pilotbob Posted November 10, 2011 Posted November 10, 2011 (edited) I managed to pick up an infection last night from an innocent site I use regularly, MS security essentials picked it up but not before it had installed a mock version of "Sytem Restore" and started running a scam scan of my system. MSSE found and removed the following ; Backdoor:Win32/Cycbot!cfg Trojan:Win32/Alureon.FE Trojan:Win32/Lukicsel.I Exploit:SWF/Blacole.F After this I still needed to use System Restore to get my system back to the previous days state to get rid of the installed nasty. However, I have a good few icons on my desktop which are shortcuts to web sites, all of these are now "Greyed" or appear to be translucent. They still work but do look rather odd and I'm concerned there is still some kind of infection. Any ideas? System is XP Pro SP3 with all latest updates. Thanks in anticipation, Bob. P.S. Just noticed that all my "Favourites" have dissapeared from IE8 too. Edited November 10, 2011 by pilotbob Quote
KenB Posted November 10, 2011 Posted November 10, 2011 Hi, I think you need one of our Security Experts to take a look at your system. I am no expert - but if you used System Restore you may well have re-introduced the bugs back into your system. I will leave a message for the Security guys - please be patient as they are very busy. They will get to you :) Quote There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !! MiniToolBoxNetwork TestWireless Test
pilotbob Posted November 10, 2011 Author Posted November 10, 2011 Thanks Ken, I'll wait their response. I did find that after the restore MSSE did find and deal with the "bugs" again but what had gone was the installed program which was taking over everything. Bob. Quote
Starbuck Posted November 10, 2011 Posted November 10, 2011 Hi pilotbob I'll move this thread to the Malware Removal forum. Firstly i'm afraid i have to give you this warning: The malware removed are linked to password stealing trojans. It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation. Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. For more information read ....Here If you choose to format and reinstall read...... Here Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again. If you wish us to try and clean this system, please follow the steps below. Step 1 Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. Link 1 Link 2 http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif This is an example, you may rename ComboFix to anything you want. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs Then: Double click on Combo-Fix.exe & follow the prompts. Vista/Win7 users should right click on the icon and select Run as Administrator. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If running Vista/Win7, you may not see the recovery console screens Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. http://img.photobucket.com/albums/v708/starbuck50/cf1.png Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: http://img.photobucket.com/albums/v706/ried7/whatnext.png Click on Yes, to continue scanning for malware. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Step 2 Download OTL to your desktop. right click on the link and select 'Save Link/Target As'. if you have problems, try this download link: OTL Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. When the window appears, underneath Output at the top change it to Minimal Output. Check the boxes beside LOP Check and Purity Check. . http://img.photobucket.com/albums/v708/starbuck50/new/Otllatest.png Now copy the lines in bold below. netsvcs msconfig %SYSTEMDRIVE%\*.* %systemroot%\system32\Spool\prtprocs\w32x86\*.dll %systemroot%\*. /mp /s %systemroot%\system32\*.dll /lockedfiles %systemroot%\Tasks\*.job /lockedfiles %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\system32\*.exe /lockedfiles %systemroot%\System32\config\*.sav %PROGRAMFILES%\* %USERPROFILE%\..|smtmp;true;true;true /FP HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU hklm\software\clients\startmenuinternet|command /rs hklm\software\clients\startmenuinternet|command /64 /rs CREATERESTOREPOINT right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste. http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png . Click the Run Scan button. http://img.photobucket.com/albums/v708/starbuck50/runscan.png Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. In your next reply, please submit: ( if you wish to continue) Combofix.txt both reports from OTL Thanks. Quote Member of:UNITE
pilotbob Posted November 10, 2011 Author Posted November 10, 2011 Thanks for your efforts to assist me with this, much appreciated. I discovered that all my favourites had their properties changed to "Hidden" as had all the icons, I changed these back and all is ok with these now. I thought I would however take up the option of your assistance as re-installing everything would be a real pain in the butt and would take days, so scans complete and details below; hope these help. Regards, Bob. ComboFix 11-11-10.03 - Bob 10/11/2011 20:47:48.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.909 [GMT 0:00] Running from: c:\documents and settings\Bob\Desktop\Combo.exe AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\All Users\Application Data\TEMP\24051EFF.TMP c:\documents and settings\Bob\WINDOWS C:\install.exe c:\windows\AutoRun.ini c:\windows\system32\regobj.dll c:\windows\system32\Thumbs.db c:\windows\system32\win.ini c:\windows\winhelp.ini . . ((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 ))))))))))))))))))))))))))))))) . . 2011-11-10 20:56 . 2011-11-10 20:56 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AC00EC9-A436-4671-9E1C-A42B48D0D3C1}\offreg.dll 2011-11-10 07:35 . 2011-11-10 07:35 -------- d-----w- c:\windows\LastGood.Tmp 2011-11-09 23:26 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AC00EC9-A436-4671-9E1C-A42B48D0D3C1}\mpengine.dll 2011-11-09 23:13 . 2011-11-09 23:13 -------- d-----w- c:\windows\system32\wbem\Repository 2011-11-01 17:34 . 2011-11-01 17:34 64272 ----a-w- c:\windows\system32\drivers\RapportKELL.sys 2011-10-29 17:53 . 2011-11-02 17:18 -------- d-----w- c:\program files\PolderbitS 2011-10-16 19:08 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-10-16 19:02 . 2011-10-16 19:02 -------- d-----w- c:\program files\Microsoft Security Client 2011-10-12 16:44 . 2011-10-16 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-10-13 16:47 . 2011-05-14 15:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-09-30 19:48 . 2006-04-30 06:56 26112 ----a-w- c:\windows\system32\userinit.exe 2011-09-26 10:41 . 2008-07-29 18:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 10:41 . 2006-04-30 06:55 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 10:41 . 2006-04-30 06:55 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-09 09:12 . 2006-04-30 06:55 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-09-06 13:20 . 2006-04-30 06:55 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-22 23:48 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:48 . 2006-04-30 06:55 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:48 . 2006-04-30 06:55 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:56 . 2006-04-30 06:55 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49 . 2006-04-30 06:55 138496 ------w- c:\windows\system32\drivers\afd.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-05 39408] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-12 17351304] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "snp2uvc"="c:\windows\vsnp2uvc.exe" [2006-12-29 569344] "RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000] "AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 89542] "vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-03-03 72240] "VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-03-03 55856] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLinkedConnections"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS] 2007-05-31 20:57 155648 ------w- c:\windows\system32\FpWinlogonNp.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] 2008-08-08 19:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "wave"=DrvTrNTm.dll "mixer"=DrvTrNTm.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk] backup=c:\windows\pss\Bluetooth.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk] backup=c:\windows\pss\Service Manager.lnkCommon Startup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware] c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch] 2006-11-07 10:51 91688 ------w- c:\program files\Lenovo\AwayTask\AwaySch.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp] 2009-12-07 11:50 1584640 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] 2009-01-29 22:20 57344 ------w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth] 2007-11-29 17:36 2872632 ------w- c:\program files\Lenovo\Client Security Solution\cssauth.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray] 2006-05-18 23:24 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2007-03-23 07:32 162584 ------w- c:\windows\system32\hkcmd.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2007-03-23 07:32 138008 ------w- c:\windows\system32\igfxtray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager] 2007-04-26 17:10 120368 ------w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Message Center Plus] 2009-05-27 21:09 49976 ------w- c:\program files\Lenovo\Message Center Plus\MCPLaunch.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent] 2010-04-30 11:47 1086760 ----a-w- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2006-01-12 14:40 155648 ------w- c:\windows\system32\NeroCheck.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMHandler] 2007-03-16 05:26 31840 ------w- c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2007-06-29 06:24 286720 ------w- c:\program files\QuickTime\QTTask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] 2003-10-14 09:22 155648 ------r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-08-09 20:11 149280 ------w- c:\program files\Java\jre6\bin\jusched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] 2008-09-05 21:46 39408 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7] 2009-01-07 03:03 60704 ------w- c:\progra~1\Lenovo\NPDIRECT\tpfnf7sp.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP] 2008-03-11 12:33 54560 ------w- c:\program files\Lenovo\HOTKEY\TpWAudAp.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy] 2008-08-20 23:04 487424 ------w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] 2006-11-03 18:20 866584 ------w- c:\program files\Windows Defender\MSASCui.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] 2006-10-18 19:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"= "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"= "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"= "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"= "c:\\Program Files\\CoffeeCup Software\\Direct FTP\\DirectFTP.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\Spotify\\spotify.exe"= "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"= "c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"= "c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"= "c:\\Program Files\\BMW Diagnostic Head Emulator\\DiagHead.exe"= "c:\\EDIABAS\\Bin\\IFHSrv32.exe"= "c:\\Program Files\\WebSite X5 v8 - Evolution\\WebSite.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "67:UDP"= 67:UDP:DHCP Discovery Service . R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?] R1 eusk2par;Aladdin SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [09/10/2008 16:00 25680] R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [24/05/2006 18:48 10240] R1 RapportCerberus_32301;RapportCerberus_32301;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_32301.sys [07/11/2011 21:30 227312] R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [07/11/2011 21:28 71440] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/11/2011 21:28 164112] R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [22/06/2007 18:45 106496] R2 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [11/05/2007 02:22 54560] R2 MSSQL$NEBULA2K;MSSQL$NEBULA2K;c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe -sNEBULA2K --> c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe -sNEBULA2K [?] R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [29/03/2011 14:33 598312] R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/11/2011 21:28 931640] R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [08/02/2007 20:11 569344] R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [30/07/2008 17:34 47360] R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [15/08/2009 12:08 127496] R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [22/05/2007 22:59 30336] S1 MpKsl0a72a4ed;MpKsl0a72a4ed;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF74210F-C64C-4EC2-BF73-6B96A7030007}\MpKsl0a72a4ed.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF74210F-C64C-4EC2-BF73-6B96A7030007}\MpKsl0a72a4ed.sys [?] S1 MpKsl1132a2a8;MpKsl1132a2a8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AC00EC9-A436-4671-9E1C-A42B48D0D3C1}\MpKsl1132a2a8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AC00EC9-A436-4671-9E1C-A42B48D0D3C1}\MpKsl1132a2a8.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/08/2010 08:51 135664] S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [29/08/2010 08:51 135664] S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?] S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [16/11/2010 01:10 267568] S3 MAUSBML;Service for M-Audio Micro (WDM);c:\windows\system32\DRIVERS\mausbmr.sys --> c:\windows\system32\DRIVERS\mausbmr.sys [?] S3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys --> c:\windows\system32\drivers\pbsaudrv.sys [?] S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [07/08/2011 15:04 21520] S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [07/11/2011 21:28 56208] S3 SQLAgent$NEBULA2K;SQLAgent$NEBULA2K;c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlagent.EXE -i NEBULA2K --> c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlagent.EXE -i NEBULA2K [?] S3 vvftav;vvftav;c:\windows\system32\drivers\vvftav.sys --> c:\windows\system32\drivers\vvftav.sys [?] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504] S3 ZSMC0305;USB PC Camera VC305;c:\windows\system32\Drivers\usbVM305.sys --> c:\windows\system32\Drivers\usbVM305.sys [?] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - RAPPORTMGMTSERVICE . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2008-07-30 09:39 451872 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder . 2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-29 08:50] . 2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-29 08:50] . 2011-11-10 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39] . 2011-11-09 c:\windows\Tasks\ParetoLogic Registration.job - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 11:25] . 2011-10-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job - c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57] . 2011-11-10 c:\windows\Tasks\User_Feed_Synchronization-{8033D9A4-F450-416F-9B7C-AB9C030B3C45}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://freeola.com/ uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://84.92.80.192:8081/activex/AMC.cab . - - - - ORPHANS REMOVED - - - - . WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file) Notify-ACNotify - ACNotify.dll MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-11-10 20:58 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*] "OODEFRAG11.00.00.01WORKSTATION"="97FA5732867E2502AFF1CC07A326271507954929FEB4E2CAE4ED981D5DE58759BC588BA0E5996ED9F1A62C195AB6EB377AC73F9398197BB9C90110516F9ABA9B0EBA9265C6222B2DBA5BD7660EC5D112652E482A857D1A00F5E03B9550E792999D8C507BDB19F3D2275324098F80776D920750C6D458017400E2BB25EB2B9ADBEFDCB99E0FE436A44B76FDDE6474CD92C1B0D7884A0047F17701FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6A0AC4980AC7933A6171C11EC38DE3DFEBC9E127BECC74C373F1EA6DA692CF416E5AC1B24F7B8D2665DA4CC9BCEB90099C6C612782B619F08E088ECF9737675ACC55FBD5A8276E6BF3BCD0379F7177E0D8F48B374A2958929096F18EF7ACE43706410C3CC1C2C0FD962799499EC614096E89EC35A34787A7EAD8E8DA65E2E95D7F6B95E8C3A219B626A8098CD5248D138EB1E6663D4C6D6810959195A098049F1F80AA1F9530E0299AFEE8F3DD275DF8875CF209BFD3525BA98F2E99DE1A5DD5C2B63074DE3A05A56530358661A7F3C32276EDDE32EEA904C9F369457DA7177CC0E5C6890EBF762003730B896D776DC7366EB6CF1E50366E6A2308E40642CDD8B6B4087A26DAAFA95859E5BF3425BDB9EDB6D7E4DAB8A9A53ED233466F4117C73CB8D0937F14228A729AACCF311A57698F4CB29D30907C36B0E8345AA89D1E37781767553033A155A53E37EE201BD8F5E6290E8350B6F9CA0D57B65459D9047191D6038D232048B69760BC5E0D2822C7B99FE9B76432C06F35C691A3DB6677F72F567A3641284FD20CC9A5C624BC47614D38A8371499E00FD79DD5171D860872F28DA698BBA1682E051BC5F2EB34C3C5C0EDC46D1341A34E94D9D581391FB000F133A241EC8844F2044D1CF605752F02189CF6F98A3E36A773924642A6DAF2DE7D83ECE46D99044E6AAEB14E8088428BE4BF66D9A373894F7631D8B8DFEE1752061D04B0512F060544BD3F40C19069CA81D161181174644D5B5EA4AEC5EEEE6B45791DCAA1BCB4818B306A0DFE4EB2DE48B251248EA2F3089DEA37D49A528AEB62AD1AC5F9DC14677B2AF275246BF5A8DE7508BC1E08CB223510FEBF872CF23498C18469DCBE0C6CC5DB5FDA19F814B5147F7F9902B674CC6422D3BA5E89E3AA5F6209AB35830D9840BAE80E155A1C9718232412F7FC09E2A2D2D77CBAE411297A3D5FDC4F927B51FD8E7E97BCE85C2C4B746A6E8160A719A4E760F3EEED6E87F115FA8496D343234275E5D297989C736C6B0D560AEAA2FF5292157A3D773235183103789F2B74C6B98485FFBC5F91043D523DC8809FC67AF837A85749C20C81681742A24CC06A502160BD8D6299875FECD00ACACEBD1CBCFE706B57F74D6056AD6C9668EC2E883C8CCC317719A" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1584) c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll c:\windows\system32\MSVCP71.dll c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll c:\windows\system32\FpWinLogonNp.dll c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll c:\program files\Lenovo Fingerprint Software\SharedResources.dll c:\program files\Lenovo Fingerprint Software\FPResource.dll c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll c:\program files\Lenovo\Client Security Solution\css_banner.dll c:\windows\system32\cssuserdatadispatcher.dll c:\windows\system32\tvttsp.dll c:\windows\system32\tcsrpc.dll c:\program files\Lenovo\HOTKEY\tphklock.dll . - - - - - - - > 'explorer.exe'(5704) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\windows\system32\IPSSVC.EXE c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Motive\McciCMService.exe c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe c:\program files\Lenovo\PM Driver\PMSveH.exe c:\windows\system32\PSIService.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe c:\program files\Lenovo\Rescue and Recovery\rrservice.exe c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe c:\windows\system32\vmnetdhcp.exe c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe c:\program files\Pure Networks\Network Magic\nmsrvc.exe c:\program files\lenovo\system update\suservice.exe c:\program files\VMware\VMware Workstation\vmware-authd.exe c:\windows\system32\msiexec.exe c:\windows\RTHDCPL.EXE c:\windows\AGRSMMSG.exe c:\windows\system32\wscntfy.exe c:\progra~1\MI3AA1~1\rapimgr.exe c:\program files\Windows Media Player\WMPNetwk.exe c:\program files\Common Files\Lenovo\Logger\logmon.exe c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe . ************************************************************************** . Completion time: 2011-11-10 21:05:54 - machine was rebooted ComboFix-quarantined-files.txt 2011-11-10 21:05 . Pre-Run: 303,223,468,032 bytes free Post-Run: 303,163,367,424 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - 5D7AA6093E7FB495A6AAEC8FD9210EBA Other reports follow. Quote
