JCE Posted June 19, 2012 Posted June 19, 2012 Hello all. I wonder if anyone could help me please.......all the files/folders in "My Documents" have disappeared (PDF's are still there). Also, anything new that I save to "My Documents" is not appearing there either. I've done the "show hidden folders" thing, system restore etc.. Also downloaded numerous "recover deleted files" programmes and they haven't found them. Nor does "search" find them. Now, I seem to have a programme called "Diskinternals Uneraser" installed on my computer though not sure where that came from! It shows on the menu when I right click on "My Documents". Thought I'd run that and see what happened. It found all the stuff that used to be in "My Documents", but of course, when I went to "recover" the stuff it takes me to a payment page. I presume that "Diskinternals Uneraser" is some sort of scam that has found its way onto my computer? Anyway, all the files and folders are obviously still on my computer somewhere, but where I know not. I have found a few in "My recent documents" but there are still many missing. Could anybody shed any light on this please? Quote
KenB Posted June 19, 2012 Posted June 19, 2012 Hi and welcome to ExTS Download MBAM from here: ( click on Products - you want the free version ) http://www.malwarebytes.org/products/malwarebytes_pro You may get redirected to a mirror site - this is OK. Run it and on completion it will produce a log. Copy this and post it with your next reply. If you cannot run MBAM in normal mode try running it in Safe Mode. Switch on and constantly tap F8 about once per second. Select S-M from the list. Starbuck or Etavares will pick this one up. Quote There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !! MiniToolBoxNetwork TestWireless Test
JCE Posted June 19, 2012 Author Posted June 19, 2012 Hi Ken....and thanks for your help. I have done what you advised and Malwarebytes produced the following log: Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 John :: D7B74Y1J [administrator] Protection: Enabled 19/06/2012 17:33:46 mbam-log-2012-06-19 (18-04-57).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 244035 Time elapsed: 20 minute(s), 10 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 4 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343CE214-9998-4B21-A151-FFE970167297} (Rogue.Installer) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DECEAAA2-370A-49BB-9362-68C3A58DDC62} (Adware.180Solutions) -> No action taken. Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 1 HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. Folders Detected: 2 C:\Program Files\MyWaySA (PUP.MyWebSearch) -> No action taken. C:\Program Files\MyWaySA\SrchAsDe (PUP.MyWebSearch) -> No action taken. Files Detected: 2 C:\Documents and Settings\John\Desktop\freeopener.exe (PUP.BundleOffers.IIQ) -> No action taken. C:\Documents and Settings\John\Desktop\freeopener_715.exe (PUP.BundleOffers.IIQ) -> No action taken. (end) Looks to be a few nasty things in there! Please note, I have also now uninstalled the strange "Diskinternals Uneraser" but the problem with "My Documents" still persists. I'm very grateful for any advice. Thanks again. Quote
KenB Posted June 19, 2012 Posted June 19, 2012 One of our Security Experts should pick this up soon - please be patient :) Quote There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !! MiniToolBoxNetwork TestWireless Test
Starbuck Posted June 19, 2012 Posted June 19, 2012 Hi JCE After i've posted my reply i'll move this thread to the malware removal forum so we can do some extra work. Your present link will take you to the moved thread, so reply as normal. Step 1 To make your files visible again: Download UnHide Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run. The program will give details on each step that it is performing. When Unhide completes its run, it will produce a log file on the Desktop called Unhide.txt. Please post this report in your next reply. Step 2 The added custom scans are quite important, so please don't forget to add them. Download OTL to your desktop. right click on the link and select 'Save Link/Target As'. if you have problems, try this download link: OTL Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. When the window appears, underneath Output at the top change it to Minimal Output. Check the boxes beside LOP Check and Purity Check. . http://img.photobucket.com/albums/v708/starbuck50/new/Otllatest.png Now copy the lines in bold below. netsvcs msconfig %SYSTEMDRIVE%\*.* %systemroot%\system32\Spool\prtprocs\w32x86\*.dll %systemroot%\*. /mp /s %systemroot%\system32\*.dll /lockedfiles %systemroot%\Tasks\*.job /lockedfiles %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\system32\*.exe /lockedfiles %systemroot%\System32\config\*.sav %PROGRAMFILES%\* %USERPROFILE%\..|smtmp;true;true;true /FP HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU hklm\software\clients\startmenuinternet|command /rs hklm\software\clients\startmenuinternet|command /64 /rs CREATERESTOREPOINT right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste. http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png . Click the Run Scan button. http://img.photobucket.com/albums/v708/starbuck50/runscan.png Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. In your next reply, please submit: UnHide.txt and both reports from OTL. Thanks Quote Member of:UNITE
JCE Posted June 20, 2012 Author Posted June 20, 2012 Hi Starbuck, Many thanks for your help on this. I have now done all the scans and here is the information you requested: Unhide.txt: Unhide by Lawrence Abrams (Grinler) http://www.bleepingcomputer.com/ Copyright 2008-2012 BleepingComputer.com More Information about Unhide.exe can be found at this link: http://www.bleepingcomputer.com/forums/topic405109.html Program started at: 06/20/2012 01:26:42 PM Windows Version: Windows XP Please be patient while your files are made visible again. Processing the C:\ drive Finished processing the C:\ drive. 98453 files processed. The C:\DOCUME~1\John\LOCALS~1\Temp\smtmp\ folder does not exist!! Unhide cannot restore your missing shortcuts!! Please see this topic in order to learn how to restore default Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html Searching for Windows Registry changes made by FakeHDD rogues. - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced No registry changes detected. Restarting Explorer.exe in order to apply changes. Program finished at: 06/20/2012 01:34:43 PM Execution time: 0 hours(s), 8 minute(s), and 1 seconds(s) OTL.txt: OTL logfile created on: 20/06/2012 13:48:14 - Run 1 OTL by OldTimer - Version 3.2.50.0 Folder = C:\Documents and Settings\John\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1022.07 Mb Total Physical Memory | 603.10 Mb Available Physical Memory | 59.01% Memory free 2.40 Gb Paging File | 2.01 Gb Available in Paging File | 83.48% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 145.95 Gb Total Space | 104.32 Gb Free Space | 71.48% Space Free | Partition Type: NTFS Computer Name: D7B74Y1J | User Name: John | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\John\Desktop\OTL.scr (OldTimer Tools) PRC - C:\Program Files\YourFileDownloader\YourFileUpdater.exe (http://yourfiledownloader.com) PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.) PRC - C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.) PRC - C:\WINDOWS\system32\FsUsbExService.Exe (Teruten) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) PRC - C:\Program Files\Lexmark 1200 Series\lxczbmon.exe (Lexmark International, Inc.) PRC - C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.) PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) PRC - C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation) ========== Modules (No Company Name) ========== MOD - C:\Program Files\Lexmark 1200 Series\ConvDIB.dll () MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\LXCZPP5C.DLL () ========== Win32 Services (SafeList) ========== SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe (AVG Technologies CZ, s.r.o.) SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) SRV - (FsUsbExService) -- C:\WINDOWS\system32\FsUsbExService.Exe (Teruten) SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe () ========== Driver Services (SafeList) ========== DRV - (WDICA) -- File not found DRV - (wanatw) WAN Miniport (ATW) -- system32\DRIVERS\wanatw4.sys File not found DRV - (PDRFRAME) -- File not found DRV - (PDRELI) -- File not found DRV - (PDFRAME) -- File not found DRV - (PDCOMP) -- File not found DRV - (PCIDump) -- File not found DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found DRV - (lbrtfdc) -- File not found DRV - (Changer) -- File not found DRV - (AVGIDSHX) -- C:\WINDOWS\system32\drivers\avgidshx.sys (AVG Technologies CZ, s.r.o. ) DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation) DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.) DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\avgidsshimx.sys (AVG Technologies CZ, s.r.o. ) DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\avgidsfilterx.sys (AVG Technologies CZ, s.r.o. ) DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys (AVG Technologies CZ, s.r.o. ) DRV - (FsUsbExDisk) -- C:\WINDOWS\system32\FsUsbExDisk.Sys () DRV - (ss_bmdm) -- C:\WINDOWS\system32\drivers\ss_bmdm.sys (MCCI Corporation) DRV - (ss_bbus) SAMSUNG USB Mobile Device (WDM) -- C:\WINDOWS\system32\drivers\ss_bbus.sys (MCCI) DRV - (ss_bmdfl) SAMSUNG USB Mobile Modem (Filter) -- C:\WINDOWS\system32\drivers\ss_bmdfl.sys (MCCI Corporation) DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.) DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.) DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.) DRV - (STHDA) High Definition Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/cs/*http://uk.docs.yahoo.com/info/bt_side.html IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found IE - HKCU\..\SearchScopes,DefaultScope = {3E39BC95-F5DF-4D87-8429-CC077D50EC71} IE - HKCU\..\SearchScopes\{3E39BC95-F5DF-4D87-8429-CC077D50EC71}: "URL" = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta= IE - HKCU\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = http://search.ibryte.com/i/playbryte/search/redirect/?type=default-ie&user_id=bc5fd840-cfed-49ac-9a95-d064978ac4e7&query={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.660: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.660: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.660: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll () FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/07/28 00:06:04 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/06/15 17:54:02 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/06/15 17:53:23 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock\Extensions\\Plugins: C:\Program Files\Flock\flock\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock\Extensions\\Components: C:\Program Files\Flock\flock\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Components: C:\Program Files\Flock\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Plugins: C:\Program Files\Flock\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/31 18:27:58 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/12 15:57:45 | 000,000,000 | ---D | M] [2011/06/12 15:57:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions [2009/07/16 18:29:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b} [2012/06/19 11:17:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\9ygpjs4z.default\extensions [2012/06/15 17:38:33 | 000,000,000 | ---D | M] (Yontoo) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\9ygpjs4z.default\extensions\plugin@yontoo.com [2012/05/31 18:27:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2012/04/21 02:18:00 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2006/06/22 14:44:58 | 002,078,344 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll [2012/04/21 03:09:17 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml [2012/04/21 03:09:17 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012/04/21 03:09:17 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml [2012/04/21 03:09:17 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml [2012/04/21 03:09:17 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml [2012/04/21 03:09:18 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (NetAssistantBHO Class) - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll (Yontoo LLC) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found. O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found O4 - HKLM..\Run: [Lexmark 1200 Series] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u File not found O4 - HKCU..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.) O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKCU..