BE4CB3E51}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGHP_en-GBGB423
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:7.2.6
FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.3.0.7280
FF - prefs.js..keyword.URL: "http://www.google.com/search?sourceid=navclient&hl=en-GB&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2011/03/17 00:08:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/03/21 18:54:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/14 11:07:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/12 18:16:15 | 000,000,000 | ---D | M]

[2011/03/17 09:38:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Extensions
[2011/12/24 16:23:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions
[2011/04/06 21:42:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/07/04 21:48:07 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\3g4lbogl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2012/03/12 18:16:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/05 05:47:58 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/03/12 18:16:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\SARAH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\3G4LBOGL.DEFAULT\EXTENSIONS\{B749FC7C-E949-447F-926C-3F4EED6ACCFE}.XPI
[2012/01/14 11:07:13 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/03/12 18:16:07 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/26 18:25:01 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/09/26 18:25:01 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/09/26 18:25:01 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/09/26 18:25:01 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/09/26 18:25:01 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/03/13 11:05:19 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [Facebook Update] C:\Documents and Settings\Sarah\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.)
O4 - Startup: C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Sarah\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1300318182757 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE25CB82-BC72-4984-9098-A9567DF14AE0}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/03/16 14:11:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/15 09:47:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/03/14 08:40:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2012/03/14 08:36:10 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2012/03/13 16:53:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/03/13 13:43:02 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/13 11:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/03/13 10:52:38 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/13 10:49:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/13 10:49:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/13 10:49:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/13 10:49:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/13 10:49:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/13 10:49:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/13 10:47:55 | 004,435,063 | R--- | C] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2012/03/12 21:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Start Menu\Programs\Dropbox
[2012/03/12 21:21:30 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/03/12 18:16:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/03/12 17:54:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2012/03/12 12:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Application Data\Avira
[2012/03/12 12:00:20 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2012/03/12 12:00:14 | 000,137,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2012/03/12 12:00:14 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2012/03/12 12:00:14 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avkmgr.sys
[2012/03/12 11:59:52 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2012/03/12 11:59:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2012/03/12 10:29:43 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/11 23:03:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\New Folder
[2012/03/11 18:41:24 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Sarah\Desktop\aswMBR.exe
[2012/03/11 18:40:33 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2012/03/10 09:01:56 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/03/10 09:01:26 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/03/08 21:58:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Sarah\Start Menu\Programs\Administrative Tools
[2012/03/08 21:58:03 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\dds.scr
[2012/03/01 13:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\iphone pics
[2012/02/29 18:23:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\Copy of bday pics
[2012/02/29 18:21:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\bday pics

========== Files - Modified Within 30 Days ==========

[2012/03/15 09:43:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/15 09:40:12 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/15 09:22:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004UA.job
[2012/03/15 03:16:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/15 03:16:10 | 000,294,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/15 00:22:00 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004Core.job
[2012/03/14 08:51:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/13 11:05:19 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/13 10:52:46 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/03/13 10:48:09 | 004,435,063 | R--- | M] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2012/03/12 21:43:47 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Dropbox.lnk
[2012/03/12 21:41:44 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\Dropbox.lnk
[2012/03/12 12:00:47 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2012/03/11 23:40:43 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/11 23:10:20 | 000,000,030 | ---- | M] () -- C:\WINDOWS\Iedit_.INI
[2012/03/11 22:56:27 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/11 22:46:07 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\SpywareBlaster.lnk
[2012/03/11 22:42:32 | 000,000,040 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\_rgpl
[2012/03/11 19:06:50 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\MBR.dat
[2012/03/11 18:41:25 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Sarah\Desktop\aswMBR.exe
[2012/03/11 18:40:36 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2012/03/10 09:02:27 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/10 07:17:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/03/09 17:12:06 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2012/03/08 22:03:39 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\HiJackThis.lnk
[2012/03/08 21:59:49 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\ub1pvqh4.exe
[2012/03/08 21:58:34 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Sarah\Desktop\dds.scr
[2012/02/17 03:11:05 | 000,495,518 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/17 03:11:05 | 000,084,106 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/14 10:13:03 | 082,020,614 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0889.MOV
[2012/02/14 10:11:12 | 027,870,339 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0888.MOV
[2012/02/14 10:10:55 | 073,456,606 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0887.MOV