pilotbob Posted November 10, 2011 Author Posted November 10, 2011 First OTL report ComboFix 11-11-10.03 - Bob 10/11/2011 20:47:48.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.909 [GMT 0:00] Running from: c:\documents and settings\Bob\Desktop\Combo.exe AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\All Users\Application Data\TEMP\24051EFF.TMP c:\documents and settings\Bob\WINDOWS C:\install.exe c:\windows\AutoRun.ini c:\windows\system32\regobj.dll c:\windows\system32\Thumbs.db c:\windows\system32\win.ini c:\windows\winhelp.ini . . ((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 ))))))))))))))))))))))))))))))) . . 2011-11-10 20:56 . 2011-11-10 20:56 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AC00EC9-A436-4671-9E1C-A42B48D0D3C1}\offreg.dll 2011-11-10 07:35 . 2011-11-10 07:35 -------- d-----w- c:\windows\LastGood.Tmp 2011-11-09 23:26 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AC00EC9-A436-4671-9E1C-A42B48D0D3C1}\mpengine.dll 2011-11-09 23:13 . 2011-11-09 23:13 -------- d-----w- c:\windows\system32\wbem\Repository 2011-11-01 17:34 . 2011-11-01 17:34 64272 ----a-w- c:\windows\system32\drivers\RapportKELL.sys 2011-10-29 17:53 . 2011-11-02 17:18 -------- d-----w- c:\program files\PolderbitS 2011-10-16 19:08 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-10-16 19:02 . 2011-10-16 19:02 -------- d-----w- c:\program files\Microsoft Security Client 2011-10-12 16:44 . 2011-10-16 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-10-13 16:47 . 2011-05-14 15:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-09-30 19:48 . 2006-04-30 06:56 26112 ----a-w- c:\windows\system32\userinit.exe 2011-09-26 10:41 . 2008-07-29 18:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 10:41 . 2006-04-30 06:55 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 10:41 . 2006-04-30 06:55 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-09 09:12 . 2006-04-30 06:55 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-09-06 13:20 . 2006-04-30 06:55 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-22 23:48 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:48 . 2006-04-30 06:55 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:48 . 2006-04-30 06:55 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:56 . 2006-04-30 06:55 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49 . 2006-04-30 06:55 138496 ------w- c:\windows\system32\drivers\afd.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-05 39408] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-12 17351304] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "snp2uvc"="c:\windows\vsnp2uvc.exe" [2006-12-29 569344] "RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000] "AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 89542] "vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-03-03 72240] "VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-03-03 55856] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLinkedConnections"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS] 2007-05-31 20:57 155648 ------w- c:\windows\system32\FpWinlogonNp.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] 2008-08-08 19:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "wave"=DrvTrNTm.dll "mixer"=DrvTrNTm.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk] backup=c:\windows\pss\Bluetooth.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk] backup=c:\windows\pss\Service Manager.lnkCommon Startup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware] c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch] 2006-11-07 10:51 91688 ------w- c:\program files\Lenovo\AwayTask\AwaySch.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp] 2009-12-07 11:50 1584640 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] 2009-01-29 22:20 57344 ------w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth] 2007-11-29 17:36 2872632 ------w- c:\program files\Lenovo\Client Security Solution\cssauth.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray] 2006-05-18 23:24 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2007-03-23 07:32 162584 ------w- c:\windows\system32\hkcmd.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2007-03-23 07:32 138008 ------w- c:\windows\system32\igfxtray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager] 2007-04-26 17:10 120368 ------w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Message Center Plus] 2009-05-27 21:09 49976 ------w- c:\program files\Lenovo\Message Center Plus\MCPLaunch.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent] 2010-04-30 11:47 1086760 ----a-w- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2006-01-12 14:40 155648 ------w- c:\windows\system32\NeroCheck.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMHandler] 2007-03-16 05:26 31840 ------w- c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2007-06-29 06:24 286720 ------w- c:\program files\QuickTime\QTTask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] 2003-10-14 09:22 155648 ------r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-08-09 20:11 149280 ------w- c:\program files\Java\jre6\bin\jusched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] 2008-09-05 21:46 39408 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7] 2009-01-07 03:03 60704 ------w- c:\progra~1\Lenovo\NPDIRECT\tpfnf7sp.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP] 2008-03-11 12:33 54560 ------w- c:\program files\Lenovo\HOTKEY\TpWAudAp.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy] 2008-08-20 23:04 487424 ------w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] 2006-11-03 18:20 866584 ------w- c:\program files\Windows Defender\MSASCui.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] 2006-10-18 19:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"= "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"= "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"= "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"= "c:\\Program Files\\CoffeeCup Software\\Direct FTP\\DirectFTP.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\Spotify\\spotify.exe"= "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"= "c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"= "c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"= "c:\\Program Files\\BMW Diagnostic Head Emulator\\DiagHead.exe"= "c:\\EDIABAS\\Bin\\IFHSrv32.exe"= "c:\\Program Files\\WebSite X5 v8 - Evolution\\WebSite.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "67:UDP"= 67:UDP:DHCP Discovery Service . R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?] R1 eusk2par;Aladdin SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [09/10/2008 16:00 25680] R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [24/05/2006 18:48 10240] R1 RapportCerberus_32301;RapportCerberus_32301;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_32301.sys [07/11/2011 21:30 227312] R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [07/11/2011 21:28 71440] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/11/2011 21:28 164112] R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [22/06/2007 18:45 106496] R2 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [11/05/2007 02:22 54560] R2 MSSQL$NEBULA2K;MSSQL$NEBULA2K;c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe -sNEBULA2K --> c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe -sNEBULA2K [?] R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [29/03/2011 14:33 598312] R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/11/2011 21:28 931640] R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [08/02/2007 20:11 569344] R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [30/07/2008 17:34 47360] R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [15/08/2009 12:08 127496] R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [22/05/2007 22:59 30336] S1 MpKsl0a72a4ed;MpKsl0a72a4ed;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF74210F-C64C-4EC2-BF73-6B96A7030007}\MpKsl0a72a4ed.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF74210F-C64C-4EC2-BF73-6B96A7030007}\MpKsl0a72a4ed.sys [?] S1 MpKsl1132a2a8;MpKsl1132a2a8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AC00EC9-A436-4671-9E1C-A42B48D0D3C1}\MpKsl1132a2a8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AC00EC9-A436-4671-9E1C-A42B48D0D3C1}\MpKsl1132a2a8.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/08/2010 08:51 135664] S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [29/08/2010 08:51 135664] S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?] S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [16/11/2010 01:10 267568] S3 MAUSBML;Service for M-Audio Micro (WDM);c:\windows\system32\DRIVERS\mausbmr.sys --> c:\windows\system32\DRIVERS\mausbmr.sys [?] S3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys --> c:\windows\system32\drivers\pbsaudrv.sys [?] S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [07/08/2011 15:04 21520] S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [07/11/2011 21:28 56208] S3 SQLAgent$NEBULA2K;SQLAgent$NEBULA2K;c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlagent.EXE -i NEBULA2K --> c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlagent.EXE -i NEBULA2K [?] S3 vvftav;vvftav;c:\windows\system32\drivers\vvftav.sys --> c:\windows\system32\drivers\vvftav.sys [?] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504] S3 ZSMC0305;USB PC Camera VC305;c:\windows\system32\Drivers\usbVM305.sys --> c:\windows\system32\Drivers\usbVM305.sys [?] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - RAPPORTMGMTSERVICE . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2008-07-30 09:39 451872 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder . 2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-29 08:50] . 2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-29 08:50] . 2011-11-10 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39] . 2011-11-09 c:\windows\Tasks\ParetoLogic Registration.job - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 11:25] . 2011-10-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job - c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57] . 2011-11-10 c:\windows\Tasks\User_Feed_Synchronization-{8033D9A4-F450-416F-9B7C-AB9C030B3C45}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://freeola.com/ uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://84.92.80.192:8081/activex/AMC.cab . - - - - ORPHANS REMOVED - - - - . WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file) Notify-ACNotify - ACNotify.dll MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-11-10 20:58 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*] "OODEFRAG11.00.00.01WORKSTATION"="97FA5732867E2502AFF1CC07A326271507954929FEB4E2CAE4ED981D5DE58759BC588BA0E5996ED9F1A62C195AB6EB377AC73F9398197BB9C90110516F9ABA9B0EBA9265C6222B2DBA5BD7660EC5D112652E482A857D1A00F5E03B9550E792999D8C507BDB19F3D2275324098F80776D920750C6D458017400E2BB25EB2B9ADBEFDCB99E0FE436A44B76FDDE6474CD92C1B0D7884A0047F17701FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6A0AC4980AC7933A6171C11EC38DE3DFEBC9E127BECC74C373F1EA6DA692CF416E5AC1B24F7B8D2665DA4CC9BCEB90099C6C612782B619F08E088ECF9737675ACC55FBD5A8276E6BF3BCD0379F7177E0D8F48B374A2958929096F18EF7ACE43706410C3CC1C2C0FD962799499EC614096E89EC35A34787A7EAD8E8DA65E2E95D7F6B95E8C3A219B626A8098CD5248D138EB1E6663D4C6D6810959195A098049F1F80AA1F9530E0299AFEE8F3DD275DF8875CF209BFD3525BA98F2E99DE1A5DD5C2B63074DE3A05A56530358661A7F3C32276EDDE32EEA904C9F369457DA7177CC0E5C6890EBF762003730B896D776DC7366EB6CF1E50366E6A2308E40642CDD8B6B4087A26DAAFA95859E5BF3425BDB9EDB6D7E4DAB8A9A53ED233466F4117C73CB8D0937F14228A729AACCF311A57698F4CB29D30907C36B0E8345AA89D1E37781767553033A155A53E37EE201BD8F5E6290E8350B6F9CA0D57B65459D9047191D6038D232048B69760BC5E0D2822C7B99FE9B76432C06F35C691A3DB6677F72F567A3641284FD20CC9A5C624BC47614D38A8371499E00FD79DD5171D860872F28DA698BBA1682E051BC5F2EB34C3C5C0EDC46D1341A34E94D9D581391FB000F133A241EC8844F2044D1CF605752F02189CF6F98A3E36A773924642A6DAF2DE7D83ECE46D99044E6AAEB14E8088428BE4BF66D9A373894F7631D8B8DFEE1752061D04B0512F060544BD3F40C19069CA81D161181174644D5B5EA4AEC5EEEE6B45791DCAA1BCB4818B306A0DFE4EB2DE48B251248EA2F3089DEA37D49A528AEB62AD1AC5F9DC14677B2AF275246BF5A8DE7508BC1E08CB223510FEBF872CF23498C18469DCBE0C6CC5DB5FDA19F814B5147F7F9902B674CC6422D3BA5E89E3AA5F6209AB35830D9840BAE80E155A1C9718232412F7FC09E2A2D2D77CBAE411297A3D5FDC4F927B51FD8E7E97BCE85C2C4B746A6E8160A719A4E760F3EEED6E87F115FA8496D343234275E5D297989C736C6B0D560AEAA2FF5292157A3D773235183103789F2B74C6B98485FFBC5F91043D523DC8809FC67AF837A85749C20C81681742A24CC06A502160BD8D6299875FECD00ACACEBD1CBCFE706B57F74D6056AD6C9668EC2E883C8CCC317719A" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1584) c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll c:\windows\system32\MSVCP71.dll c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll c:\windows\system32\FpWinLogonNp.dll c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll c:\program files\Lenovo Fingerprint Software\SharedResources.dll c:\program files\Lenovo Fingerprint Software\FPResource.dll c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll c:\program files\Lenovo\Client Security Solution\css_banner.dll c:\windows\system32\cssuserdatadispatcher.dll c:\windows\system32\tvttsp.dll c:\windows\system32\tcsrpc.dll c:\program files\Lenovo\HOTKEY\tphklock.dll . - - - - - - - > 'explorer.exe'(5704) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\windows\system32\IPSSVC.EXE c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Motive\McciCMService.exe c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe c:\program files\Lenovo\PM Driver\PMSveH.exe c:\windows\system32\PSIService.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe c:\program files\Lenovo\Rescue and Recovery\rrservice.exe c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe c:\windows\system32\vmnetdhcp.exe c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe c:\program files\Pure Networks\Network Magic\nmsrvc.exe c:\program files\lenovo\system update\suservice.exe c:\program files\VMware\VMware Workstation\vmware-authd.exe c:\windows\system32\msiexec.exe c:\windows\RTHDCPL.EXE c:\windows\AGRSMMSG.exe c:\windows\system32\wscntfy.exe c:\progra~1\MI3AA1~1\rapimgr.exe c:\program files\Windows Media Player\WMPNetwk.exe c:\program files\Common Files\Lenovo\Logger\logmon.exe c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe . ************************************************************************** . Completion time: 2011-11-10 21:05:54 - machine was rebooted ComboFix-quarantined-files.txt 2011-11-10 21:05 . Pre-Run: 303,223,468,032 bytes free Post-Run: 303,163,367,424 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - 5D7AA6093E7FB495A6AAEC8FD9210EBA Quote
pilotbob Posted November 10, 2011 Author Posted November 10, 2011 Second OTL report OTL Extras logfile created on: 10/11/2011 21:15:49 - Run 1 OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Bob\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1.99 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 54.90% Memory free 3.33 Gb Paging File | 2.57 Gb Available in Paging File | 77.28% Paging File free Paging file location(s): C:\pagefile.sys 1524 3048 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 459.74 Gb Total Space | 282.37 Gb Free Space | 61.42% Space Free | Partition Type: NTFS Drive E: | 382.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Drive F: | 182.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Drive H: | 976.13 Mb Total Space | 505.78 Mb Free Space | 51.82% Space Free | Partition Type: FAT Drive J: | 15.69 Mb Total Space | 3.45 Mb Free Space | 21.96% Space Free | Partition Type: NTFS Computer Name: LENOVO | User Name: Bob | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = htmlfile] -- Reg Error: Key error. File not found ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 "DoNotAllowExceptions" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.) "C:\Program Files\IncrediMail\bin\ImApp.exe" = C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.) "C:\Program Files\IncrediMail\bin\IncMail.exe" = C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.) "C:\Program Files\IncrediMail\bin\ImpCnt.exe" = C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.) "C:\Program Files\CoffeeCup Software\Direct FTP\DirectFTP.exe" = C:\Program Files\CoffeeCup Software\Direct FTP\DirectFTP.exe:*:Enabled:Direct FTP Application -- (CoffeeCup Software, Inc.) "C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.) "C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd) "C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google) "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe" = C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe:*:Enabled:BT Broadband Desktop Help -- (Alcatel-Lucent) "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" = C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe:*:Enabled:BT Broadband Desktop Help Notifier -- (Alcatel-Lucent) "C:\Program Files\BMW Diagnostic Head Emulator\DiagHead.exe" = C:\Program Files\BMW Diagnostic Head Emulator\DiagHead.exe:*:Enabled:DiagHead -- (SoftCom Ltd.) "C:\EDIABAS\Bin\IFHSrv32.exe" = C:\EDIABAS\Bin\IFHSrv32.exe:*:Enabled:NETMAN Server -- () "C:\Program Files\WebSite X5 v8 - Evolution\WebSite.exe" = C:\Program Files\WebSite X5 v8 - Evolution\WebSite.exe:*:Enabled:WebSite X5 -- (Incomedia - www.websitex5.com) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional "{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2 "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{01A2E33A-8ADA-42D1-9173-8F65149E952F}" = Microsoft Money "{02CA7E66-1AD1-4DE9-BA9E-86A0EEB019C7}" = Microsoft Money System Pack "{02FCAA8F-59D3-4198-822E-135C61EE4F0B}" = NeroKwikMedia Help (CHM) "{0345CF70-FA00-4F4E-A218-0FA494F465A4}" = LightScribe Template Designs - Business Pack 1 "{0420F95C-11FF-4E02-B967-6CC22B188F9F}" = Nero BackItUp "{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware "{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data "{0C9F8331-C56A-4600-A563-99CDBCE43694}" = WinPCSIGN Letter 2005 "{0DA9CEC1-67FB-473C-A5BF-7FECA017B725}" = PocketFMS EUR 1.5.0 "{0F6D55D8-89AA-4C1D-BC4C-ACBBDE8BE57A}" = Serif PhotoPlus 8.0 "{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message "{15382D89-6EF6-4D21-9484-B500F2B10E46}" = PhotoMail Maker "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{18DB3375-0649-4EA3-959A-44F1ACD278BA}" = IncrediMail "{1A8C5BB4-91EB-4AB4-B667-74EC501341B9}" = LightScribe Template Designs - 9 to 5 Pack 1 "{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP "{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86 "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe "{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10 "{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java 6 Update 15 "{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition "{284A25AA-96B4-449D-BBA0-D0C97A5E213E}" = PCB Artist Version 1.4 "{2b02f824-a9b9-458c-80e5-3ea8c0de8471}" = QuickBooks Premier Edition 2004 "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager "{305D4B08-5807-4475-B1C8-D54685534864}" = LightScribeTemplateLabeler "{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6 "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7 "{3724743C-C279-4ACA-A451-56479745208A}" = Memory-Map European Edition "{397516AE-7DFE-4F90-84E0-BD616D559434}" = Nero BurnRights "{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Integrated Camera "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{44E9D4C2-946C-4378-9354-558803C47A68}" = Client Security - Password Manager "{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows "{513148E7-B7A1-48B2-B518-668701E546F5}" = LightScribe System Software 1.14.19.1 "{51E2F9B3-A972-4F58-B4EF-4D9676D9F5D1}" = Nero RescueAgent "{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English) "{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client "{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{57729BE1-DE2C-45DB-9FFA-5C1949679B3E}" = Watchtower Library 2010 - English "{58CB9A9A-1EFB-4EA8-B50C-3097E754AC21}" = High-Definition Video Playback "{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7 "{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.32 "{5FA08EAD-6532-4609-9E78-DBBEBE9AE6D2}" = Visual Site Designer "{6280149E-EFF3-4F1B-BD43-5B7EDD6F620A}" = Lenovo Care Supplement "{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director "{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler "{669179DB-431A-4759-954E-822D254112C0}" = PocketFMS EUR 1.6.0 "{69333A04-5134-40A5-A055-9166A7AA1EC8}" = "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}" = Power Tab Editor 1.7 "{6C3CF7AC-5AB0-42D9-93C0-68166A57AFB6}" = Nero Express "{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2 "{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution "{7075FDA1-1542-4659-8FC6-4C127B32F907}" = PocketFMS "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{71C97545-E547-4A8B-B0C8-61FF853270AC}" = PaperPort "{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{77486339-D60A-494D-9492-55385419ED50}" = PocketFMS EUR 1.4.4 "{796E076A-82F7-4D49-98C8-DEC0C3BC733A}" = Diskeeper Lite "{7EB114D8-207F-45AE-BABD-1669715F2630}" = ThinkVantage Access Connections "{7FC3BBEC-5A91-41B0-9CB8-960EC4421411}" = InterVideo WinDVD Creator 3 "{84814E6B-2581-46EC-926A-823BD1C670F6}" = Lenovo Bluetooth with Enhanced Data Rate Software "{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr "{8FE552F4-52D5-4ED8-B77B-672D5F88B427}" = DVR "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD "{9570A579-88E2-4B73-A28F-3ED8FCB8C0D8}_is1" = Incomedia WebSite X5 v9 - Free "{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime "{979B748C-6095-4A5A-BC7B-C15E720529D6}" = PCMSCAN "{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center "{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}" = Brother MFL-Pro Suite "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML "{9CE06167-6F6F-40E4-B723-3702FE2831DD}" = BMW Diagnostic Head Emulator "{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}" = Paint.NET v3.5.8 "{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender "{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver "{A182077A-8D6B-4194-B48A-B4DC37C69907}" = RealSpeak Solo for UK English Emily "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}" = VMware Workstation "{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser "{A62892A7-9D90-4A58-8FFF-78FC5A2BC3C5}" = OpenOffice.org 3.2 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5 "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio "{ABE02A4F-E00D-4E06-ADB8-CF5AB5B0239A}" = PocketFMS EUR 1.5.1 "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1) "{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy "{B1C2398C-6FAB-46D1-806C-5942F0829994}" = ParetoLogic Data Recovery "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0 "{B293806D-4407-4287-A00C-E9064174EF89}" = Network Magic "{B334D9AE-1393-423E-97C0-3BDC3360E692}" = Sonic Icons for Lenovo "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype "{B7588D45-AFDC-4C93-9E2E-A100F3554B64}" = Microsoft Fix it Center "{BDC83FD3-1A0F-46FB-8852-5E9A94294143}" = Serif PagePlus 8.0 PDF Edition "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C3580AC4-C827-4332-B935-9A282ED5BB97}" = Nero Dolby Files 10 "{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes "{C82185E8-C27B-4EF4-2007-3333BC2C2B6D}" = Microsoft AutoRoute 2007 "{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb" = Microsoft Automated Troubleshooting Services Shim "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{CF52099A-3BEA-4C41-AEA8-1E190F04D737}" = Lenovo Care "{D08E34CE-0106-4C47-83B0-8A31D7098BB6}" = PocketFMS EUR Datapack 1.0.1.0 "{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005 "{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller "{D7D50D63-55C0-11D5-A6A2-00C0DF05DE71}" = TurboCAD Professional v8 "{D9B5AE52-FEF9-4E5C-A63E-06A6638B2935}" = Nero Kwik Media "{DA898F5C-4C85-4CF4-825B-E05D07DC39DD}" = BT Broadband Support Tools "{DAB5C521-80B2-48C3-B0DA-326A1B331F55}" = GoToAssist Corporate "{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers "{E08CC458-41FB-4BB5-9B08-2C83DB55A5B9}" = Nero BackItUp and Burn "{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (NEBULA2K) "{E4B024F9-2074-4FEB-9885-EDF9EC39026F}" = PocketFMS "{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center "{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore "{EC422FB2-9F4D-4FB1-A5CE-5F741132EBC5}" = Lenovo Fingerprint Software "{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial "{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729) "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01 "{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic "{F8650CB3-89F1-4AE0-81AC-917423C58DB8}" = Serif PhotoPlus Association File Formats "{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe "{FD331A3B-F7A5-4C31-B8D4-DF413C85AF7A}" = Message Center Plus "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "ABC Amber NBU Converter" = ABC Amber NBU Converter "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Agere Systems Soft Modem" = Agere Systems HDA Modem "ASIO4ALL" = ASIO4ALL "AU65_is1" = Advanced Uninstaller PRO 2004 - version 6 "Audacity_is1" = Audacity 1.2.6 "Avantext TechPubs Manager" = Avantext TechPubs Manager "AwayTask" = Maintenance Manager "AXIS Media Control Embedded" = AXIS Media Control Embedded "BT Broadband Desktop Help" = BT Broadband Desktop Help "BTHomeHub" = BTHomeHub "CCleaner" = CCleaner "CloneCD" = CloneCD "CoffeeCup Direct FTP 6.7.17" = CoffeeCup Direct FTP "CoffeeCup GIF Animator" = CoffeeCup GIF Animator "CoffeeCup HTML Editor" = CoffeeCup HTML Editor "CoffeeCup LockBox" = CoffeeCup LockBox "CoffeeCup Photo Gallery - Registered" = CoffeeCup Photo Gallery - Registered "CoffeeCup PixConverter" = CoffeeCup PixConverter "CoffeeCup Web Form Builder - Registered" = CoffeeCup Web Form Builder - Registered "CoffeeCup Web JukeBox - Registered" = CoffeeCup Web JukeBox - Registered "CutePDF Writer Installation" = CutePDF Writer 2.8 "DAEMON Tools Lite" = DAEMON Tools Lite "DAEMON Tools Toolbar" = DAEMON Tools Toolbar "Defraggler" = Defraggler "Digital Media LE" = Roxio Digital Media LE "DTE" = DTE "EditiX-Free-XML Editor2010 Free-2010" = EditiX-Free-XML Editor2010 Free-2010 "ESBUnitConv4_is1" = ESBUnitConv v5.2 "File Recover_is1" = File Recover 7.5 "Garden Encyclopedia" = Garden Encyclopedia version 3.0 "Google Chrome" = Google Chrome "Guitar Pro 5_is1" = Guitar Pro 5.0 "HDMI" = Intel® Graphics Media Accelerator Driver "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie8" = Windows Internet Explorer 8 "IncrediMail" = IncrediMail 2.0 "Inkscape" = Inkscape 0.46 "InstallShield_{62715632-A555-4D9E-9CEC-4F84EB55B07B}" = PM Driver "InstallShield_{DA8E52C7-8638-4AD6-B94E-53ED24EE5202}" = DesignPro 5 Lite Edition "KitchenDraw 5.0" = KitchenDraw 5.0 "KitchenDraw_is1" = KitchenDraw 5.5 "Lenovo Registration" = Lenovo Registration "MainApp.exe_is1" = CloneDVD 4.1.0.23 "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Media Player - Codec Pack" = Media Player Codec Pack 4.0.0 "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft Security Client" = Microsoft Security Essentials "Microsoft SQL Server 2005" = Microsoft SQL Server 2005 "MP3 Workshop_is1" = MP3 Workshop 1.92 "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "Nero - Burning Rom!UninstallKey" = Nero 6 "Nero BurnRights!UninstallKey" = Nero BurnRights "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "OnScreenDisplay" = On Screen Display "PC-Doctor for Windows" = Lenovo System Toolbox "PCMCIAPW" = ThinkPad PC Card Power Policy "PhotoMail" = PhotoMail Maker "Picasa2" = Picasa 2 "ProInst" = Intel® PROSet/Wireless Software "Rapport_msi" = Rapport "Recuva" = Recuva (remove only) "sm-un1.u32" = SoftMaker Office 2008 (C:\Program Files\SoftMaker Office 2008) "Spotify" = Spotify "SynTPDeinstKey" = Synaptics Pointing Device Driver "TotalRecorder" = Total Recorder 7.1 "USB Audio_is1" = Ver 1.2.0 "VCDS-Lite 1.1" = VCDS-Lite 1.1 "Vectorian Giotto_is1" = Vectorian Giotto 3.0.0 "WaveLab Lite" = WaveLab Lite "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WinRAR archiver" = WinRAR archiver "WinUndelete" = WinUndelete "WinZip" = WinZip "Wise Registry Cleaner_is1" = Wise Registry Cleaner 5.9.4 "WMCSetup" = Windows Media Connect "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7 "ZC DVD Audio Ripper_is1" = ZC DVD Audio Ripper 2.8.6.296 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "NATS AFPEx Terminal" = NATS AFPEx Terminal "Notam Map" = Notam Map ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 05/11/2011 11:44:43 | Computer Name = LENOVO | Source = Application Error | ID = 1000 Description = Faulting application garden.exe, version 1.0.0.1, faulting module garden.exe, version 1.0.0.1, fault address 0x00015012. Error - 09/11/2011 18:52:02 | Computer Name = LENOVO | Source = Application Error | ID = 1000 Description = Faulting application rer160.tmp, version 0.0.0.0, faulting module rer160.tmp, version 0.0.0.0, fault address 0x00004104. Error - 09/11/2011 18:52:08 | Computer Name = LENOVO | Source = Application Error | ID = 1001 Description = Fault bucket -1606711140. Error - 09/11/2011 18:52:10 | Computer Name = LENOVO | Source = Application Error | ID = 1000 Description = Faulting application rer162.tmp, version 0.0.0.0, faulting module rer162.tmp, version 0.0.0.0, fault address 0x00004104. Error - 09/11/2011 18:52:16 | Computer Name = LENOVO | Source = Application Error | ID = 1000 Description = Faulting application rer164.tmp, version 0.0.0.0, faulting module rer164.tmp, version 0.0.0.0, fault address 0x00004104. Error - 09/11/2011 18:52:18 | Computer Name = LENOVO | Source = Application Error | ID = 1001 Description = Fault bucket -1606625605. Error - 09/11/2011 18:52:19 | Computer Name = LENOVO | Source = Application Error | ID = 1001 Description = Fault bucket -1606625590. Error - 09/11/2011 18:52:20 | Computer Name = LENOVO | Source = Application Error | ID = 1000 Description = Faulting application rer167.tmp, version 0.0.0.0, faulting module rer167.tmp, version 0.0.0.0, fault address 0x00004104. Error - 09/11/2011 18:52:25 | Computer Name = LENOVO | Source = Application Error | ID = 1001 Description = Fault bucket -1606625492. Error - 09/11/2011 19:53:26 | Computer Name = LENOVO | Source = MPSampleSubmission | ID = 5000 Description = EventType avsubmit, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 1.1.7801.0, P3 1.115.1571.0, P4 1.115.1571.0, P5 backdoor_win32_cycbot!cfg, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL. [ Lenovo-Message Center Plus/Admin Events ] Error - 03/08/2009 05:30:39 | Computer Name = LENOVO-EF57E96C | Source = Lenovo-Message Center Plus/Admin | ID = 2 Description = The remote server returned an error: (503) Server Unavailable. -> Exception message: The remote server returned an error: (503) Server Unavailable. Error - 18/10/2009 03:55:45 | Computer Name = LENOVO-EF57E96C | Source = Lenovo-Message Center Plus/Admin | ID = 2 Description = Object reference not set to an instance of an object. -> Exception message: Object reference not set to an instance of an object. Error - 13/05/2010 14:32:39 | Computer Name = LENOVO-EF57E96C | Source = Lenovo-Message Center Plus/Admin | ID = 2 Description = Object reference not set to an instance of an object. -> Exception message: Object reference not set to an instance of an object. Error - 23/12/2010 20:48:01 | Computer Name = LENOVO-EF57E96C | Source = Lenovo-Message Center Plus/Admin | ID = 2 Description = Object reference not set to an instance of an object. -> Exception message: Object reference not set to an instance of an object. Error - 24/12/2010 00:49:59 | Computer Name = LENOVO-EF57E96C | Source = Lenovo-Message Center Plus/Admin | ID = 2 Description = Object reference not set to an instance of an object. -> Exception message: Object reference not set to an instance of an object. Error - 24/12/2010 04:51:59 | Computer Name = LENOVO-EF57E96C | Source = Lenovo-Message Center Plus/Admin | ID = 2 Description = Object reference not set to an instance of an object. -> Exception message: Object reference not set to an instance of an object. Error - 27/01/2011 08:23:46 | Computer Name = LENOVO-EF57E96C | Source = Lenovo-Message Center Plus/Admin | ID = 2 Description = The remote server returned an error: (503) Server Unavailable. -> Exception message: The remote server returned an error: (503) Server Unavailable. [ System Events ] Error - 09/11/2011 19:15:37 | Computer Name = LENOVO | Source = W32Time | ID = 39452701 Description = The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time. Error - 09/11/2011 19:47:43 | Computer Name = LENOVO | Source = iaStor | ID = 262153 Description = The device, \Device\Ide\iaStor0, did not respond within the timeout period. Error - 10/11/2011 16:43:17 | Computer Name = LENOVO | Source = sr | ID = 1 Description = The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume. Error - 10/11/2011 16:44:24 | Computer Name = LENOVO | Source = Service Control Manager | ID = 7031 Description = The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service. Error - 10/11/2011 16:44:57 | Computer Name = LENOVO | Source = WMPNetworkSvc | ID = 866312 Description = A new media server was not initialized because WMCreateDeviceRegistration() encountered error '0xc00d2711'. The Windows Media DRM components on your computer might be corrupted. Verify that protected files play correctly in Windows Media Player, and then restart the WMPNetworkSvc service. Error - 10/11/2011 16:44:57 | Computer Name = LENOVO | Source = WMPNetworkSvc | ID = 866312 Description = A new media server was not initialized because WMCreateDeviceRegistration() encountered error '0xc00d2711'. The Windows Media DRM components on your computer might be corrupted. Verify that protected files play correctly in Windows Media Player, and then restart the WMPNetworkSvc service. Error - 10/11/2011 16:47:39 | Computer Name = LENOVO | Source = Service Control Manager | ID = 7031 Description = The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service. Error - 10/11/2011 16:47:58 | Computer Name = LENOVO | Source = Service Control Manager | ID = 7016 Description = The Fingerprint Server service has reported an invalid current state 0. Error - 10/11/2011 16:50:11 | Computer Name = LENOVO | Source = Service Control Manager | ID = 7031 Description = The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service. Error - 10/11/2011 17:04:15 | Computer Name = LENOVO | Source = Service Control Manager | ID = 7016 Description = The Fingerprint Server service has reported an invalid current state 0. < End of report > Quote
Starbuck Posted November 10, 2011 Posted November 10, 2011 Hi pilotbob I discovered that all my favourites had their properties changed to "Hidden" as had all the icons, I changed these back and all is ok with these now Yes, that's what the malware does. Running Combofix would have changed this for you and saved you the time. :) Sorry but you inadvertently posted the Combofix.txt twice. You didn't post the OTL main report. Can you please post it for me. Thanks Quote Member of:UNITE
pilotbob Posted November 10, 2011 Author Posted November 10, 2011 Sorry about that, senior moment again, report follows; OTL logfile created on: 10/11/2011 21:15:49 - Run 1 OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Bob\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1.99 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 54.90% Memory free 3.33 Gb Paging File | 2.57 Gb Available in Paging File | 77.28% Paging File free Paging file location(s): C:\pagefile.sys 1524 3048 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 459.74 Gb Total Space | 282.37 Gb Free Space | 61.42% Space Free | Partition Type: NTFS Drive E: | 382.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Drive F: | 182.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Drive H: | 976.13 Mb Total Space | 505.78 Mb Free Space | 51.82% Space Free | Partition Type: FAT Drive J: | 15.69 Mb Total Space | 3.45 Mb Free Space | 21.96% Space Free | Partition Type: NTFS Computer Name: LENOVO | User Name: Bob | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\Bob\Desktop\OTL.scr (OldTimer Tools) PRC - C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd.) PRC - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.) PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd) PRC - c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited) PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation) PRC - C:\Program Files\Nero\Update\NASvc.exe (Nero AG) PRC - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (Lenovo ) PRC - C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe (Lenovo ) PRC - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (Lenovo ) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Lenovo\HOTKEY\FnF5svc.exe (Lenovo.) PRC - C:\WINDOWS\system32\vmnetdhcp.exe (VMware, Inc.) PRC - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (VMware, Inc.) PRC - C:\Program Files\VMware\VMware Workstation\vmware-tray.exe (VMware, Inc.) PRC - C:\Program Files\VMware\VMware Workstation\hqtray.exe (VMware, Inc.) PRC - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited) PRC - C:\WINDOWS\system32\FpLogonServ.exe (AuthenTec,Inc) PRC - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe (VMware, Inc.) PRC - C:\Program Files\Lenovo\PM Driver\PMSveH.exe (Lenovo) PRC - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe (Pure Networks, Inc.) PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe () PRC - C:\Program Files\Common Files\Lenovo\Logger\logmon.exe () PRC - C:\WINDOWS\system32\IPSSVC.EXE (Lenovo Group Limited) PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo) PRC - C:\WINDOWS\vsnp2uvc.exe (Sonix) PRC - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe (Broadcom Corporation.) PRC - C:\WINDOWS\system32\PSIService.exe () PRC - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation) PRC - C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation) ========== Modules (No Company Name) ========== MOD - C:\Program Files\Trusteer\Rapport\bin\js32.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\90b90e700e59d73d6d692cf74e1ba16e\System.Management.