\Run: [eyeBeam SIP Client] File not found O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 () O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_26.dll (Sun Microsystems, Inc.) O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.) O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found O16 - DPF: {0A89E06C-0BE4-4D92-80FD-9F1009A4F3E1} http://www.the-saleroom.com/LiveAuctions/ActiveX/SaleRoomBidder.cab (Sale Room Bidder) O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool) O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab (Windows Live Safety Center Base Module) O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} http://cid-c089f59c7b1c157f.spaces.live.com/PhotoUpload/MsnPUpld.cab (Windows Live Photo Upload Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2A44CE98-3D02-4811-A005-DC2770058E21}: DhcpNameServer = 192.168.1.254 192.168.1.254 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) NetSvcs: 6to4 - File not found NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found NetSvcs: Ias - File not found NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2012/06/20 13:46:10 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.scr [2012/06/20 12:57:04 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\John\Desktop\unhide.exe [2012/06/19 17:31:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\Malwarebytes [2012/06/19 17:31:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/06/19 17:31:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2012/06/19 17:31:32 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2012/06/19 17:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012/06/19 13:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Desktop\MY DOCS [2012/06/15 18:28:49 | 000,000,000 | ---D | C] -- C:\Program Files\YourFileDownloader [2012/06/15 18:28:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\YourFileDownloader [2012/06/15 17:55:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\AVG2012 [2012/06/15 17:54:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG [2012/06/15 17:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012 [2012/06/15 17:38:33 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo Layers Runtime [2012/06/15 17:21:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Desktop\CSA [2012/06/15 15:38:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\OfficeRecovery [2012/06/15 15:38:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Local Settings\Application Data\Apps [2012/06/14 16:18:58 | 000,000,000 | ---D | C] -- C:\Program Files\ParetoLogic [2012/06/14 14:40:32 | 000,521,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll [2012/05/31 18:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service [2012/05/31 18:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla [2012/05/22 18:00:37 | 000,000,000 | ---D | C] -- C:\ad303a4e208a87a99824891da506 [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012/06/20 13:47:19 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/20 13:47:18 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/20 13:46:12 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.scr [2012/06/20 13:43:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2012/06/20 13:43:45 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2012/06/20 13:43:43 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\Your File Updater.job [2012/06/20 13:43:43 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1011.job [2012/06/20 13:43:43 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1010.job [2012/06/20 13:40:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2012/06/20 12:57:05 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\John\Desktop\unhide.exe [2012/06/20 12:40:11 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2012/06/20 12:22:50 | 100,582,230 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm [2012/06/19 18:04:48 | 000,000,440 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job [2012/06/19 17:31:35 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/06/19 16:40:58 | 000,054,156 | ---- | M] () -- C:\WINDOWS\QTFont.qfn [2012/06/19 13:44:24 | 000,029,530 | ---- | M] () -- C:\Documents and Settings\John\Application Data\wklnhst.dat [2012/06/19 13:12:16 | 000,000,338 | ---- | M] () -- C:\Documents and Settings\John\Desktop\Shortcut to My Documents.lnk [2012/06/19 12:37:51 | 000,059,392 | ---- | M] () -- C:\Documents and Settings\John\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012/06/19 10:13:27 | 000,241,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2012/06/15 19:29:56 | 000,473,392 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2012/06/15 19:29:56 | 000,084,786 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2012/06/15 19:22:24 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2012/06/15 18:28:58 | 000,001,638 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\YourFile Downloader.lnk [2012/06/15 18:11:02 | 000,034,764 | ---- | M] () -- C:\Documents and Settings\John\Local Settings\Application Data\dt.dat [2012/06/15 17:54:03 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk [2012/06/15 17:12:57 | 000,000,224 | ---- | M] () -- C:\WINDOWS\System32\9B13A86D.plf [2012/06/14 17:08:19 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for [2012/06/14 16:19:03 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job [2012/06/11 14:20:00 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1875872634-156128194-2879020886-1011.job [2012/06/07 18:07:16 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\Desktop\TR1.pdf [2012/06/07 18:07:06 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;07;06PM.PDF [2012/06/07 18:06:33 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\Desktop\TR2.pdf [2012/06/07 18:06:15 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;06;15PM.PDF [2012/06/07 17:48:08 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;48;08PM.PDF [2012/06/07 17:47:01 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;47;00PM.PDF [2012/06/07 17:45:30 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;45;30PM.PDF [2012/05/31 18:28:01 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2012/05/31 17:38:20 | 000,005,560 | ---- | M] () -- C:\Documents and Settings\John\Desktop\MAY12.rtf [2012/05/31 14:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll [2012/05/31 14:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\crypt32(2)(2).dll [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2012/06/19 17:31:35 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/06/19 13:11:01 | 000,000,338 | ---- | C] () -- C:\Documents and Settings\John\Desktop\Shortcut to My Documents.lnk [2012/06/15 18:28:58 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\YourFile Downloader.lnk [2012/06/15 18:28:50 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\Your File Updater.job [2012/06/15 18:11:02 | 000,034,764 | ---- | C] () -- C:\Documents and Settings\John\Local Settings\Application Data\dt.dat [2012/06/15 17:54:03 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk [2012/06/14 17:08:19 | 000,054,156 | ---- | C] () -- C:\WINDOWS\QTFont.qfn [2012/06/14 17:08:19 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for [2012/06/14 16:19:02 | 000,000,414 | ---- | C] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job [2012/06/12 14:09:01 | 000,000,276 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/07 18:07:16 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\Desktop\TR1.pdf [2012/06/07 18:07:06 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;07;06PM.PDF [2012/06/07 18:06:33 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\Desktop\TR2.pdf [2012/06/07 18:06:15 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;06;15PM.PDF [2012/06/07 17:48:08 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;48;08PM.PDF [2012/06/07 17:47:00 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;47;00PM.PDF [2012/06/07 17:45:30 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;45;30PM.PDF [2012/05/31 18:28:01 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2012/05/30 18:49:14 | 000,005,560 | ---- | C] () -- C:\Documents and Settings\John\Desktop\MAY12.rtf [2012/03/26 14:35:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2010/11/15 13:58:24 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll [2010/11/15 13:58:24 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys [2010/11/15 13:58:09 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\John\Application Data\$_hpcst$.hpc ========== LOP Check ========== [2012/04/12 11:22:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10 [2012/06/15 18:07:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012 [2011/02/22 19:45:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9 [2011/02/22 19:50:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cached Installations [2010/12/09 14:05:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files [2008/05/21 12:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eBay [2009/04/23 13:14:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft [2012/06/20 12:22:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData [2011/02/22 15:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic [2010/11/15 13:58:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung [2008/11/09 18:12:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft [2012/06/15 17:38:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer [2012/06/15 16:47:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2005/11/14 20:59:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2011/02/22 19:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\AVG [2011/02/22 19:45:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\AVG10 [2012/06/15 17:55:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\AVG2012 [2011/03/16 15:42:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Dekart [2011/02/22 19:48:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Flock [2010/10/28 16:35:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\GetRightToGo [2009/04/30 22:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Grisoft [2011/07/28 01:24:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\InfraRecorder [2005/12/06 19:26:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Leadertech [2010/11/15 14:49:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\ML [2011/06/16 16:40:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Nikon [2011/06/12 15:58:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Notepad++ [2012/06/15 15:38:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\OfficeRecovery [2010/11/15 13:57:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Samsung [2006/01/16 20:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Template [2008/07/02 13:34:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\Viewpoint [2012/06/15 18:28:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\YourFileDownloader [2012/06/19 18:04:48 | 000,000,440 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration.job [2012/06/14 16:19:03 | 000,000,414 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Update Version2.job [2012/06/20 13:43:43 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\Your File Updater.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT [2005/11/17 12:50:38 | 000,000,211 | RHS- | M] () -- C:\boot.ini [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS [2005/11/14 20:40:26 | 000,004,604 | R--- | M] () -- C:\dell.sdr [2012/06/15 16:51:35 | 000,000,000 | ---- | M] () -- C:\FileRecovery.log [2011/03/22 17:42:30 | 000,361,044 | ---- | M] () -- C:\Firefox Keylogger.rar [2011/03/25 00:58:01 | 005,367,914 | ---- | M] () -- C:\firefoxscript.rar [2007/11/07 20:04:48 | 000,000,489 | ---- | M] () -- C:\ICSYSINF.log [2005/11/17 18:33:30 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1 [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\IO.SYS [2005/11/14 20:59:12 | 000,000,897 | ---- | M] () -- C:\IPH.PH [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\MSDOS.SYS [2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM [2008/11/09 17:29:17 | 000,250,048 | RHS- | M] () -- C:\ntldr [2012/06/20 13:39:56 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys [2005/10/31 16:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe < %systemroot%\system32\Spool\prtprocs\w32x86\*.dll > [2008/07/06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll [2006/01/19 05:33:38 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\LXCZPP5C.DLL < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > [2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\system32\drivers\*.sys /lockedfiles > < %systemroot%\system32\*.exe /lockedfiles > [2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] < %systemroot%\System32\config\*.sav > [2004/08/10 13:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav [2004/08/10 13:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav [2004/08/10 13:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav < %PROGRAMFILES%\* > < %USERPROFILE%\..