========== Files Created - No Company Name ==========

[2012/03/13 10:52:46 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/03/13 10:52:41 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/13 10:49:53 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/13 10:49:53 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/13 10:49:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/13 10:49:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/13 10:49:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/12 21:43:47 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Dropbox.lnk
[2012/03/12 21:41:44 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\Dropbox.lnk
[2012/03/12 12:00:47 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2012/03/11 22:42:32 | 000,000,040 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\_rgpl
[2012/03/11 19:06:50 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\MBR.dat
[2012/03/10 09:02:27 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/08 21:59:46 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\ub1pvqh4.exe
[2012/02/16 05:02:26 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/16 05:02:26 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/14 10:13:03 | 082,020,614 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0889.MOV
[2012/02/14 10:11:12 | 027,870,339 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0888.MOV
[2012/02/14 10:10:55 | 073,456,606 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\IMG_0887.MOV
[2011/09/25 23:21:24 | 000,266,255 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\census.cache
[2011/09/25 23:20:52 | 000,185,017 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\ars.cache
[2011/09/25 22:57:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\housecall.guid.cache
[2011/08/13 09:21:32 | 000,007,207 | R--- | C] () -- C:\WINDOWS\Disktool.INI
[2011/08/13 09:21:32 | 000,006,399 | R--- | C] () -- C:\WINDOWS\fwupgrade.ini
[2011/08/13 09:21:32 | 000,003,677 | R--- | C] () -- C:\WINDOWS\PlaySnd.INI
[2011/05/04 19:25:03 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/05/02 22:30:50 | 001,144,147 | ---- | C] () -- C:\WINDOWS\System32\ffmpegmt.dll
[2011/05/02 22:27:54 | 003,935,545 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.dll
[2011/05/02 20:23:46 | 000,324,096 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2011/05/02 20:19:34 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2011/05/02 20:19:20 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/04/20 21:58:08 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit_.INI
[2011/03/29 15:01:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011/03/21 19:41:08 | 000,062,340 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/03/21 18:57:46 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/18 21:32:44 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2011/03/18 21:29:56 | 000,181,248 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2011/03/18 21:28:30 | 001,557,504 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2011/03/18 21:27:08 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2011/03/18 21:26:44 | 000,484,864 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2011/03/18 21:25:38 | 000,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2011/03/18 21:25:24 | 000,141,312 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2011/03/18 03:55:25 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2011/03/18 03:53:01 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2011/03/18 03:53:01 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/03/18 03:53:01 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011/03/18 03:53:01 | 000,189,051 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/03/17 09:38:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/03/17 09:34:47 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/16 14:16:37 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\DiagFunc.dll
[2011/03/16 14:16:37 | 000,001,191 | ---- | C] () -- C:\WINDOWS\System32\W32N55.INI
[2011/03/16 14:16:37 | 000,000,480 | ---- | C] () -- C:\WINDOWS\System32\DiagFunc.ini
[2011/03/16 14:16:23 | 000,013,931 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2011/03/16 14:12:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/03/16 14:09:11 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/03/16 13:45:35 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/03/16 13:44:40 | 000,294,864 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/03 11:40:08 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2011/03/03 11:39:56 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2011/03/03 11:39:46 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2011/03/03 11:39:34 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2011/03/03 11:39:02 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
[2011/03/03 11:38:54 | 000,154,112 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2011/03/03 11:38:40 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2011/03/03 11:38:10 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2011/03/03 11:38:04 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
[2011/03/03 11:37:50 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2011/03/03 11:37:40 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
[2011/03/03 11:35:32 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2011/03/03 11:35:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2010/08/18 19:56:38 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini

========== LOP Check ==========

[2011/03/16 14:16:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ralink Driver
[2011/03/21 18:54:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2012/03/13 11:09:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/03/18 04:07:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2011/03/17 09:44:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/03/25 10:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\AnvSoft
[2011/03/28 21:51:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\DiskAid
[2012/03/15 09:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Dropbox
[2011/06/28 21:44:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Personal Video Database
[2011/03/23 10:21:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\PFStaticIP
[2011/03/18 04:16:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Ulead Systems
[2012/03/15 09:54:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\uTorrent
[2012/03/15 00:22:00 | 000,000,976 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004Core.job
[2012/03/15 09:22:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2052111302-861567501-725345543-1004UA.job

========== Purity Check ==========



< End of report >

#15 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 15 March 2012 - 10:01 PM

Is it running any better now? Please run another ESET scan for me next. Here are the instructions if you need them:

Posted Image Please go to here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users