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll () MOD - C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportMS.dll () MOD - C:\Program Files\ThinkPad\ConnectUtilities\Res\US\GUIHlprRes.dll () MOD - C:\Program Files\ThinkPad\ConnectUtilities\Res\US\SvcHlprRes.dll () MOD - C:\WINDOWS\system32\msdmo.dll () MOD - C:\WINDOWS\system32\devenum.dll () MOD - C:\Program Files\VMware\VMware Workstation\zlib1.dll () MOD - C:\Program Files\VMware\VMware Workstation\libxml2.dll () MOD - C:\WINDOWS\system32\cpwmon2k.dll () MOD - C:\Program Files\Lenovo\Rescue and Recovery\CDRecord.dll () MOD - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\libeay32.dll () MOD - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\ssleay32.dll () MOD - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe () MOD - C:\Program Files\Common Files\Lenovo\Logger\logmon.exe () MOD - C:\Program Files\Lenovo Fingerprint Software\SharedResources.dll () MOD - C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll () MOD - C:\Program Files\Intel\Wireless\Bin\IntStngs.dll () MOD - C:\WINDOWS\system32\PSIService.exe () MOD - C:\WINDOWS\system32\BrMuSNMP.dll () ========== Win32 Services (SafeList) ========== SRV - (HidServ) -- File not found SRV - (RapportMgmtService) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.) SRV - (SUService) -- c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited) SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation) SRV - (NAUpdate) -- C:\Program Files\Nero\Update\NASvc.exe (Nero AG) SRV - (MatSvc) -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe (Microsoft Corporation) SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia) SRV - (AcPrfMgrSvc) -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (Lenovo ) SRV - (AcSvc) -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (Lenovo ) SRV - (FNF5SVC) -- C:\Program Files\Lenovo\HOTKEY\FnF5svc.exe (Lenovo.) SRV - (VMnetDHCP) -- C:\WINDOWS\system32\vmnetdhcp.exe (VMware, Inc.) SRV - (VMware NAT Service) -- C:\WINDOWS\system32\vmnat.exe (VMware, Inc.) SRV - (VMAuthdService) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (VMware, Inc.) SRV - (ufad-ws60) -- C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe (VMware, Inc.) SRV - (ThinkVantage Registry Monitor Service) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited) SRV - (FingerprintServer) -- C:\WINDOWS\system32\FpLogonServ.exe (AuthenTec,Inc) SRV - (vmount2) -- C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe (VMware, Inc.) SRV - (PMSveH) -- C:\Program Files\Lenovo\PM Driver\PMSveH.exe (Lenovo) SRV - (nmservice) -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe (Pure Networks, Inc.) SRV - (nmraapache) -- C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe (Pure Networks, Inc.) SRV - (TVT Backup Protection Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe () SRV - (IPSSVC) -- C:\WINDOWS\system32\IPSSVC.EXE (Lenovo Group Limited) SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo) SRV - (btwdins) -- C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe (Broadcom Corporation.) SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation) SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe () SRV - (Diskeeper) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation) ========== Driver Services (SafeList) ========== DRV - (catchme) -- File not found DRV - (MpKslc198cbb5) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{659B2E40-74A5-456B-B197-FE482B2A39F5}\MpKslc198cbb5.sys (Microsoft Corporation) DRV - (RapportCerberus_32301) -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_32301.sys () DRV - (RapportEI) -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys (Trusteer Ltd.) DRV - (RapportPG) -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (Trusteer Ltd.) DRV - (RapportKELL) -- C:\WINDOWS\system32\drivers\RapportKELL.sys (Trusteer Ltd.) DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys () DRV - (RapportIaso) -- c:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys (Trusteer Ltd.) DRV - (FTDIBUS) -- C:\WINDOWS\system32\drivers\ftdibus.sys (FTDI Ltd.) DRV - (FTSER2K) -- C:\WINDOWS\system32\drivers\ftser2k.sys (FTDI Ltd.) DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA)) DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA)) DRV - (TotRec7) -- C:\WINDOWS\system32\drivers\TotRec7.sys (High Criteria inc.) DRV - (TSMAPIP) -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS () DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Lenovo (United States) Inc.) DRV - (eusk2par) -- C:\WINDOWS\system32\drivers\eusk2par.sys (Aladdin Knowledge Systems Ltd.) DRV - (ANC) -- C:\WINDOWS\system32\drivers\ANC.sys (IBM Corp.) DRV - (IBMTPCHK) -- C:\WINDOWS\system32\drivers\IBMBLDID.sys () DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia) DRV - (hcmon) -- C:\WINDOWS\system32\drivers\hcmon.sys (VMware, Inc.) DRV - (vmx86) -- C:\WINDOWS\system32\drivers\vmx86.sys (VMware, Inc.) DRV - (VMnetuserif) -- C:\WINDOWS\system32\drivers\vmnetuserif.sys (VMware, Inc.) DRV - (vmkbd) -- C:\WINDOWS\system32\drivers\VMkbd.sys (VMware, Inc.) DRV - (VMnetBridge) -- C:\WINDOWS\system32\drivers\vmnetbridge.sys (VMware, Inc.) DRV - (VMnetAdapter) -- C:\WINDOWS\system32\drivers\vmnetadapter.sys (VMware, Inc.) DRV - (vstor2-ws60) -- C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys (VMware, Inc.) DRV - (Ser2pl) -- C:\WINDOWS\system32\drivers\ser2pl.sys (Prolific Technology Inc.) DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.) DRV - (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor) -- C:\WINDOWS\system32\drivers\atswpdrv.sys (AuthenTec, Inc.) DRV - (TVTI2C) -- C:\WINDOWS\system32\drivers\tvti2c.sys (Lenovo (United States) Inc.) DRV - (vstor2) -- C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys (VMware, Inc.) DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC) DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation) DRV - (SNP2UVC) USB2.0 PC Camera (SNP2UVC) -- C:\WINDOWS\system32\drivers\snp2uvc.sys () DRV - (ElbyCDFL) -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys (SlySoft, Inc.) DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC) DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC) DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.) DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation) DRV - (PROCDD) -- C:\WINDOWS\system32\drivers\PROCDD.SYS (Lenovo Group Limited) DRV - (btwmodem) -- C:\WINDOWS\system32\drivers\btwmodem.sys (Broadcom Corporation.) DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.) DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.) DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.) DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.) DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems) DRV - (PMHler) -- C:\WINDOWS\system32\drivers\PMHler.sys (Lenovo ) DRV - (MTDVC2) -- C:\WINDOWS\system32\drivers\mtdv2ku2.sys (Matsu****a Electric Industrial Co., Ltd.) DRV - (MTDVC2_ENUM) -- C:\WINDOWS\system32\drivers\mtdv2ks2.sys (Matsu****a Electric Industrial Co., Ltd.) DRV - (FINEPIX_PCC) -- C:\WINDOWS\system32\drivers\V4CB0127.SYS (FUJI PHOTO FILM CO.,LTD.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/3000notebook [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/3000notebook [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://freeola.com/ IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) [2011/09/21 18:37:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2009/08/27 20:25:26 | 000,308,096 | ---- | M] (British Telecommunications Plc) -- C:\Program Files\mozilla firefox\plugins\npBTEmailConfig.dll ========== Chrome ========== CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7GGLL_en-GB CHR - default_search_provider: suggest_url = CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.120\gcswf32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll CHR - plugin: QuickTime Plug-in 7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll CHR - plugin: Java Deployment Toolkit 6.0.150.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll CHR - plugin: Java Platform SE 6 U15 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.120\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.120\pdf.dll CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\Bob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\plugins/avgnpss.dll CHR - plugin: Skype Toolbars (Enabled) = C:\Documents and Settings\Bob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\npSkypeChromePlugin.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll CHR - plugin: Default Plug-in (Enabled) = default_plugin CHR - Extension: Click to call with Skype = C:\Documents and Settings\Bob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8153_0\ O1 HOSTS File: ([2011/11/10 20:56:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Reg Error: Value error.) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation) O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.) O2 - BHO: (IePasswordManagerHelper Class) - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited) O2 - BHO: (CPwmIEBrowserHelper Object) - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found. O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) O4 - HKLM..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe (Sonix) O4 - HKLM..\Run: [VMware hqtray] C:\Program Files\VMware\VMware Workstation\hqtray.exe (VMware, Inc.) O4 - HKLM..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe (VMware, Inc.) O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.) O9 - Extra 'Tools' menuitem : ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited) O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O9 - Extra Button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited) O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.com/pc/support/acpir.cab (IASRunner Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://84.92.80.192:8081/activex/AMC.cab (AxisMediaControlEmb Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E2221548-3CF3-4A5C-96F8-327872E6716A}: DhcpNameServer = 192.168.1.254 O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll (Pure Networks, Inc.) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\ATFUS: DllName - (C:\WINDOWS\system32\FpWinLogonNp.dll) - C:\WINDOWS\system32\FpWinlogonNp.dll (AuthenTec,Inc) O20 - Winlogon\Notify\tphotkey: DllName - (C:\Program Files\Lenovo\HOTKEY\tphklock.dll) - C:\Program Files\Lenovo\HOTKEY\tphklock.dll (Lenovo Group Limited) O24 - Desktop WallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006/04/30 07:13:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2002/10/16 08:16:14 | 000,000,057 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ] O32 - AutoRun File - [2002/10/18 13:02:47 | 000,126,976 | R--- | M] (Serif SPC) - E:\autorun.exe -- [ CDFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: HidServ - File not found NetSvcs: Ias - File not found NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe - (Adobe Systems Incorporated) MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe - (Adobe Systems Incorporated) MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk - C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe - (Broadcom Corporation.) MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE - (Microsoft Corporation) MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe - (Intuit, Inc.) MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe - (Microsoft Corporation) MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated) MsConfig - StartUpReg: AwaySch - hkey= - key= - C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (Lenovo Group Limited) MsConfig - StartUpReg: btbb_McciTrayApp - hkey= - key= - C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent) MsConfig - StartUpReg: CloneCDTray - hkey= - key= - C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.) MsConfig - StartUpReg: cssauth - hkey= - key= - C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited) MsConfig - StartUpReg: DiskeeperSystray - hkey= - key= - C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation) MsConfig - StartUpReg: FingerPrintSoftware - hkey= - key= - C:\Program Files\Lenovo Fingerprint Software\fpapp.exe (Authentec,Inc) MsConfig - StartUpReg: HotKeysCmds - hkey= - key= - File not found MsConfig - StartUpReg: IgfxTray - hkey= - key= - File not found MsConfig - StartUpReg: LPManager - hkey= - key= - C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited) MsConfig - StartUpReg: Message Center Plus - hkey= - key= - C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe () MsConfig - StartUpReg: NBAgent - hkey= - key= - C:\Program Files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe (Nero AG) MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found MsConfig - StartUpReg: PMHandler - hkey= - key= - C:\Program Files\Lenovo\PM Driver\PMHandler.exe (Lenovo) MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.) MsConfig - StartUpReg: SSBkgdUpdate - hkey= - key= - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.) MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) MsConfig - StartUpReg: TPFNF7 - hkey= - key= - C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe (Lenovo Group Limited) MsConfig - StartUpReg: TPWAUDAP - hkey= - key= - C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe (Lenovo Group Limited) MsConfig - StartUpReg: TVT Scheduler Proxy - hkey= - key= - C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited) MsConfig - StartUpReg: Windows Defender - hkey= - key= - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) MsConfig - StartUpReg: WMPNSCFG - hkey= - key= - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation) CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2011/11/10 21:13:05 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bob\Desktop\OTL.scr [2011/11/10 20:45:46 | 000,000,000 | RHSD | C] -- C:\cmdcons [2011/11/10 20:43:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2011/11/10 20:43:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2011/11/10 20:43:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2011/11/10 20:43:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2011/11/10 20:43:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT [2011/11/10 20:37:41 | 000,000,000 | ---D | C] -- C:\Qoobox [2011/11/10 20:31:07 | 004,289,249 | R--- | C] (Swearware) -- C:\Documents and Settings\Bob\Desktop\Combo.exe [2011/11/10 19:38:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bob\Recent [2011/11/07 21:28:38 | 000,056,208 | ---- | C] (Trusteer Ltd.) -- C:\WINDOWS\System32\drivers\RapportKELL.sys [2011/10/29 17:53:20 | 000,000,000 | ---D | C] -- C:\Program Files\PolderbitS [2011/10/29 14:36:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\My Documents\Guitar Stuff [2011/10/18 21:08:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\My Documents\WM_Bob My Documents [2011/10/16 19:02:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client [2011/10/12 16:44:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012 [2008/08/01 20:36:08 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL [2008/07/30 17:34:43 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Bob\Application Data\pcouffin.sys [2008/04/23 02:13:13 | 000,167,936 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll [2008/04/23 02:13:13 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll [3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2011/11/10 21:13:14 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob\Desktop\OTL.scr [2011/11/10 21:01:25 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job [2011/11/10 20:59:13 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2011/11/10 20:56:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2011/11/10 20:56:35 | 000,025,314 | ---- | M] () -- C:\WINDOWS\System32\PROCDB.INI [2011/11/10 20:56:26 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2011/11/10 20:56:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2011/11/10 20:56:13 | 2137,444,352 | -HS- | M] () -- C:\hiberfil.sys [2011/11/10 20:45:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini [2011/11/10 20:31:16 | 004,289,249 | R--- | M] (Swearware) -- C:\Documents and Settings\Bob\Desktop\Combo.exe [2011/11/10 20:26:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2011/11/10 20:15:59 | 000,019,967 | ---- | M] () -- C:\Documents and Settings\Bob\My Documents\bookmarks_11_10_11.html [2011/11/10 20:13:24 | 000,000,116 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\SkyDrive.url [2011/11/10 20:08:13 | 000,000,291 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\Flyer Forum.url [2011/11/10 20:03:52 | 000,305,176 | ---- | M] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\census.cache [2011/11/10 20:03:36 | 000,253,041 | ---- | M] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\ars.cache [2011/11/10 19:50:02 | 000,000,233 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\PAFRA Forum.url [2011/11/10 19:33:38 | 000,000,123 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\CSA.url [2011/11/10 19:31:21 | 000,000,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk [2011/11/10 19:27:21 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk [2011/11/10 18:44:29 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8033D9A4-F450-416F-9B7C-AB9C030B3C45}.job [2011/11/09 23:33:22 | 000,000,203 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\XC Weather.url [2011/11/09 23:20:10 | 000,504,416 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2011/11/09 23:20:10 | 000,090,150 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2011/11/09 23:05:36 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~iqKl7AdbnVvY5k [2011/11/09 23:00:04 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~iqKl7AdbnVvY5kr [2011/11/09 22:59:59 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\iqKl7AdbnVvY5k [2011/11/09 18:28:34 | 000,000,247 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\Booking Calendar.url [2011/11/09 18:00:00 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job [2011/11/09 16:59:05 | 000,000,312 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\ebay.url [2011/11/08 17:12:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat [2011/11/08 17:12:39 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat [2011/11/07 21:28:38 | 000,056,208 | ---- | M] (Trusteer Ltd.) -- C:\WINDOWS\System32\drivers\RapportKELL.sys [2011/11/05 15:48:33 | 000,000,275 | ---- | M] () -- C:\WINDOWS\BTW.INI [2011/11/04 22:08:23 | 000,000,209 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\Jango Music.url [2011/11/03 17:07:37 | 000,000,155 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2011/11/02 17:16:52 | 000,000,246 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\PC Help PBEK.url [2011/10/29 18:05:03 | 000,010,915 | ---- | M] () -- C:\WINDOWS\cdplayer.ini [2011/10/29 17:53:45 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\Drv64_32.dat [2011/10/28 20:27:06 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn [2011/10/27 18:43:44 | 000,000,572 | ---- | M] () -- C:\Documents and Settings\Bob\My Documents\spider.sav [2011/10/27 17:59:11 | 000,473,968 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2011/10/23 13:15:50 | 000,000,028 | ---- | M] () -- C:\WINDOWS\Acroread.ini [2011/10/22 10:05:31 | 000,005,054 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\HD2 Forum.url [2011/10/18 21:45:32 | 000,000,076 | ---- | M] () -- C:\WINDOWS\pwkforms.ini [2011/10/18 16:30:07 | 000,000,022 | ---- | M] () -- C:\WINDOWS\System32\PROTOCOL.INI [2011/10/16 19:38:15 | 000,017,888 | ---- | M] () -- C:\Documents and Settings\Bob\My Documents\cc_20111016_203811.reg [2011/10/16 19:03:44 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif [2011/10/16 08:07:14 | 000,000,265 | ---- | M] () -- C:\Documents and Settings\Bob\Desktop\Met Office.url [2011/10/13 19:15:49 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job [2011/10/13 16:47:20 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl [2011/10/12 17:11:42 | 000,006,278 | ---- | M] () -- C:\Documents and Settings\Bob\My Documents\cc_20111012_181137.reg [2011/10/11 22:17:24 | 000,002,359 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DiagHead.lnk [3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2011/11/10 20:45:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak [2011/11/10 20:45:50 | 000,260,272 | RHS- | C] () -- C:\cmldr [2011/11/10 20:43:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe [2011/11/10 20:43:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe [2011/11/10 20:43:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2011/11/10 20:43:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2011/11/10 20:43:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2011/11/10 20:15:59 | 000,019,967 | ---- | C] () -- C:\Documents and Settings\Bob\My Documents\bookmarks_11_10_11.html [2011/11/10 20:13:12 | 000,000,116 | ---- | C] () -- C:\Documents and Settings\Bob\Desktop\SkyDrive.url [2011/11/10 20:03:52 | 000,305,176 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\census.cache [2011/11/10 20:03:36 | 000,253,041 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\ars.cache [2011/11/10 19:31:21 | 000,000,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk [2011/11/09 23:14:52 | 2137,444,352 | -HS- | C] () -- C:\hiberfil.sys [2011/11/09 23:00:04 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~iqKl7AdbnVvY5k [2011/11/09 23:00:04 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~iqKl7AdbnVvY5kr [2011/11/09 22:59:59 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\iqKl7AdbnVvY5k [2011/10/29 17:53:21 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\Drv64_32.dat [2011/10/16 19:38:13 | 000,017,888 | ---- | C] () -- C:\Documents and Settings\Bob\My Documents\cc_20111016_203811.reg [2011/10/16 19:03:44 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif [2011/10/16 19:03:41 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job [2011/10/16 19:02:41 | 000,001,687 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk [2011/10/12 17:11:40 | 000,006,278 | ---- | C] () -- C:\Documents and Settings\Bob\My Documents\cc_20111012_181137.reg [2011/10/01 18:37:01 | 000,037,192 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\Microsoft Excel.ADR [2011/09/28 16:06:44 | 000,037,203 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\Comma Separated Values (Windows).ADR [2011/08/16 16:57:59 | 000,000,052 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\mm-device-08.ini [2011/05/18 16:12:36 | 000,007,620 | -HS- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\d8nrjf2804qr7jcivv287xs38p6vv5w5vh64t1lc2 [2011/05/18 16:12:36 | 000,007,620 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d8nrjf2804qr7jcivv287xs38p6vv5w5vh64t1lc2 [2011/05/08 09:11:14 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat [2011/05/08 09:11:14 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat [2011/05/02 22:30:50 | 001,144,147 | ---- | C] () -- C:\WINDOWS\System32\ffmpegmt.dll [2011/05/02 22:27:54 | 003,935,545 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.dll [2011/05/02 20:23:46 | 000,324,096 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll [2011/05/02 20:19:34 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll [2011/05/02 20:19:20 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll [2011/05/02 09:26:21 | 000,789,346 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1680706785-1795540141-2034184868-1008-0.dat [2011/04/23 18:51:11 | 000,394,810 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat [2011/03/30 21:22:16 | 000,000,998 | ---- | C] () -- C:\WINDOWS\OBD.INI [2011/03/18 21:32:44 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll [2011/03/18 21:29:56 | 000,181,248 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll [2011/03/18 21:28:30 | 001,557,504 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll [2011/03/18 21:27:08 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll [2011/03/18 21:26:44 | 000,484,864 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll [2011/03/18 21:25:38 | 000,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll [2011/03/18 21:25:24 | 000,141,312 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll [2011/03/03 11:40:08 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll [2011/03/03 11:39:56 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll [2011/03/03 11:39:46 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll [2011/03/03 11:39:34 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll [2011/03/03 11:39:02 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe [2011/03/03 11:38:54 | 000,154,112 | ---- | C] () -- C:\WINDOWS\System32\ts.dll [2011/03/03 11:38:40 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll [2011/03/03 11:38:10 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll [2011/03/03 11:38:04 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe [2011/03/03 11:37:50 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll [2011/03/03 11:37:40 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe [2011/03/03 11:35:32 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll [2011/03/03 11:35:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll [2011/02/22 19:39:04 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll [2011/02/22 19:37:30 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll [2011/02/09 17:34:24 | 000,459,648 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat [2011/02/01 17:06:09 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\vmcoinst_vc0305.dll [2010/12/24 23:41:33 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\housecall.guid.cache [2010/08/27 11:52:36 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat [2010/08/18 19:56:38 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini [2010/05/25 17:04:18 | 000,000,052 | ---- | C] () -- C:\WINDOWS\NReq.dat [2010/05/25 17:04:18 | 000,000,052 | ---- | C] () -- C:\WINDOWS\System32\CNFrs.drv [2010/01/22 07:50:19 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\prvlcl.dat [2009/11/23 17:58:56 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll [2009/11/01 22:17:28 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DGRip.dll [2009/10/31 14:59:44 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll [2009/10/29 20:36:00 | 000,000,208 | ---- | C] () -- C:\WINDOWS\System32\xpysys.dll [2009/09/17 19:01:27 | 000,225,280 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\SharedSettings.ccs [2009/09/16 13:19:20 | 001,015,808 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll [2009/09/16 13:19:20 | 000,220,160 | ---- | C] () -- C:\WINDOWS\System32\WnASPI32.dll [2009/09/16 13:19:17 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll [2009/09/16 13:19:17 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\libfaac.dll [2009/09/16 13:19:16 | 001,163,264 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll [2009/09/16 13:19:16 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll [2009/09/16 13:19:16 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\MP2enc.dll [2009/08/11 21:21:26 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\ac3config.exe [2009/08/11 21:21:20 | 001,021,440 | ---- | C] () -- C:\WINDOWS\System32\ac3filter_intl.dll [2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll [2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe [2009/04/30 17:53:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2009/02/01 15:24:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\oodcnt.INI [2009/01/30 12:12:07 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll [2008/11/06 15:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll [2008/10/06 20:25:19 | 000,010,915 | ---- | C] () -- C:\WINDOWS\cdplayer.ini [2008/10/04 14:23:57 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc [2008/08/28 21:40:08 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD-Start.INI [2008/08/08 19:25:39 | 000,030,048 | ---- | C] () -- C:\WINDOWS\unsetup.exe [2008/08/08 19:25:33 | 000,000,275 | ---- | C] () -- C:\WINDOWS\BTW.INI [2008/08/01 20:46:57 | 000,000,028 | ---- | C] () -- C:\WINDOWS\Acroread.ini [2008/07/31 22:28:28 | 000,000,155 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2008/07/31 22:08:22 | 000,000,099 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\ftpfile.dat [2008/07/30 20:57:08 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib [2008/07/30 19:21:27 | 000,002,528 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\$_hpcst$.hpc [2008/07/30 17:34:56 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo3.dll [2008/07/30 17:34:43 | 000,081,920 | ---- | C] () -- C:\Documents and Settings\Bob\Application Data\ezpinst.exe [2008/07/30 17:34:43 | 000,007,176 | ---- | C] () -- C:\Documents and Settings\Bob\Application Data\pcouffin.cat [2008/07/30 17:34:43 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Bob\Application Data\pcouffin.inf [2008/07/30 15:42:05 | 000,000,424 | -HS- | C] () -- C:\WINDOWS\WSYS049.SYS [2008/07/30 15:30:31 | 000,000,076 | ---- | C] () -- C:\WINDOWS\pwkforms.ini [2008/07/30 14:23:56 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2008/07/30 08:08:55 | 000,375,296 | ---- | C] () -- C:\WINDOWS\System32\tx32.dll [2008/07/30 08:08:55 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\Ic32.ini [2008/07/29 21:32:15 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI [2008/07/29 21:32:15 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI [2008/07/29 21:31:49 | 000,000,226 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini [2008/07/29 21:31:49 | 000,000,094 | ---- | C] () -- C:\WINDOWS\brpcfx.ini [2008/07/29 21:31:49 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf06a.dat [2008/07/29 21:31:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat [2008/07/29 21:31:00 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll [2008/07/29 21:29:26 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini [2008/07/29 21:04:50 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\PROTOCOL.INI [2008/07/29 17:21:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2008/07/29 16:06:44 | 000,000,168 | RHS- | C] () -- C:\WINDOWS\System32\A98658C768.sys [2008/07/29 16:06:43 | 000,005,954 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys [2008/04/23 02:50:47 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2008/04/23 02:32:18 | 000,004,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.sys [2008/04/23 02:30:52 | 000,114,688 | ---- | C] () -- C:\WINDOWS\desktopset.exe [2008/04/23 02:22:17 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll [2008/04/23 02:22:17 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll [2008/04/23 02:22:17 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll [2008/04/23 02:22:17 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll [2008/04/23 02:22:17 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll [2008/04/23 02:22:17 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll [2008/04/23 02:16:37 | 000,701,840 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll [2008/04/23 02:16:37 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4785.dll [2008/04/23 02:16:30 | 000,319,488 | ---- | C] () -- C:\WINDOWS\System32\AegisI5Installer.exe [2008/04/23 02:15:24 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe [2008/04/23 02:15:15 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTHDAEQ0.dat [2008/04/23 02:13:58 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll [2008/04/23 02:13:14 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2uvc.ini [2008/04/23 02:13:13 | 009,598,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys [2008/04/23 02:07:27 | 000,000,138 | ---- | C] () -- C:\WINDOWS\System32\Softkbd.exe.config [2007/08/16 10:28:38 | 000,025,314 | ---- | C] () -- C:\WINDOWS\System32\PROCDB.INI [2007/02/09 19:54:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2006/11/12 04:50:38 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll [2006/11/03 03:40:12 | 000,174,656 | ---- | C] () -- C:\WINDOWS\System32\PSIService.exe [2006/04/30 07:31:51 | 000,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI [2006/04/30 07:22:10 | 000,000,045 | ---- | C] () -- C:\WINDOWS\orun32.ini [2006/04/30 07:19:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2006/04/30 07:10:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat [2006/04/30 06:55:59 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat [2006/04/30 06:55:55 | 000,504,416 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat [2006/04/30 06:55:55 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat [2006/04/30 06:55:55 | 000,090,150 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat [2006/04/30 06:55:55 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat [2006/04/30 06:55:54 | 000,004,547 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat [2006/04/30 06:55:52 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin [2006/04/30 06:55:50 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat [2006/04/30 06:55:44 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat [2006/04/30 06:55:44 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin [2006/04/30 06:55:37 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat [2006/04/30 06:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin [2006/04/30 00:04:28 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2006/04/30 00:03:29 | 000,473,968 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2006/03/04 04:52:00 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\OptimFROG.dll [2003/03/27 13:18:54 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\akrip.dll [2002/03/18 11:37:42 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\ezmp3enc.dll [2002/03/04 09:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll [2001/11/14 19:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll [2000/09/13 17:15:38 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pagesync.dll [1999/01/22 18:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL ========== LOP Check ========== [2009/09/16 23:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acoustica [2008/10/08 19:21:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo [2008/12/14 10:31:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avery [2011/10/16 19:30:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012 [2010/12/05 11:42:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9 [2008/09/14 12:11:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BDEnetfile [2010/12/24 23:19:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\bOgHm05310 [2008/11/05 19:35:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland [2009/10/07 16:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cached Installations [2011/03/04 15:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CoffeeCup Software [2010/12/05 11:52:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files [2011/11/08 17:07:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2008/07/30 17:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVDXStudio [2009/08/14 21:01:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM [2009/08/14 21:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail [2010/03/19 18:25:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Innovative Solutions [2010/04/09 22:16:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations [2011/02/27 19:13:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\jEkOcKn06308 [2009/08/30 15:39:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo [2009/08/31 13:56:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe [2011/05/03 21:39:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\M-Audio [2011/11/09 21:40:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Memory-Map-License [2011/10/16 19:02:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData [2009/08/21 13:16:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia [2010/01/17 09:59:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OrbNetworks [2009/09/22 11:03:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic [2008/10/06 18:10:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters [2009/05/29 17:41:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite [2011/07/25 19:58:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCB Artist [2010/01/14 17:43:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr [2010/03/02 17:04:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoMail [2011/02/19 23:00:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT [2008/07/29 21:28:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft [2008/08/10 10:59:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft [2008/07/29 16:06:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaskMgr [2009/12/22 22:24:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer [2011/03/09 17:32:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~0 [2011/09/14 16:54:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~1 [2009/09/16 23:15:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Acoustica [2011/06/19 15:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Arduino [2008/10/08 19:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Ashampoo [2011/02/15 17:26:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Business Suite [2011/06/22 18:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\CoffeeCup Software [2008/07/31 08:45:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\DAEMON Tools [2011/11/05 16:43:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\DAEMON Tools Lite [2011/10/08 11:30:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\DevFind [2009/06/23 16:48:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Downloaded Installations [2008/08/06 19:21:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\ESBUnitConv [2008/10/20 21:46:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Inkscape [2009/12/07 20:44:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\KEDDS [2008/07/29 16:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Leadertech [2009/08/30 15:39:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Lenovo [2009/07/01 19:50:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Nokia [2008/08/20 18:17:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Nvu [2009/04/13 13:29:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\OpenOffice.org [2009/12/28 21:27:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\PC Suite [2011/02/15 18:17:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\PO Management [2011/01/10 18:51:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\ScanSoft [2009/01/30 12:12:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Serif [2009/12/07 20:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Skinux [2008/09/19 14:37:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\SlySoft [2011/06/18 15:35:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\SoftMaker [2011/11/06 14:41:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Spotify [2009/05/01 21:05:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Thunderbird [2009/08/15 12:12:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\TotalRecorder [2009/12/22 22:25:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Trusteer [2009/08/31 15:14:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Vso [2011/01/18 17:25:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Watchtower [2011/11/10 21:01:25 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job [2011/11/09 18:00:00 | 000,000,438 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration.job [2011/10/13 19:15:49 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job [2011/11/10 18:44:29 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{8033D9A4-F450-416F-9B7C-AB9C030B3C45}.