|smtmp;true;true;true /FP > < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\AU > < hklm\software\clients\startmenuinternet|command /rs > HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/04/21 03:09:58 | 000,866,992 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/04/21 03:09:58 | 000,866,992 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/04/21 03:09:58 | 000,866,992 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/04/21 02:16:21 | 000,924,600 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/04/21 02:16:21 | 000,924,600 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/04/21 02:16:21 | 000,924,600 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) < hklm\software\clients\startmenuinternet|command /64 /rs > HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/04/21 03:09:58 | 000,866,992 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/04/21 03:09:58 | 000,866,992 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/04/21 03:09:58 | 000,866,992 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/04/21 02:16:21 | 000,924,600 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/04/21 02:16:21 | 000,924,600 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/04/21 02:16:21 | 000,924,600 | ---- | M] (Mozilla Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/05/11 12:38:19 | 000,174,080 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) ========== Alternate Data Streams ========== @Alternate Data Stream - 874 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AFB5119F @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95 @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:80337C03 < End of report > Extras.txt OTL Extras logfile created on: 20/06/2012 13:48:14 - Run 1 OTL by OldTimer - Version 3.2.50.0 Folder = C:\Documents and Settings\John\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1022.07 Mb Total Physical Memory | 603.10 Mb Available Physical Memory | 59.01% Memory free 2.40 Gb Paging File | 2.01 Gb Available in Paging File | 83.48% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 145.95 Gb Total Space | 104.32 Gb Free Space | 71.48% Space Free | Partition Type: NTFS Computer Name: D7B74Y1J | User Name: John | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* htmlfile [edit] -- Reg Error: Key error. piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- "C:\Program Files\File Type Assistant\tsassist.exe" "%1" (Trusted Software ApS) Directory [browse with Paint Shop Pro Studio] -- "C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\\Paint Shop Pro Studio.exe" "/Browse" "%L" (Jasc Software, Inc.) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 -- () "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 -- () [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC) "C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer -- (LimeWire) "C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.) "C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server -- (PeeringPortal) "C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server -- (PeeringPortal) "C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer "C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\YourFileDownloader\Downloader.exe" = C:\Program Files\YourFileDownloader\Downloader.exe:*:Enabled:YourFile Downloader -- (http://yourfiledownloader.com) "C:\Program Files\YourFileDownloader\YourFile.exe" = C:\Program Files\YourFileDownloader\YourFile.exe:*:Enabled:YourFile Downloader -- (http://yourfiledownloader.com) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{026C3D27-9BE1-46BE-BEAE-6DE38A0F4FBE}" = RealNetworks - Microsoft Visual C++ 2005 Runtime "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works "{1D3C662A-F6C6-4767-A788-7AA43A9A1317}" = ARTEuro "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java 6 Update 26 "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1 "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page "{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5 "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011 "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5 "{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2 "{6D12EC75-E7D3-4EAD-AB10-E1F3AFF94AA6}" = AVG 2012 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime "{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon "{7A35F91E-1D16-454F-A248-B9B782A2327C}" = Dell Support 3.2.1 "{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport "{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo 1.10.02 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003 "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A580547F-4FB6-433E-A595-21CAA858C556}" = Microsoft Office Live Small Business Image Uploader "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}" = Nikon View 6 "{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience "{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0 "{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0 "{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C6A09671-93A6-4548-9FAE-3BF21EB9C921}" = AVG 2012 "{C792A75A-2A1F-4991-9B85-291745478A79}" = NetAssistant "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones "{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser "{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call "{E7559288-223B-453C-9F06-340E3BE21E39}" = MyWay Search Assistant "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio "9397EA7527D5597E900F76DDCF42A1DEDCBDC288" = Windows Driver Package - Dekart (DEKART38) SmartCardReader (11/21/2007 1.0.5.9) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "ATI Display Driver" = ATI Display Driver "AVG" = AVG 2012 "BT Home Hub" = BT Home Hub "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "InstallShield_{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2 "InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio "Lexmark 1200 Series" = Lexmark 1200 Series "LimeWire" = LimeWire 4.16.6 "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400 "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Mozilla Firefox 12.0 (x86 en-GB)" = Mozilla Firefox 12.0 (x86 en-GB) "MozillaMaintenanceService" = Mozilla Maintenance Service "MP3 CD Converter Professional" = MP3 CD Converter Professional 5.03 "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "MSNINST" = MSN "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "PROSet" = Intel® PRO Network Connections Drivers "QuickTime" = QuickTime "RealPlayer 12.0" = RealPlayer "Recover Files_is1" = Recover Files 3.27 "Serif WebPlus 6.0" = Serif WebPlus 6.0 "StreetPlugin" = Learn2 Player (Uninstall Only) "Trusted Software Assistant_is1" = File Type Assistant "ViewpointMediaPlayer" = Viewpoint Media Player "William Hill Poker" = William Hill Poker "Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WinLiveSuite_Wave3" = Windows Live Essentials "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "NetAssistant" = Freeze.com NetAssistant "YourFileDownloader" = YourFileDownloader ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 04/06/2012 13:11:14 | Computer Name = D7B74Y1J | Source = Application Hang | ID = 1002 Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 13/06/2012 10:31:11 | Computer Name = D7B74Y1J | Source = Application Hang | ID = 1002 Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 15/06/2012 14:18:13 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3001 Description = The performance counter name string value in the registry is incorrectly formatted. The bogus string is 14674, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section. Error - 15/06/2012 14:18:13 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3011 Description = Unloading the performance counter strings for service ASP.NET_2.0.50727 (ASP.NET_2.0.50727) failed. The Error code is the first DWORD in Data section. Error - 15/06/2012 14:18:15 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3001 Description = The performance counter name string value in the registry is incorrectly formatted. The bogus string is 14674, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section. Error - 15/06/2012 14:18:15 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3011 Description = Unloading the performance counter strings for service aspnet_state (ASP.NET State Service) failed. The Error code is the first DWORD in Data section. Error - 15/06/2012 14:18:17 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3001 Description = The performance counter name string value in the registry is incorrectly formatted. The bogus string is 14674, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section. Error - 19/06/2012 05:36:26 | Computer Name = D7B74Y1J | Source = Application Error | ID = 1000 Description = Faulting application ati2evxx.exe, version 6.14.10.4118, faulting module ati2evxx.exe, version 6.14.10.4118, fault address 0x00028c2b. Error - 19/06/2012 05:37:31 | Computer Name = D7B74Y1J | Source = Application Error | ID = 1004 Description = Faulting application ati2evxx.exe, version 6.14.10.4118, faulting module ati2evxx.exe, version 6.14.10.4118, fault address 0x00028c2b. Error - 19/06/2012 07:23:52 | Computer Name = D7B74Y1J | Source = Application Hang | ID = 1002 Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000. [ System Events ] Error - 19/06/2012 05:14:35 | Computer Name = D7B74Y1J | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Error - 19/06/2012 05:14:45 | Computer Name = D7B74Y1J | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7001 Description = The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: %%31 Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7001 Description = The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31 Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7001 Description = The Fax service depends on the Print Spooler service which failed to start because of the following error: %%1068 Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7001 Description = The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31 Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Error - 19/06/2012 05:15:22 | Computer Name = D7B74Y1J | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} Error - 19/06/2012 05:16:07 | Computer Name = D7B74Y1J | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Error - 19/06/2012 11:47:23 | Computer Name = D7B74Y1J | Source = sr | ID = 1 Description = The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume. < End of report > ------------------------------------------------------------------------------------------------- Please also note that whilst running the scans, both Unhide and OTL threw up a balloon saying "Corrupt file - The file or directory C:\$Mft is corrupt and unreadable. Please run the Chkdsk utility". I don't know if this is of any significance? Oh, and there is still no sign of my missing files and folders in My Documents! Thanks again for your help on this. Quote
Starbuck Posted June 20, 2012 Posted June 20, 2012 Hi JCE "Corrupt file - The file or directory C:\$Mft is corrupt and unreadable. Please run the Chkdsk utility" It would be a good idea to run this. I presume that "Diskinternals Uneraser" is some sort of scam that has found its way onto my computer? On reading this up, i find a lot of bad comments about the product and the company themselves. One comment that may be of interest: Pros I have nothing good to say about this product. It appeared on my office computer at the EXACT time that several of my files disappeared!! Cons The product, Diskinternals Uneraser 3.91, showed up when I right clicked on windows explorer during my attempt to find a MS Publisher file that had just disappeared. The software offered to fix my problem for a fee. I've NEVER lost files before this. Summary I believe it was either hacked, or it's a thug. there is still no sign of my missing files and folders in My Documents! It obviously wasn't the malware i first thought it may be, or UnHide would have been able to put them all back. I will have to dig into this a bit more. I've done the "show hidden folders" thing Did you do it this way? Click Start. Click My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Uncheck the Hide file extensions for known file types. Click OK. I noticed in your earlier post that none of the lines detected by MBAM were removed! There are lines that need addressing in the OTL report, but we need to know that the lines found have been removed with MBAM first. Step 1 Please run the Scandisk utility within Windows. Click Start >> Computer Right click on your main drive (usually 'C') Select Properties Click on the Tools tab Under Error Checking.. Click Check Now Tick the options that you require ( I recommend that you tick both options ) Click Start On the screen that comes up.. Click Yes then OK Now restart your computer. Note: Be patient. Analyzing the drive can be a lengthy process Step 2 Please update MBAM and run another scan: Start MBAM Click on the Update tab http://img.photobucket.com/albums/v708/starbuck50/new/mbamnew.png Click Check for Updates The latest Database Version is: v.2012.06.20.07 If it says that MBAM needs to close to update it... let it close and then restart. Then click the Scan button. Don't forget: When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found. Make sure that everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below) The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply and exit MBAM.Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware. Step 3 Double click on OTL to run it. Under Extra Registry section, select Use SafeList. Don't check the boxes beside 'LOP Check' and 'Purity Check' this time. Click on Run Scan at the top left hand corner. When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. In your next reply, please submit: New MBAM report New reports from OTL also let me know how the Scandisk went. Thanks. Quote Member of:UNITE
JCE Posted June 21, 2012 Author Posted June 21, 2012 Hi again Starbuck, Thankyou thankyou thankyou!!.......I ran the Scandisk utility (I would never have found that!).....and guess what? My files and folders are back in My Documents!! Therefore the rest of this reply may be irrelevant, but I am including the reports in case there is something of relevance/interest..... Yes I read that comment about Diskinternals too.....and that was exactly what seemed to have happened to me. Yes I did the "show hidden folders" procedure exactly as you say. Oops yes, it seems I didn't remove the lines that MBAM detected! I have now done that. Please note that I did update MBAM but it was a different version to the latest one you indicated. Here are the reports you requested me to submit: MBAM report: Malwarebytes Anti-Malware (Trial) 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.21.04 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 John :: D7B74Y1J [administrator] Protection: Disabled 21/06/2012 13:02:36 mbam-log-2012-06-21 (13-02-36).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 339227 Time elapsed: 1 hour(s), 4 minute(s), 21 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 2 C:\Program Files\MyWaySA (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files\MyWaySA\SrchAsDe (PUP.MyWebSearch) -> Quarantined and deleted successfully. Files Detected: 3 C:\Documents and Settings\John\Desktop\freeopener.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully. C:\Documents and Settings\John\Desktop\freeopener_715.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1796\A0165977.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. (end) -------------------------------------------------------------------------- New OTL report: OTL logfile created on: 21/06/2012 14:32:06 - Run 2 OTL by OldTimer - Version 3.2.50.0 Folder = C:\Documents and Settings\John\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1022.07 Mb Total Physical Memory | 513.43 Mb Available Physical Memory | 50.23% Memory free 2.40 Gb Paging File | 1.92 Gb Available in Paging File | 79.96% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 145.95 Gb Total Space | 104.25 Gb Free Space | 71.43% Space Free | Partition Type: NTFS Computer Name: D7B74Y1J | User Name: John | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\John\Desktop\OTL.scr (OldTimer Tools) PRC - C:\Program Files\YourFileDownloader\YourFileUpdater.exe (http://yourfiledownloader.com) PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.) PRC - C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.) PRC - C:\WINDOWS\system32\FsUsbExService.Exe (Teruten) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) PRC - C:\Program Files\Lexmark 1200 Series\lxczbmon.exe (Lexmark International, Inc.) PRC - C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.) PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) PRC - C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation) ========== Modules (No Company Name) ========== MOD - C:\Program Files\Lexmark 1200 Series\ConvDIB.dll () MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\LXCZPP5C.DLL () ========== Win32 Services (SafeList) ========== SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe (AVG Technologies CZ, s.r.o.) SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) SRV - (FsUsbExService) -- C:\WINDOWS\system32\FsUsbExService.Exe (Teruten) SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe () ========== Driver Services (SafeList) ========== DRV - (WDICA) -- File not found DRV - (wanatw) WAN Miniport (ATW) -- system32\DRIVERS\wanatw4.sys File not found DRV - (PDRFRAME) -- File not found DRV - (PDRELI) -- File not found DRV - (PDFRAME) -- File not found DRV - (PDCOMP) -- File not found DRV - (PCIDump) -- File not found DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found DRV - (lbrtfdc) -- File not found DRV - (Changer) -- File not found DRV - (AVGIDSHX) -- C:\WINDOWS\system32\drivers\avgidshx.sys (AVG Technologies CZ, s.r.o. ) DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation) DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.) DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\avgidsshimx.sys (AVG Technologies CZ, s.r.o. ) DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\avgidsfilterx.sys (AVG Technologies CZ, s.r.o. ) DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys (AVG Technologies CZ, s.r.o. ) DRV - (FsUsbExDisk) -- C:\WINDOWS\system32\FsUsbExDisk.Sys () DRV - (ss_bmdm) -- C:\WINDOWS\system32\drivers\ss_bmdm.sys (MCCI Corporation) DRV - (ss_bbus) SAMSUNG USB Mobile Device (WDM) -- C:\WINDOWS\system32\drivers\ss_bbus.sys (MCCI) DRV - (ss_bmdfl) SAMSUNG USB Mobile Modem (Filter) -- C:\WINDOWS\system32\drivers\ss_bmdfl.sys (MCCI Corporation) DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.) DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.) DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.) DRV - (STHDA) High Definition Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/cs/*http://uk.docs.yahoo.com/info/bt_side.html IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found IE - HKCU\..\SearchScopes,DefaultScope = {3E39BC95-F5DF-4D87-8429-CC077D50EC71} IE - HKCU\..\SearchScopes\{3E39BC95-F5DF-4D87-8429-CC077D50EC71}: "URL" = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta= IE - HKCU\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = http://search.ibryte.com/i/playbryte/search/redirect/?type=default-ie&user_id=bc5fd840-cfed-49ac-9a95-d064978ac4e7&query={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.660: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.660: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.660: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll () FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/07/28 00:06:04 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/06/15 17:54:02 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/06/15 17:53:23 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock\Extensions\\Plugins: C:\Program Files\Flock\flock\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock\Extensions\\Components: C:\Program Files\Flock\flock\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Components: C:\Program Files\Flock\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Plugins: C:\Program Files\Flock\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/31 18:27:58 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/12 15:57:45 | 000,000,000 | ---D | M] [2011/06/12 15:57:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions [2009/07/16 18:29:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b} [2012/06/19 11:17:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\9ygpjs4z.default\extensions [2012/06/15 17:38:33 | 000,000,000 | ---D | M] (Yontoo) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\9ygpjs4z.default\extensions\plugin@yontoo.com [2012/05/31 18:27:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2012/04/21 02:18:00 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2006/06/22 14:44:58 | 002,078,344 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll [2012/04/21 03:09:17 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml [2012/04/21 03:09:17 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012/04/21 03:09:17 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml [2012/04/21 03:09:17 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml [2012/04/21 03:09:17 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml [2012/04/21 03:09:18 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (NetAssistantBHO Class) - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll (Yontoo LLC) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found. O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found O4 - HKLM..\Run: [Lexmark 1200 Series] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u File not found O4 - HKCU..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.) O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKCU..\Run: [eyeBeam SIP Client] File not found O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 () O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_26.dll (Sun Microsystems, Inc.) O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.) O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found O16 - DPF: {0A89E06C-0BE4-4D92-80FD-9F1009A4F3E1} http://www.the-saleroom.com/LiveAuctions/ActiveX/SaleRoomBidder.cab (Sale Room Bidder) O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool) O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab (Windows Live Safety Center Base Module) O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} http://cid-c089f59c7b1c157f.spaces.live.com/PhotoUpload/MsnPUpld.cab (Windows Live Photo Upload Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2A44CE98-3D02-4811-A005-DC2770058E21}: DhcpNameServer = 192.168.1.254 192.168.1.254 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2012/06/21 11:04:52 | 000,000,000 | -HSD | C] -- C:\found.000 [2012/06/20 13:46:10 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.scr [2012/06/20 12:57:04 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\John\Desktop\unhide.exe [2012/06/19 17:31:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\Malwarebytes [2012/06/19 17:31:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/06/19 17:31:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2012/06/19 17:31:32 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2012/06/19 17:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012/06/19 13:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Desktop\MY DOCS [2012/06/19 11:05:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\testing [2012/06/19 10:34:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\test [2012/06/15 18:28:49 | 000,000,000 | ---D | C] -- C:\Program Files\YourFileDownloader [2012/06/15 18:28:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\YourFileDownloader [2012/06/15 17:55:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\AVG2012 [2012/06/15 17:54:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG [2012/06/15 17:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012 [2012/06/15 17:38:33 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo Layers Runtime [2012/06/15 17:21:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Desktop\CSA [2012/06/15 15:38:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\OfficeRecovery [2012/06/15 15:38:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Local Settings\Application Data\Apps [2012/06/14 16:18:58 | 000,000,000 | ---D | C] -- C:\Program Files\ParetoLogic [2012/06/14 15:43:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\New Folder (3) [2012/06/14 15:43:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\New Folder (2) [2012/06/14 14:40:32 | 000,521,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll [2012/06/08 15:31:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\hhh [2012/06/08 15:31:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\New Folder [2012/06/06 17:48:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\Royal Mail [2012/05/31 18:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service [2012/05/31 18:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla [2012/05/22 18:00:37 | 000,000,000 | ---D | C] -- C:\ad303a4e208a87a99824891da506 [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012/06/21 14:27:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2012/06/21 14:27:22 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/21 14:27:12 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/21 14:26:49 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2012/06/21 14:26:48 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1010.job [2012/06/21 14:26:47 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\Your File Updater.job [2012/06/21 14:26:47 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1011.job [2012/06/21 14:26:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2012/06/21 13:40:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2012/06/21 12:57:48 | 000,033,758 | ---- | M] () -- C:\Documents and Settings\John\Local Settings\Application Data\dt.dat [2012/06/21 12:51:44 | 000,059,392 | ---- | M] () -- C:\Documents and Settings\John\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012/06/21 10:40:12 | 100,611,477 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm [2012/06/20 13:46:12 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.scr [2012/06/20 12:57:05 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\John\Desktop\unhide.exe [2012/06/19 18:04:48 | 000,000,440 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job [2012/06/19 17:31:35 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/06/19 16:40:58 | 000,054,156 | ---- | M] () -- C:\WINDOWS\QTFont.qfn [2012/06/19 13:47:06 | 000,000,161 | ---- | M] () -- C:\Documents and Settings\John\My Documents\test123.rtf [2012/06/19 13:44:24 | 000,029,530 | ---- | M] () -- C:\Documents and Settings\John\Application Data\wklnhst.dat [2012/06/19 13:12:16 | 000,000,338 | ---- | M] () -- C:\Documents and Settings\John\Desktop\Shortcut to My Documents.lnk [2012/06/19 12:49:50 | 000,000,163 | ---- | M] () -- C:\Documents and Settings\John\My Documents\Document.rtf [2012/06/19 10:13:27 | 000,241,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2012/06/15 19:29:56 | 000,473,392 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2012/06/15 19:29:56 | 000,084,786 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2012/06/15 19:22:24 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2012/06/15 18:28:58 | 000,001,638 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\YourFile Downloader.lnk [2012/06/15 17:54:03 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk [2012/06/15 17:12:57 | 000,000,224 | ---- | M] () -- C:\WINDOWS\System32\9B13A86D.plf [2012/06/14 17:08:19 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for [2012/06/14 16:19:03 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job [2012/06/11 14:20:00 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1875872634-156128194-2879020886-1011.job [2012/06/07 18:07:16 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\Desktop\TR1.pdf [2012/06/07 18:07:06 