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2011/03/30 19:09:35 | 000,001,024 | ---- | M] () -- C:\.rnd [2011/09/07 18:28:05 | 000,021,276 | ---- | M] () -- C:\aaw7boot.log [2010/05/07 17:35:26 | 000,034,228 | ---- | M] () -- C:\ASLog.txt [2006/04/30 07:13:35 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT [2008/07/30 05:18:43 | 000,000,211 | ---- | M] () -- C:\Boot.bak [2011/11/10 20:45:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr [2011/11/10 21:05:54 | 000,026,032 | ---- | M] () -- C:\ComboFix.txt [2006/04/30 07:13:35 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS [2008/04/23 02:23:26 | 000,001,496 | ---- | M] () -- C:\drivez.log [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt [2007/11/07 08:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt [2007/11/07 08:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt [2009/12/22 14:10:57 | 000,000,000 | ---- | M] () -- C:\FileRecovery.log [2007/11/07 08:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini [2011/11/10 20:56:13 | 2137,444,352 | -HS- | M] () -- C:\hiberfil.sys [2007/11/07 08:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini [2007/11/07 08:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll [2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll [2007/11/07 08:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll [2007/11/07 08:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll [2007/11/07 08:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll [2007/11/07 08:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll [2007/11/07 08:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll [2007/11/07 08:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll [2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll [2006/04/30 07:13:35 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2006/04/30 07:13:35 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2004/08/04 12:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM [2008/07/29 22:36:35 | 000,250,048 | RHS- | M] () -- C:\NTLDR [2004/02/29 15:44:34 | 000,052,576 | ---- | M] () -- C:\orange.bmp [2011/11/10 20:56:11 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys [2008/04/23 02:15:26 | 000,000,542 | ---- | M] () -- C:\RHDSetup.log [2008/04/23 02:02:13 | 000,000,083 | ---- | M] () -- C:\syslevel.lgl [2008/09/28 16:36:04 | 000,000,336 | ---- | M] () -- C:\TPHKLOCK.TXT [2007/11/07 08:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp [2007/11/07 08:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab [2007/11/07 08:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI < %systemroot%\system32\Spool\prtprocs\w32x86\*.dll > [2008/07/06 12:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll [2001/11/20 13:37:28 | 000,047,616 | R--- | M] (Black Ice Software) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\ppbiPr.dll < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > [3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\system32\drivers\*.sys /lockedfiles > [2011/08/11 17:08:01 | 000,443,448 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys < %systemroot%\system32\*.exe /lockedfiles > [3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] < %systemroot%\System32\config\*.sav > [2006/04/30 00:03:02 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav [2006/04/30 00:03:02 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav [2006/04/30 00:03:02 | 000,876,544 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav < %PROGRAMFILES%\* > < %USERPROFILE%\..|smtmp;true;true;true /FP > < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\AU > < hklm\software\clients\startmenuinternet|command /rs > HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/11/08 03:02:58 | 001,036,344 | ---- | M] (Google Inc.) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/11/08 03:02:58 | 001,036,344 | ---- | M] (Google Inc.) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/11/08 03:02:58 | 001,036,344 | ---- | M] (Google Inc.) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/11/08 03:02:58 | 001,036,344 | ---- | M] (Google Inc.) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/08/22 11:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/08/22 11:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/08/22 11:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) < hklm\software\clients\startmenuinternet|command /64 /rs > HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/11/08 03:02:58 | 001,036,344 | ---- | M] (Google Inc.) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/11/08 03:02:58 | 001,036,344 | ---- | M] (Google Inc.) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/11/08 03:02:58 | 001,036,344 | ---- | M] (Google Inc.) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/11/08 03:02:58 | 001,036,344 | ---- | M] (Google Inc.) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/08/22 11:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/08/22 11:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/08/22 11:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) < End of report > Quote
Starbuck Posted November 11, 2011 Posted November 11, 2011 Hi pilotbob Sorry about that, senior moment again Don't worry, i've had a few of those in my time. :o Step 1 Double click on OTL to run it. Copy the lines in the codebox below. (make sure that :Otl is on the first line ) :otl CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\Bob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfme joahla\10.0.0.1409_0\plugins/avgnpss.dll O2 - BHO: (Reg Error: Value error.) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found. O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 [2011/10/12 16:44:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012 [2011/11/09 23:00:04 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~iqKl7AdbnVvY5k [2011/11/09 23:00:04 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~iqKl7AdbnVvY5kr [2011/11/09 22:59:59 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\iqKl7AdbnVvY5k [2011/05/18 16:12:36 | 000,007,620 | -HS- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\d8nrjf2804qr7jcivv287xs38p6vv5w5vh64t1lc2 [2011/05/18 16:12:36 | 000,007,620 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d8nrjf2804qr7jcivv287xs38p6vv5w5vh64t1lc2 [2011/10/16 19:30:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012 [2010/12/05 11:42:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9 [2011/02/27 19:13:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\jEkOcKn06308 :Files ipconfig /flushdns /c :commands [emptytemp] [purity] [RESETHOSTS] Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste. http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png Click the red Run Fix button. http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png OTL will reboot your system once the fix has completed. After the reboot, you may need to double click OTL to launch the program and retrieve the log. Copy and paste the contents of the OTL log that comes up after the fix in your next reply. if you lose the report, there will be a copy here: C:\_OTL\MovedFiles Step 2 Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:Download the latest version of Java Runtime Environment (JRE) 7 Update 1 and save it to your desktop. Scroll down to where it says "Java SE 7 Update 1". Click the "Download JRE" button to the right. Accept the license agreement. select 'Windows x86'offline from the list. Save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. . J2SE Runtime Environment 5.0 Update 6 Java 6 Update 7 Java 6 Update 15 . Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-7u1-windows-i586-p.exe to install the newest version. Step 3 I'd like you to do an ESET OnlineScan You may find it beneficial to close your resident AV program before running the scan. Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop. Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop. [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button. [*]Accept any security warnings from your browser. [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png [*]Click the Start button. [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. [*]When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button. [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt Note: It's been found that on some systems the Eset's Online Scan fails during the database download ( around 20% ) To prevent this happening: When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked): Enable Anti-Stealth technology http://img.photobucket.com/albums/v708/starbuck50/eset.png In your next reply, please submit: OTL fix report Eset scan report Thanks. Quote Member of:UNITE
pilotbob Posted November 11, 2011 Author Posted November 11, 2011 OK, OTL scan run again, report below. Java removed and re-installed up to date. Prior to running ESET online scan, msse found and removed the following too, Adware:Win32/ClickPotato Adware:Win32/OpenCandy Exploit:Java/Blacole.AR Exploit:Java/CVE-2010-4452.E Exploit:Java/Blacole.AN Exploit:Java/Blacole.AQ Exploit:Java/Blacole.AP Exploit:Java/Blacole.AO Exploit:Java/Blacole.AR Exploit:Java/CVE-2010-0840.HH Exploit:Java/CVE-2010-0840.DR TrojanDownloader:Java/OpenConnection.OU During the ESET scan the following was found and removed by msse. Trojan:Win32/FakeSysdef Scan Reports below; All processes killed ========== OTL ========== File C:\Documents and Settings\Bob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfme joahla\10.0.0.1409_0\plugins/avgnpss.dll not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\ deleted successfully. C:\Program Files\Microsoft Money\System\mnyside.dll moved successfully. Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HonorAutoRunSetting deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLinkedConnections deleted successfully. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully. C:\Documents and Settings\All Users\Application Data\AVG2012\Dumps folder moved successfully. C:\Documents and Settings\All Users\Application Data\AVG2012 folder moved successfully. C:\Documents and Settings\All Users\Application Data\~iqKl7AdbnVvY5k moved successfully. C:\Documents and Settings\All Users\Application Data\~iqKl7AdbnVvY5kr moved successfully. C:\Documents and Settings\All Users\Application Data\iqKl7AdbnVvY5k moved successfully. C:\Documents and Settings\Bob\Local Settings\Application Data\d8nrjf2804qr7jcivv287xs38p6vv5w5vh64t1lc2 moved successfully. C:\Documents and Settings\All Users\Application Data\d8nrjf2804qr7jcivv287xs38p6vv5w5vh64t1lc2 moved successfully. Folder C:\Documents and Settings\All Users\Application Data\AVG2012\ not found. C:\Documents and Settings\All Users\Application Data\avg9\update\prepare\temp folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\update\prepare folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\update\backup folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\update folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\Temp folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\scanlogs folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\Log folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\emc folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\Dumps folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\CfgAll folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\Cfg folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\AvgApi folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\AvgAm folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\admincli folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully. Folder C:\Documents and Settings\All Users\Application Data\jEkOcKn06308\ not found. ========== FILES ========== < ipconfig /flushdns /c > Windows IP Configuration Successfully flushed the DNS Resolver Cache. C:\Documents and Settings\Bob\Desktop\System Tools\cmd.bat deleted successfully. C:\Documents and Settings\Bob\Desktop\System Tools\cmd.txt deleted successfully. ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes User: All Users User: Bob ->Temp folder emptied: 14773888 bytes ->Temporary Internet Files folder emptied: 27673155 bytes ->Java cache emptied: 27976417 bytes ->Google Chrome cache emptied: 6235663 bytes ->Flash cache emptied: 1433 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 32902 bytes ->Flash cache emptied: 56466 bytes User: LocalService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 49286 bytes User: NetworkService ->Temp folder emptied: 15102 bytes ->Temporary Internet Files folder emptied: 32902 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 19593 bytes %systemroot%\System32 .tmp files removed: 5540749 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 101223 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 689 bytes Total Files Cleaned = 79.00 mb C:\WINDOWS\System32\drivers\etc\Hosts moved successfully. HOSTS file reset successfully OTL by OldTimer - Version 3.2.31.0 log created on 11112011_073915 Files\Folders moved on Reboot... C:\Documents and Settings\Bob\Local Settings\Temp\WCESLog.log moved successfully. C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\WOM906MR\ads[5].htm moved successfully. C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\W1NLWHOJ\12620-Icons-quot-Greyed-quot-after-infection-Why[2].htm moved successfully. C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\W1NLWHOJ\KIS2012_728x90_uk_mexad[1].html moved successfully. C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\CL0LRL37\ads[8].htm moved successfully. C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\4PXQ81JO\sed[1].htm moved successfully. C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully. C:\WINDOWS\temp\Perflib_Perfdata_14c.dat moved successfully. File\Folder C:\WINDOWS\temp\Perflib_Perfdata_dd4.dat not found! Registry entries deleted on Reboot... C:\Documents and Settings\Bob\My Documents\Downloads\registrybooster.exe Win32/RegistryBooster application deleted - quarantined C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP581\A0138881.exe a variant of Win32/Kryptik.UOE trojan cleaned by deleting - quarantined Quote
Starbuck Posted November 11, 2011 Posted November 11, 2011 Hi pilotbob Download aswMBR and save it to your desktop. Double click the aswMBR.exe to run it. The latest version gives you the option of adding the latest Avast definitions: http://img.photobucket.com/albums/v708/starbuck50/new/03-07-201116-24-19.png It is recommended at this time to click NO. ( as there is a possibility of crashing the system) Click the Scan button to start scan. http://img.photobucket.com/albums/v708/starbuck50/new/asw1.gif On completion of the scan click Save log and save it to your desktop. http://img.photobucket.com/albums/v708/starbuck50/new/asw2.gif Please post this in your reply. NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it. Quote Member of:UNITE
pilotbob Posted November 11, 2011 Author Posted November 11, 2011 Many thanks again for your continued support, latest scan results below; aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software Run date: 2011-11-11 17:09:13 ----------------------------- 17:09:13.609 OS Version: Windows 5.1.2600 Service Pack 3 17:09:13.609 Number of processors: 2 586 0xF0D 17:09:13.609 ComputerName: LENOVO UserName: Bob 17:09:15.484 Initialize success 17:09:42.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 17:09:42.812 Disk 0 Vendor: FUJITSU_ 0000 Size: 476940MB BusType: 3 17:09:42.812 Disk 1 \Device\Harddisk1\DR4 -> \Device\000000a0 17:09:42.812 Disk 1 Vendor: RICOH 01 Size: 976MB BusType: 0 17:09:44.890 Disk 0 MBR read successfully 17:09:44.890 Disk 0 MBR scan 17:09:44.890 Disk 0 unknown MBR code 17:09:44.890 Disk 0 scanning sectors +976768065 17:09:44.968 Disk 0 scanning C:\WINDOWS\system32\drivers 17:09:58.718 Service scanning 17:09:59.328 Service MpKsl4fb75db6 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A00AE24-F257-461D-8528-98D6FBBF8C15}\MpKsl4fb75db6.sys **LOCKED** 32 17:09:59.453 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32 17:10:00.046 Modules scanning 17:10:25.453 Disk 0 trace - called modules: 17:10:25.562 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys sptd.sys 17:10:25.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7446c8] 17:10:25.578 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000090[0x8a761b58] 17:10:25.578 5 ACPI.sys[f7498620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a75c030] 17:10:25.578 Scan finished successfully 17:10:47.500 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bob\Desktop\MBR.dat" 17:10:47.515 The log file has been saved successfully to "C:\Documents and Settings\Bob\Desktop\aswMBR.txt" Quote
Starbuck Posted November 12, 2011 Posted November 12, 2011 Hi pilotbob Download TDSSKiller and save it to your Desktop. Doubleclick on TDSSKiller.exe to run the application, then on Start Scan. Vista/Win7 users should right-click and select Run As Administrator. http://img.photobucket.com/albums/v708/starbuck50/new/tdss1.png If an infected file is detected, the default action will be Cure, click on Continue. http://img.photobucket.com/albums/v708/starbuck50/new/tdss2.png If a suspicious file is detected, the default action will be Skip, click on Continue. http://img.photobucket.com/albums/v708/starbuck50/new/tdss3.png It may ask you to reboot the computer to complete the process. Click on Reboot Now. http://img.photobucket.com/albums/v708/starbuck50/new/tdss4.png If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here. If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next reply. Thanks Quote Member of:UNITE
pilotbob Posted November 12, 2011 Author Posted November 12, 2011 Scan completed results below; 11:44:58.0750 3560 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15 11:44:59.0015 3560 ============================================================ 11:44:59.0015 3560 Current date / time: 2011/11/12 11:44:59.0015 11:44:59.0015 3560 SystemInfo: 11:44:59.0015 3560 11:44:59.0015 3560 OS Version: 5.1.2600 ServicePack: 3.0 11:44:59.0015 3560 Product type: Workstation 11:44:59.0015 3560 ComputerName: LENOVO 11:44:59.0015 3560 UserName: Bob 11:44:59.0015 3560 Windows directory: C:\WINDOWS 11:44:59.0015 3560 System windows directory: C:\WINDOWS 11:44:59.0015 3560 Processor architecture: Intel x86 11:44:59.0015 3560 Number of processors: 2 11:44:59.0015 3560 Page size: 0x1000 11:44:59.0015 3560 Boot type: Normal boot 11:44:59.0015 3560 ============================================================ 11:44:59.0859 3560 Initialize success 11:45:23.0656 5560 ============================================================ 11:45:23.0656 5560 Scan started 11:45:23.0656 5560 Mode: Manual; 11:45:23.0656 5560 ============================================================ 11:45:24.0046 5560 Abiosdsk - ok 11:45:24.0093 5560 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS 11:45:24.0093 5560 abp480n5 - ok 11:45:24.0218 5560 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys 11:45:24.0218 5560 ac97intc - ok 11:45:24.0281 5560 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 11:45:24.0296 5560 ACPI - ok 11:45:24.0406 5560 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys 11:45:24.0406 5560 ACPIEC - ok 11:45:24.0453 5560 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys 11:45:24.0453 5560 adpu160m - ok 11:45:24.0593 5560 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 11:45:24.0609 5560 aec - ok 11:45:24.0765 5560 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys 11:45:24.0781 5560 AegisP - ok 11:45:24.0890 5560 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys 11:45:24.0890 5560 AFD - ok 11:45:25.0031 5560 AgereSoftModem (4e6294a06be883c9bd685a8dfd9fcd4e) C:\WINDOWS\system32\DRIVERS\AGRSM.sys 11:45:25.0062 5560 AgereSoftModem - ok 11:45:25.0156 5560 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys 11:45:25.0156 5560 agp440 - ok 11:45:25.0281 5560 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys 11:45:25.0281 5560 agpCPQ - ok 11:45:25.0343 5560 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys 11:45:25.0343 5560 Aha154x - ok 11:45:25.0453 5560 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys 11:45:25.0453 5560 aic78u2 - ok 11:45:25.0468 5560 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys 11:45:25.0468 5560 aic78xx - ok 11:45:25.0484 5560 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys 11:45:25.0484 5560 AliIde - ok 11:45:25.0515 5560 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys 11:45:25.0515 5560 alim1541 - ok 11:45:25.0546 5560 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys 11:45:25.0546 5560 amdagp - ok 11:45:25.0656 5560 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys 11:45:25.0671 5560 amsint - ok 11:45:25.0734 5560 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS 11:45:25.0750 5560 ANC - ok 11:45:25.0859 5560 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 11:45:25.0859 5560 Arp1394 - ok 11:45:25.0968 5560 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys 11:45:25.0984 5560 asc - ok 11:45:26.0031 5560 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys 11:45:26.0031 5560 asc3350p - ok 11:45:26.0109 5560 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys 11:45:26.0109 5560 asc3550 - ok 11:45:26.0250 5560 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 11:45:26.0250 5560 AsyncMac - ok 11:45:26.0328 5560 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 11:45:26.0328 5560 atapi - ok 11:45:26.0437 5560 Atdisk - ok 11:45:26.0562 5560 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 11:45:26.0562 5560 Atmarpc - ok 11:45:26.0718 5560 ATSWPDRV (f70d2392158cb68e775f8c4cd3d12fbb) C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys 11:45:26.0718 5560 ATSWPDRV - ok 11:45:26.0781 5560 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 11:45:26.0781 5560 audstub - ok 11:45:26.0937 5560 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys 11:45:26.0937 5560 b57w2k - ok 11:45:27.0000 5560 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 11:45:27.0000 5560 Beep - ok 11:45:27.0171 5560 btaudio (0f249be872f618aaba8d641e81aa3d21) C:\WINDOWS\system32\drivers\btaudio.sys 11:45:27.0171 5560 btaudio - ok 11:45:27.0281 5560 BTDriver (07f0a66cfa550b13ad0674ae09e3cba0) C:\WINDOWS\system32\DRIVERS\btport.sys 11:45:27.0281 5560 BTDriver - ok 11:45:27.0453 5560 BTKRNL (d84166d41a05f66d9084039427e5025b) C:\WINDOWS\system32\DRIVERS\btkrnl.sys 11:45:27.0468 5560 BTKRNL - ok 11:45:27.0671 5560 BTWDNDIS (b1d350f3f13cf340fce93912d2ba1ebf) C:\WINDOWS\system32\DRIVERS\btwdndis.sys 11:45:27.0671 5560 BTWDNDIS - ok 11:45:27.0718 5560 btwmodem (e206ec370646e42dc862fd995869d31d) C:\WINDOWS\system32\DRIVERS\btwmodem.sys 11:45:27.0718 5560 btwmodem - ok 11:45:27.0906 5560 BTWUSB (a01fd9851406de0870c23759e2f7b6ea) C:\WINDOWS\system32\Drivers\btwusb.sys 11:45:27.0906 5560 BTWUSB - ok 11:45:27.0921 5560 catchme - ok 11:45:28.0093 5560 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys 11:45:28.0093 5560 cbidf - ok 11:45:28.0234 5560 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 11:45:28.0250 5560 cbidf2k - ok 11:45:28.0312 5560 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys 11:45:28.0312 5560 CCDECODE - ok 11:45:28.0484 5560 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys 11:45:28.0484 5560 cd20xrnt - ok 11:45:28.0656 5560 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 11:45:28.0656 5560 Cdaudio - ok 11:45:28.0781 5560 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 11:45:28.0781 5560 Cdfs - ok 11:45:28.0890 5560 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys 11:45:28.0890 5560 Cdrom - ok 11:45:28.0953 5560 Changer - ok 11:45:29.0031 5560 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys 11:45:29.0031 5560 CmBatt - ok 11:45:29.0156 5560 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys 11:45:29.0156 5560 CmdIde - ok 11:45:29.0375 5560 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys 11:45:29.0375 5560 Compbatt - ok 11:45:29.0546 5560 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys 11:45:29.0546 5560 Cpqarray - ok 11:45:29.0734 5560 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys 11:45:29.0734 5560 dac2w2k - ok 11:45:29.0890 5560 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys 11:45:29.0890 5560 dac960nt - ok 11:45:29.0968 5560 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 11:45:29.0968 5560 Disk - ok 11:45:30.0203 5560 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 11:45:30.0218 5560 dmboot - ok 11:45:30.0437 5560 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 11:45:30.0437 5560 dmio - ok 11:45:30.0593 5560 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 11:45:30.0593 5560 dmload - ok 11:45:30.0796 5560 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 11:45:30.0812 5560 DMusic - ok 11:45:30.0968 5560 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys 11:45:30.0968 5560 dpti2o - ok 11:45:31.0171 5560 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 11:45:31.0171 5560 drmkaud - ok 11:45:31.0343 5560 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys 11:45:31.0343 5560 E100B - ok 11:45:31.0562 5560 ElbyCDFL (ce37e3d51912e59c80c6d84337c0b4cd) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys 11:45:31.0562 5560 ElbyCDFL - ok 11:45:31.0765 5560 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys 11:45:31.0765 5560 ElbyCDIO - ok 11:45:31.0984 5560 eusk2par (0c79689b4840ef8ec522598343f26849) C:\WINDOWS\system32\Drivers\eusk2par.sys 11:45:32.0000 5560 eusk2par - ok 11:45:32.0203 5560 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 11:45:32.0218 5560 Fastfat - ok 11:45:32.0421 5560 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 11:45:32.0421 5560 Fdc - ok 11:45:32.0609 5560 FINEPIX_PCC (c05d16c1ef3f5519764fefdf281ca4d2) C:\WINDOWS\system32\Drivers\V4CB0127.SYS 11:45:32.0609 5560 FINEPIX_PCC - ok 11:45:32.0687 5560 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 11:45:32.0703 5560 Fips - ok 11:45:32.0906 5560 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 11:45:32.0906 5560 Flpydisk - ok 11:45:33.0109 5560 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 11:45:33.0109 5560 FltMgr - ok 11:45:33.0281 5560 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 11:45:33.0281 5560 Fs_Rec - ok 11:45:33.0390 5560 FTDIBUS (8142d5d886829b9876cb93af59475c09) C:\WINDOWS\system32\drivers\ftdibus.sys 11:45:33.0390 5560 FTDIBUS - ok 11:45:33.0437 5560 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 11:45:33.0437 5560 Ftdisk - ok 11:45:33.0546 5560 FTSER2K (63d72a4cf9f163b59db0ceed940a7d76) C:\WINDOWS\system32\drivers\ftser2k.sys 11:45:33.0546 5560 FTSER2K - ok 11:45:33.0640 5560 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 11:45:33.0640 5560 Gpc - ok 11:45:33.0765 5560 hcmon (d0a5716e6095ec080f5a1a5892e9fdc6) C:\WINDOWS\system32\Drivers\hcmon.sys 11:45:33.0765 5560 hcmon - ok 11:45:33.0875 5560 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 11:45:33.0875 5560 HDAudBus - ok 11:45:34.0031 5560 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 11:45:34.0031 5560 HidUsb - ok 11:45:34.0203 5560 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys 11:45:34.0203 5560 hpn - ok 11:45:34.0421 5560 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 11:45:34.0421 5560 HTTP - ok 11:45:34.0625 5560 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys 11:45:34.0625 5560 i2omgmt - ok 11:45:34.0812 5560 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys 11:45:34.0812 5560 i2omp - ok 11:45:35.0156 5560 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 11:45:35.0156 5560 i8042prt - ok 11:45:35.0406 5560 ialm (c1c2d6940d6ec2f247b0f3c11e0a18e0) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 11:45:35.0531 5560 ialm - ok 11:45:35.0703 5560 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\DRIVERS\iaStor.sys 11:45:35.0703 5560 iaStor - ok 11:45:35.0765 5560 IBMTPCHK (3a7dbe81ec5edb96a0a61c7d4af3198d) C:\WINDOWS\system32\Drivers\IBMBLDID.sys 11:45:35.0781 5560 IBMTPCHK - ok 11:45:36.0000 5560 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 11:45:36.0000 5560 Imapi - ok 11:45:36.0046 5560 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys 11:45:36.0046 5560 ini910u - ok 11:45:36.0328 5560 IntcAzAudAddService (8f924588c272fdaa28cf31a9bbc21a72) C:\WINDOWS\system32\drivers\RtkHDAud.sys 11:45:36.0437 5560 IntcAzAudAddService - ok 11:45:36.0640 5560 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 11:45:36.0640 5560 IntelIde - ok 11:45:36.0828 5560 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 11:45:36.0828 5560 intelppm - ok 11:45:37.0031 5560 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 11:45:37.0031 5560 Ip6Fw - ok 11:45:37.0187 5560 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 11:45:37.0203 5560 IpFilterDriver - ok 11:45:37.0265 5560 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 11:45:37.0265 5560 IpInIp - ok 11:45:37.0468 5560 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 11:45:37.0468 5560 IpNat - ok 11:45:37.0671 5560 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 11:45:37.0671 5560 IPSec - ok 11:45:37.0812 5560 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 11:45:37.0812 5560 IRENUM - ok 11:45:37.0890 5560 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 11:45:37.0906 5560 isapnp - ok 11:45:37.0968 5560 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys 11:45:38.0000 5560 Iviaspi - ok 11:45:38.0171 5560 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 11:45:38.0171 5560 Kbdclass - ok 11:45:38.0203 5560 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 11:45:38.0203 5560 kmixer - ok 11:45:38.0281 5560 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 11:45:38.0281 5560 KSecDD - ok 11:45:38.0375 5560 Lavasoft Kernexplorer - ok 11:45:38.0437 5560 lbrtfdc - ok 11:45:38.0468 5560 MAUSBML - ok 11:45:38.0531 5560 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 11:45:38.0531 5560 mnmdd - ok 11:45:38.0640 5560 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 11:45:38.0640 5560 Modem - ok 11:45:38.0687 5560 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 11:45:38.0687 5560 Mouclass - ok 11:45:38.0796 5560 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 11:45:38.0796 5560 MountMgr - ok 11:45:38.0859 5560 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys 11:45:38.0859 5560 MpFilter - ok 11:45:38.0937 5560 MpKsl0a72a4ed - ok 11:45:38.0953 5560 MpKsl1132a2a8 - ok 11:45:39.0015 5560 MpKsl771f9dee (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4E3D1B4D-6DCA-4E7A-B176-9BEDCBDE55E7}\MpKsl771f9dee.sys 11:45:39.0015 5560 MpKsl771f9dee - ok 11:45:39.0125 5560 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys 11:45:39.0140 5560 mraid35x - ok 11:45:39.0203 5560 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS 11:45:39.0203 5560 MREMP50 - ok 11:45:39.0312 5560 MREMPR5 - ok 11:45:39.0328 5560 MRENDIS5 - ok 11:45:39.0406 5560 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS 11:45:39.0421 5560 MRESP50 - ok 11:45:39.0546 5560 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 11:45:39.0546 5560 MRxDAV - ok 11:45:39.0718 5560 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 11:45:39.0718 5560 MRxSmb - ok 11:45:39.0875 5560 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 11:45:39.0875 5560 Msfs - ok 11:45:39.0937 5560 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 11:45:39.0937 5560 MSKSSRV - ok 11:45:40.0062 5560 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 11:45:40.0062 5560 MSPCLOCK - ok 11:45:40.0140 5560 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 11:45:40.0140 5560 MSPQM - ok 11:45:40.0296 5560 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 11:45:40.0296 5560 mssmbios - ok 11:45:40.0359 5560 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys 11:45:40.0359 5560 MSTEE - ok 11:45:40.0484 5560 MTDVC2 (cd3c06f56104bac9268587bf1c25a84c) C:\WINDOWS\system32\DRIVERS\mtdv2ku2.sys 11:45:40.0484 5560 MTDVC2 - ok 11:45:40.0546 5560 MTDVC2_ENUM (a25b4cec85388f2e88567b4d629aa6e4) C:\WINDOWS\system32\DRIVERS\mtdv2ks2.sys 11:45:40.0546 5560 MTDVC2_ENUM - ok 11:45:40.0656 5560 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys 11:45:40.0656 5560 Mup - ok 11:45:40.0718 5560 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 11:45:40.0718 5560 NABTSFEC - ok 11:45:40.0843 5560 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 11:45:40.0843 5560 NDIS - ok 11:45:40.0906 5560 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 11:45:40.0906 5560 NdisIP - ok 11:45:41.0046 5560 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 11:45:41.0046 5560 NdisTapi - ok 11:45:41.0109 5560 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 11:45:41.0125 5560 Ndisuio - ok 11:45:41.0234 5560 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 11:45:41.0250 5560 NdisWan - ok 11:45:41.0312 5560 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 11:45:41.0312 5560 NDProxy - ok 11:45:41.0468 5560 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 11:45:41.0468 5560 NetBIOS - ok 11:45:41.0500 5560 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 11:45:41.0515 5560 NetBT - ok 11:45:41.0671 5560 NETw3x32 (f43da6b7e26fff9ac4d3210f2f9b5d8c) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys 11:45:41.0718 5560 NETw3x32 - ok 11:45:42.0015 5560 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 11:45:42.0015 5560 NIC1394 - ok 11:45:42.0062 5560 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 11:45:42.0062 5560 Npfs - ok 11:45:42.0187 5560 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 11:45:42.0203 5560 Ntfs - ok 11:45:42.0359 5560 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 11:45:42.0359 5560 Null - ok 11:45:42.0437 5560 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 11:45:42.0468 5560 nv - ok 11:45:42.0609 5560 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 11:45:42.0609 5560 NwlnkFlt - ok 11:45:42.0671 5560 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 11:45:42.0671 5560 NwlnkFwd - ok 11:45:42.0812 5560 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 11:45:42.0812 5560 ohci1394 - ok 11:45:42.0875 5560 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 11:45:42.0875 5560 Parport - ok 11:45:43.0015 5560 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 11:45:43.0015 5560 PartMgr - ok 11:45:43.0078 5560 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 11:45:43.0078 5560 ParVdm - ok 11:45:43.0171 5560 PbsAuDrv - ok 11:45:43.0234 5560 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys 11:45:43.0234 5560 pccsmcfd - ok 11:45:43.0437 5560 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 11:45:43.0437 5560 PCI - ok 11:45:43.0593 5560 PCIDump - ok 11:45:43.0656 5560 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 11:45:43.0656 5560 PCIIde - ok 11:45:43.0843 5560 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 11:45:43.0843 5560 Pcmcia - ok 11:45:43.0953 5560 pcouffin (02aaafb7ba137ce5ddabcdf8090954d9) C:\WINDOWS\system32\Drivers\pcouffin.sys 11:45:43.0953 5560 pcouffin - ok 11:45:44.0078 5560 PDCOMP - ok 11:45:44.0125 5560 PDFRAME - ok 11:45:44.0203 5560 PDRELI - ok 11:45:44.0281 5560 PDRFRAME - ok 11:45:44.0359 5560 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys 11:45:44.0359 5560 perc2 - ok 11:45:44.0515 5560 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys 11:45:44.0515 5560 perc2hib - ok 11:45:44.0609 5560 pmem (dedef40e1d05842639491365cb2c069e) C:\WINDOWS\System32\drivers\pmemnt.sys 11:45:44.0625 5560 pmem - ok 11:45:44.0796 5560 PMHler (c6114ccd63db3925a0450b1089ece503) C:\WINDOWS\system32\drivers\PMHler.sys 11:45:44.0796 5560 PMHler - ok 11:45:44.0890 5560 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 11:45:44.0906 5560 PptpMiniport - ok 11:45:45.0062 5560 PROCDD (c9ca089787aa4ca892f2173a8e15c1b0) C:\WINDOWS\system32\DRIVERS\PROCDD.SYS 11:45:45.0062 5560 PROCDD - ok 11:45:45.0265 5560 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys 11:45:45.0265 5560 Processor - ok 11:45:45.0437 5560 psadd (f8a25f1dd8b2c332cbc663e3579566e7) C:\WINDOWS\system32\DRIVERS\psadd.sys 11:45:45.0437 5560 psadd - ok 11:45:45.0500 5560 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 11:45:45.0500 5560 PSched - ok 11:45:45.0656 5560 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 11:45:45.0656 5560 Ptilink - ok 11:45:45.0718 5560 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys 11:45:45.0718 5560 PxHelp20 - ok 11:45:45.0890 5560 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys 11:45:45.0890 5560 ql1080 - ok 11:45:45.0953 5560 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys 11:45:45.0953 5560 Ql10wnt - ok 11:45:46.0125 5560 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys 11:45:46.0125 5560 ql12160 - ok 11:45:46.0187 5560 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys 11:45:46.0187 5560 ql1240 - ok 11:45:46.0359 5560 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys 11:45:46.0359 5560 ql1280 - ok 11:45:46.0687 5560 RapportCerberus_32301 (2fccc769cdba34c6ab6183aa4d2f7519) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_32301.sys 11:45:46.0703 5560 RapportCerberus_32301 - ok 11:45:46.0796 5560 RapportEI (5074fe56c70b31909c6b3129280c4cf2) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys 11:45:46.0796 5560 RapportEI - ok 11:45:46.0953 5560 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys 11:45:46.0953 5560 RapportIaso - ok 11:45:47.0156 5560 RapportKELL (d6c7c196ad59375e9dde68d70db6e7a1) C:\WINDOWS\system32\Drivers\RapportKELL.sys 11:45:47.0156 5560 RapportKELL - ok 11:45:47.0296 5560 RapportPG (1205f9ccc78d152a5cc509f5ee32800d) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 11:45:47.0296 5560 RapportPG - ok 11:45:47.0421 5560 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 11:45:47.0421 5560 RasAcd - ok 11:45:47.0453 5560 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 