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;07;06PM.PDF [2012/06/07 18:06:33 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\Desktop\TR2.pdf [2012/06/07 18:06:15 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;06;15PM.PDF [2012/06/07 18:04:54 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\TR2.pdf [2012/06/07 17:48:08 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;48;08PM.PDF [2012/06/07 17:47:01 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;47;00PM.PDF [2012/06/07 17:46:10 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\TR1.pdf [2012/06/07 17:45:30 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;45;30PM.PDF [2012/05/31 18:28:01 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2012/05/31 17:38:20 | 000,005,560 | ---- | M] () -- C:\Documents and Settings\John\Desktop\MAY12.rtf [2012/05/31 14:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll [2012/05/31 14:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\crypt32(2)(2).dll [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2012/06/21 12:57:48 | 000,033,758 | ---- | C] () -- C:\Documents and Settings\John\Local Settings\Application Data\dt.dat [2012/06/19 17:31:35 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/06/19 13:47:06 | 000,000,161 | ---- | C] () -- C:\Documents and Settings\John\My Documents\test123.rtf [2012/06/19 13:11:01 | 000,000,338 | ---- | C] () -- C:\Documents and Settings\John\Desktop\Shortcut to My Documents.lnk [2012/06/19 12:49:50 | 000,000,163 | ---- | C] () -- C:\Documents and Settings\John\My Documents\Document.rtf [2012/06/15 18:28:58 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\YourFile Downloader.lnk [2012/06/15 18:28:50 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\Your File Updater.job [2012/06/15 17:54:03 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk [2012/06/14 17:08:19 | 000,054,156 | ---- | C] () -- C:\WINDOWS\QTFont.qfn [2012/06/14 17:08:19 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for [2012/06/14 16:19:02 | 000,000,414 | ---- | C] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job [2012/06/12 14:09:01 | 000,000,276 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/08 15:58:51 | 000,000,393 | ---- | C] () -- C:\Documents and Settings\John\My Documents\lp.lnk [2012/06/07 18:07:16 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\Desktop\TR1.pdf [2012/06/07 18:07:06 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;07;06PM.PDF [2012/06/07 18:06:33 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\Desktop\TR2.pdf [2012/06/07 18:06:15 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;06;15PM.PDF [2012/06/07 18:04:54 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\TR2.pdf [2012/06/07 17:48:08 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;48;08PM.PDF [2012/06/07 17:47:00 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;47;00PM.PDF [2012/06/07 17:46:10 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\TR1.pdf [2012/06/07 17:45:30 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;45;30PM.PDF [2012/05/31 18:28:01 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2012/05/30 18:49:14 | 000,005,560 | ---- | C] () -- C:\Documents and Settings\John\Desktop\MAY12.rtf [2012/03/26 14:35:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2010/11/15 13:58:24 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll [2010/11/15 13:58:24 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys [2010/11/15 13:58:09 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\John\Application Data\$_hpcst$.hpc ========== Alternate Data Streams ========== @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\John\My Documents\fbchathistory.dat:�SummaryInformation @Alternate Data Stream - 874 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AFB5119F @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95 @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:80337C03 < End of report > -------------------------------------------------------------------------------------- New Extras report: OTL Extras logfile created on: 21/06/2012 14:32:06 - Run 2 OTL by OldTimer - Version 3.2.50.0 Folder = C:\Documents and Settings\John\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1022.07 Mb Total Physical Memory | 513.43 Mb Available Physical Memory | 50.23% Memory free 2.40 Gb Paging File | 1.92 Gb Available in Paging File | 79.96% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 145.95 Gb Total Space | 104.25 Gb Free Space | 71.43% Space Free | Partition Type: NTFS Computer Name: D7B74Y1J | User Name: John | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* htmlfile [edit] -- Reg Error: Key error. piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- "C:\Program Files\File Type Assistant\tsassist.exe" "%1" (Trusted Software ApS) Directory [browse with Paint Shop Pro Studio] -- "C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\\Paint Shop Pro Studio.exe" "/Browse" "%L" (Jasc Software, Inc.) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 -- () "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 -- () [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC) "C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer -- (LimeWire) "C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.) "C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server -- (PeeringPortal) "C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server -- (PeeringPortal) "C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer "C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\YourFileDownloader\Downloader.exe" = C:\Program Files\YourFileDownloader\Downloader.exe:*:Enabled:YourFile Downloader -- (http://yourfiledownloader.com) "C:\Program Files\YourFileDownloader\YourFile.exe" = C:\Program Files\YourFileDownloader\YourFile.exe:*:Enabled:YourFile Downloader -- (http://yourfiledownloader.com) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{026C3D27-9BE1-46BE-BEAE-6DE38A0F4FBE}" = RealNetworks - Microsoft Visual C++ 2005 Runtime "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works "{1D3C662A-F6C6-4767-A788-7AA43A9A1317}" = ARTEuro "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java 6 Update 26 "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1 "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page "{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5 "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011 "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5 "{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2 "{6D12EC75-E7D3-4EAD-AB10-E1F3AFF94AA6}" = AVG 2012 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime "{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon "{7A35F91E-1D16-454F-A248-B9B782A2327C}" = Dell Support 3.2.1 "{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport "{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo 1.10.02 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003 "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A580547F-4FB6-433E-A595-21CAA858C556}" = Microsoft Office Live Small Business Image Uploader "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}" = Nikon View 6 "{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience "{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0 "{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0 "{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C6A09671-93A6-4548-9FAE-3BF21EB9C921}" = AVG 2012 "{C792A75A-2A1F-4991-9B85-291745478A79}" = NetAssistant "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones "{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser "{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call "{E7559288-223B-453C-9F06-340E3BE21E39}" = MyWay Search Assistant "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio "9397EA7527D5597E900F76DDCF42A1DEDCBDC288" = Windows Driver Package - Dekart (DEKART38) SmartCardReader (11/21/2007 1.0.5.9) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "ATI Display Driver" = ATI Display Driver "AVG" = AVG 2012 "BT Home Hub" = BT Home Hub "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "InstallShield_{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2 "InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio "Lexmark 1200 Series" = Lexmark 1200 Series "LimeWire" = LimeWire 4.16.6 "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400 "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Mozilla Firefox 12.0 (x86 en-GB)" = Mozilla Firefox 12.0 (x86 en-GB) "MozillaMaintenanceService" = Mozilla Maintenance Service "MP3 CD Converter Professional" = MP3 CD Converter Professional 5.03 "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "MSNINST" = MSN "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "PROSet" = Intel® PRO Network Connections Drivers "QuickTime" = QuickTime "RealPlayer 12.0" = RealPlayer "Recover Files_is1" = Recover Files 3.27 "Serif WebPlus 6.0" = Serif WebPlus 6.0 "StreetPlugin" = Learn2 Player (Uninstall Only) "Trusted Software Assistant_is1" = File Type Assistant "ViewpointMediaPlayer" = Viewpoint Media Player "William Hill Poker" = William Hill Poker "Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WinLiveSuite_Wave3" = Windows Live Essentials "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "NetAssistant" = Freeze.com NetAssistant "YourFileDownloader" = YourFileDownloader ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 04/06/2012 13:11:14 | Computer Name = D7B74Y1J | Source = Application Hang | ID = 1002 Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 13/06/2012 10:31:11 | Computer Name = D7B74Y1J | Source = Application Hang | ID = 1002 Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 15/06/2012 14:18:13 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3001 Description = The performance counter name string value in the registry is incorrectly formatted. The bogus string is 14674, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section. Error - 15/06/2012 14:18:13 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3011 Description = Unloading the performance counter strings for service ASP.NET_2.0.50727 (ASP.NET_2.0.50727) failed. The Error code is the first DWORD in Data section. Error - 15/06/2012 14:18:15 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3001 Description = The performance counter name string value in the registry is incorrectly formatted. The bogus string is 14674, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section. Error - 15/06/2012 14:18:15 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3011 Description = Unloading the performance counter strings for service aspnet_state (ASP.NET State Service) failed. The Error code is the first DWORD in Data section. Error - 15/06/2012 14:18:17 | Computer Name = D7B74Y1J | Source = LoadPerf | ID = 3001 Description = The performance counter name string value in the registry is incorrectly formatted. The bogus string is 14674, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section. Error - 19/06/2012 05:36:26 | Computer Name = D7B74Y1J | Source = Application Error | ID = 1000 Description = Faulting application ati2evxx.exe, version 6.14.10.4118, faulting module ati2evxx.exe, version 6.14.10.4118, fault address 0x00028c2b. Error - 19/06/2012 05:37:31 | Computer Name = D7B74Y1J | Source = Application Error | ID = 1004 Description = Faulting application ati2evxx.exe, version 6.14.10.4118, faulting module ati2evxx.exe, version 6.14.10.4118, fault address 0x00028c2b. Error - 19/06/2012 07:23:52 | Computer Name = D7B74Y1J | Source = Application Hang | ID = 1002 Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000. [ System Events ] Error - 19/06/2012 05:14:35 | Computer Name = D7B74Y1J | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Error - 19/06/2012 05:14:45 | Computer Name = D7B74Y1J | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7001 Description = The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: %%31 Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7001 Description = The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31 Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7001 Description = The Fax service depends on the Print Spooler service which failed to start because of the following error: %%1068 Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7001 Description = The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31 Error - 19/06/2012 05:14:57 | Computer Name = D7B74Y1J | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Error - 19/06/2012 05:15:22 | Computer Name = D7B74Y1J | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} Error - 19/06/2012 05:16:07 | Computer Name = D7B74Y1J | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Error - 19/06/2012 11:47:23 | Computer Name = D7B74Y1J | Source = sr | ID = 1 Description = The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume. < End of report > ----------------------------------------------------------------------- Thanks again Starbuck.....is there anything else I need to do? Quote