11:45:47.0453 5560 Rasl2tp - ok 11:45:47.0562 5560 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 11:45:47.0562 5560 RasPppoe - ok 11:45:47.0609 5560 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 11:45:47.0609 5560 Raspti - ok 11:45:47.0734 5560 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 11:45:47.0734 5560 Rdbss - ok 11:45:47.0765 5560 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 11:45:47.0781 5560 RDPCDD - ok 11:45:47.0906 5560 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 11:45:47.0906 5560 rdpdr - ok 11:45:47.0984 5560 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys 11:45:47.0984 5560 RDPWD - ok 11:45:48.0171 5560 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 11:45:48.0187 5560 redbook - ok 11:45:48.0390 5560 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 11:45:48.0390 5560 rimmptsk - ok 11:45:48.0593 5560 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 11:45:48.0593 5560 rimsptsk - ok 11:45:48.0796 5560 rismxdp (c663af77e2f4eabf8eb08b388d2f1f36) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 11:45:48.0796 5560 rismxdp - ok 11:45:48.0984 5560 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys 11:45:48.0984 5560 ROOTMODEM - ok 11:45:49.0062 5560 s24trans (decee0d67d032b57c1f5ef649a67a967) C:\WINDOWS\system32\DRIVERS\s24trans.sys 11:45:49.0109 5560 s24trans - ok 11:45:49.0296 5560 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys 11:45:49.0296 5560 sdbus - ok 11:45:49.0406 5560 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 11:45:49.0421 5560 Secdrv - ok 11:45:49.0500 5560 Ser2pl (de0a165d9f8ea295e62ea702ef2f8125) C:\WINDOWS\system32\DRIVERS\ser2pl.sys 11:45:49.0500 5560 Ser2pl - ok 11:45:49.0593 5560 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 11:45:49.0609 5560 serenum - ok 11:45:49.0703 5560 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 11:45:49.0703 5560 Serial - ok 11:45:49.0968 5560 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys 11:45:49.0968 5560 sffdisk - ok 11:45:50.0015 5560 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys 11:45:50.0015 5560 sffp_sd - ok 11:45:50.0171 5560 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 11:45:50.0187 5560 Sfloppy - ok 11:45:50.0343 5560 Simbad - ok 11:45:50.0406 5560 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys 11:45:50.0406 5560 sisagp - ok 11:45:50.0578 5560 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 11:45:50.0578 5560 SLIP - ok 11:45:51.0015 5560 SNP2UVC (537cd54295cdbcc4dcffe95e234387ae) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys 11:45:51.0250 5560 SNP2UVC - ok 11:45:51.0437 5560 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys 11:45:51.0437 5560 Sparrow - ok 11:45:51.0531 5560 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 11:45:51.0531 5560 splitter - ok 11:45:51.0703 5560 sptd (8ea0fd60a5b047e0c734d51aace531c9) C:\WINDOWS\System32\Drivers\sptd.sys 11:45:51.0703 5560 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: 8ea0fd60a5b047e0c734d51aace531c9 11:45:51.0703 5560 sptd ( LockedFile.Multi.Generic ) - warning 11:45:51.0703 5560 sptd - detected LockedFile.Multi.Generic (1) 11:45:51.0796 5560 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 11:45:51.0796 5560 sr - ok 11:45:51.0953 5560 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 11:45:51.0953 5560 Srv - ok 11:45:52.0078 5560 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys 11:45:52.0078 5560 StillCam - ok 11:45:52.0171 5560 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 11:45:52.0171 5560 streamip - ok 11:45:52.0265 5560 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 11:45:52.0281 5560 swenum - ok 11:45:52.0375 5560 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 11:45:52.0375 5560 swmidi - ok 11:45:52.0437 5560 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys 11:45:52.0437 5560 symc810 - ok 11:45:52.0562 5560 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys 11:45:52.0562 5560 symc8xx - ok 11:45:52.0640 5560 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys 11:45:52.0640 5560 sym_hi - ok 11:45:52.0765 5560 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys 11:45:52.0765 5560 sym_u3 - ok 11:45:52.0875 5560 SynTP (ae4052fc36bd4c390cee45a38ec1199a) C:\WINDOWS\system32\DRIVERS\SynTP.sys 11:45:52.0875 5560 SynTP - ok 11:45:53.0078 5560 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 11:45:53.0078 5560 sysaudio - ok 11:45:53.0312 5560 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 11:45:53.0312 5560 Tcpip - ok 11:45:53.0500 5560 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 11:45:53.0500 5560 TDPIPE - ok 11:45:53.0687 5560 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 11:45:53.0687 5560 TDTCP - ok 11:45:53.0875 5560 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 11:45:53.0875 5560 TermDD - ok 11:45:53.0921 5560 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys 11:45:53.0921 5560 TosIde - ok 11:45:54.0109 5560 TotRec7 (9f5eeba83c88eb747b831b6eeadc2442) C:\WINDOWS\system32\drivers\TotRec7.sys 11:45:54.0125 5560 TotRec7 - ok 11:45:54.0328 5560 TSMAPIP (f10f36e20448a5500a5f83f67ee4aad4) C:\WINDOWS\system32\drivers\TSMAPIP.SYS 11:45:54.0343 5560 TSMAPIP - ok 11:45:54.0421 5560 tvtfilter (49258a02a1e8d304ed88b0f1c56b1738) C:\WINDOWS\system32\DRIVERS\tvtfilter.sys 11:45:54.0421 5560 tvtfilter - ok 11:45:54.0640 5560 TVTI2C (8ab24d4b7da715c2c80455137910e792) C:\WINDOWS\system32\DRIVERS\Tvti2c.sys 11:45:54.0640 5560 TVTI2C - ok 11:45:54.0843 5560 TVTPktFilter (0727cce3ff1a4446f4a1d507361567ab) C:\WINDOWS\system32\DRIVERS\tvtpktfilter.sys 11:45:54.0843 5560 TVTPktFilter - ok 11:45:54.0906 5560 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 11:45:54.0906 5560 Udfs - ok 11:45:55.0078 5560 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys 11:45:55.0078 5560 ultra - ok 11:45:55.0187 5560 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 11:45:55.0187 5560 Update - ok 11:45:55.0406 5560 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys 11:45:55.0406 5560 usbaudio - ok 11:45:55.0578 5560 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 11:45:55.0593 5560 usbccgp - ok 11:45:55.0781 5560 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 11:45:55.0781 5560 usbehci - ok 11:45:55.0875 5560 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 11:45:55.0875 5560 usbhub - ok 11:45:56.0031 5560 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 11:45:56.0031 5560 usbscan - ok 11:45:56.0093 5560 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys 11:45:56.0093 5560 usbser - ok 11:45:56.0265 5560 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 11:45:56.0265 5560 USBSTOR - ok 11:45:56.0453 5560 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 11:45:56.0453 5560 usbuhci - ok 11:45:56.0656 5560 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys 11:45:56.0656 5560 usbvideo - ok 11:45:56.0859 5560 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys 11:45:56.0859 5560 usb_rndisx - ok 11:45:56.0968 5560 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 11:45:56.0968 5560 VgaSave - ok 11:45:57.0078 5560 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys 11:45:57.0093 5560 viaagp - ok 11:45:57.0234 5560 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 11:45:57.0234 5560 ViaIde - ok 11:45:57.0390 5560 vmkbd (805fc839929789151a95b3e7655a2012) C:\WINDOWS\system32\drivers\VMkbd.sys 11:45:57.0390 5560 vmkbd - ok 11:45:57.0593 5560 VMnetAdapter (f68c99f41c3cf6e1c3c542fadd2e20cf) C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys 11:45:57.0593 5560 VMnetAdapter - ok 11:45:58.0000 5560 VMnetBridge (121fbda3a14f0744a8c213d3e9f14d63) C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys 11:45:58.0000 5560 VMnetBridge - ok 11:45:58.0078 5560 VMnetuserif (7c4cb8d53945d7d94514259d4b42483e) C:\WINDOWS\system32\drivers\vmnetuserif.sys 11:45:58.0078 5560 VMnetuserif - ok 11:45:58.0281 5560 vmx86 (3c273f0f027cdff4a5799520bd40b22c) C:\WINDOWS\system32\Drivers\vmx86.sys 11:45:58.0296 5560 vmx86 - ok 11:45:58.0500 5560 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 11:45:58.0500 5560 VolSnap - ok 11:45:58.0609 5560 vstor2 (9e4ff401725fe6a26d8fe492bf0ea2b1) C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys 11:45:58.0609 5560 vstor2 - ok 11:45:58.0656 5560 vstor2-ws60 (256318cdef640ad2062754871bc96bfc) C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys 11:45:58.0671 5560 vstor2-ws60 - ok 11:45:58.0781 5560 vvftav - ok 11:45:58.0937 5560 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 11:45:58.0937 5560 Wanarp - ok 11:45:59.0125 5560 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys 11:45:59.0125 5560 wceusbsh - ok 11:45:59.0281 5560 WDICA - ok 11:45:59.0437 5560 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 11:45:59.0437 5560 wdmaud - ok 11:45:59.0531 5560 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 11:45:59.0531 5560 WmiAcpi - ok 11:45:59.0593 5560 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 11:45:59.0593 5560 WSTCODEC - ok 11:45:59.0656 5560 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 11:45:59.0656 5560 WudfPf - ok 11:45:59.0796 5560 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 11:45:59.0796 5560 WudfRd - ok 11:45:59.0875 5560 ZSMC0305 - ok 11:45:59.0921 5560 MBR (0x1B8) (2ab40fd3bc9212826f45ca4f99d15f4d) \Device\Harddisk0\DR0 11:45:59.0921 5560 \Device\Harddisk0\DR0 - ok 11:45:59.0937 5560 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR4 11:45:59.0953 5560 \Device\Harddisk1\DR4 - ok 11:45:59.0953 5560 Boot (0x1200) (cd07d4a45b6ff05dc018c13c35a4050d) \Device\Harddisk0\DR0\Partition0 11:45:59.0953 5560 \Device\Harddisk0\DR0\Partition0 - ok 11:45:59.0984 5560 Boot (0x1200) (5a8916ec16e60710f40bccbfa8f1d9eb) \Device\Harddisk0\DR0\Partition1 11:45:59.0984 5560 \Device\Harddisk0\DR0\Partition1 - ok 11:45:59.0984 5560 Boot (0x1200) (4f3c7dd2250b22bc7f96a9f6ff2c7f2c) \Device\Harddisk1\DR4\Partition0 11:45:59.0984 5560 \Device\Harddisk1\DR4\Partition0 - ok 11:45:59.0984 5560 ============================================================ 11:45:59.0984 5560 Scan finished 11:45:59.0984 5560 ============================================================ 11:46:00.0000 2880 Detected object count: 1 11:46:00.0000 2880 Actual detected object count: 1 11:46:37.0953 2880 HKLM\SYSTEM\ControlSet001\services\sptd - will be deleted on reboot 11:46:37.0953 2880 HKLM\SYSTEM\ControlSet002\services\sptd - will be deleted on reboot 11:46:37.0953 2880 C:\WINDOWS\System32\Drivers\sptd.sys - will be deleted on reboot 11:46:37.0953 2880 sptd ( LockedFile.Multi.Generic ) - User select action: Delete 11:47:37.0265 2744 Deinitialize success Quote
Starbuck Posted November 14, 2011 Posted November 14, 2011 Hi pilotbob How's the system running? Any problems at all? Quote Member of:UNITE
pilotbob Posted November 14, 2011 Author Posted November 14, 2011 Hi, Everything seems to be fine, I've not noticed any unusual activity. Do you think it's likely to be "clean" now?. Whilst I think about it, although I don't understand the info in all the scan reports produced so far it's evident that there is a lot of "garbage" left over from old uninstalled programs. I can delve into the file system and delete unnecessary foldes and files but is there a reliable registry cleaner you could recommend? I've not had a great deal of success with these in the past. Regards, and thanks again for sticking with me. Bob. Quote
Starbuck Posted November 14, 2011 Posted November 14, 2011 Hi Bob, Everything seems to be fine, I've not noticed any unusual activity. Do you think it's likely to be "clean" now?. Like i said at the beginning... we can in no way guarantee it to be trustworthy again. But we've removed everything that we can see. We may have removed everything and the system may be ok, but with 'rootkits' you can never tell. Even if there was anything still hiding, the programs we use would have severely crippled it. it's evident that there is a lot of "garbage" left over from old uninstalled programs. Anything in particular? but is there a reliable registry cleaner you could recommend? I've not had a great deal of success with these in the past. No, there isn't. We just don't recommend any of them. It's just too dangerous to leave the registry at the mercy of a piece of software. The best registry cleaner is a bit of common sense, a bit of knowledge and OTL. :o Let me know what you require removed, i'll check it out and then write a fix for you if you want. thanks again for sticking with me. It's no problem at all, glad i can help. Once we've removed anything else you want removing, we can finish off the cleaning process. Quote Member of:UNITE
pilotbob Posted November 14, 2011 Author Posted November 14, 2011 The best registry cleaner is a bit of common sense, a bit of knowledge and OTL. :o Let me know what you require removed, i'll check it out and then write a fix for you if you want. Ah, that's what I thought and as I since my understanding of how the registry works is nill I think I'll leave well alone. I recall seeing references to some files from AVG, Nokia PC suite and one or two others which I no longer use so thought it would be good to get rid of them. Not overly concerned though. Probably best to go ahead with whatever the final process is and I'll see how things go for a few weeks before I trust it all. Bob. Quote
Starbuck Posted November 14, 2011 Posted November 14, 2011 Hi Bob, Don't worry about AVG, combofix took care of one entry and i removed a few more with the OTL fix: - - - - ORPHANS REMOVED - - - - . WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file) Notify-ACNotify - ACNotify.dll MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe C:\Documents and Settings\All Users\Application Data\AVG2012\Dumps folder moved successfully. C:\Documents and Settings\All Users\Application Data\AVG2012 folder moved successfully. Folder C:\Documents and Settings\All Users\Application Data\AVG2012\ not found. C:\Documents and Settings\All Users\Application Data\avg9\update\prepare\temp folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\update\prepare folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\update\backup folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\update folder moved successfully. C:\Documents and Settings\All Users\Application Data\avg9\Temp folder moved successfully. moved, means removed. The rest really aren't that important and won't cause any problems. Step 1 Restart MBAM. Click on the Quarantine tab If there are items in quarantine..... Make sure everything is selected and then click Delete All. Close MBAM. Step 2 Please uninstall ComboFix by Clicking on Start ...then run ... and type in combofix /uninstall (don't forget there's is a gap between x and /) Then press Ok http://img.photobucket.com/albums/v708/starbuck50/new/cfu.png This action will uninstall Combofix and also perform a few cleanup measures Step 3 Please double-click OTL to run it. You should see a CleanUp! button, press that button, http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png This will cleanup an assortment of tools used during malware removal, plus itself Note: MBAM will not be removed Step 3 Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is: Go to Start > Programs > Accessories > System Tools and click "System Restore". Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Then go to Start > Run and type: Cleanmgr Click "OK". Select the drive for cleaning then click OK (usually 'C' drive) Click the "More Options" Tab. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. To find out how you may have been infected....read this topic: How did i get infected? Not all of the following information will be applicable to you, but it's still best to read it all. Now that you are clean, please follow these simple steps in order to keep your computer clean and secure: Use an AntiVirus Software Avira AntiVir ... see note* ....installation guide Here Avast free MS Security Essentials ... see note** ...installation guide Here Note*: Avira now includes the Ask.com Toolbar unless you choose not to install it. This means it is pre-checked by default and it is recommended that you uncheck that option during installation. Note**: Upon installation MS Security Essentials will check that your OS is a legal copy. Only install one AntiVirus program [*]Update your AntiVirus Software regularly [*]Use a 3rd party Firewall Online Armor Free ZoneAlarm ...Important note below NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option. Only install one software Firewall Some 3rd party Firewalls will turn off the windows firewall when they are installed. It's always best to check that the Windows Firewall is turned off: How to turn off Windows Firewall: Start ... Control Panel ...click on 'Classic View'. now select Windows Firewall. When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok [*]Scan regularly with a 'Stand Alone' Anti-Malware scanner: Installing another scanner that you can run once or twice a week is always beneficial. Something like: Malwarebytes Anti-Malware SUPERAntiSypware Remember to update these programs each time before running. You can install more than one of these if you only run them as stand alone programs. [*] Use an alternative browser: Some excellent alternatives to MS Internet Explorer are: Firefox For added security, add the NoScript extension to this browser: Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks also consider adding: WOT - Safe Browsing Tool Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web. Btw: you don't have to make a contribution. Opera They offer better security, more stability, and better speed. [*]Keep a backup of your registry Keeping a regular backup of your registry will help when something goes wrong. Use a program like: Erunt A full tutorial on how to set up and use Erunt can be found here: Erunt tutorial [*]Keep your system clean of temp files etc, using a 'Cleaner': Cleaners are programs that will help to clean out your: Windows temp files Current user temp files Cookies Temporary Internet flies Browser history Recycle bin Etc....... In other words.... all the rubbish that you accumalate over the course of your browsing and day to day usage of your pc. Programs like: TFC by OldTimer ATF Cleaner [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. [*]Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using and installing SpywareBlaster [*]Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Glad I was able to help. Safe surfing. http://fc08.deviantart.net/fs71/f/2010/033/b/3/Computer_addict__by_Sinister_Starfeesh.gif Quote Member of:UNITE
pilotbob Posted November 14, 2011 Author Posted November 14, 2011 Thanks again for an excellent service, I appreciate your help enormously and have no hesitation in recommending you. Hope you don't mind the extra workload ;-) All the best, Oh, and should I mark this thread "Solved" or will you? Bob. Quote
Starbuck Posted November 14, 2011 Posted November 14, 2011 I appreciate your help enormously and have no hesitation in recommending you. Thank you Bob, that's appreciated. Hope you don't mind the extra workload No we don't mind at all. ( gives us something to do while the wives watch tv ) Oh, and should I mark this thread "Solved" or will you? All sorted and marked. Quote Member of:UNITE
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.