Starbuck Posted June 21, 2012 Posted June 21, 2012 Hi JCE My files and folders are back in My Documents!! That's great. :cool: Please note that I did update MBAM but it was a different version to the latest one you indicated That's fine, it was updated again after i posted. .is there anything else I need to do? Yes, a couple of things. We'll clean up some report entries and get your Java sorted out. Step 1 As you are running XP: You will need to stop the MBAM process's from running or you may get a conflict when trying to run the OTL fix. Press the 3 keys Alt+Ctrl+Del together and fetch up the 'Task Manager'. Click on the Processes tab and select any entries with MalwareBytes Antimalware in them. Once highlighted, click End Process. MBAM will start again after a reboot Double click on OTL to run it. Copy the lines in the codebox below. (make sure that :Otl is on the first line ) :Otl DRV - (WDICA) -- File not found DRV - (wanatw) WAN Miniport (ATW) -- system32\DRIVERS\wanatw4.sys File not found DRV - (PDRFRAME) -- File not found DRV - (PDRELI) -- File not found DRV - (PDFRAME) -- File not found DRV - (PDCOMP) -- File not found DRV - (PCIDump) -- File not found DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found DRV - (lbrtfdc) -- File not found DRV - (Changer) -- File not found IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (NetAssistantBHO Class) - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll (Yontoo LLC) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found. O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found O4 - HKLM..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u File not found O4 - HKCU..\Run: [eyeBeam SIP Client] File not found O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) @Alternate Data Stream - 874 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AFB5119F @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95 @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:80337C03 :Files ipconfig /flushdns /c :commands [emptytemp] [purity] [RESETHOSTS] Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste. http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png Click the red Run Fix button. http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png OTL will reboot your system once the fix has completed. After the reboot, you may need to double click OTL to launch the program and retrieve the log. Copy and paste the contents of the OTL log that comes up after the fix in your next reply. if you lose the report, there will be a copy here: C:\_OTL\MovedFiles Step 2 Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:Download the latest version of Java Runtime Environment (JRE) 7 Update 5 and save it to your desktop. Scroll down to where it says "Java SE 7 Update 5". Click the "Download JRE" button to the right. Accept the license agreement. select 'Windows x86'offline from the list. Save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-7u5-windows-i586-p.exe to install the newest version. In your next reply, please submit: The OTL fix report. Quote Member of:UNITE
JCE Posted June 22, 2012 Author Posted June 22, 2012 Hi Starbuck, Ok, I've now run the OTL fix report with the code you posted and here are the results: OTL logfile created on: 22/06/2012 13:21:21 - Run 3 OTL by OldTimer - Version 3.2.50.0 Folder = C:\Documents and Settings\John\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1022.07 Mb Total Physical Memory | 532.84 Mb Available Physical Memory | 52.13% Memory free 2.40 Gb Paging File | 1.92 Gb Available in Paging File | 79.99% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 145.95 Gb Total Space | 104.40 Gb Free Space | 71.54% Space Free | Partition Type: NTFS Computer Name: D7B74Y1J | User Name: John | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\John\Desktop\OTL.scr (OldTimer Tools) PRC - C:\Program Files\YourFileDownloader\YourFileUpdater.exe (http://yourfiledownloader.com) PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.) PRC - C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.) PRC - C:\WINDOWS\system32\FsUsbExService.Exe (Teruten) PRC - C:\Program Files\Outlook Express\msimn.exe (Microsoft Corporation) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) PRC - C:\Program Files\Lexmark 1200 Series\lxczbmon.exe (Lexmark International, Inc.) PRC - C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.) PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) PRC - C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation) ========== Modules (No Company Name) ========== MOD - C:\Program Files\Lexmark 1200 Series\ConvDIB.dll () MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\LXCZPP5C.DLL () ========== Win32 Services (SafeList) ========== SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe (AVG Technologies CZ, s.r.o.) SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) SRV - (FsUsbExService) -- C:\WINDOWS\system32\FsUsbExService.Exe (Teruten) SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe () ========== Driver Services (SafeList) ========== DRV - (WDICA) -- File not found DRV - (wanatw) WAN Miniport (ATW) -- system32\DRIVERS\wanatw4.sys File not found DRV - (PDRFRAME) -- File not found DRV - (PDRELI) -- File not found DRV - (PDFRAME) -- File not found DRV - (PDCOMP) -- File not found DRV - (PCIDump) -- File not found DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found DRV - (lbrtfdc) -- File not found DRV - (Changer) -- File not found DRV - (AVGIDSHX) -- C:\WINDOWS\system32\drivers\avgidshx.sys (AVG Technologies CZ, s.r.o. ) DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation) DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.) DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.) DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\avgidsshimx.sys (AVG Technologies CZ, s.r.o. ) DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\avgidsfilterx.sys (AVG Technologies CZ, s.r.o. ) DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys (AVG Technologies CZ, s.r.o. ) DRV - (FsUsbExDisk) -- C:\WINDOWS\system32\FsUsbExDisk.Sys () DRV - (ss_bmdm) -- C:\WINDOWS\system32\drivers\ss_bmdm.sys (MCCI Corporation) DRV - (ss_bbus) SAMSUNG USB Mobile Device (WDM) -- C:\WINDOWS\system32\drivers\ss_bbus.sys (MCCI) DRV - (ss_bmdfl) SAMSUNG USB Mobile Modem (Filter) -- C:\WINDOWS\system32\drivers\ss_bmdfl.sys (MCCI Corporation) DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.) DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.) DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.) DRV - (STHDA) High Definition Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/cs/*http://uk.docs.yahoo.com/info/bt_side.html IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found IE - HKCU\..\SearchScopes,DefaultScope = {3E39BC95-F5DF-4D87-8429-CC077D50EC71} IE - HKCU\..\SearchScopes\{3E39BC95-F5DF-4D87-8429-CC077D50EC71}: "URL" = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta= IE - HKCU\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = http://search.ibryte.com/i/playbryte/search/redirect/?type=default-ie&user_id=bc5fd840-cfed-49ac-9a95-d064978ac4e7&query={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.660: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.660: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.660: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll () FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/07/28 00:06:04 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/06/15 17:54:02 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/06/15 17:53:23 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock\Extensions\\Plugins: C:\Program Files\Flock\flock\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock\Extensions\\Components: C:\Program Files\Flock\flock\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Components: C:\Program Files\Flock\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Plugins: C:\Program Files\Flock\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/31 18:27:58 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/12 15:57:45 | 000,000,000 | ---D | M] [2011/06/12 15:57:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions [2009/07/16 18:29:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b} [2012/06/19 11:17:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\9ygpjs4z.default\extensions [2012/06/15 17:38:33 | 000,000,000 | ---D | M] (Yontoo) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\9ygpjs4z.default\extensions\plugin@yontoo.com [2012/05/31 18:27:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2012/04/21 02:18:00 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2006/06/22 14:44:58 | 002,078,344 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll [2012/04/21 03:09:17 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml [2012/04/21 03:09:17 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012/04/21 03:09:17 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml [2012/04/21 03:09:17 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml [2012/04/21 03:09:17 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml [2012/04/21 03:09:18 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (NetAssistantBHO Class) - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll (Yontoo LLC) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found. O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found O4 - HKLM..\Run: [Lexmark 1200 Series] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u File not found O4 - HKCU..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.) O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKCU..\Run: [eyeBeam SIP Client] File not found O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 () O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_26.dll (Sun Microsystems, Inc.) O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.) O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found O16 - DPF: {0A89E06C-0BE4-4D92-80FD-9F1009A4F3E1} http://www.the-saleroom.com/LiveAuctions/ActiveX/SaleRoomBidder.cab (Sale Room Bidder) O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool) O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab (Windows Live Safety Center Base Module) O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} http://cid-c089f59c7b1c157f.spaces.live.com/PhotoUpload/MsnPUpld.cab (Windows Live Photo Upload Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: Microsoft XML Parser for Java http://file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2A44CE98-3D02-4811-A005-DC2770058E21}: DhcpNameServer = 192.168.1.254 192.168.1.254 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2012/06/22 12:48:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood [2012/06/21 11:04:52 | 000,000,000 | -HSD | C] -- C:\found.000 [2012/06/20 13:46:10 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.scr [2012/06/20 12:57:04 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\John\Desktop\unhide.exe [2012/06/19 17:31:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\Malwarebytes [2012/06/19 17:31:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/06/19 17:31:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2012/06/19 17:31:32 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2012/06/19 17:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012/06/19 13:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Desktop\MY DOCS [2012/06/19 11:05:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\testing [2012/06/19 10:34:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\test [2012/06/15 18:28:49 | 000,000,000 | ---D | C] -- C:\Program Files\YourFileDownloader [2012/06/15 18:28:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\YourFileDownloader [2012/06/15 17:55:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\AVG2012 [2012/06/15 17:54:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG [2012/06/15 17:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012 [2012/06/15 17:38:33 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo Layers Runtime [2012/06/15 17:21:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Desktop\CSA [2012/06/15 15:38:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Application Data\OfficeRecovery [2012/06/15 15:38:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Local Settings\Application Data\Apps [2012/06/14 16:18:58 | 000,000,000 | ---D | C] -- C:\Program Files\ParetoLogic [2012/06/14 15:43:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\New Folder (3) [2012/06/14 15:43:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\New Folder (2) [2012/06/14 14:40:32 | 000,521,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll [2012/06/08 15:31:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\hhh [2012/06/08 15:31:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\New Folder [2012/06/06 17:48:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\My Documents\Royal Mail [2012/05/31 18:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service [2012/05/31 18:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012/06/22 13:18:39 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/22 13:18:38 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/22 12:46:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2012/06/22 12:46:20 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2012/06/22 12:46:18 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\Your File Updater.job [2012/06/22 12:46:18 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1011.job [2012/06/22 12:46:18 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1010.job [2012/06/22 12:45:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2012/06/21 18:03:28 | 000,001,572 | ---- | M] () -- C:\Documents and Settings\John\Desktop\Kims CV.rtf [2012/06/21 18:00:36 | 000,013,270 | ---- | M] () -- C:\Documents and Settings\John\Desktop\Kim CV.rtf [2012/06/21 18:00:01 | 000,000,440 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job [2012/06/21 17:40:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2012/06/21 15:31:20 | 000,029,660 | ---- | M] () -- C:\Documents and Settings\John\Application Data\wklnhst.dat [2012/06/21 15:28:46 | 000,000,968 | ---- | M] () -- C:\WINDOWS\lexstat.ini [2012/06/21 12:57:48 | 000,033,758 | ---- | M] () -- C:\Documents and Settings\John\Local Settings\Application Data\dt.dat [2012/06/21 12:51:44 | 000,059,392 | ---- | M] () -- C:\Documents and Settings\John\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012/06/21 10:40:12 | 100,611,477 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm [2012/06/20 13:46:12 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.scr [2012/06/20 12:57:05 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\John\Desktop\unhide.exe [2012/06/19 17:31:35 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/06/19 16:40:58 | 000,054,156 | ---- | M] () -- C:\WINDOWS\QTFont.qfn [2012/06/19 13:47:06 | 000,000,161 | ---- | M] () -- C:\Documents and Settings\John\My Documents\test123.rtf [2012/06/19 13:12:16 | 000,000,338 | ---- | M] () -- C:\Documents and Settings\John\Desktop\Shortcut to My Documents.lnk [2012/06/19 12:49:50 | 000,000,163 | ---- | M] () -- C:\Documents and Settings\John\My Documents\Document.rtf [2012/06/19 10:13:27 | 000,241,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2012/06/15 19:29:56 | 000,473,392 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2012/06/15 19:29:56 | 000,084,786 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2012/06/15 19:22:24 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2012/06/15 18:28:58 | 000,001,638 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\YourFile Downloader.lnk [2012/06/15 17:54:03 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk [2012/06/15 17:12:57 | 000,000,224 | ---- | M] () -- C:\WINDOWS\System32\9B13A86D.plf [2012/06/14 17:08:19 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for [2012/06/14 16:19:03 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job [2012/06/11 14:20:00 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1875872634-156128194-2879020886-1011.job [2012/06/07 18:07:16 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\Desktop\TR1.pdf [2012/06/07 18:07:06 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;07;06PM.PDF [2012/06/07 18:06:33 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\Desktop\TR2.pdf [2012/06/07 18:06:15 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;06;15PM.PDF [2012/06/07 18:04:54 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\TR2.pdf [2012/06/07 17:48:08 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;48;08PM.PDF [2012/06/07 17:47:01 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;47;00PM.PDF [2012/06/07 17:46:10 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\TR1.pdf [2012/06/07 17:45:30 | 001,146,774 | ---- | M] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;45;30PM.PDF [2012/06/02 15:19:44 | 000,022,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui [2012/06/02 15:19:38 | 000,329,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll [2012/06/02 15:19:38 | 000,329,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wucltui.dll [2012/06/02 15:19:38 | 000,219,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaucpl.cpl [2012/06/02 15:19:38 | 000,210,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuweb.dll [2012/06/02 15:19:34 | 000,097,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdm.dll [2012/06/02 15:19:34 | 000,097,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cdm.dll [2012/06/02 15:19:34 | 000,053,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuauclt.exe [2012/06/02 15:19:34 | 000,015,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui [2012/06/02 15:19:24 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll [2012/06/02 15:19:24 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuapi.dll [2012/06/02 15:19:18 | 001,933,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaueng.dll [2012/06/02 15:18:58 | 000,275,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll [2012/06/02 15:18:58 | 000,017,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui [2012/05/31 18:28:01 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2012/05/31 17:38:20 | 000,005,560 | ---- | M] () -- C:\Documents and Settings\John\Desktop\MAY12.rtf [2012/05/31 14:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll [2012/05/31 14:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\crypt32(2)(2).dll [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2012/06/21 18:03:28 | 000,001,572 | ---- | C] () -- C:\Documents and Settings\John\Desktop\Kims CV.rtf [2012/06/21 18:00:36 | 000,013,270 | ---- | C] () -- C:\Documents and Settings\John\Desktop\Kim CV.rtf [2012/06/21 12:57:48 | 000,033,758 | ---- | C] () -- C:\Documents and Settings\John\Local Settings\Application Data\dt.dat [2012/06/19 17:31:35 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/06/19 13:47:06 | 000,000,161 | ---- | C] () -- C:\Documents and Settings\John\My Documents\test123.rtf [2012/06/19 13:11:01 | 000,000,338 | ---- | C] () -- C:\Documents and Settings\John\Desktop\Shortcut to My Documents.lnk [2012/06/19 12:49:50 | 000,000,163 | ---- | C] () -- C:\Documents and Settings\John\My Documents\Document.rtf [2012/06/15 18:28:58 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\YourFile Downloader.lnk [2012/06/15 18:28:50 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\Your File Updater.job [2012/06/15 17:54:03 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk [2012/06/14 17:08:19 | 000,054,156 | ---- | C] () -- C:\WINDOWS\QTFont.qfn [2012/06/14 17:08:19 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for [2012/06/14 16:19:02 | 000,000,414 | ---- | C] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job [2012/06/12 14:09:01 | 000,000,276 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1875872634-156128194-2879020886-1006.job [2012/06/08 15:58:51 | 000,000,393 | ---- | C] () -- C:\Documents and Settings\John\My Documents\lp.lnk [2012/06/07 18:07:16 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\Desktop\TR1.pdf [2012/06/07 18:07:06 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;07;06PM.PDF [2012/06/07 18:06:33 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\Desktop\TR2.pdf [2012/06/07 18:06:15 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 06;06;15PM.PDF [2012/06/07 18:04:54 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\TR2.pdf [2012/06/07 17:48:08 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;48;08PM.PDF [2012/06/07 17:47:00 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;47;00PM.PDF [2012/06/07 17:46:10 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\TR1.pdf [2012/06/07 17:45:30 | 001,146,774 | ---- | C] () -- C:\Documents and Settings\John\My Documents\06-07-2012 05;45;30PM.PDF [2012/05/31 18:28:01 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk [2012/05/31 18:28:01 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2012/05/30 18:49:14 | 000,005,560 | ---- | C] () -- C:\Documents and Settings\John\Desktop\MAY12.rtf [2012/03/26 14:35:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2010/11/15 13:58:24 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll [2010/11/15 13:58:24 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys [2010/11/15 13:58:09 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\John\Application Data\$_hpcst$.hpc ========== Custom Scans ========== < :Otl > < DRV - (WDICA) -- File not found > < DRV - (wanatw) WAN Miniport (ATW) -- system32\DRIVERS\wanatw4.sys File not found > < DRV - (PDRFRAME) -- File not found > < DRV - (PDRELI) -- File not found > < DRV - (PDFRAME) -- File not found > < DRV - (PDCOMP) -- File not found > < DRV - (PCIDump) -- File not found > < DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found > < DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found > < DRV - (lbrtfdc) -- File not found > < DRV - (Changer) -- File not found > < IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) > < IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found > < O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. > < O2 - BHO: (NetAssistantBHO Class) - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll (W3i, LLC) > < O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll (Yontoo LLC) > < O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found. > < O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found > < O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found > < O4 - HKLM..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u File not found > < O4 - HKCU..\Run: [eyeBeam SIP Client] File not found > < O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found > < O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found > < O16 - DPF: Microsoft XML Parser for Java http://file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) > Invalid Switch: C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) < @Alternate Data Stream - 874 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AFB5119F > < @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 > < @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95 > < @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:80337C03 > < > < :Files > < ipconfig /flushdns /c > Windows IP Configuration Could not flush the DNS Resolver Cache: Function failed during execution. < > < :commands > < [emptytemp] > < [purity] > < [RESETHOSTS]•Return to OTL, > ========== Alternate Data Streams ========== @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\John\My Documents\fbchathistory.dat:�SummaryInformation @Alternate Data Stream - 874 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AFB5119F @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95 @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:80337C03 < End of report > ----------------------------------------------------------- I don't know if it is of any significance but my computer did not reboot automatically after the OTL report completed, I did it manually. I've also done the Java reinstall successfully. I'm going to have the best-running computer in the world at this rate! Thankyou so much once again. Quote
Starbuck Posted June 22, 2012 Posted June 22, 2012 I don't know if it is of any significance but my computer did not reboot automatically after the OTL report completed The blue section at the end of the report explains why....... You inadvertently clicked the scan button instead of the fix button. Please run the fix again using the earlier instructions and click 'Fix' this time. I wish i had £1 for every time this mistake has been made :D Quote Member of:UNITE
JCE Posted June 22, 2012 Author Posted June 22, 2012 Oops! Here's the "FIX" report.......... All processes killed ========== OTL ========== Service WDICA stopped successfully! Service WDICA deleted successfully! File File not found not found. Error: No service named wanatw) WAN Miniport (ATW was found to stop! Service\Driver key wanatw) WAN Miniport (ATW not found. File system32\DRIVERS\wanatw4.sys File not found not found. Service PDRFRAME stopped successfully! Service PDRFRAME deleted successfully! File File not found not found. Service PDRELI stopped successfully! Service PDRELI deleted successfully! File File not found not found. Service PDFRAME stopped successfully! Service PDFRAME deleted successfully! File File not found not found. Service PDCOMP stopped successfully! Service PDCOMP deleted successfully! File File not found not found. Service PCIDump stopped successfully! Service PCIDump deleted successfully! File File not found not found. Service MRENDIS5 stopped successfully! Service MRENDIS5 deleted successfully! File C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found not found. Service MREMPR5 stopped successfully! Service MREMPR5 deleted successfully! File C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found not found. Service lbrtfdc stopped successfully! Service lbrtfdc deleted successfully! File File not found not found. Service Changer stopped successfully! Service Changer deleted successfully! File File not found not found. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}\ deleted successfully. C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll moved successfully. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}\ not found. File C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ deleted successfully. File move failed. C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll scheduled to be moved on reboot. Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched deleted successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully. Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\eyeBeam SIP Client deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found. File oft XML Parser for Java http://file://C:\WINDOWS\Java\classes\xmldso.cab not found. Starting removal of ActiveX control Microsoft XML Parser for Java Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF . Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found. ADS C:\Documents and Settings\All Users\Application Data\TEMP:AFB5119F deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:63238B95 deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:80337C03 deleted successfully. ========== FILES ========== < ipconfig /flushdns /c > Windows IP Configuration Could not flush the DNS Resolver Cache: Function failed during execution. C:\Documents and Settings\John\Desktop\cmd.bat deleted successfully. C:\Documents and Settings\John\Desktop\cmd.txt deleted successfully. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default User ->Temp folder emptied: 32768 bytes ->Temporary Internet Files folder emptied: 32902 bytes User: Guest account User: guest2 User: John ->Temp folder emptied: 205096679 bytes ->Temporary Internet Files folder emptied: 124264965 bytes ->Java cache emptied: 2682492 bytes ->FireFox cache emptied: 84868342 bytes ->Flash cache emptied: 63541 bytes User: kim ->Temp folder emptied: 75726 bytes ->Temporary Internet Files folder emptied: 58446494 bytes ->Flash cache emptied: 2464 bytes User: LocalService ->Temp folder emptied: 65984 bytes ->Temporary Internet Files folder emptied: 32969 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 206377 bytes User: Owner %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 19618 bytes %systemroot%\System32 .tmp files removed: 256265 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 29239693 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 312299780 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 42541796 bytes Total Files Cleaned = 820.00 mb C:\WINDOWS\System32\drivers\etc\Hosts moved successfully. HOSTS file reset successfully OTL by OldTimer - Version 3.2.50.0 log created on 06222012_175927 Files\Folders moved on Reboot... C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll moved successfully. C:\Documents and Settings\John\Local Settings\Temp\REG1A.tmp moved successfully. C:\Documents and Settings\John\Local Settings\Temp\REG1B.tmp moved successfully. C:\Documents and Settings\John\Local Settings\Temp\REG29.tmp moved successfully. C:\Documents and Settings\John\Local Settings\Temp\REG2A.tmp moved successfully. File\Folder C:\Documents and Settings\John\Local Settings\Temp\~DF9A29.tmp not found! File\Folder C:\Documents and Settings\John\Local Settings\Temp\~DF9A38.tmp not found! File\Folder C:\Documents and Settings\John\Local Settings\Temp\~DF9B18.tmp not found! File\Folder C:\Documents and Settings\John\Local Settings\Temp\~DF9B23.tmp not found! File\Folder C:\Documents and Settings\John\Local Settings\Temp\~DF9BF9.tmp not found! File\Folder C:\Documents and Settings\John\Local Settings\Temp\~DF9C04.tmp not found! C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\X87Y38E1\ads[8].txt moved successfully. C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\PEGL3RN6\13704-All-files-folders-in-quot-My-Documents-quot-have-disappeared[1].-Please-help! moved successfully. C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\PEGL3RN6\ads[4].txt moved successfully. C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\9I8DR43M\EFRJTI1MjZudW0lMjUzRDElMjUyNnNpZyUyNTNEQU9ENjRfMjFLOE1FeEhUbGFrX2ExeWFTaHhjSi1tSWFMZyUyNTI2Y2xpZW50JTI1M0RjYS1wdWItNjAzNjQ3ODI1MDM2Mzg3MiUyNTI2YWR1cmwlMjUzRAXX[1].htm moved successfully. C:\Documents and Settings\John\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully. Registry entries deleted on Reboot... ________________________________________________________________ I dare say you will have at least £1 for all this wonderful help! Thanks. Quote
Starbuck Posted June 22, 2012 Posted June 22, 2012 Hi JCE Nice one. You'd be surprised how many people make that mistake. I'd like you to do an ESET OnlineScan Just to double check everything. You may find it beneficial to close your resident AV program before running the scan. Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop. Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop. [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button. [*]Accept any security warnings from your browser. [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png [*]Click the Start button. [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. [*]When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button. [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt Note: It's been found that on some systems the Eset's Online Scan fails during the database download ( around 20% ) To prevent this happening: When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked): Enable Anti-Stealth technology http://img.photobucket.com/albums/v708/starbuck50/eset.png In your next reply, please submit: Eset scan report and also let me know how the system is running now. Thanks Quote Member of:UNITE
JCE Posted June 25, 2012 Author Posted June 25, 2012 Hi Starbuck, Hope you had a good weekend, I've been away but now have the ESET scan report you requested: C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application C:\Documents and Settings\All Users\Application Data\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application C:\i386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application C:\WINDOWS\Motive\btbb\UninstallHelper.exe probably a variant of Win32/Adware.Agent.KNNVUII application C:\_OTL\MovedFiles\06222012_175927\C_Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application The system is running like lightning now, best it has ever been....nice to be able to make the most of my high speed broadband connection! Thanks again. Presumably I need to remove the threats that ESET found? Quote
Starbuck Posted June 26, 2012 Posted June 26, 2012 Hi JCE, Hope you had a good weekend, Very good, thanks. Presumably I need to remove the threats that ESET found? Yes please. But thanks for mentioning this. I have been updating my canned speeches and it seems i left a line out of the eset speech. The missing line is: Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications I will now add this back in for future use. Thanks for bringing this to my attention. You'll need to re-run eset and make sure that you remember to tick those options. Quote Member of:UNITE
JCE Posted July 2, 2012 Author Posted July 2, 2012 Hi Starbuck, Apologies for the delay, been up to my ears in work. Glad I could help you for a change in some small way! I've now re-run ESET and removed the infections. Guess we're done now? PC is running superbly, thankyou. Now to get my laptop running smoothly........;) Quote
Starbuck Posted July 2, 2012 Posted July 2, 2012 Hi JCE, Apologies for the delay, been up to my ears in work. No problem, we all suffer from that four letter word sometimes. :) I've now re-run ESET and removed the infections. Guess we're done now? We just need to finish off the cleaning process. PC is running superbly, thankyou. I'm glad i could help. Now to get my laptop running smoothly...... Just start a new thread and one of the staff will pick it up. If it seems to be malware related, either etavares or myself will take over. Step 1 Restart MBAM. Click on the Quarantine tab If there are items in quarantine..... Make sure everything is selected and then click Delete All. Close MBAM. Step 2 Please double-click OTL to run it. You should see a CleanUp! button, press that button, http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png This will cleanup an assortment of tools used during malware removal, plus itself Note: MBAM will not be removed Step 3 Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is: Go to Start > Programs > Accessories > System Tools and click "System Restore". Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Then go to Start > Run and type: Cleanmgr Click "OK". Select the drive for cleaning then click OK (usually 'C' drive) Click the "More Options" Tab. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. To find out how you may have been infected....read this topic: How did i get infected? Not all of the following information will be applicable to you, but it's still best to read it all. Now that you are clean, please follow these simple steps in order to keep your computer clean and secure: Use an AntiVirus Software Avira AntiVir ....installation guide Here Avast free MS Security Essentials ... see note** ...installation guide Here Note**: Upon installation MS Security Essentials will check that your OS is a legal copy. Only install one AntiVirus program [*]Update your AntiVirus Software regularly [*]Use a 3rd party Firewall Online Armor Free ZoneAlarm ...Important note below Outpost Firewall Free Sunbelt Personal Firewall NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option. Only install one software Firewall Some 3rd party Firewalls will turn off the windows firewall when they are installed. It's always best to check that the Windows Firewall is turned off: How to turn off Windows Firewall: Start ... Control Panel ...click on 'Classic View'. now select Windows Firewall. When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok [*]Scan regularly with a 'Stand Alone' Anti-Malware scanner: Installing another scanner that you can run once or twice a week is always beneficial. Something like: Malwarebytes Anti-Malware SUPERAntiSypware Remember to update these programs each time before running. You can install more than one of these if you only run them as stand alone programs. [*] Use an alternative browser: Some excellent alternatives to MS Internet Explorer are: Firefox For added security, add the NoScript extension to this browser: Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks also consider adding: WOT - Safe Browsing Tool Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web. Btw: you don't have to make a contribution. Opera They offer better security, more stability, and better speed. [*]Keep a backup of your registry Keeping a regular backup of your registry will help when something goes wrong. Use a program like: Erunt A full tutorial on how to set up and use Erunt can be found here: Erunt tutorial [*]Keep your system clean of temp files etc, using a 'Cleaner': Cleaners are programs that will help to clean out your: Windows temp files Current user temp files Cookies Temporary Internet flies Browser history Recycle bin Etc....... In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your pc. Programs like: TFC by OldTimer. (this is a standalone version of the EmptyTemp command we used in the Otl fix ) ATF Cleaner [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. [*]Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using and installing SpywareBlaster [*]Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Glad I was able to help. Safe surfing. http://fc08.deviantart.net/fs71/f/2010/033/b/3/Computer_addict__by_Sinister_Starfeesh.gif Quote Member of:UNITE
JCE Posted July 4, 2012 Author Posted July 4, 2012 Hi Starbuck, All done. I ran MBAM again just to be sure and it found another threat so I deleted that along with the quarantined stuff. I then ran the OTL clean up and created a new restore point. I read most of the "how did I get infected" stuff and that really opened my eyes, I had no idea we were under attack from every direction! To that end I have installed Avast antivirus. But couldn't get on installing any of the firewalls recommended, so I installed Comodo which seems to be highly recommended by most sites in the know. Is Comodo ok in your opinion? Just one thing though - after I installed Avast I got a blue screen saying my computer was at risk or some such. I had to turn it off and on again, but it has been ok since. I guess I'm fully protected now, but will run MBAM and ESET once a week to be sure....is that a good idea? Lastly, may I ask you what the best/fastest browser is in your opinion please? Best regards. Quote
Starbuck Posted July 4, 2012 Posted July 4, 2012 Hi JCE, I ran MBAM again just to be sure and it found another threat so I deleted that along with the quarantined stuff. Nice one. But couldn't get on installing any of the firewalls recommended, so I installed Comodo which seems to be highly recommended by most sites in the know. Is Comodo ok in your opinion? It's not a Firewall that i've used, so can't really comment on it. Obviously the company is well known, so it's probably as good as any. If you do have any problems.... it can easily be uninstalled, so give it a go and see how you get on. Just one thing though - after I installed Avast I got a blue screen saying my computer was at risk or some such. Did you fully remove AVG before installing Avast? AVG does tend to leave a lot of files on the system, so i suggest running the removal tool and making sure everything has gone. To remove AVG go to: http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe download to your desktop. then double click to start the uninstaller. but will run MBAM and ESET once a week to be sure....is that a good idea? As these are 'On Demand' scanners.... it's fine. Just make sure that both have the new definitions before running them. may I ask you what the best/fastest browser is in your opinion please? Not an easy question to answer. I've always found that Firefox was faster than IE..... but that's only the case if you don't add too many addons. I did use Opera for awhile (which i have to admit was nice and fast) but i couldn't use the addons with it that i need. I personally don't like the way that Chrome works ( adding a new process for every tab opened) so i stay away from that. So can't really comment on Chrome. It's just trial and error really. You can install as many browsers as you want..... give them a go and see what works best for you. Quote Member of:UNITE
JCE Posted July 11, 2012 Author Posted July 11, 2012 Starbuck, I can't thank you enough for all your help with this. Computer running fine now. Donation made. Keep up the good work! Quote
Starbuck Posted July 11, 2012 Posted July 11, 2012 Many thanks for the donation JCE, it really is appreciated. Quote Member of:UNITE
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.